Author Topic: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.  (Read 2072 times)


Offline Cobo93

  • Newbie
  • *
  • Posts: 4
 Hello.

I have a problem with a URL malware: "Klarittyjoy.com", marked as a trojan by Avast.

Avast blocks it but I have the pop-up coming every time I search or change any website in Google Chrome.

I've done all the scans that passed through my mind but it's really persistent. I also deleted all the Google Chrome cookies, history, etc. but it has no result.

Here I attach a screenshot of the alert. Sorry because all the information is in Spanish.




I ran Malwarebytes and this is the resulting log:

-Resumen del análisis-
Tipo de análisis: Análisis de amenazas
Análisis iniciado por:: Manual
Resultado: Completado
Objetos analizados: 319224
Amenazas detectadas: 16
Amenazas en cuarentena: 16
Tiempo transcurrido: 25 min, 23 seg

-Opciones de análisis-
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Activado
Heurística: Activado
PUP: Detectar
PUM: Detectar

-Detalles del análisis-
Proceso: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Módulo: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Clave del registro: 1
Generic.Malware/Suspicious, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\KMSEmulator, En cuarentena, 0, 392686, , , ,

Valor del registro: 0
(No hay elementos maliciosos detectados)

Datos del registro: 0
(No hay elementos maliciosos detectados)

Secuencia de datos: 0
(No hay elementos maliciosos detectados)

Carpeta: 1
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, En cuarentena, 155, 475078, , , ,

Archivo: 12
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, 1.0.21406, , shuriken,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000155.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000158.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000159.log, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000160.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 155, 475078, 1.0.21406, , ame,

Sector físico: 0
(No hay elementos maliciosos detectados)

WMI: 0
(No hay elementos maliciosos detectados)


(end)

I tried to run Farbar Recovery Scan Tool (FRST) several times but it always freezes 10 minutes after starting. So I desisted.

Can anybody help me with what I can do to stop these alerts? Thank you in advance.
« Last Edit: March 28, 2020, 06:40:04 PM by Cobo93 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83537
  • No support PMs thanks
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #1 on: March 26, 2020, 07:29:26 PM »
Were you specifically trying to connect to this Klarittyjoy.com site?
If so, the site is blacklisted by other programs and not just Avast. It also has a Critical Security Risk.

If you weren't directly connecting to this site, then it is possible that:
You were being redirected from another site you visited.
Or you could have hidden malware on your system or a malicious add-on in your browser.

In any case a malware removal specialist needs to check your logs to be sure.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.6.2420 (build 20.6.5495.561) UI-1.0.541/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Cobo93

  • Newbie
  • *
  • Posts: 4
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #2 on: March 26, 2020, 07:36:39 PM »
No, I don't remember ever visiting this website. It must be one of the other options.

Thank you for your help. I will have my computer revised.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32613
  • malware fighter
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #3 on: March 26, 2020, 10:28:00 PM »
Blacklisted here: Website Blacklist Status
Domain blacklisted by ESET: -klarittyjoy.com
Domain blacklisted by McAfee: -klarittyjoy.com

Consider the raw info coming from here: https://www.shodan.io/host/172.64.162.3/raw

Consider also: https://sitereport.netcraft.com/?url=klarittyjoy.com

8 detected under this IP address (CloudFlare abuse): https://www.virustotal.com/gui/ip-address/172.64.163.3/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83537
  • No support PMs thanks
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #4 on: March 26, 2020, 10:37:50 PM »
Quote
No, I don't remember ever visiting this website. It must be one of the other options.

Thank you for your help. I will have my computer revised.

You're welcome.

Had you left your logs attached they could have been checked by a qualified volunteer within the forums (free).  He would have been trying to ascertain which of the options I mentioned was trying to make the connection.

Offline Cobo93

  • Newbie
  • *
  • Posts: 4
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #5 on: March 27, 2020, 11:59:37 PM »
What do you refer to with the logs?

I checked my computer with Malwarebytes and this is what I obtained:



Malwarebytes
www.malwarebytes.com

-Detalles del registro-
Fecha del análisis: 26/3/20
Hora del análisis: 19:18
Archivo de registro: 252c624e-6f8e-11ea-ab88-80c16e56d19c.json

-Información del software-
Versión: 4.1.0.56
Versión de los componentes: 1.0.835
Versión del paquete de actualización: 1.0.21406
Licencia: Gratis

-Información del sistema-
SO: Windows 10 (Build 17763.1098)
CPU: x64
Sistema de archivos: NTFS
Usuario: Jacob

-Resumen del análisis-
Tipo de análisis: Análisis de amenazas
Análisis iniciado por:: Manual
Resultado: Completado
Objetos analizados: 319224
Amenazas detectadas: 16
Amenazas en cuarentena: 16
Tiempo transcurrido: 25 min, 23 seg

-Opciones de análisis-
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Activado
Heurística: Activado
PUP: Detectar
PUM: Detectar

-Detalles del análisis-
Proceso: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Módulo: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Clave del registro: 1
Generic.Malware/Suspicious, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\KMSEmulator, En cuarentena, 0, 392686, , , ,

Valor del registro: 0
(No hay elementos maliciosos detectados)

Datos del registro: 0
(No hay elementos maliciosos detectados)

Secuencia de datos: 0
(No hay elementos maliciosos detectados)

Carpeta: 1
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, En cuarentena, 155, 475078, , , ,

Archivo: 12
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, 1.0.21406, , shuriken,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000155.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000158.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000159.log, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000160.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 155, 475078, 1.0.21406, , ame,

Sector físico: 0
(No hay elementos maliciosos detectados)

WMI: 0
(No hay elementos maliciosos detectados)


(end)
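Added example, not part of any post in this thread and not Malwarebytes' own tooling: a small parser for the detail section of a log in the layout quoted above. It checks each section's declared count against the lines actually listed and groups detections by threat name, so an object reported as process, module and file is counted once. The sample excerpt is constructed from lines of the log; the field layout (threat name, object, action, then six trailing fields) is an assumption inferred from this log only.

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt in the layout of the Malwarebytes log quoted in this thread.
SAMPLE_LOG = r"""Amenazas detectadas: 5
-Detalles del análisis-
Proceso: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,
Clave del registro: 1
Generic.Malware/Suspicious, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\KMSEmulator, En cuarentena, 0, 392686, , , ,
Valor del registro: 0
(No hay elementos maliciosos detectados)
Archivo: 3
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, 1.0.21406, , shuriken,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 155, 475078, 1.0.21406, , ame,
"""
HEADER = re.compile(r"^([^,:]+):+\s*(\d+)$")  # "Archivo: 12", "Amenazas detectadas: 16"

def parse_log(text):
    """Return (declared_total, entries, sections whose count disagrees)."""
    declared, section, in_details, counts, entries = None, None, False, {}, []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if line.startswith("-Detalles del an"):
            in_details = True
        elif m and m.group(1) == "Amenazas detectadas":
            declared = int(m.group(2))
        elif m and in_details:
            section, counts[m.group(1)] = m.group(1), int(m.group(2))
        elif in_details and section and line.count(",") >= 8:
            parts = [p.strip() for p in line.split(",")]
            # Last seven fields are fixed, so commas inside the object path are tolerated.
            entries.append({"section": section, "threat": parts[0],
                            "object": ",".join(parts[1:-7]), "action": parts[-7]})
    found = Counter(e["section"] for e in entries)
    return declared, entries, {s: (n, found[s]) for s, n in counts.items() if n != found[s]}

def summarise(entries):
    """Group by threat name; an object listed in several sections counts once."""
    out = defaultdict(lambda: {"objects": set(), "actions": set()})
    for e in entries:
        out[e["threat"]]["objects"].add(e["object"].lower())
        out[e["threat"]]["actions"].add(e["action"])
    return dict(out)

if __name__ == "__main__":
    declared, entries, bad = parse_log(SAMPLE_LOG)
    print(f"declared={declared} parsed={len(entries)} count_mismatches={bad}")
    print({t: sorted(i["objects"]) for t, i in summarise(entries).items()})
```

An entry whose action is not "En cuarentena" (here "Sustituido" on Secure Preferences) is the kind of line worth pointing out to whoever reviews the log.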

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83537
  • No support PMs thanks
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #6 on: March 28, 2020, 01:07:02 AM »
I thought you had three log files attached, but my mind could be playing tricks.

The logs I referred to are the ones requested in this information only topic, https://forum.avast.com/index.php?topic=194892.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36730
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #7 on: March 28, 2020, 09:31:57 AM »
Quote
Proceso: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Módulo: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Clave del registro: 1
Generic.Malware/Suspicious, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\KMSEmulator, En cuarentena, 0, 392686, , , ,
so you are using cracked windows software .....






« Last Edit: March 28, 2020, 09:47:51 AM by Pondus »

Offline Cobo93

  • Newbie
  • *
  • Posts: 4
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #8 on: March 28, 2020, 01:42:05 PM »
I have no idea. I don't have any idea about informatics and I've never installed a cracked version. I can't say if some technician has done it in a "repair" of my computer. It can be possible.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32613
  • malware fighter
Re: Persistent alert "klarittyjoy.com". Don't know how to get rid of it.
« Reply #9 on: March 28, 2020, 09:08:18 PM »
Hi Cobo93,

Someone who "repairs" your computer in such a fashion, does not have your best interest at heart to say the least.
Wait for a qualified remover to get your device back to normal standards, whenever a qualified remover eventually wants to do so,
when he feels you are/were an unintentional victim. :D

polonus