Kaspersky
Question

Trojan + AdWare


Hello, this is the first time I've found a virus on my PC, since I've always been careful, but this time a browser extension that I've been using for years (it also had over 500k downloads) was corrupted.

My antivirus didn't detect anything, but the browser (Brave) told me that the extension was malicious, so I deactivated it and started a full scan with my antivirus (not Kaspersky). In the end it found nothing, but since I like different opinions I did a full scan with another antivirus and it also found nothing.

So I kept using my PC normally for 3 weeks, and then one of my friends told me about the Kaspersky Virus Removal Tool and yesterday I tried it.

So I started the full scan with the Kaspersky Virus Removal Tool and it found 2 viruses connected to the extension.

Those are the viruses "HEUR:Trojan.Script.Generic" and "not-a-virus:HEUR:AdWare.Script.Generic". Both are located in C:\Users\…\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\"the name of that extension (the ID of the extension that you see while in developer mode)"\"the version of that extension"\js\background.js (for the first one, Trojan.Script.Generic) and \js\contentscript.js (for the second one, AdWare.Script.Generic).

Now I have a few questions, because I've never had a virus before so I don't know what to do, and because at the end of the scan I selected just "delete" (after the scan you have to choose what to do with those viruses, like "skip", "delete", "copy to quarantine", etc.), but I accidentally pressed the Enter button and the tool started another scan (which found nothing this time).

Now, if in the tool I click "quarantine", I see those 2 viruses, and I also read here https://support.kaspersky.com/15675 that the files are stored on my PC and can be accessed, and something like this, so my questions are:

- Am I safe now, or do I need to do other things? What should I do?

- Since after the scan I just selected "delete" for both and pressed Enter, what happened to those files? In the scan report I see (in this order): scan (started) - detected (the trojan) - detected (the adware) - scan (finished) - select action (delete) - select action (delete) - disinfection (started) - quarantined - quarantined - deleted - deleted - disinfection (finished). I also see that the extension is still in the browser.

- Is there any chance to see which kind of virus the trojan is? One is adware (which is not a big deal), but the other one is a trojan, and I used the PC for 3 weeks. The PC wasn't slow, I didn't see anything strange, and while idle the CPU and disk usage are normal (from 0 to 2%), but I know almost nothing.

My operating system is Windows 10 and the Kaspersky tool version is 20.0.6.0.

Sorry for the long post and for all those questions, but I really feel bad about this and I'm not sure what to do now.


35 replies

Userlevel 7
Badge +8

@Rokoz Welcome.

Can you please run AdwCleaner as ADMIN and provide the log?

⚠️ Please don’t clean eventual detections ⚠️ 

 

I put an X every time there was something like "ddfg3…. - cf5… - 2dd…. -" and so on. Tell me if you also need them.


 

# -------------------------------
# Malwarebytes AdwCleaner 8.2.0.0
# -------------------------------
# Build:    03-22-2021
# Database: 2021-03-22.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    03-27-2021
# Duration: 00:00:26
# OS:       Windows 10 Home
# Scanned:  31969
# Detected: 37


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy             C:\Users\...\AppData\Roaming\Tencent

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.ASUSManager   Folder   C:\Program Files (x86)\ASUS\ASUS MANAGER\AI BOOTING
Preinstalled.ASUSManager   Folder   C:\Program Files (x86)\ASUS\ASUS MANAGER\ASUS MANAGER - UPDATE
Preinstalled.ASUSManager   Folder   C:\Program Files (x86)\ASUS\ASUS MANAGER\BACKUP & RECOVERY
Preinstalled.ASUSManager   Folder   C:\Program Files (x86)\ASUS\ASUS MANAGER\PC CLEANUP
Preinstalled.ASUSManager   Folder   C:\Program Files (x86)\ASUS\ASUS MANAGER\POWER MANAGER
Preinstalled.ASUSManager   Folder   C:\Program Files (x86)\ASUS\ASUS MANAGER\RECOVERY
Preinstalled.ASUSManager   Folder   C:\Program Files (x86)\ASUS\ASUS MANAGER\SYNCUP
Preinstalled.ASUSManager   Folder   C:\Users\...\AppData\Local\ASUS\ASUS MANAGER\PC CLEANUP
Preinstalled.ASUSManager   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X
Preinstalled.ASUSManager   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X
Preinstalled.ASUSManager   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X
Preinstalled.ASUSManager   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X
Preinstalled.ASUSManager   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X
Preinstalled.ASUSManager   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X
Preinstalled.ASUSProductRegistration   Folder   C:\Program Files (x86)\ASUS\APRP
Preinstalled.ASUSProductRegistration   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X
Preinstalled.ASUSWebStorage   Folder   C:\Program Files (x86)\ASUS\WEBSTORAGE
Preinstalled.ASUSWebStorage   Folder   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ASUS\WEBSTORAGE
Preinstalled.ASUSWebStorage   Registry   HKLM\Software\Classes\CLSID\ X
Preinstalled.ASUSWebStorage   Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32|WebStorage
Preinstalled.ASUSWebStorage   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\WebStorage
Preinstalled.HPCleanFLC   File   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office.lnk
Preinstalled.HPSupportAssistant   Folder   C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT SOLUTIONS
Preinstalled.HPSupportAssistant   Folder   C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant   Folder   C:\Users\...\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Classes\CLSID\ X
Preinstalled.WildTangentGamesBundle   File   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WildTangent Games App - asus.lnk
Preinstalled.WildTangentGamesBundle   Folder   C:\Program Files (x86)\WILDTANGENT GAMES
Preinstalled.WildTangentGamesBundle   Folder   C:\Program Files (x86)\WILDTANGENT GAMES\APP
Preinstalled.WildTangentGamesBundle   Registry   HKLM\Software\Wow6432Node\\Classes\CLSID\ X
Preinstalled.WildTangentGamesBundle   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Ext\Preapproved\ X
Preinstalled.WildTangentGamesBundle   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\WildTangent wildgames Master Uninstall
Preinstalled.WildTangentGamesBundle   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X.WildTangent Games App
Preinstalled.WildTangentGamesBundle   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X.WildTangent Games App-asus
Preinstalled.WildTangentGamesBundle   Registry   HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\ X
Preinstalled.WildTangentGamesBundle   Registry   HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\ X

 

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
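The AdwCleaner report above mixes one PUP.Optional hit with a long list of Preinstalled.* entries, and the rest of the thread turns on treating those two kinds differently (clean the PUP, decide deliberately about the vendor bundleware). The parser below is an added example, not part of the thread or of Malwarebytes' tooling: it reads the report's "# Key: value" header, splits the "***** [ Section ] *****" blocks, pulls each detection into name / kind / target, cross-checks the header's "Detected" count against the lines actually listed, and sorts detections into a "clean" bucket (PUP.*, Adware.*, anything not vendor-preinstalled) and a "review" bucket (Preinstalled.*). The embedded log is a constructed excerpt in the shape of the report above, shortened to a few lines with GUIDs replaced by X as the poster did.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt modelled on the AdwCleaner 8.x report in the thread:
# a few lines kept, the rest dropped, GUIDs replaced with X as in the post.
SAMPLE_LOG = r"""
# -------------------------------
# Malwarebytes AdwCleaner 8.2.0.0
# -------------------------------
# Mode: Scan
# OS:       Windows 10 Home
# Detected: 4

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy             C:\Users\...\AppData\Roaming\Tencent

***** [ Preinstalled Software ] *****

Preinstalled.ASUSManager   Folder   C:\Program Files (x86)\ASUS\ASUS MANAGER\AI BOOTING
Preinstalled.WildTangentGamesBundle   Folder   C:\Program Files (x86)\WILDTANGENT GAMES
Preinstalled.WildTangentGamesBundle   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\ X

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
# "<Detection.Name>  [Kind]  <target>". The kind column appears in the
# Preinstalled section and is absent in the per-type sections (Folders, ...).
DETECTION_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9]+\.[A-Za-z0-9.]+)\s{2,}"
    r"(?:(?P<kind>File|Folder|Registry|Shortcut|Task|Service)\s{2,})?"
    r"(?P<target>\S.*)$"
)


@dataclass(frozen=True)
class Detection:
    section: str
    name: str            # e.g. PUP.Optional.Legacy
    kind: Optional[str]  # File / Folder / Registry, or None when not listed
    target: str          # path or registry key

    @property
    def family(self) -> str:
        """Leading label before the first dot: PUP, Preinstalled, Adware, ..."""
        return self.name.split(".", 1)[0]


@dataclass
class Report:
    meta: Dict[str, str]
    detections: List[Detection]


def parse_adwcleaner(text: str) -> Report:
    meta: Dict[str, str] = {}
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # "# Key: value" header lines; dashed rules and the "##### EOF"
            # footer carry no key and are skipped.
            if not line.startswith("##") and ":" in line:
                key, _, value = line[1:].partition(":")
                meta[key.strip()] = value.strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("name"), m.group("kind"), m.group("target")))
    return Report(meta, detections)


def count_is_consistent(report: Report) -> bool:
    """True when the header's Detected count equals the lines actually listed."""
    return report.meta.get("Detected") == str(len(report.detections))


def triage(report: Report) -> Dict[str, List[Detection]]:
    """Preinstalled.* is vendor bundleware to review and uninstall deliberately;
    everything else (PUP.*, Adware.*, ...) is a cleaning candidate."""
    buckets: Dict[str, List[Detection]] = {"clean": [], "review": []}
    for det in report.detections:
        buckets["review" if det.family == "Preinstalled" else "clean"].append(det)
    return buckets


def count_by_name(report: Report) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for det in report.detections:
        counts[det.name] = counts.get(det.name, 0) + 1
    return counts


if __name__ == "__main__":
    rep = parse_adwcleaner(SAMPLE_LOG)
    print(f"mode={rep.meta.get('Mode')} reported={rep.meta.get('Detected')} "
          f"parsed={len(rep.detections)} consistent={count_is_consistent(rep)}")
    for bucket, items in triage(rep).items():
        print(f"[{bucket}]")
        for det in items:
            print(f"  {det.name:<38} {det.kind or '-':<9} {det.target}")
```

To use it on a real report, read C:\AdwCleaner\Logs\AdwCleaner[S00].txt and pass its contents to parse_adwcleaner; anything landing in the "review" bucket is what the replies below suggest handling with an uninstaller rather than with AdwCleaner's clean action.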

 

Userlevel 7
Badge +8

@Rokoz Welcome. It looks like your PC contains preinstalled software with bundleware. Do you use this game?

No, but if it can help, this is an ASUS pre-assembled PC.

Userlevel 7
Badge +8

In this case I should try this:

  • create a restore point
  • delete the game entries
  • delete the PUP entry
  • clear the browser cache
  • reboot

 

Which game do I need to delete? The things I see with something like WildTangentGamesBundle are...

In Task Manager I see WildTangent Games App Integration Service (32-bit) (author: WildTangent), and if I open its folder location it is in C:\Program Files (x86)\WildTangent Games\App (all the files are from 2014 and 2015, but I bought the PC in 2016).

And I see WildTangent Games App in the list of programs (where all the programs installed on your PC are).

 

Another question: is this a new thing found on my PC, or is it connected to the problem I posted first? Because I also still have those found by the Kaspersky tool.

 

Userlevel 7
Badge +8

Another option is removing the games with Revo Uninstaller. After the uninstall procedure is finished, RU will prompt you to remove leftover files, folders and registry entries. Please take care to back up your personal files before proceeding. Please reboot after each uninstall. When finished, clear cache & temp files (e.g. CCleaner) and run another scan with KVRT + AdwCleaner. Also, if you see a game running in the Services, please disable it before proceeding.

I'm trying to find where to put all my personal files.

Anyway, I still don't understand which games those are, and whether I need to delete them manually first and then run the programs you said.

Userlevel 7
Badge +8

@Rokoz Please use only Revo Uninstaller; this software is a removal application that cleans all low-level leftovers.

The above procedure is not a risky operation, but keeping external/disconnected backups of personal files is always recommended.

Just a small recap, because I'm still confused.

- Kaspersky found 2 viruses from an extension, trojan + adware (is this one virus or 2 different ones? I don't know). I have those files in the Kaspersky quarantine (I think).

- AdwCleaner found 38 things: 1 marked in red (***** [ Folders ] ***** PUP.Optional.Legacy C:\Users\...\AppData\Roaming\Tencent) and the other 37 marked in yellow under "***** [ Preinstalled Software ] *****" (I didn't remove anything).

From here I don't know what to do. Which files/programs do I need to remove? Using what: the Kaspersky tool, AdwCleaner or Revo? In which order do I need to do this?

Again, sorry for all these questions.

 

 

Userlevel 7
Badge +8

Please proceed with these 2 steps:

  1. Clean "PUP.Optional.Legacy" with AdwCleaner
  2. Remove "WildTangent wildgames" with Revo Uninstaller

 

Sorry for the late reply. I downloaded Revo Uninstaller and I ran AdwCleaner again (because the first time you said not to clear the detections, I didn't even put them in quarantine).

I see this

 

Are we sure that WildTangent is the consequence of the viruses initially found by Kaspersky? AdwCleaner also says this: "We also want to be clear here: Preinstalled software is not malicious. Instead, for some users, preinstalled applications serve more as an annoyance." here https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device-your-choice-adwcleaner-now-detects-preinstalled-software/

 

 

In Revo I see only this that contains the word WildTangent. Is it this one?

 

 

Another question: here I see all these things to check.

Do I need to check some of them before cleaning the PUP?

And also, do I need to remove both the PUP and the "Preinstalled.WildTangentGamesBundle"?

Userlevel 7
Badge +8

@Rokoz Bundled software isn't systematically infected, but personally I always recommend staying away from games or other tools that have been installed on a PC without the consent of the user. In the meantime, your best option is to quarantine "PUP.Optional.Legacy" with AdwCleaner and see if your system is behaving correctly.

If you suspect any suspicious object you can submit it here : https://opentip.kaspersky.com/
For further investigation you can contact Kaspersky Technical Support which is available for paid Kaspersky products.

OK, so I put PUP.Optional.Legacy in quarantine, and now I see that there are no more processes in Task Manager about WildTangent, but the folder with all the files is still there (C:\Program Files (x86)\WildTangent Games\App), so if using Revo Uninstaller is a safe procedure, I'll uninstall this.

I also used the OpenTIP that you linked; I sent some files from that folder and all are clean.

 

Anyway, my first problem was this

 

 

Now I have these 2 in quarantine in the Kaspersky removal tool, and the extension is still in the browser.

And I also have 1 thing in quarantine in AdwCleaner.

 

Is everything safe in their respective quarantines, or do I need to do something more?

I read the FAQ here, https://support.kaspersky.com/kvrt2020#kb, on the site, but I didn't find anything regarding this.

Userlevel 7
Badge +8

@Rokoz Files in Quarantine are stored in a special format and are not dangerous.

Also please see this Kaspersky Support article https://support.kaspersky.com/14523

 

 

OK, thanks. Last 2 questions: is it normal that the extension is still in the browser?

I also want to do another full scan with the Kaspersky tool, but today it says "this version is obsolete. update now". As far as I understand, I need to download the tool again. This doesn't change anything, right? I mean, the files will stay in quarantine, I can still see the older report, etc.?

Userlevel 7
Badge +8

@Rokoz 

  1. Can you please post a screenshot of the extension.
  2. Please “update now” to obtain the latest DB definitions

Oh, for the new version I downloaded it from the site again; I didn't click "update now". Is it the same thing?

 

For the extension, I downloaded it around 2019, and this month I reactivated it by mistake (when I don't use an extension I don't keep it active).

 

This one; they have the same ID

 

 

Userlevel 7
Badge +8

@Rokoz I temporarily installed the "Video Downloaded Professional" extension:

  • No alert from Kaspersky Security Cloud
  • AdwCleaner : “No items were detected on your system”
     

Does it have the same ID? Because there are a lot of extensions with the name "Video Downloaded Professional", and also I can't find it on the store.

The top 3 extensions with that same name have these IDs: pboidikkgjoedgccndgmgcalcpofdoia - hcmifggiafbblnlgkeamfopdecenbcle - elicpjhcidhpjomhibiffojpinpmmpil

 

The one that I have installed is eooikgjpbiiaebbbnjbcnmgggekfnhfj

Userlevel 7
Badge +8

Can you please provide the extension link as follows: "xxxxx://…..."

Userlevel 7
Badge +5

Hi @Rokoz,

is it normal that the extension is still in the browser?

You can delete those extensions manually in Brave. Can you give it a try?

If it does not work for some reason, you can reset the Brave browser, or delete the current user profile and create a new one.

 

Can you please provide the extension link as follows: "xxxxx://…..."


How do I do that?

 

Hi @Rokoz,

is it normal that the extension is still in the browser?

You can delete those extensions manually in Brave. Can you give it a try?

If it does not work for some reason, you can reset the Brave browser, or delete the current user profile and create a new one.

 

 

If by "delete manually" you mean just pressing the "remove" button in the browser, I know I can, but I didn't do that because, since I don't know what the viruses in the extension can do, I thought it was safer to keep it but inactive, and also to avoid doing more damage.

 

Sorry for the late replies, but I only saw today the email that someone tagged me.

Userlevel 7
Badge +8

@Berny Can you please provide the download location of the extension.

The Kaspersky tool found it in C:\Users\….\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\eooikgjpbiiaebbbnjbcnmgggekfnhfj. I posted it at the beginning where I explained my problem, but I don't know if this is the download location that you are asking me for.

 

Also, I went into that folder now and the extension is still there, but without the "background.js" and "contentscript.js" that are in the Kaspersky tool quarantine.
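The thread ends with the extension pinned down by its ID and with its background.js and contentscript.js gone from the version folder after KVRT quarantined them. The script below is an added example, not code from the thread, from Brave or from Kaspersky: it walks a Chromium-style profile's Extensions folder (the <profile>\Extensions\<id>\<version>\manifest.json layout the detection path above points at), records each extension's ID and checks it is a well-formed 32-letter a..p Chromium ID, lists the declared permissions and the host patterns its content scripts run on, flags broad host access such as <all_urls>, and computes the SHA-256 of every script the manifest references, reporting None for a script that is referenced but missing from disk, which is exactly the state a per-file quarantine leaves behind. The hashes are what you would look up or submit at OpenTIP. The profile and its two extensions are constructed fixtures built in a temporary directory; their IDs, names and script contents are placeholders and say nothing about the real extension.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Chromium extension IDs are 32 characters from a..p (the hex digits of the
# public-key hash prefix remapped onto letters a through p).
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Match patterns / permissions that let an extension touch every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_valid_extension_id(ext_id: str) -> bool:
    return EXTENSION_ID_RE.fullmatch(ext_id) is not None


def script_paths(manifest: dict) -> List[str]:
    """Every JS file the manifest wires in: MV2 background scripts, the MV3
    service worker, and all content scripts."""
    paths: List[str] = []
    background = manifest.get("background", {})
    paths.extend(background.get("scripts", []))
    if "service_worker" in background:
        paths.append(background["service_worker"])
    for cs in manifest.get("content_scripts", []):
        paths.extend(cs.get("js", []))
    return paths


def sha256_or_none(path: Path) -> Optional[str]:
    """Hash for lookup/submission; None when the referenced file is gone."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None


def inventory(profile_dir: Path) -> List[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and summarise
    each installed extension version."""
    rows: List[dict] = []
    for manifest_path in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        version_dir = manifest_path.parent
        ext_id = version_dir.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        hosts = {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
        declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        rows.append({
            "id": ext_id,
            "id_well_formed": is_valid_extension_id(ext_id),
            "name": manifest.get("name"),
            "version": version_dir.name,
            "manifest_version": manifest.get("manifest_version"),
            "permissions": sorted(declared),
            "content_script_hosts": sorted(hosts),
            "broad_host_access": bool((declared | hosts) & BROAD_HOST_PATTERNS),
            # None marks a script the manifest references that is missing on disk.
            "scripts": {rel: sha256_or_none(version_dir / rel.lstrip("/")) for rel in script_paths(manifest)},
        })
    return rows


def build_sample_profile(root: Path) -> Path:
    """Constructed fixture (not the real extension): two extensions with made-up
    IDs and placeholder scripts. The second one's background.js is absent,
    mirroring a file removed by quarantine."""
    specs = [
        ("abcdefghijklmnopabcdefghijklmnop", "1.0.0", True),
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.3.1", False),
    ]
    for ext_id, version, keep_background in specs:
        ext_dir = root / "Extensions" / ext_id / version
        (ext_dir / "js").mkdir(parents=True)
        manifest = {
            "manifest_version": 2,
            "name": f"constructed sample {ext_id[:4]}",
            "version": version,
            "permissions": ["tabs", "storage", "<all_urls>"],
            "background": {"scripts": ["js/background.js"]},
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["js/contentscript.js"]}],
        }
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (ext_dir / "js" / "contentscript.js").write_text(f"// placeholder content script {ext_id}\n", encoding="utf-8")
        if keep_background:
            (ext_dir / "js" / "background.js").write_text("// placeholder background script\n", encoding="utf-8")
    return root


def demo() -> List[dict]:
    """Build the fixture in a temp dir, inventory it, and return the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for row in demo():
        print(f"{row['id']} v{row['version']} {row['name']!r} broad_host_access={row['broad_host_access']}")
        for rel, digest in row["scripts"].items():
            print(f"  {rel}: {digest or 'MISSING'}")
```

Against a real Brave profile, call inventory(Path(r"C:\Users\<you>\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default")); a row whose ID matches the one KVRT flagged, with content scripts on <all_urls> and MISSING entries where the quarantined files were, is the picture the thread describes.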
