Possible trojan

[netmars]

Hello, can you please check possible problem.
I used SUPERAntiSpyware today and it detected:
Trojan/Malware - HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#20131121

Is it real, or some false alarm?
Can you please check it?

[Pondus]

if you have a file, upload and test at www.virustotal.com / www.metascan-online.com / www.jotti.org

log experts are notified, it may take some time before they are online

[netmars]

Thank you for reply.
Actually i dont have any file. I did quick system scan and it just detected this one register as malware/trojan.

[argus]

Hello.





Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Under Optional Scan ensure "Driver MD5" are ticked.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[netmars]

Hello,
here are logs.

[argus]

I see no present or active malware.


Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;

• Remove disinfection tools
• Create registry backup
• Purge System Restore

Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.



edit.

Or is it some rest in the registry, malware (if it was present) not active.

[netmars]

Ok, thank you.

Can you please explain what is Delfix for and what it actually does? i mean if there is no threat, i am curious especially about options - remove desinfection tools and purge system restore.

[argus]

 DelFix, nicely explained

Removed system restore and create a new point, also deleted the tools that we use.

[netmars]

ok, i did even this, but SUPERAntiSpyware system scan still targeting register (i cant even find it in regedit)

Trojan.Agent/Gen - (x86) HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#20131121

so you are sure there is no malware and this is only false alarm?

Edit: I did find it. - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 and there is "20131121"=hex:02,00,00,00,00,00,00,00,00,00,00,00

[polonus]

Could be a Bitcoinminer detection remainder, use safe mode to not get the alert.
Maybe a temp file cleaner will get rid of this remainder.

polonus

[netmars]

Thanks for reply,
i found that it is in "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" too.
There is register record "20131121"="C:\\Program Files\\AVAST Software\\Avast\\setup\\emupdate\\737f022d-1098-4dad-9fbb-f3244e2767fc.exe /check".

So can it be actually from Avast?

[Simion]

I'm getting the same detection from SAS and believe it's a false positive.

[netmars]

ok, good to know, thank you

[Simion]

You're welcome, netmars. Let's see what the experts say, though. 

[storm_21]

Same detection here while running SAS!