Persistent alert "klarittyjoy.com". Don't know how to get rid of it.

Hello.

I have a problem with a URL malware: “Klarittyjoy.com”, marked as a trojan by Avast.

Avast blocks it but I have the pop-up coming every time I search or change any website in Google Chrome.

I’ve done all the scans that passed through my mind but it’s really persistent. I also deleted all the Google Chrome cookies, history, etc. but it has no result.

Here I attach a screenshot of the alert. Sorry because all the information is in Spanish.

https://imagizer.imageshack.com/img924/8051/XCoTaQ.png

I ran Malwarebytes and this is the resulting log:

-Resumen del análisis-
Tipo de análisis: Análisis de amenazas
Análisis iniciado por:: Manual
Resultado: Completado
Objetos analizados: 319224
Amenazas detectadas: 16
Amenazas en cuarentena: 16
Tiempo transcurrido: 25 min, 23 seg

-Opciones de análisis-
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Activado
Heurística: Activado
PUP: Detectar
PUM: Detectar

-Detalles del análisis-
Proceso: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Módulo: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Clave del registro: 1
Generic.Malware/Suspicious, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\KMSEmulator, En cuarentena, 0, 392686, , , ,

Valor del registro: 0
(No hay elementos maliciosos detectados)

Datos del registro: 0
(No hay elementos maliciosos detectados)

Secuencia de datos: 0
(No hay elementos maliciosos detectados)

Carpeta: 1
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, En cuarentena, 155, 475078, , , ,

Archivo: 12
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, 1.0.21406, , shuriken,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000155.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000158.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000159.log, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000160.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 155, 475078, 1.0.21406, , ame,

Sector físico: 0
(No hay elementos maliciosos detectados)

WMI: 0
(No hay elementos maliciosos detectados)

(end)

I tried to run Farbar Recovery Scan Tool (FRST) several times but it always freezes after 10 minutes of starting. So I desisted.

Can anybody help me with what I can do to stop these alerts? Thank you in advance.

Were you specifically trying to connect to this Klarittyjoy.com site?
If so, the site is blacklisted by other programs and not just Avast. It also has a Critical Security Risk.

If you weren’t directly connecting to this site, then it is possible that:
You were being redirected from another site you visited.
Or you could have hidden malware on your system or a malicious add-on in your browser.

In any case a malware removal specialist needs to check your logs to be sure.

No, I don’t ever remember visiting this website. It must be one of the other options.

Thank you for your help. I will have my computer revised.

Blacklisted here: Website Blacklist Status
Domain blacklisted by ESET: -klarittyjoy.com
Domain blacklisted by McAfee: -klarittyjoy.com

Consider the raw info coming from here: https://www.shodan.io/host/172.64.162.3/raw

Consider also: https://sitereport.netcraft.com/?url=klarittyjoy.com

8 detected under this IP address (CloudFlare abuse): https://www.virustotal.com/gui/ip-address/172.64.163.3/relations

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

You’re welcome.

Had you left your logs attached they could have been checked by a qualified volunteer within the forums (free). He would have been trying to ascertain which of the options I mentioned was trying to make the connection.

What do you refer to with the logs?

I checked my computer with Malwarebytes and this is what I obtained:

Malwarebytes
www.malwarebytes.com

-Detalles del registro-
Fecha del análisis: 26/3/20
Hora del análisis: 19:18
Archivo de registro: 252c624e-6f8e-11ea-ab88-80c16e56d19c.json

-Información del software-
Versión: 4.1.0.56
Versión de los componentes: 1.0.835
Versión del paquete de actualización: 1.0.21406
Licencia: Gratis

-Información del sistema-
SO: Windows 10 (Build 17763.1098)
CPU: x64
Sistema de archivos: NTFS
Usuario: Jacob

-Resumen del análisis-
Tipo de análisis: Análisis de amenazas
Análisis iniciado por:: Manual
Resultado: Completado
Objetos analizados: 319224
Amenazas detectadas: 16
Amenazas en cuarentena: 16
Tiempo transcurrido: 25 min, 23 seg

-Opciones de análisis-
Memoria: Activado
Inicio: Activado
Sistema de archivos: Activado
Archivo: Activado
Rootkits: Activado
Heurística: Activado
PUP: Detectar
PUM: Detectar

-Detalles del análisis-
Proceso: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Módulo: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Clave del registro: 1
Generic.Malware/Suspicious, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\KMSEmulator, En cuarentena, 0, 392686, , , ,

Valor del registro: 0
(No hay elementos maliciosos detectados)

Datos del registro: 0
(No hay elementos maliciosos detectados)

Secuencia de datos: 0
(No hay elementos maliciosos detectados)

Carpeta: 1
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, En cuarentena, 155, 475078, , , ,

Archivo: 12
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, 1.0.21406, , shuriken,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000155.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000158.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000159.log, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000160.ldb, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\Users\Jacobo\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, En cuarentena, 155, 475078, , , ,
PUP.Optional.Spigot, C:\USERS\JACOBO\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Sustituido, 155, 475078, 1.0.21406, , ame,

Sector físico: 0
(No hay elementos maliciosos detectados)

WMI: 0
(No hay elementos maliciosos detectados)

(end)

I thought you had three log files attached, but my mind could be playing tricks.

The logs I referred to are the ones requested in this information only topic, https://forum.avast.com/index.php?topic=194892.0

Proceso: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Módulo: 1
Generic.Malware/Suspicious, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, En cuarentena, 0, 392686, , , ,

Clave del registro: 1
Generic.Malware/Suspicious, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\KMSEmulator, En cuarentena, 0, 392686, , , ,


So you are using cracked Windows software …

I have no idea. I don’t have any idea about informatics and I’ve never installed a cracked version. I can’t say if some technician has done it in a “repair” of my computer. It can be possible.

Hi Cobo93,

Someone who “repairs” your computer in such a fashion, does not have your best interest at heart to say the least.
Wait for a qualified remover to get your device back to normal standards, whenever a qualified remover eventually wants to do so,
when he feels you are/were an unintentional victim. :smiley:

polonus