Trojan Found... Maybe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Joyfulsong11, Mar 22, 2018.

  1. Joyfulsong11

    Joyfulsong11 Private E-2

    Hi, I was asked to look at a friend's computer. She was trying to use a publishing program, PrintMaster18, when it stopped working and gives her an error message asking to insert the disk to install missing components. I have included image files of the messages. Once the disc is inserted, an installation is attempted, at which time AVG pops up and alerts that there is a trojan. Doesn't seem to matter what choice you give AVG, this just happens over and over. I have since run the complete malware procedure (one run of Malwarebytes prior to disabling the UAC), and I don't see anything else coming up with a trojan. If there's nothing there, that's great, but I sure don't want to let her keep going with the potential for nasties!

    Thanks!

    ***Images and some log files in this post, the remainder of the log files in the following post.
     

  2. Joyfulsong11

    Joyfulsong11 Private E-2

    Log files
     

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello Joyfulsong-

    Questions: Is PrintMaster18 being installed from a purchased disc? Have you scanned the installer using VirusTotal? *Has a proxy server been knowingly set up?

    Please go here: https://www.zemana.com/Download
    Scroll all the way to the bottom of the page and at the bottom of column 2 you will find FREE AntiMalware. Click on it and download Zemana....install and scan. Upload the log.
     
  4. Joyfulsong11

    Joyfulsong11 Private E-2

    Thanks for your quick reply!

    Yes, PrintMaster18 is a purchased disc. I didn't scan an installer since it is the original branded disc that was used to install the program 2-3 years ago when the machine was set up. I just inserted it to try to repair the installation, only to have AVG flag it. The program has been working fine until about a week ago. She said something popped up and asked her if she wanted to get rid of something bad (elderly lady terms), so I initially thought she'd clicked on one of those spoof things on websites that try to get you to click on them just to download viruses. I don't see any evidence of that though, and the screen shots she took with her camera only show the AVG screen, nothing funky. She said she doesn't even use the internet on this machine, though it is hooked up. It's used mainly for photos & publishing tasks.

    I don't know of a proxy server being set up, and can't imagine it being needed with the basic home network environment.

    Zemana says everything is clean. Log file included.

    P.S. I've tried to find AVG log files to include, but can't find where they're located... be glad to if you know where to find them!

    *scratching head....
     

  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome!

    I think that AVG is giving a false positive and that you need to white-list the application and/or turn AVG off while installing it.

    Rerun RogueKiller and fix these detections:
    ¤¤¤ Registry ¤¤¤
    [PUP.Coupons|PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{1A53AD8B-D0B9-4E7F-88E4-50C07A65F2DC} (C:\Windows\COUPON~2.OCX) -> Found
    [PUP.Coupons|PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC} (C:\Windows\COUPON~2.OCX) -> Found
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:57307;https=127.0.0.1:57307; -> Found
    [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:57307;https=127.0.0.1:57307; -> Found
    [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:57307;https=127.0.0.1:57307; -> Found
    [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:57307;https=127.0.0.1:57307; -> Found

    Reboot, run RogueKiller again to generate an updated log... upload that log, please.
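The detections quoted above follow a fixed RogueKiller layout, and the interesting part is not the count but what they mean: the ProxyEnable/ProxyServer values sit under HKEY_USERS\.DEFAULT and S-1-5-18 (the default profile and the SYSTEM account, not a logged-on user) and point at a loopback port, so something running on the machine itself is positioned to intercept HTTP and HTTPS. The following triage script is an added example, not code from the thread or from RogueKiller; the SAMPLE_LOG is constructed from the lines in the post (one X86 duplicate kept on purpose), and the line format it parses is assumed from those lines only.

```python
import re

# Constructed sample: RogueKiller registry hits quoted in the post above, with one
# X86 duplicate kept so the triage can show it folding the two registry views.
SAMPLE_LOG = """\
[PUP.Coupons|PUP.Gen0] (X64) HKEY_CLASSES_ROOT\\CLSID\\{1A53AD8B-D0B9-4E7F-88E4-50C07A65F2DC} (C:\\Windows\\COUPON~2.OCX) -> Found
[PUM.Proxy] (X64) HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X86) HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings | ProxyServer : http=127.0.0.1:57307;https=127.0.0.1:57307; -> Found
"""
# One RogueKiller registry line (format assumed from the post): [Cat|Cat] (Arch) Key [| Value : Data] -> Status
LINE_RE = re.compile(r"^\[(?P<cats>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?)"
                     r"(?: \| (?P<value>\w+) : (?P<data>.*?))? -> (?P<status>\w+)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
SYSTEM_HIVES = {".DEFAULT", "S-1-5-18"}  # default profile and the SYSTEM account

def parse_line(line):
    """Parse one detection line into a dict, or return None for any other line."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), cats=m.group("cats").split("|")) if m else None

def hive_of(key):
    """HKEY_USERS\\<sid>\\... -> <sid>; any other root key -> the root name."""
    parts = key.split("\\")
    return parts[1] if parts[0] == "HKEY_USERS" and len(parts) > 1 else parts[0]

def loopback_ports(proxy_server):
    """Ports of loopback endpoints in a 'http=host:port;https=host:port;' value."""
    ports = set()
    for entry in filter(None, proxy_server.split(";")):
        host, _, port = entry.split("=", 1)[-1].rpartition(":")
        if host in LOOPBACK and port.isdigit():
            ports.add(int(port))
    return ports

def triage(log_text):
    """Fold X64/X86 duplicates and summarise what the proxy and PUP hits mean."""
    proxies, pup_files, ports = {}, set(), set()
    for det in filter(None, map(parse_line, log_text.splitlines())):
        if "PUM.Proxy" in det["cats"] and det["value"]:
            proxies.setdefault(hive_of(det["key"]), {})[det["value"]] = det["data"]
            if det["value"] == "ProxyServer":
                ports |= loopback_ports(det["data"])
        elif any(c.startswith("PUP.") for c in det["cats"]):
            path = re.search(r"\(([A-Za-z]:\\[^)]*)\)", det["key"])
            pup_files.add(path.group(1) if path else det["key"])
    # A proxy under .DEFAULT or S-1-5-18 was not set from a user's Internet Options:
    # it applies to services and new accounts, so it always deserves a look.
    return {"proxies": proxies, "loopback_ports": ports,
            "system_hive_proxies": sorted(h for h in proxies if h in SYSTEM_HIVES),
            "pup_files": sorted(pup_files)}
```

Running `triage(SAMPLE_LOG)` reports loopback port 57307, proxies in both system hives, and the COUPON~2.OCX file that the two CLSID entries register; after the fix and reboot, a clean rerun should return empty values for all four fields.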
     
  6. Joyfulsong11

    Joyfulsong11 Private E-2

    OK, so here's the latest logs.
     

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Good! The user may want to update from this very old Firefox v.42.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources (except a little disk space) until you run a scan.
    2. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    3. If running Vista, Win 7/8/10 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If you are running Win 7/8/10, Vista, Windows XP or Windows ME, do the below:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • For Windows 8/8.1/10 system restore see this link: Win 8 System Restore - How to enable/disable
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    7. After doing the above, you should work through the below link:
    Safe surfing!
     
  8. Joyfulsong11

    Joyfulsong11 Private E-2

    Great! Thank you so much! I set an exception in AVG, and discovered there is a warning from PrintMaster about the font size being set too large and possibly causing areas of the program to be difficult to read. I've never seen this before, but I suspect that popup warning is what was causing AVG to go haywire. All good now that AVG knows the program is safe and not calling it a Trojan! Don't even need the disc at all. I'll just finish the cleanup steps and we'll be all set! Thanks again!
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're very welcome!
     
