
Norton: "Heuristic Virus Heur.AdvMLB". But mistaking my installed keylogger?

This topic is locked. 15 replies to this topic.

#1 MrHappyPants
  • Members
  • 33 posts
  • Gender:Male

Posted 07 March 2018 - 01:52 AM

Hi all, and thanks again for the great site!

 

My Norton Antivirus just turned up a file that may actually be related to my intentionally installed keylogger (right, I have a teenager...). As the keylogger no longer works, with the dll file in quarantine, the obvious guess would be that it's just the logger. But of course it might not be, and I'm reluctant to unquarantine the file until I can be sure. Hope you can help.

 

The file path is c:\windows\syswow64\msarnyern.dll, and the keylogger is the trial version of All In One keylogger. Normally the logger can be accessed by typing the password in any text file (notebook, wordpad, etc)

...which no longer works.

 

Hope to hear back soon...maybe even sooner than average, as the logger was installed to head off the teen's suspected dangerous online behavior, which is a pretty pressing concern, and I need it to find out what he's up to before anything potentially disastrous comes of it.

 

Thanks again for all you do, and hope to hear from you soon!

 

 

 





#2 nasdaq
  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 March 2018 - 09:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Step 1:
Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Step 2:
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Step 3:
Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions.
==============================

#3 MrHappyPants
  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 09 March 2018 - 10:50 PM

Hi nasdaq, and thanks so much for your help, and quick response!

 

Some new developments...upon running a newly downloaded Norton Security Scan, several more PUP files were turned up, then after updating the Norton definitions...several more. They've been quarantined by the Norton Suite (30 day free version). I did learn, however, that the initial flag from Norton was in fact the intentionally installed keylogger I'd installed, as that program alerted that its files had been deleted, and that it would require an install...this occurring immediately subsequent to the initial, pre-update Norton scan, and immediately upon Norton informing me that the offending program had been removed (I've yet to reinstall the keylogger, "All in one" from Relytec).

 

Even more interesting, perhaps is the fact that, after downloading the MBAM from the linked site, as instructed, I immediately attempted to download the AdwCleaner from the following link...this, while MBAM was scanning...only to find that my Firefox browser REFUSED to link to the AdwCleaner download site!!!! (https://toolslib.net/downloads/viewdownload/1-adwcleaner/). Not only that...each time I'd attempt to open the link in a new tab on the browser...the address would disappear from the address bar, after flashing there only briefly! I even attempted to copy the link, then open the tab and paste the link manually, only to get the same result! At that point, Firefox refused all further links, and Norton displayed a notice that it had stopped running! However Chrome continued to work without apparent difficulty, even while the open but blank tabs in the Firefox browser were still up.

 

By this time the MBAM had finished, however, and displayed the following log/alert...at which point I followed your instructions for removal...with MBAM then indicating a restart would be necessary.

 

As you'll note, the only MBAM result returned was a Trojan from "Refog". Not surprisingly, I had initially installed the Refog in my search for the aforementioned keylogger (as mentioned, in order to monitor my teen son's online activities).

I had attempted the uninstall process after finding the Refog unsuitable, however.

 

But upon restart, Firefox functioned without incident-re previously refusing the AdwCleaner download link, as I mentioned.

 

It would seem as if the Refog was responsible for Firefox's otherwise unaccountable refusal of the link, as the Refog removal seems to have cleared up the Firefox refusal of the AdwCleaner link.

 

Your thoughts?

 

I'm proceeding with the AdwCleaner, etc., scans now, however, especially as Norton found several further threats upon update.

 

Here's the MBAM log, as requested, with further to follow immediately:

 

Thanks so much, again!

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/9/18
Scan Time: 9:07 PM
Log File: 233e3dde-2410-11e8-a224-00ff7f73ea01.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4282
License: Premium

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: CrappyPC\Mary

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 260635
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 14 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Trojan.RefogKeyLogger, HKLM\SOFTWARE\Refog Software, Quarantined, [4835], [245936],1.0.4282

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)



#4 MrHappyPants
  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 10 March 2018 - 01:24 AM

Here are the AdwCleaner logs.

 

I'm not familiar with the Slim Cleaner/slimware utilities programs, though I do have CCleaner and SUPERAntispyware Free Edition.

 

I saved both logs, pre-removal and post-removal, and you'll notice that there were 2 programs listed as "PUP.Optional.Legacy", listed alongside the Slimware Utilities files, which don't show up as "deleted" on the post-removal logs.

-Should I attempt to manually remove/delete these "PUP.Optional.Legacy" files, as they don't appear to have been deleted, for some reason?

 

Additionally, when attempting to terminate all programs as instructed, prior to running the AdwCleaner scan, Windows Defender couldn't be terminated via either Task Manager, or MS Services menu, and the Services menu didn't even provide the "stop", as an option.

 

I uninstalled Norton prior to the scan, in order to stop the program, as it wasn't possible to stop it via Task Manager.

I reinstalled and restarted Norton immediately after the AdwCleaner scan was finished. Windows Defender alerted that the program had stopped upon restarting Norton.

 

You'll note that the first scan shows these Downloaded Installers/"PUP.Optional.Legacy" files, however they weren't reported as deleted, in the second post deletion log.

 

Also, I'm concerned that there are some programs which don't appear in the MBAM/AdwCleaner scans due to their having been Quarantined by Norton (the quarantine was performed by Norton automatically, prior to my finding your reply and beginning this process).

 

When I uninstalled Norton, as I mentioned, I opted for the "retain settings" option provided, in order to avoid releasing these programs back into the OS.

 

Please let me know your instructions regarding these programs, as well.

 

Lastly, should I be concerned that my data has been compromised, given the items reported, so far, including the additional

         PUP.Optional.DriverSupport, C:\Windows\System32\rnd_chunk.bin
         PUP.Optional.DriverSupport, C:\Windows\SysWOW64\rnd_chunk.bin

 

Thanks so much for your invaluable assistance!

 

Here are the logs, pre-deletion, then post deletion:

 

# AdwCleaner 7.0.8.0 - Logfile created on Sat Mar 10 05:40:19 2018
# Updated on 2018/08/02 by Malwarebytes
# Database: 02-08-2018.1
# Running on Windows 8.1 (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy, C:\Users\All Users\Documents\Downloaded Installers
PUP.Optional.Legacy, C:\Users\Public\Documents\Downloaded Installers
PUP.Optional.SlimCleanerPlus, C:\Users\Mary\AppData\Local\slimware utilities inc
PUP.Optional.SlimCleanerPlus, C:\Users\Mary\AppData\Local\SlimWare Utilities Inc


***** [ Files ] *****

PUP.Optional.DriverSupport, C:\Windows\System32\rnd_chunk.bin
PUP.Optional.DriverSupport, C:\Windows\SysWOW64\rnd_chunk.bin


***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.SlimCleanerPlus, [Key] - HKLM\SOFTWARE\SlimWare Utilities Inc


***** [ Firefox (and derivatives) ] *****

PUP.Optional.Legacy, SearchProvider found: nortonsafe.search.ask.com - Norton Search


***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [941 B] - [2017/10/13 22:9:38]
C:/AdwCleaner/AdwCleaner[S1].txt - [1486 B] - [2018/3/10 4:15:31]


########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt ##########

 

 

Here's the post deletion log:

 

# AdwCleaner 7.0.8.0 - Logfile created on Sat Mar 10 05:41:51 2018
# Updated on 2018/08/02 by Malwarebytes
# Running on Windows 8.1 (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Users\Mary\AppData\Local\slimware utilities inc
Deleted: C:\Users\Mary\AppData\Local\SlimWare Utilities Inc


***** [ Files ] *****

Deleted: C:\Windows\System32\rnd_chunk.bin
Deleted: C:\Windows\SysWOW64\rnd_chunk.bin


***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\SlimWare Utilities Inc


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [941 B] - [2017/10/13 22:9:38]
C:/AdwCleaner/AdwCleaner[S1].txt - [1486 B] - [2018/3/10 4:15:31]
C:/AdwCleaner/AdwCleaner[S2].txt - [1553 B] - [2018/3/10 5:40:19]
 

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
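As an added example (not part of the thread, and not AdwCleaner's own tooling), the following Python script does the comparison MrHappyPants does by eye above: it parses an AdwCleaner scan report and the matching clean report and lists every detection the clean run never reported as deleted. The sample logs are constructed from trimmed copies of the two reports in this post, and the parser assumes the 7.0.8 report layout shown there (section headers, "<detection>, <target>" lines in scan mode, "Deleted: <target>" lines in clean mode).

```python
import re
from dataclasses import dataclass

# Section header, e.g. "***** [ Folders ] *****"
SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# Scan-mode detection line: "<detection name>, <target>"
SCAN_HIT_RE = re.compile(r"^([A-Za-z0-9.]+), (.+)$")
# Clean-mode removal line: "Deleted: <target>"
CLEAN_HIT_RE = re.compile(r"^Deleted: (.+)$")


@dataclass(frozen=True)
class Detection:
    section: str   # report section the line appeared in (Folders, Files, Registry, ...)
    name: str      # detection name in scan mode, "Deleted" in clean mode
    target: str    # path, registry key or browser entry


def parse_log(text):
    """Return (mode, detections) for one AdwCleaner report; mode is 'scan' or 'clean'."""
    mode, section, hits = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# Mode:"):
            mode = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if set(line) == {"*"}:        # "*****..." separator ends the detection sections
            section = None
            continue
        if section is None or line.startswith(("#", "::", "No malicious")):
            continue
        if mode == "scan":
            m = SCAN_HIT_RE.match(line)
            if m:
                hits.append(Detection(section, m.group(1), m.group(2)))
        elif mode == "clean":
            m = CLEAN_HIT_RE.match(line)
            if m:
                hits.append(Detection(section, "Deleted", m.group(1)))
    return mode, hits


def find_uncleaned(scan_text, clean_text):
    """Detections from the scan report that the clean report never lists as deleted.
    Targets are compared case-insensitively, as NTFS paths and registry keys are."""
    scan_mode, scan_hits = parse_log(scan_text)
    clean_mode, clean_hits = parse_log(clean_text)
    if scan_mode != "scan" or clean_mode != "clean":
        raise ValueError("expected one scan-mode and one clean-mode report")
    deleted = {d.target.casefold() for d in clean_hits}
    return [d for d in scan_hits if d.target.casefold() not in deleted]


# Constructed sample input: trimmed copies of the two reports posted in this thread.
SCAN_LOG = r"""# AdwCleaner 7.0.8.0 - Logfile created on Sat Mar 10 05:40:19 2018
# Mode: scan

***** [ Folders ] *****
PUP.Optional.Legacy, C:\Users\Public\Documents\Downloaded Installers
PUP.Optional.SlimCleanerPlus, C:\Users\Mary\AppData\Local\SlimWare Utilities Inc

***** [ Files ] *****
PUP.Optional.DriverSupport, C:\Windows\System32\rnd_chunk.bin

***** [ Registry ] *****
PUP.Optional.SlimCleanerPlus, [Key] - HKLM\SOFTWARE\SlimWare Utilities Inc

***** [ Firefox (and derivatives) ] *****
PUP.Optional.Legacy, SearchProvider found: nortonsafe.search.ask.com - Norton Search

*************************
C:/AdwCleaner/AdwCleaner[S1].txt - [1486 B] - [2018/3/10 4:15:31]
"""

CLEAN_LOG = r"""# AdwCleaner 7.0.8.0 - Logfile created on Sat Mar 10 05:41:51 2018
# Mode: clean

***** [ Folders ] *****
Deleted: C:\Users\Mary\AppData\Local\slimware utilities inc

***** [ Files ] *****
Deleted: C:\Windows\System32\rnd_chunk.bin

***** [ Registry ] *****
Deleted: [Key] - HKLM\SOFTWARE\SlimWare Utilities Inc

***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries deleted.

*************************
::Tracing keys deleted
"""

if __name__ == "__main__":
    for d in find_uncleaned(SCAN_LOG, CLEAN_LOG):
        print(f"not cleaned [{d.section}] {d.name}: {d.target}")
```

On the sample above the two leftovers are the Downloaded Installers folder and the Norton Search provider, the same items the post flags as missing from the clean report.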

 

 

 



#5 MrHappyPants
  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 10 March 2018 - 01:45 AM

Here are the FRST/Addition scan logs, as attachments, as instructed.

 

I've also attached a screenshot of the current Norton Quarantine, as of 5 minutes ago, as well.

 

Also, am I safe to update the Norton, at this point, or should I wait?

 

Thanks again!



Edited by MrHappyPants, 10 March 2018 - 01:49 AM.


#6 nasdaq
  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 March 2018 - 08:56 AM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-1992209377-382255440-3143550161-1001\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1992209377-382255440-3143550161-1001\...\MountPoints2: {c42caf0c-a78b-11e6-8255-806e6f6e6963} - "E:\OmniVue.exe"
GroupPolicy: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-1992209377-382255440-3143550161-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NS&chn=oem&geo=US&ver=22&locale=en_US&gct=kwd&qsrc=2869
BHO: No Name -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> No File
Filter: application/x-mfe-ipt - No CLSID Value
S2 MainLSyncHost; c:\windows\syswow64\mpk\lsynchost.exe /startedbyscm:E4233B4F-40E3FE91-MPKService [X] <==== ATTENTION
U1 aswbdisk; no ImagePath

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {0055CFC1-D713-47EE-B8E4-F136FB9C321D} - \Hewlett-Packard\HP Support Assistant\WarrantyChecker -> No File <==== ATTENTION
Task: {4837BA13-2857-42A6-B413-0E5AA367A73F} - \Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:8927A071 [450]
HKU\S-1-5-21-1992209377-382255440-3143550161-1001\...\StartupApproved\Run: => "HijackThis startup scan"

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Update your Norton product.

Restart the computer normally.
===

Re-install your keylogger.
If Norton objects to the downloaded file you will be notified.

You can stop this notification for this keylogger.
https://support.norton.com/sp/en/us/home/current/solutions/v80629965_EndUserProfile_en_us

Make sure that the feature is turned back on after you download the file.
===

Please post the fixlog.txt and let me know if all is well.

#7 MrHappyPants
  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 10 March 2018 - 05:17 PM

Hi!

 

OK, hit a snag. I'm probably just paranoid at this point and jumping at shadows, but the thing is--when I went to save the txt to the folder containing FRST, as you instructed above...

 

...instead of displaying the contents of that folder (the download folder, as you'll note), it displayed that downloads folder as containing a completely different list of contents.

 

I've attached screenshots of the contents of each folder...the first of the "downloads" folder when opened independently...the second a screenshot of that "download" folder as it appears when I attempt to save the above text file to that folder.

 

Is that cause for concern? My first thought was that the villainous malware was preventing me from saving the text file to the proper folder, to prevent the fix.

 

Sorry to be such a bother, I'm likely just overreacting, but that's the first thing that occurred to me.

 

I went ahead and did it as instructed, though.

 

So please let me know if I need to re-save the fixlist differently, to get the fix to work.

 

Thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



#8 nasdaq
  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 March 2018 - 08:21 AM



instead of displaying the contents of that folder (the download folder, as you'll note), it displayed that downloads folder as containing a completely different list of contents.


Do you by any chance have 2 folders not quite of the same name?

Download

and

Downloads with an s

Which program did you use to save the file?

p.s.
The Screenshots were not attached.

#9 MrHappyPants
  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 11 March 2018 - 08:19 PM

Hi nasdaq!!!

 

Thanks again for your continuing assistance!

 

In answer to your question, nope...no "downloads" with an "S". Just the one download folder. I searched the entire directory (with the Search function, from the drop-down, right-clicked from the start-menu key, windows 8)

 

As far as the screenshots not making it through, that's odd, because they display on the current view of the thread...in my last entry to this thread, above.

 

I'm reattaching them, here, below. Also, should I go ahead and delete the files in the Quarantine in Norton? They're still there, in the Norton (as I mentioned, I retained the Norton settings when I uninstalled it, then reinstalled it).

 

Do you recognize any of these Quarantined files? Do they pose a continuing threat, even though they're in Quarantine? Should I be concerned, given that they were in effect prior to the recent Norton installation, which first caught them?

 

Was all previously entered account information compromised, in other words?

 

As far as your question re what program I used to save the file (the fixlog from FRST, presumably), I just saved it as usual, with the only option provided automatically. I didn't even realize there were different methods/programs that could be used to save a file.

 

Here are the screenshots, another I just took--reflecting the keystroke.exe, found after yet another Norton scan--then the first one, which I attempted to attach previously...as a cut/paste, directly, in the body of this reply, as I just noticed that the site flashed a "you're not allowed to use that image extension in this community" message when I attempted to attach the screenshots as either a png file or a jpeg.

So lets see if they make it through this time.

 

Hope the cut/paste versions of the screenshots are visible on your version. If not, please let me know how to get them to you.

 

Nope. I'm getting the same message..."You are not allowed to use that image extension on this community".

 

Here's a transcript of Norton Quarantine as of just now. The only addition since yesterday is the first entry-keysetup.exe--the keylogger?

---------------

High  keysetup.exe (Trojan.Gen.2) detected by Virus scanner  Quarantined  3/10/2018  11:28:06 am
High  msarnyern.dll (Heur. AdvML.B) detected by Virus scanner  Quarantined  3/8/2018  3:55:26 am
Low  msarnyern64.(PUA.Gen2) detected by Auto-protect  Quarantined  3/7/2018  1:58:43 pm
Low  msarnyern64.(PUA.Gen2) detected by Auto-protect  Quarantined  3/7/2018  1:42:24 pm
Low  a34d4bf9f41e9ece3faa656dd38beec01116550f (JS.Webcoinminer) detected by Download Insight  Quarantined  3/72018  7:14:24 am
Low  6890c01fe7e1fe4ef947d03b28a689b80c1777381 (JS. Webcoinminer) detected by Download Insight  Quarantined  3/7/2018  7:14:04 am
HIGH  msarnyern.dll (Heur.AdvML. B) detected by Auto-Protect  Quarantined  3/6/2018  11:38:57 pm

 

For some reason the smiley faces appear where I've typed ".B" instead...so I've placed an additional space there, after the ".", so it will render correctly. Those spaces aren't there in the original...odd????

Thanks so much for bearing with me through all of this!!!!


Edited by MrHappyPants, 11 March 2018 - 08:22 PM.


#10 nasdaq
  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 March 2018 - 08:11 AM

Hi,

 

Also, should I go ahead and delete the files in the Quarantine in Norton? They're still there, in the Norton (as I mentioned, I retained the Norton settings when I uninstalled it, then reinstalled it).


These two entries can be deleted.
Low a34d4bf9f41e9ece3faa656dd38beec01116550f (JS.Webcoinminer) detected by Download Insight Quarantined 3/72018 7:14:24 am
Low 6890c01fe7e1fe4ef947d03b28a689b80c1777381 (JS. Webcoinminer) detected by Download Insight Quarantined 3/7/2018 7:14:04 am
====

The other files are from the Keylogger developed by Relytec

Dequarantine the files.
How To:

https://support.norton.com/sp/en/hk/home/current/solutions/v6200368_ns_retail_en_us

Restart the computer normally.

Is the key logger working?
===

In post no. 6, I asked that you create a fixlist.txt. You did, and it's in a downloads folder.

Find the file or recreate it and move it to this downloads folder in bold.
C:\Users\Mary\Downloads

The farbar program was run in that folder and you should see it.

With the Fixlist file in that folder, run the Farbar tool and execute the fix as I suggested in post no. 6.

Post the Fixlog.txt for my review.

p.s.
You also have a Downloads folder here. The Fixlist.txt is probably there.
C:\Users\Public\Downloads
===


Nope. I'm getting the same message..."You are not allowed to use that image extension on this community".
What is the file extension of the image you are trying to attach?
===

If normally you use Firefox the Downloads will be by default in the Folder set in the FF settings.
Startup, home page, tabs, and download settings
https://support.mozilla.org/en-US/kb/startup-home-page-tabs-download-settings

Check it out.

===
 

I didn't even realize there were different methods/programs that could be used to save a file


When you save a new file you create with Notepad, use SAVE AS from the menu.
This will give you an option to choose the folder in which you want the file to be saved.

As a trial, open Notepad and enter some text in the box.
Go to the menu and use the FILE > SAVE AS option.
Click on the folder you wish to save the file in and give it a filename with the .txt extension.
The file will be saved where you want it.

====

#11 MrHappyPants
  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 16 March 2018 - 02:55 PM

Thanks so much for getting back to me so quickly, and apologies for not doing the same, as I've been very busy lately.

 

I ran a new FARBAR scan, and followed your directions as to saving the log to the same folder as the FARBAR tool, then clicking the fix button.

 

Here's the fixlog it created from that fix.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Mary (16-03-2018 21:46:48) Run:3
Running from C:\Users\Mary\Desktop\CompSecurity\security\Programs
Loaded Profiles: Mary (Available Profiles: Mary)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-1992209377-382255440-3143550161-1001\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1992209377-382255440-3143550161-1001\...\MountPoints2: {c42caf0c-a78b-11e6-8255-806e6f6e6963} - "E:\OmniVue.exe"
GroupPolicy: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-1992209377-382255440-3143550161-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NS&chn=oem&geo=US&ver=22&locale=en_US&gct=kwd&qsrc=2869
BHO: No Name -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> No File
Filter: application/x-mfe-ipt - No CLSID Value
S2 MainLSyncHost; c:\windows\syswow64\mpk\lsynchost.exe /startedbyscm:E4233B4F-40E3FE91-MPKService [X] <==== ATTENTION
U1 aswbdisk; no ImagePath

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {0055CFC1-D713-47EE-B8E4-F136FB9C321D} - \Hewlett-Packard\HP Support Assistant\WarrantyChecker -> No File <==== ATTENTION
Task: {4837BA13-2857-42A6-B413-0E5AA367A73F} - \Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:8927A071 [450]
HKU\S-1-5-21-1992209377-382255440-3143550161-1001\...\StartupApproved\Run: => "HijackThis startup scan"

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-1992209377-382255440-3143550161-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoInternetOpenWith" => not found
"HKU\S-1-5-21-1992209377-382255440-3143550161-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c42caf0c-a78b-11e6-8255-806e6f6e6963}" => removed successfully
HKLM\Software\Classes\CLSID\{c42caf0c-a78b-11e6-8255-806e6f6e6963} => not found
"C:\windows\system32\GroupPolicy\Machine" => not found
HKU\S-1-5-21-1992209377-382255440-3143550161-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => not found
HKLM\Software\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => not found
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE} => not found
HKLM\Software\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE} => not found
HKLM\Software\Classes\PROTOCOLS\Filter\Filter: application/x-mfe-ipt - No CLSID Value => not found
MainLSyncHost => service not found.
aswbdisk => service not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => not found
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => not found
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0055CFC1-D713-47EE-B8E4-F136FB9C321D} => could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Hewlett-Packard\HP Support Assistant\WarrantyChecker => could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4837BA13-2857-42A6-B413-0E5AA367A73F} => could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => could not remove. Access Denied.
"C:\ProgramData\Temp" => ":8927A071" ADS not found.
"HKU\S-1-5-21-1992209377-382255440-3143550161-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\HijackThis startup scan" => not found
"HKU\S-1-5-21-1992209377-382255440-3143550161-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\HijackThis startup scan" => not found

=========== EmptyTemp: ==========

BITS transfer queue => 16777216 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 44832671 B
Java, Flash, Steam htmlcache => 291 B
Windows/system/drivers => 0 B
Edge => 0 B
Chrome => 201272 B
Firefox => 27341998 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 7436 B
NetworkService => 0 B
Mary => 4837679 B

RecycleBin => 2756 B
EmptyTemp: => 89.6 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 16-03-2018 21:49:20)


Result of scheduled keys to remove after reboot:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0055CFC1-D713-47EE-B8E4-F136FB9C321D} => could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Hewlett-Packard\HP Support Assistant\WarrantyChecker => could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4837BA13-2857-42A6-B413-0E5AA367A73F} => could not remove. Access Denied.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => could not remove. Access Denied.

==== End of Fixlog 21:49:20 ====

 

I would like to delete the additional threats as well, as you mentioned in your last post; however, there is no "Delete" option offered within the Norton Quarantine section.

I looked for the files within the path specified in the Quarantine, but the files weren't there. Presumably they were moved to Quarantine.

But rather than a delete option, the Quarantine only lists the following available actions:

"Restore and Exclude this file"

"Remove from history", and

"Submit to Symantec"

However, at the top of the "File Action" box, within the Quarantine section, the threat is labeled as "This threat has been removed. No further action is necessary.", as well as "Resolved. No Further Action Necessary".

Of course, it's still listed as being in Quarantine, and the fact that I'm given the option to "restore" it would seem to suggest that it has not been deleted entirely...and remains in Quarantine.

I'm of course reluctant to restore it in order to then delete it entirely...as that would seem to pose further risk.

What do you recommend?

I did not restore the remaining Relytec files either, as I wanted to be sure the offending files were safely deleted before restoring the Relytec files...as I feared the Relytec files might potentially be corrupted/controlled by these threats.

Please let me know how best to go about deleting the threats.

Thanks again for all your help!!!!


Edited by MrHappyPants, 16 March 2018 - 10:06 PM.


#12 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 March 2018 - 09:45 AM

Hi,

I have had Norton for the last 15 years and trust it.

The file may be seen as a false positive. Remember you removed Norton, and possibly the old Quarantined items were not deleted. The new installation may not be able to remove them. They are or were quarantined and that is good.
Nothing can come of it.

---

You may be able to clean them with this tool.
Download to your Desktop the Junkware Removal Tool Download from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shutdown your antivirus to avoid any conflicts.
Right click the icon - disable for say 20 mins.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#13 MrHappyPants

  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 17 March 2018 - 01:23 PM

Just to be absolutely clear, the following files are DEFINITELY part of my intentionally downloaded Relytec logger?
-keysetup.exe (Trojan.Gen2)
-msarnyern.dll (Heur.AdvML.B)
-msarnyern64.dll (PUA.Gen.2)
-msarnyern64.dll (PUA.Gen.2)
-msarnyern.dll (Heur.AdvML.B)
the second and last entries have identical paths

Does that mean that the same file was both detected AND Quarantined TWICE, two days apart?

If so, would that imply that the file "escaped" from Norton Quarantine, after the first Quarantine...

...only to then be rediscovered...and relegated to Quarantine the SECOND time?

Is that any cause for concern?

If it truly is the Relytec logger, then I suppose it's irrelevant.

But, I suppose, it would give reason to doubt Norton's reliability to detect/quarantine threats. Yes?

Please let me know if these files, specifically, are only part of the Relytec logger, and can be disregarded.

Thanks so much, again!!! I realize that I may be less informed, and more paranoid, than your average request for help

...so thanks so much for your patience, and willingness to stay with me with it, for this long!!!



#14 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 March 2018 - 07:54 AM


Hi,

Does that mean that the same file was both detected AND Quarantined TWICE, two days apart?

If so, would that imply that the file "escaped" from Norton Quarantine, after the first Quarantine...

...only to then be rediscovered...and relegated to Quarantine the SECOND time?

Is that any cause for concern?


Any time Norton finds these active files they will be deleted.

Question for now.

Is the key logger installed on your computer and is it working?
===

Do you need a keylogger or some parental control?
You can send me a personal message if the information is personal.

I'm quoting this for reference only.
Exclude Files from Norton Antivirus Scans
https://www.lifewire.com/exclude-files-from-norton-antivirus-scans-153348

#15 MrHappyPants

  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 20 March 2018 - 12:31 PM

Hi Nasdaq, and thanks again!

 

Here's the JRT.txt log you requested.

Thanks so much for the offer to message you personally, but I think the situation has changed, and that's become unnecessary. But I'd certainly be open to any suggestions you might have along those lines.

It seems all the Relytec files have been removed, and the program is no longer working, to answer your question. I went ahead and cleared those files from Norton.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 8.1 x64
Ran by Mary (Administrator) on Tue 03/20/2018 at 12:03:24.33
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\users\Public\Documents\downloaded installers (Folder)

Deleted the following from C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\xyv9ujan.default-1520726078299\prefs.js
user_pref(browser.uiCustomization.state, {\placements\:{\widget-overflow-fixed-list\:[\zoom-controls\,\characterencoding-button\,\bookmarks-menu-button\,\edit-co
user_pref(extensions.webextensions.uuids, {\screenshots@mozilla.org\:\fc1b3a1b-bc23-4100-b293-6d55c4b91f4d\,\jid1-93WyvpgvxzGATw@jetpack\:\0731b646-57d8-4c2a-8b8c-e3



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 03/20/2018 at 12:08:23.83
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 





