
JTISuspect!/131076, is it a false positive?



#1 thefoggiestidea


Posted 13 July 2017 - 02:13 AM

Hello all, 

 

Yesterday I installed a fresh antivirus after my subscription on the last one ran out. The version I had up to yesterday (though the subscription had been expired for 5 days) was McAfee LiveSafe. The version I'm now on is McAfee Total Protection. I'm not sure if it makes a difference, but it seems like I should mention it.

 

It ran a scan and flagged up two things as JTISuspect!/131076. Both were files that had been on my computer for a while: third-party plugins for a fractal creation program called Apophysis, which I have been using without issue for a number of months. I downloaded these particular plugins last month from a popular user in the fractal community on DeviantArt. I've had a look at the comments on the link, and one other user reported their AV flagging a virus in the folder.

 

I also have Malwarebytes (the free version), and have run a number of scans with both that program and the older version of McAfee. Neither flagged up anything. Yesterday however, just before I uninstalled the older version of McAfee, I noticed it had removed 2 trojans in the last month. However I couldn't find where to get more information on it.

 

I scanned the folder where these plugins originally came from. Oddly, McAfee did not, at the first general scan, flag up anything in this folder, but when I scanned it this time, it removed all but one of the .dll files. 

 

I ran a full scan with Malwarebytes, and nothing else has been flagged up. I also ran a full scan with McAfee, and it found nothing at all. 

 

As to potential malware delivery methods I know of: I use an adblocker (uBlock Origin) and keep my browser (Chrome) up to date, as well as my OS (Windows 8.1), and I don't download things from sources I don't trust, nor open attachments in spam emails. I had downloaded plugins from the same source with no issue. That said, I use Sky Go, which I need to use Internet Explorer for, as Chrome and Firefox are not supported. Up until yesterday (when I worked out how to change it), the homepage was the BT homepage, which has ads, so if an ad server was compromised I may have got something from there. Other than that, I don't know how I can have got any malware.

 

Is this a false positive, or something to be concerned about? Where should I go from here?

 

I'd be truly grateful for any advice. Thanks!

 




#2 jwoods301


Posted 13 July 2017 - 02:25 AM

If you still have the files that were flagged, you can upload those one at a time to VirusTotal.com and scan them there...

 

If not, do the following malware checks and post the logs...

Download and run AdwCleaner -

https://www.bleepingcomputer.com/download/adwcleaner/

Run Malwarebytes Anti-Malware again.

Download and run the portable version of Zemana Anti-Malware

https://www.zemana.com/en-US/Download

Download and run Junkware Removal Tool -

https://www.bleepingcomputer.com/download/junkware-removal-tool/

Create a System Restore point first.


Edited by jwoods301, 13 July 2017 - 02:33 AM.


#3 JoshRoss


Posted 13 July 2017 - 05:17 AM

Since I have never encountered the issue and research didn't come up with too many fruitful results, we can try the conventional methods of scanning to confirm or deny your thoughts. In addition to the post above regarding the scans, they might have some issues when Windows is in normal mode; it can't do all of the scans appropriately. You can try the following:

  1. Restart your PC in "Safe mode with networking"; this will launch mostly default Windows without any additional programs.
  2. Install and run RKill, just in case, to terminate any malicious services.
  3. Do the scans mentioned in the post above; I know for a fact that Malwarebytes and Hitman Pro work well.
  4. Do another scan with your anti-virus.
  5. Restart your PC and do an additional scan with any anti-malware program.

This should get rid of most malware without any issues, if you had any. If the programs found nothing, it is safe to assume that you are secure. Sometimes, if a program does something unusual (which might be a natural process for that program), anti-virus can react to it. It is good that you are aware; you can never be too careful. Good luck!



#4 thefoggiestidea


Posted 13 July 2017 - 08:49 AM

Hello! Thank you both. I've so far run the scans in normal mode, and I will do them again in safe mode in a little bit.

 

Here are the results:

 

First I did Adwcleaner:

 

# AdwCleaner v6.047 - Logfile created 13/07/2017 at 11:40:23
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-11.1 [Server]
# Operating System : Windows 8.1  (X64)
# Username : Jess - ART-COMPUTER
# Running from : C:\Users\Jess\Downloads\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [984 Bytes] - [13/07/2017 11:40:23]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1056 Bytes] ##########
 
Then Malwarebytes:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 13/07/2017
Scan Time: 11:43
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2017.07.13.02
Rootkit Database: v2017.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Jess
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 388178
Time Elapsed: 50 min, 7 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Then Zemana:
 
Zemana AntiMalware 2.74.2.76 (Portable)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/7/13
Operating System       : Windows 8.1 64-bit
Processor              : 4X Intel® Core™ i5-4200U CPU @ 1.60GHz
BIOS Mode              : UEFI
CUID                   : 123C932BDB9541AE691726
Scan Type              : System Scan
Duration               : 79m 37s
Scanned Objects        : 377908
Detected Objects       : 2
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
modulus_x.dll
Status             : Scanned
Object             : %userprofile%\downloads\apophysis\cool plugins\modulus_x.dll
MD5                : 367FD7F743F599D9B7CF93A0D926C5D6
Publisher          : -
Size               : 11264
Version            : -
Detection          : Trojan:Win32/Sarajia.A!Tama
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\downloads\apophysis\cool plugins\modulus_x.dll
 
modulus_y.dll
Status             : Scanned
Object             : %userprofile%\downloads\apophysis\cool plugins\modulus_y.dll
MD5                : 31DC65CA056D93B266CFE5433025D9EA
Publisher          : -
Size               : 11264
Version            : -
Detection          : Trojan:Win32/Sarajia.A!Tama
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\downloads\apophysis\cool plugins\modulus_y.dll
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 2
Reported as safe      : 0
Failed                : 0
 
 
Now, the two things that were flagged here I managed to scan with VirusTotal this time.
 
 
 
And finally I ran Junkware Removal Tool:
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 8.1 x64 
Ran by Jess (Administrator) on 13/07/2017 at 14:30:09.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 4 
 
Successfully deleted: C:\Users\Jess\AppData\Roaming\3909 (Folder) 
Successfully deleted: C:\Users\Jess\AppData\Roaming\system (Folder) 
Successfully deleted: C:\Users\Jess\AppData\Roaming\wyupdate au (Folder) 
Successfully deleted: C:\WINDOWS\wininit.ini (File) 
 
Deleted the following from C:\Users\Jess\AppData\Roaming\Mozilla\Firefox\Profiles\mzxkgh5n.default\prefs.js
user_pref(browser.search.defaultenginename, Secure Search);
 
 
 
Registry: 4 
 
Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\0272981499884387mcinstcleanup (Registry Key) 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{4FDFC0E6-C76C-49B6-A02A-89BE64904F9D} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FE8AC6E5-2D42-46BC-B4BE-9AEE649D4B16} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{FE8AC6E5-2D42-46BC-B4BE-9AEE649D4B16} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 13/07/2017 at 14:33:21.22
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Thank you for your advice, I'll post more findings once I've done the scans in Safe Mode. 
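To turn a Zemana log like the one above into a short list of hashes to check on VirusTotal (as jwoods301 suggested in #2), here is an added Python example; it is not part of the original thread, and the embedded sample log is constructed in the same layout with placeholder hash and detection values.

```python
import re
# Constructed sample in the layout of the Zemana log above; the hash and detection name are placeholders.
SAMPLE_LOG = """\
Scan Result            : Completed
Detected Objects       : 1

Detected Objects
-------------------------------------------------------

example_plugin.dll
Status             : Scanned
Object             : %userprofile%\\downloads\\apophysis\\cool plugins\\example_plugin.dll
MD5                : 00000000000000000000000000000000
Detection          : Trojan:Win32/Example.A!Placeholder
Cleaning Action    : Quarantine
Related Objects    :
                File - %userprofile%\\downloads\\apophysis\\cool plugins\\example_plugin.dll

Cleaning Result
-------------------------------------------------------
Cleaned               : 1
"""
# "Key   : value" lines; the key is words/spaces, the value may itself contain colons (Trojan:Win32/...).
FIELD_RE = re.compile(r"^(\w[\w ]*?)\s*:\s*(.*)$")

def parse_zemana_detections(text: str) -> list:
    """Return one dict per detected object: its name plus lower-cased field keys (object, md5, detection, ...)."""
    lines = text.splitlines()
    # Blocks start after the bare "Detected Objects" header, not the "Detected Objects : N" summary line.
    header = next((i for i, l in enumerate(lines) if l.strip() == "Detected Objects"), None)
    if header is None:
        return []
    records, current = [], None
    for line in lines[header + 1:]:
        if line.startswith("Cleaning Result"):
            break
        if not line.strip() or line.startswith(("-", " ")):
            continue  # blank, dashed rule, or indented "Related Objects" continuation
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip().lower().replace(" ", "_")] = m.group(2).strip()
        else:
            current = {"name": line.strip()}  # a bare file name opens a new object block
            records.append(current)
    return records

def quarantined_md5s(records: list) -> list:
    """MD5s of quarantined objects, to look up on VirusTotal before treating them as false positives."""
    return [r["md5"] for r in records if r.get("cleaning_action") == "Quarantine" and "md5" in r]
```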


#5 thefoggiestidea


Posted 15 July 2017 - 08:39 AM

Safe Mode scans are done:
 
Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/14/2017 02:39:55 PM in x64 mode. (Safe Mode)
Windows Version: Windows 8.1 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Jess\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: uk.ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [855 Bytes] - [14/07/2017 14:45:43]
C:\AdwCleaner\AdwCleaner[S0].txt - [1135 Bytes] - [13/07/2017 11:40:23]
C:\AdwCleaner\AdwCleaner[S1].txt - [1490 Bytes] - [14/07/2017 14:45:10]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1073 Bytes] ##########
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 14/07/2017
Scan Time: 14:52
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2017.07.13.02
Rootkit Database: v2017.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Jess
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 386324
Time Elapsed: 46 min, 58 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Zemana wouldn't work in Safe Mode (even though I turned on Safe Mode with networking), and JRT couldn't get the restore point, so I thought it safest not to run it in case it messed anything up. I ran a full scan with McAfee overnight, and it didn't turn up anything, though I don't seem to be able to find the log file. 
 
Thank you! Is there anything else I should do?


#6 jwoods301


Posted 15 July 2017 - 03:33 PM

It appears your system is clean.

 

If you have further issues, let us know.



#7 thefoggiestidea


Posted 15 July 2017 - 04:00 PM

Ah, that's good to know. Thanks very much!





