Author Topic: Blekkotb  (Read 1033 times)

Offline sbergum

  • Newbie
  • *
  • Posts: 7
Blekkotb
« on: August 22, 2013, 01:47:11 PM »
I was checking on my recent scans which were all negative when I noticed Avast had detected something back in July. The scans afterwards were negative but this is what it found.

C:\Users\Me\AppData\Local\blekkotb\data\130708004003-m.list  Severity: High  Status: Threat: JS:ScriptSH-inf[Trj]

Is this a false positive?

I ran Malwarebytes and it came up with these.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.22.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Sbergum :: HOME [administrator]

8/22/2013 8:50:29 AM
MBAM-log-2013-08-22 (08-59-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245856
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Detected: 1
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe (PUP.Optional.Wajam.A) -> 2140 -> No action taken.

Memory Modules Detected: 1
C:\Program Files (x86)\Wajam\IE\priam_bho.dll (PUP.Optional.Wajam) -> No action taken.

Registry Keys Detected: 11
HKLM\SYSTEM\CurrentControlSet\Services\WajamUpdater (PUP.Optional.Wajam.A) -> No action taken.
HKCR\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} (PUP.Optional.Wajam) -> No action taken.
HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2} (PUP.Optional.Wajam) -> No action taken.
HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D} (PUP.Optional.Wajam) -> No action taken.
HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PUP.Optional.Wajam) -> No action taken.
HKCR\wajam.WajamBHO.1 (PUP.Optional.Wajam) -> No action taken.
HKCR\wajam.WajamBHO (PUP.Optional.Wajam) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PUP.Optional.Wajam) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PUP.Optional.Wajam) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C} (PUP.Optional.Wajam) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam (PUP.Optional.Wajam.A) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\Program Files (x86)\Wajam (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\Firefox (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\IE (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\Updater (PUP.Optional.Wajam.A) -> No action taken.

Files Detected: 10
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\IE\priam_bho.dll (PUP.Optional.Wajam) -> No action taken.
C:\Users\Sbergum\AppData\Local\Temp\wajam_install.exe (PUP.Optional.Wajam.A) -> No action taken.
C:\Users\Sbergum\Local Settings\Temporary Internet Files\Content.IE5\2I4VCAF7\stubinst_pkg_en-us[1].cab (PUP.Optional.OpenCandy) -> No action taken.
C:\Program Files (x86)\Wajam\uninstall.exe (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\Firefox\firefox_trigger_extension.htm (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\IE\favicon.ico (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\Updater\update.exe (PUP.Optional.Wajam.A) -> No action taken.
C:\Program Files (x86)\Wajam\Updater\wajamLogo.bmp (PUP.Optional.Wajam.A) -> No action taken.

(end)
« Last Edit: August 22, 2013, 02:02:52 PM by sbergum »

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21800
  • Gender: Male
Re: Blekkotb
« Reply #1 on: August 22, 2013, 02:09:47 PM »
difficult to say unless you upload that file to VirusTotal and test it
Malwarebytes would not have detected it as it is JavaScript, and MBAM doesn't target those

your Malwarebytes log says no action taken
to remove the crap it found, update MBAM, scan again and click Remove Selected

since Malwarebytes found that crap, you may have more in your browser, so run AdwCleaner
you find it here: http://forum.avast.com/index.php?topic=53253.0

you may post the log here

« Last Edit: August 22, 2013, 02:12:29 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.
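The reply above hinges on reading the Malwarebytes log correctly: every detection ends in "No action taken", so nothing was actually removed. As an added example (not code from the thread or from Malwarebytes), here is a small parser for that MBAM 1.x log layout that lists unresolved detections and counts detection families; the embedded log excerpt is constructed from the entries quoted in the first post.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes Anti-Malware 1.x log layout quoted above.
SAMPLE_LOG = r"""
Memory Processes Detected: 1
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe (PUP.Optional.Wajam.A) -> 2140 -> No action taken.

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Services\WajamUpdater (PUP.Optional.Wajam.A) -> No action taken.
HKCR\wajam.WajamBHO (PUP.Optional.Wajam) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Sbergum\AppData\Local\Temp\wajam_install.exe (PUP.Optional.Wajam.A) -> No action taken.

(end)
"""

# Section headers look like "Registry Keys Detected: 11".
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Detection lines look like "item (Family) -> [pid ->] action."; the pid only
# appears for running processes. Paths may themselves contain "(x86)".
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:\d+ -> )?(?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict (section, item, family, action) per detection line."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        # Skip blank lines, "(No malicious items detected)", "(end)" and the
        # scan preamble that precedes the first section header.
        if not line or line.startswith("(") or section is None:
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return findings


def unresolved(findings):
    """Detections the scan reported but did not quarantine or remove."""
    return [f for f in findings if f["action"].lower() == "no action taken"]


def family_counts(findings):
    """Detection families, most common first (one PUP bundle tends to dominate)."""
    return Counter(f["family"] for f in findings)
```

Running `unresolved(parse_mbam_log(SAMPLE_LOG))` on a real log tells you at a glance whether a "clean" rescan is still needed, which is exactly the situation in this thread.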


Offline sbergum

  • Newbie
  • *
  • Posts: 7
Re: Blekkotb
« Reply #2 on: August 22, 2013, 02:17:20 PM »
# AdwCleaner v3.000 - Report created 22/08/2013 at 09:12:15
# Updated 20/08/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Sbergum - HOME
# Running from : C:\Users\Sbergum\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\END
File Found : C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar
Folder Found : C:\Users\Sbergum\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Folder Found : C:\Users\Sbergum\AppData\Roaming\Mozilla\Firefox\Profiles\s7dmh0s1.default\Extensions\toolbar@ask.com
Folder Found C:\Program Files (x86)\Ask.com
Folder Found C:\Program Files (x86)\blekkotb
Folder Found C:\Program Files (x86)\Wajam
Folder Found C:\ProgramData\Anti-phishing Domain Advisor
Folder Found C:\ProgramData\Ask
Folder Found C:\ProgramData\Partner
Folder Found C:\Users\Sbergum\AppData\Local\blekkotb
Folder Found C:\Users\Sbergum\AppData\Local\PackageAware
Folder Found C:\Users\Sbergum\AppData\Local\Wajam
Folder Found C:\Users\Sbergum\AppData\LocalLow\AskToolbar
Folder Found C:\Users\Sbergum\AppData\LocalLow\blekkotb
Folder Found C:\Users\Sbergum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\APN
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\AppDataLow\Software\blekkotb
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{20A0BE68-8FD9-4539-8712-CE3D1C1FDFC6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{26C9E18C-3717-4BE1-A225-04E4471F5B6E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{20A0BE68-8FD9-4539-8712-CE3D1C1FDFC6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{26C9E18C-3717-4BE1-A225-04E4471F5B6E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKCU\Software\Wajam
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\APN
Key Found : [x64] HKCU\Software\Ask.com
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
Key Found : [x64] HKCU\Software\Wajam
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\APN
Key Found : HKLM\Software\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\priam_bho.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{20A0BE68-8FD9-4539-8712-CE3D1C1FDFC6}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{26C9E18C-3717-4BE1-A225-04E4471F5B6E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Found : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
Key Found : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00F12770-E60E-4DC6-9105-425BFACE7C73}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\WajamUpdater_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{20A0BE68-8FD9-4539-8712-CE3D1C1FDFC6}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26C9E18C-3717-4BE1-A225-04E4471F5B6E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\blekkotb
Key Found : HKLM\Software\Wajam
Key Found : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WajamUpdater
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{26C9E18C-3717-4BE1-A225-04E4471F5B6E}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16660


-\\ Mozilla Firefox v22.0 (en-US)

[ File : C:\Users\Sbergum\AppData\Roaming\Mozilla\Firefox\Profiles\12tge68d.default-1358108534121\prefs.js ]

Line Found : user_pref("CT2422939_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1358697310369,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Found : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT2422939&SearchSource=13&CUI=UN84101825100795891");
Line Found : user_pref("Smartbar.ConduitSearchEngineList", "AccuWeather Customized Web Search");
Line Found : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2422939&SearchSource=2&CUI=UN84101825100795891&q=");
Line Found : user_pref("Smartbar.keywordURLSelectedCTID", "CT2422939");
Line Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2422939&SearchSource=2&CUI=UN84101825100795891&q=");
Line Found : user_pref("smartbar.machineId", "X3CLOE2HFSHGZGLHTOL0JBHHXFDAW9VFIWKVVXIVCWGJGTGBLN+WHQYQEYMVJFGABUAKEHHDAIQVHXDF67OL/W");

-\\ Google Chrome v29.0.1547.57

[ File : C:\Users\Sbergum\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [8732 octets] - [22/08/2013 09:12:15]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [8792 octets] ##########

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21800
  • Gender: Male
Re: Blekkotb
« Reply #3 on: August 22, 2013, 02:22:48 PM »
click ... clean ... and let it remove all the crap found



Offline sbergum

  • Newbie
  • *
  • Posts: 7
Re: Blekkotb
« Reply #4 on: August 22, 2013, 02:25:46 PM »
Already done.

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21800
  • Gender: Male
Re: Blekkotb
« Reply #5 on: August 22, 2013, 02:28:22 PM »
that's it ..... unless you have any problems?





Offline sbergum

  • Newbie
  • *
  • Posts: 7
Re: Blekkotb
« Reply #6 on: August 22, 2013, 02:35:56 PM »
Thanks for your help Pondus! I appreciate it immensely! Going to upload that file to Virus Total.

 
