Not sure if I removed the virus I had...

Yesterday I got an Avast notification that it had detected the js:Redirector-BOS [Trj] Trojan Horse but it had been blocked.
After looking stuff up it seemed like virus scanners couldn’t really remove it, so I wasn’t sure if “has been blocked” really meant that it had been blocked.

My laptop runs on Windows 8 so no aswMBR log, but I’ve attached the MBAM and OTL logs.
I’ve never really had a virus before (at least not in years, and definitely not on my own laptop) so I got a bit of a scare.

In a “better safe than sorry” way, I hope you can help me with determining if my laptop’s really infected, because the OTL logs in particular confuse me.
The first MBAM scan prompted me to restart, so I did, and the second came up clean. Both logs are attached.

Thank you so much for your help!

malware experts notified…it may take some hours before they are online

Welcome to AVAST, skipaheartbeat

My name is Machiavelli and I’ll try to fix your PC problems. If you are in SafeMode then print my instructions! Removing Malware on a computer can be very complicated. Malware (malicious software) is able to hide and so I may not be able to find it so easily. In order to remove Malware from your Computer, you need to follow my instructions carefully. Don’t be worried if you don’t know what to do, just ask me! Please stay in contact with me until the problem is fixed.

http://s7.directupload.net/images/130831/anqpskr7.png

http://s1.directupload.net/images/130831/94gcza5x.png

!NOTE! Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

I am currently in training and my posts will need to be reviewed by an expert, so expect a slight delay between posts. :slight_smile:

Hi Machiavelli,

Thanks for helping me! I’ll be away this afternoon (it’s 1.24pm here) and I’m not sure when I’ll be back but I’ll reply when I can.
I’m available basically all of tomorrow if today will go too slow.

I just got the same Avast notice the moment I opened my computer and it said it had to do with Chrome.exe.
It’s the same “Infection blocked” notification, but if I get it more than once I assume it’s in my files somewhere…

[*]Step 1: P2P Warning

IMPORTANT I see, you have one or more P2P (Person to Person) programs installed.

1.) You have the following P2P program installed: uTorrent
2.) If you download files from non-documented sources via a P2P file sharing program, you can expect an infection of malware. That isn’t good for your PC. A long time ago file sharing with P2P programs like uTorrent was fairly safe, but that isn’t true any more. Of course you can use P2P programs at your own risk, but that is maybe the source of your infection. It would be nice if you read this here. After reading the text you will recognize why you shouldn’t have them.
3.) Please read these reports about the danger of P2P programs:

[*]Cyber Education
[*]500000 computers infected
[*]USA
[*]infoworld

4.) I would recommend that you uninstall the above. That would be nice. If you would like to uninstall the P2P program, you can do it via Start >> Control Panel >> Add or Remove Programs
5.) If you want to keep the program on your computer, don’t use it while we are fixing your computer!

[*]Step 2: Chrome Homepage

Please follow these steps here to change the homepage. (I recommend changing it to Google.com)

[*]Step 3: OTL Fix

[*]Run OTL. (if you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the OTL icon and select Run as Administrator)
[*]Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:


:Commands
[CreateRestorePoint]

:OTL
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-4175021441-3514754845-1123196991-1002..\Run: [AdobeBridge] File not found
@Alternate Data Stream - 220 bytes -> C:\Users\noukkasigne\SkyDrive:ms-properties

:Commands
[EMPTYTEMP]

[*]Click the Run Fix button.
[*]After your computer has rebooted, post the Fixlog into your next reply.

[*]Step 4: AdwCleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1

[*]Right-click on AdwCleaner.exe and select Run as administrator. (if you have Windows XP you just need to run it)
[*]Click Scan and let the scan run.
[*]When it finishes, click Clean, following the on screen prompts
[*]After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.

Note: The log can also be found in here: [b]C:\AdwCleaner[/b]

[*]Step 5: JRT Scan

http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool to your desktop.

[*]Shut down your protection software now to avoid potential conflicts.
[*]Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select “Run as Administrator”.
[*]The tool will open and start scanning your system.
[*]Please be patient as this can take a while to complete depending on your system’s specifications.
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.

[*]Step 6: OTL

[*]Run OTL by double-clicking on it. (if you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the OTL icon and select Run as Administrator)
[*]Click Quick Scan to start OTL.
[*]When OTL finishes scanning, a log, OTL.txt, will open.
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

I’ll keep uTorrent but won’t open it. I also haven’t used it in a long time (and haven’t downloaded much on this laptop through P2P either). I’m always very careful with it, and never had problems before (if it’s come from one of the torrents).

Homepage has been changed

Added the OTL fix log

AdwCleaner has just scanned so I’ll reboot now and add the log when it’s back up.

Thanks again!

//removed logs//


EDIT: JRT log has been added.
Going to do the last step now.

Copy & pasting the OTL log exceeds the maximum length of a reply here.

I’ve attached the file now, if I need to do anything else, please let me know!

(P.S. I’ll leave for my appointment in 10 minutes, so I’ll take further action tonight. Thank you so much again)

Which website did you visit when you got the alert? Do you get further alerts?

[*]Step 1: OTL Fix

[*]Run OTL. (if you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the OTL icon and select Run as Administrator)
[*]Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:


:Commands
[CreateRestorePoint]

:OTL
[2013-11-11 17:54:34 | 000,000,031 | -HS- | C] () -- C:\ProgramData\2358749098397709073116022696520727205

:Commands
[EMPTYTEMP]

[*]Click the Run Fix button.
[*]After your computer has rebooted, run OTL and click Quick Scan.
[*]Copy and paste the contents of the log that it produces into your next post.

[*]Step 2: ESET Online Scanner

Please disable your AntiVirus before doing these steps!

[*]If you have Win Vista / Win 7 / Win 8 please start IE as Administrator!
[*]This will only work for Internet Explorer or FireFox
[*]Please download ESET Online Scanner from here

How to do this?

[*]Visit this website here
[*]You will see a screen like this:

http://s7.directupload.net/images/131201/e922iil8.png

[*]Click Run ESET Online Scanner

http://s14.directupload.net/images/131201/4e3svhbd.png

[*]A Window will open (see above) - please click on the link
[*]A window will pop up - please download the file to your Desktop
[*]When the download has finished please run the program (for Win Vista/ Win7 / Win 8 User please run it as Administrator)

http://s14.directupload.net/images/131201/p35jbmyy.png

[*]Tick the box next to YES, I accept the Terms of Use then click on: Start
[*]You may see a panel towards the top of the screen telling you the website wants to install an addon… click and allow it to install. If your firewall asks whether you want to allow installation, say yes.

http://s7.directupload.net/images/131201/p3b9meru.png

[*]Make sure that the option Remove found threats is NOT checked.
[*]Make sure that the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:
[list]
[*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology

[*]Then click on Start
[*]The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
[*]When completed the Online Scan will begin automatically. The scan may take several hours.
[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

http://s14.directupload.net/images/131201/zfq43h4p.png

[*]After the scan is finished please click on Finish
[/list]
[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
[*]Copy and paste that log as a reply to this topic.
[*]I want you to uninstall following programs (XP: Start > Control Panel > Add/Remove Programs | Vista / Win7 / Win8: Start > Control Panel > uninstall a program):

[*]ESET Online Scanner

[*]Step 3: Security Check

Please download Security Check from one of the links below and save it to your Desktop.

Download Mirror #1

[*]Double-click SecurityCheck.exe and follow the on-screen instructions. (if you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the Security Check icon and select Run as Administrator)
[*]A text file, checkup.txt, will open when the scan is finished.
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

[*]Step 4: Question

How is the system running?

Hi there, back again!

I’m attaching the new OTL log to this comment, ESET is now doing its scan.

It’s not a specific website that gave me the notification, the first time was when I opened a couple of tabs, not sure what kind, but probably Tumblr or something like it.
Another time was when I clicked on my desktop notification from Soluto and Chrome opened and so did the avast notif. But nothing out of the ordinary as far as I remember.

ESET scan is now at 52%, step 3 out of 4. I’ll try to check it tonight, if it’s quick enough, but it’s already late so I might have to proceed tomorrow morning.

Thanks again!

ESETSmartInstaller@High as downloader log:
all ok
version=8
OnlineScannerApp.exe=1.0.0.1
OnlineScanner.ocx=1.0.0.6920
api_version=3.0.2
EOSSerial=b64199183cce5e428e7817d37ab53833
engine=16805
end=finished
remove_checked=false
archives_checked=true
unwanted_checked=true
unsafe_checked=true
antistealth_checked=true
utc_time=2014-01-27 01:46:44
local_time=2014-01-27 02:46:44 (+0100, W. Europe Standard Time)
country="United States"
lang=1033
osver=6.2.9200 NT
compatibility_mode=774 16777213 85 79 103404 7454202 0 0
compatibility_mode=5893 16776574 100 94 7229515 13620906 0 0
scanned=334625
found=3
cleaned=0
scan_time=9442
sh=7A6D6B9285D027203FF469132FD942331C04739D ft=1 fh=ff117eceb0910af5 vn="a variant of Win32/Packed.Armadillo.AAC trojan" ac=I fn="C:\Program Files (x86)\ZenWriter\ZenWriter.exe"
sh=3F070E1610AF41BE95DA5D4C782AC0664C674C4D ft=0 fh=0000000000000000 vn="OSX/Keygen.AA application" ac=I fn="C:\Users-–\Downloads_To Keep\ADOBE.CS6.0.MASTER.COLLECTION.WIN.OSX.KEYGEN-XFORCE\Crack-OSX\xf-amcs6.dmg"
sh=2C9E64807C9300C8875096BB3F83E17333F4DCF6 ft=0 fh=0000000000000000 vn="BAT/HostsChanger.A application" ac=I fn="C:\Users-–\Downloads_To Keep\ADOBE.CS6.0.MASTER.COLLECTION.WIN.OSX.KEYGEN-XFORCE\Crack-Windows\disable_activation.cmd"

Security Check Scan

Results of screen317’s Security Check version 0.99.79
x64 (UAC is enabled)
Internet Explorer 11
[u]Antivirus/Firewall Check:[/u]
Windows Firewall Enabled!
Windows Defender
avast! Antivirus
Antivirus up to date!
[u]Anti-malware/Other Utilities Check:[/u]
Malwarebytes Anti-Malware version 1.75.0.1300
Java 7 Update 45
Java version out of Date!
Adobe Reader XI
Mozilla Firefox 24.0 Firefox out of Date!
Mozilla Thunderbird (24.1.0)
Google Chrome 31.0.1650.63
Google Chrome 32.0.1700.76
[u]Process Check: objlist.exe by Laurent[/u]
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes’ Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
[u]System Health check[/u]
Total Fragmentation on Drive C: %
[u]````````````````````End of Log``````````````````````[/u]

  1. I’m not sure if there’s any difference, it may be slower but that could also be because I’d expect that. I’m not sure, really. I guess it works fine.
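The ESET Online Scanner log posted above has a simple shape: key=value header lines, then one "sh=… vn=… fn=…" line per detection. The parser below is an added example, not code from the thread or from ESET; it reads a constructed log in that layout, separates the trojan-class detection from the "application" (PUA) detections, flags paths that look like cracks or keygens, and checks that "found" matches the number of records and that "cleaned" tells you whether anything was actually removed (here, with remove_checked=false, nothing was).

```python
import re

# Constructed sample in the ESET Online Scanner log layout seen in this thread:
# key=value header lines, then one "sh=... fn=..." line per detection.
# Hashes, paths and names are made up for the example.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
version=8
engine=16805
end=finished
remove_checked=false
archives_checked=true
scanned=334625
found=3
cleaned=0
scan_time=9442
sh=AAAA1111 ft=1 fh=ff117eceb0910af5 vn="a variant of Win32/Packed.Armadillo.AAC trojan" ac=I fn="C:\Program Files (x86)\SomeEditor\SomeEditor.exe"
sh=BBBB2222 ft=0 fh=0000000000000000 vn="OSX/Keygen.AA application" ac=I fn="C:\Users\user\Downloads\KEYGEN-EXAMPLE\Crack-OSX\keygen.dmg"
sh=CCCC3333 ft=0 fh=0000000000000000 vn="BAT/HostsChanger.A application" ac=I fn="C:\Users\user\Downloads\KEYGEN-EXAMPLE\Crack-Windows\disable_activation.cmd"
"""

# key=value tokens; quoted values may contain spaces, unquoted ones may not
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_eset_log(text):
    """Split the log into a header dict and a list of detection dicts."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("sh="):
            # detection record: every token on the line is key=value
            rec = {}
            for m in TOKEN_RE.finditer(line):
                rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
            detections.append(rec)
        elif "=" in line:
            key, _, value = line.partition("=")
            header[key.strip()] = value.strip().strip('"')
        # other lines ("all ok", the title line) carry no fields
    return header, detections


def summarize(text):
    """Summarize what the scanner found and whether anything still needs a decision."""
    header, detections = parse_eset_log(text)
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    # ESET's detection names separate malware ("trojan") from PUA ("application")
    trojan_like = [d["fn"] for d in detections if "trojan" in d["vn"].lower()]
    pua = [d["fn"] for d in detections if "application" in d["vn"].lower()]
    # paths that look like cracks/keygens: the usual source of such detections
    crack_related = [d["fn"] for d in detections
                     if re.search(r"keygen|crack", d["fn"], re.IGNORECASE)]
    return {
        "scanned": int(header.get("scanned", "0")),
        "found": found,
        "cleaned": cleaned,
        "count_matches": found == len(detections),
        "trojan_like": trojan_like,
        "pua": pua,
        "crack_related": crack_related,
        # remove_checked=false means ESET only reported; nothing was removed
        "needs_action": found > cleaned,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"scanned={s['scanned']} found={s['found']} cleaned={s['cleaned']}")
    for label in ("trojan_like", "pua", "crack_related"):
        for path in s[label]:
            print(f"{label}: {path}")
```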

I too have received an Avast notification that it had detected the js:Redirector-BOS [Trj] Trojan Horse. I think I caught it from Bittorrent which I have now deleted. It’s a bit scary, as I get very few infections, thanks to Avast.

Should I follow the same instructions as given above? I am running Windows XP, except I do not understand what MBAM and OTL stand for.

- Illegal Software Warning -

I see some files which are related to Cracks, Keygens etc. :slight_smile: Below I list the files which are illegal; please remove them. Using illegal software is against the rules and we can’t support it. Don’t take that the wrong way, but I have to warn you about it.

Illegal files/folders:

sh=3F070E1610AF41BE95DA5D4C782AC0664C674C4D ft=0 fh=0000000000000000 vn="OSX/Keygen.AA application" ac=I fn="C:\Users\noukkasigne\Downloads\_To Keep\ADOBE.CS6.0.MASTER.COLLECTION.WIN.OSX.KEYGEN-XFORCE\Crack-OSX\xf-amcs6.dmg"
sh=2C9E64807C9300C8875096BB3F83E17333F4DCF6 ft=0 fh=0000000000000000 vn="BAT/HostsChanger.A application" ac=I fn="C:\Users\noukkasigne\Downloads\_To Keep\ADOBE.CS6.0.MASTER.COLLECTION.WIN.OSX.KEYGEN-XFORCE\Crack-Windows\disable_activation.cmd"

Download CKScanner from here

Important : Save it to your desktop.

[*]Double-click CKScanner.exe and click Search For Files.
[*]After a very short time, when the cursor hourglass disappears, click Save List To File.
[*]A message box will verify that the file is saved.
[*]Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


@soreEyes

Please open a new topic for that.

Files have been removed, I don’t use them either.
What about the first file that mentions “trojan?” It’s a program I paid for after the free version was discontinued, so I’d be pretty disappointed if that was it…

CKScanner is not responding, so I’ll try again. Will update this when it works!

Update:
All the files are related to old Adobe programs, and can all be deleted (I suppose I should but I’ll wait for your confirmation), and so can the few torrents I have.
These are all old files or never used files, while the notification is very recent…

Well, anyway, here’s the log.

Your computer looks good to me. We are done so far - so well done! :thumbsup: You were fast at responding and so we could solve your problem very quickly.

Uninstall Software

[*]Click on the Start button (http://dl.dropbox.com/u/16537616/Canned%20Speeches/Start%20Orb.jpg) and select Control Panel
[*]Click on Programs then click on Uninstall a program
[*]You will now see a list of your installed software, double click on the following one by one to uninstall them:

[*]adobe premiere pro cs6
[*]adobe dreamweaver cs6

[*]Once you have done this, reboot your computer


I. Removal of Tools and other things


[*]Step 1: OTL Fix | Delete old restore points and create a new one

[*]Run OTL.exe
[*]Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:


:Files
c:\program files\adobe\adobe premiere pro cs6
c:\program files (x86)\adobe\adobe dreamweaver cs6
c:\users\noukkasigne\documents\program files d\adobe photoshop lightroom 5.0 final (64 bit) [chingliu]
c:\users\noukkasigne\downloads\mad men season 1, 2, 3 & 4 dvd boxset+ extras  (minisodes etc) dvdrip, hdtv
c:\users\noukkasigne\downloads\_to keep\crack adobe master collection cs6.rar
c:\users\noukkasigne\downloads\_to keep\adobe.cs6.0.master.collection.win.osx.keygen-xforce
c:\users\noukkasigne\downloads\_to keep\crack adobe master collection cs6\crack adobe master collection cs6
%systemroot%\sysnative\vssadmin delete shadows /for=c: /all /quiet /c

:Commands
[RESETHOSTS]
[EMPTYTEMP]
[CreateRestorePoint]

[*]Click the Run Fix button.
[*]Your computer will reboot.

[*]Step 2: OTL CleanUp

Run OTL and hit the cleanup button. It will remove all the programs we have used plus itself.

http://s14.directupload.net/images/130523/zlpq8ukk.png

[*]Step 3: Uninstalling ESET (if you haven’t already)

[*]Click on the Start button (http://dl.dropbox.com/u/16537616/Canned Speeches/Start Orb.jpg) and select Control Panel
[*]Click on Programs then click on Uninstall a program
[*]You will now see a list of your installed software, double click on the following one by one to uninstall them:

[*]ESET

[*]Once you have done this, reboot your computer

[*]Step 4: Malwarebytes

It is an on demand scanner so it will not conflict with your AntiVirus!
But if you want to uninstall it, then please follow these steps:

[*]Click on the Start button (http://dl.dropbox.com/u/16537616/Canned Speeches/Start Orb.jpg) and select Control Panel
[*]Click on Programs then click on Uninstall a program
[*]You will now see a list of your installed software, double click on the following one by one to uninstall them:

[*]Malwarebytes

[*]Once you have done this, reboot your computer

[*]Step 5: Uninstalling AdwCleaner

[*]Run AdwCleaner
[*]Please click Uninstall - this will delete the tool from the computer

[*]Step 6: Removing other tools

You can remove JRT.exe and SecurityCheck.exe manually.


II. Prevention and Future Guidelines


[*]Step 1: FileHippo’s UpdateChecker

Download FileHippo UpdateChecker from here and install it. Please run it monthly - it will scan your update status. For example, if a program is outdated, the UpdateChecker will give you a link where you can download the newest version of the respective program.

How to update programs with FileHippo UpdateChecker?

[*]Start FileHippo UpdateChecker
[*]You get redirected to a website
[*]You will probably see a list of updates (if not, then all your critical programs are up to date)
[*]Click on the first item of the list, download the update, after that reboot the computer and take the next item of the list!

[*]Step 2: Future Tips

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don’t get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you’re getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren’t worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the Windows Update icon will appear in your taskbar when new updates are available; whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer’s performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

Keep Safe!

Thanks so much! I’ll get on it.

Dreamweaver & Premiere Pro are part of the Master Collection I have so I’d have to uninstall them through the Adobe Updater, is it absolutely necessary to uninstall them? It seems odd those programs form threats while my other programs in the Collection don’t…

Let me know! If I have to, I’ll do it of course.

And the obvious question: So when avast tells me they blocked this infection, it’s really nothing? I got another notification today when I browsed to AirBnb, which had never given me trouble before. Just being worried here, haha.

Let me know, and thank you so much for your help again!
Also wanted to mention that your instructions are always very clear, so thank you for that too.

[quote]Dreamweaver & Premiere Pro are part of the Master Collection I have so I'd have to uninstall them through the Adobe Updater, is it absolutely necessary to uninstall them?[/quote]
Yes, the two versions are cracked.
[quote]I got another notification today when I browsed to AirBnb, which had never given me trouble before.[/quote]
Weird, but you should observe that for a longer time. If there are random notifications, please come back to us.

You are most welcome.

Thanks, I’ll go through all the steps now!

Oh, and the Zenwriter file is safe? (first file from the ESET scan)

C:\Program Files (x86)\ZenWriter\

Hmmm, good question. https://www.virustotal.com/de/file/b87eef4340f4888318cd287b8891f594a23f6b3b326cdf2568f6ed56506b4c06/analysis/1390843489/ If you want to be sure, delete the folder.

Hi!

So, I removed everything last night and nothing happened, and then I just started up my laptop, opened Chrome and got the same notification again…
So I guess it happens like, once a day these past few days. It’s a little odd avast has to block a virus every day, not even being on any suspicious websites.

Also, I’d like to remove/edit my replies with files etc. logs etc. in them, but maybe I shouldn’t yet if the notification is still coming up?
And could it maybe be because of an extension I have? I recently removed extensions after the whole “Chrome Extensions include adware” news, but who knows…?

Thank you so much for your help again!