is clover really a trojan

[BettyB723]

is clover really a trojan...today it is being stopped and deleted. Or, is it safe to do an exclusion of it

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

1. Download Malwarebytes Support Tool
2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
3. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
4. Place a checkmark next to Accept License Agreement and click Next
5. You will be presented with a page stating, "Get Started!"
6. Click the Advanced tab on the left column
   
7. Click the Gather Logs button
   
8. A progress bar will appear and the program will proceed with getting logs from your computer
   
9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
       

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

 

[Maurice Naggar]

Hi,       @BettyB723

My name is Maurice. I will be helping and guiding you, going forward on this case.

We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.623.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

[BettyB723]

here are the log files

mbst-grab-results.zip

[Maurice Naggar]

Thanks for the support tool report.  I notice that the last scan with Malarebytes reported no malware.

My question is, "Where do you see 'clover' ?  I am asking just as a double check.

The Microsoft Windows 10 antivirus Windows Defender has detected a program named "clover" on your PC.  It is tagged as Trojan:Win32/CryptInject

This is a portion of the Windows system logs  

Quote

Windows Defender:
===================================
Date: 2019-08-06 14:31:16.031
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/CryptInject&threatid=2147725859&enterprise=0
Name: Trojan:Win32/CryptInject
ID: 2147725859
Severity: Severe
Category: Trojan
Path: file:_C:\Program Files (x86)\Clover\Clover.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Program Files (x86)\Clover\ClvUtil.exe
Security intelligence Version: AV: 1.299.1319.0, AS: 1.299.1319.0, NIS: 1.299.1319.0
Engine Version: AM: 1.1.16200.1, NIS: 1.1.16200.1

 

 

See this Microsoft page on this type  https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/CryptInject&ThreatID=2147725859

 

I am going to have you do a series of scans.  Starting out with this.

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows, without having to create bootable media.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
Then look on the right hand side and click on Windows Defender.
Then, scroll all the way down on the scroll bar, down to where you see "Windows Defender Offline"
Click on the button Scan Offline to start the process and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.

 

 

[BettyB723]

I must be blind....I can't find the windows defender off line option anywhere! I will include a screen shot.

Malwarebytes had deleted clover from my computer so you wouldn't have seen that. I reinstalled the earlier version of clover 3.04 or something like that. and I get no protests from Malwarebytes. It is versions 3.5 and 3.4 that cause the trojan message.

[Maurice Naggar]

In Windows Settings  >>> click on Windows Security from the left side list.

Next, In Windows Security section:  Click on the grey button Open Windows Security

Click Virus and threat protection   & next click on the blue Scan options

Look down the options list.  Tick on Windows Defender Offline scan.   Then click the grey "Scan now" button.

 

 

 

[Maurice Naggar]

P.S.  I noticed from the reports that RogueKiller64  tool was listed.  Are you doing self-medication on this pc ?  or are you getting help elsewhere on this same case ??

[BettyB723]

I tried to do exclusions but got worried that there could really be a Trojan. I had gone into windows defender to try to get it to ignore the clover program. Other than that, I have no other security programs and about a month or so ago, had to start the computer from scratch, so got rid of some things while reinstalling.   By the way I have no idea what the rougekiller64 is or where it came from!

[BettyB723]

ok I did the scan but don't know where to look for the results/file...it is not on the desktop...I also saw no notices of problems, either

[Maurice Naggar]

The item that was flagged by Windows Defender is a real infection.    See this Microsoft page on this type  https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/CryptInject&ThreatID=2147725859

 

Are you saying that today, just very recently, you did a clean Windows re-install ?

This is the way to look at the Windows Defender scan history.

 

Go to the Windows Start menu.  Click on the Settings icon.

Now click on Update & Security.   Then click on Open Windows Security.

Click the Virus & threat protection tile     and then the Protection  history label  ( in blue color)

 

 

[BettyB723]

the clean ire-install was about a month ago. I see that the Cryptinject was from clover if I read it right. I assume there is no way to fix clover unless they come out with another version?

[Maurice Naggar]

Windows Defender from the Windows operating system will remove it.  Did you look on the Defender history like I last wrote?

# 2

You can check this system using another free tool at Microsoft.  For another opinion.

The Microsoft Safety Scanner is a free stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

take a minute to locate & then send the log that it made, named msert.log

It should be at C:\Windows\debug\msert.log

[  # 3 ]

We can do more different scans if needed.   Lets please take one thing at a time.

 

[BettyB723]

funny thing...the only thing under debug is passwords.log

 

I had ready the defender stuff, which is why I said they reported the cryptinjct file came from clover and it called it severe and apparently got rid of it!

[BettyB723]

oops, I guess I jumped the gun and need to run the microsoft file I just downloaded first!

[BettyB723]

here is the log file.

msert.log

[Maurice Naggar]

Quote

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Tue Aug 06 19:16:21 2019

 

Thanks for the MS Safety Scanner log.  It reports NO infection.

Let's do one other scan just in case, for a fresh new opinion.   It should only take a few minutes.  Be sure to Close all web browsers before pressing "scan button".

Run a scan with Malwarebytes for Windows.
Start Malwarebytes from the Start menu.

Click Settings. Then click the Protection tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON

Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done , IF any items are tagged, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

When that is completed, kindly send the report.
In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your reply. Thank you.

 

[BettyB723]

done and here is the report

Malware scan tonight.txt

[Maurice Naggar]

Thanks for the Malwarebytes for Windows scan run report.  That is a very good run;  it found and removed what look like 2 "clover" exe files  ( plus some other items).

I would like to follow-up by doing a search on this PC for any other potential "clover" type files.

We are going to use a tool named FRSTENGLIGH, which is already on your pc, in the Downloads folder.

Use Windows Explorer to go to the Downloads folder.

Look for and double-click FRSTENGLISH to start it.

Start FRSTENGLISH.
Type the following   ( better yet, use COPY  then Paste)  into the search box exactly as show then press the Search Files button

SearchAll: clv;clover

Please wait while the program searches for all entries relating to this program, when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.

Sincerely,

Edited August 7, 2019 by Maurice Naggar

[BettyB723]

I am on a plane to Houston and will try to find time tonight to do it. After then, we will be traveling to Ft Worth and busy with all the stuff for our granddaughter’s wedding. So, it may be a while before I can get back to you, but I will when I can. Thanks 

[Maurice Naggar]

Have a safe trip.   Thanks for the heads up.

[BettyB723]

made it to Houston....the long way which included a taxi ride between PVd and Boston paid for by United. What a day!!!

FRST.txt

[Maurice Naggar]

Good to know you had a safe trip.

Thanks for the FRST.   It was not the file I had been looking for.  But it did show that somehow "Clover" is still on this PC.

I have a custom script ( below) to get that removed.

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) to the D:\Downloads folder

The tool named FRST64.exe  is already on the  D drive  Downloads folder.

Start the Windows Explorer and then, open the  D rive  Downloads folder.


Double click FRST64

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your reply.    Also advise on the situation after this run.

Sincerely,

Fixlist.txt

[Maurice Naggar]

Just checking back with you.  What is the status now?   I sent a custom fix script last Thursday.

[Maurice Naggar]

Hi.  Are you still with us ?