Trend Micro not detecting xyz popup virus

I've recently gotten a popup virus on my computer that will show up on my desktop when I start up the computer and every hour or so after that. It shows news articles and the popup advertises the website iklik.xyz. I did a full scan with my Trend Micro and it didn't find anything wrong.

Edit: I'll post a screenshot when it pops up again.

outback10

Posted 2 weeks ago

Tom Emmelot, Champion

Hi outback10

Looks like a PUA, which you installed with your permission!
Uninstalling Potentially Unwanted Applications (PUA)
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105484.aspx?cm_mmc=Community-_-S...
Resetting your web browser for performance and website redirection issues
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1096707.aspx
Hope this helps, hear from you.

Kind regards,
Tom



TM_Joemar, Official Rep

Hi outback10,

Welcome to the Community!

Yes. Please provide a screenshot so we can easily identify the root cause of the issue.

You may also try our free tool specialized in malware detection.
Download it here:
Scanning your computer using Trend Micro HouseCall (For Home Users)

Regards,
Joemar

outback10



Also in response to Tom Emmelot, I don't have any recently downloaded programs from untrusted sources that would cause this, except for possibly two Microsoft updates titled "Microsoft Office 365 ProPlus - en-us" and "Update for Windows 10 for x64-based Systems (KB4023057)" which were installed two days ago; both have Microsoft Corporation as the publisher.

I didn't manually install those but I assumed they were legitimate updates. Could those be the issue?

Edit: Also HouseCall found no issues with my computer.

Tom Emmelot, Champion

Hi outback10

The only way you can get this PUA (not a virus) is by side installing with another program!!
Timesindia.xyz must be in the programs list to uninstall, but the name is on-none, but must be installed lately!
If you uninstalled already then follow this.
Resetting your web browser for performance and website redirection issues
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1096707.aspx

Kind regards,
Tom


TM_Joemar, Official Rep

Hi outback10,

I don't think that those two programs would be the cause of the issue.
Have you had any luck taking a screenshot of the popup? If yes, please attach it here so we can have a look at it.

Also, can you screenshot the installed programs on your computer? There might be an installed program that might cause it.

Regards,
Joemar

outback10

I already attached a screenshot of the popup but will attach it again here. Also here's a screenshot of my installed items sorted by date installed but again I'm familiar with every item on there (except for things from Microsoft or Intel but again I'm assuming those are okay).

And again this has only been going on for a few days. So unless the PUA got onto my computer months ago and has remained dormant until now there's nothing I recently installed on this machine, program or download or otherwise, that would coincide with the PUA's sudden appearance. 

There also isn't any suspiciously named program, xyz format or otherwise, anywhere in my installed Programs and Features.



TM_Mac, Official Rep

Hi outback10

Try running a scan using the Anti-Threat Toolkit which you can download from here: Anti-Threat Toolkit 

Please tell us the support ID that you will get after the scan so that we can check it on our end as well. 


Regards, 
Mac

outback10

The program found no threats. The temporary ID number is 1235.

I haven't received a popup in the last few hours, during which I've restarted my computer. Maybe it somehow got deleted without any of these programs telling me?

Edit: The popup's still here, never mind what I said about it leaving haha

outback10

Have you looked at the scan on your side?

TM_Joemar, Official Rep

Hi outback10,

Upon checking on the log files, it seems that there is a fileless malware which infected the computer. However, the Anti-threat Toolkit must have removed that malware after the scan.
Have you deleted the malware detected using the Anti-threat toolkit after the scan?

Regards,
Joemar

outback10


I have run the scan twice a day ago but the popup is still on my computer (as shown in the picture). I'm running the scan a third time.


This scan also showed there was nothing wrong with the computer. Same temp ID number of 1235.

Edit: The popup is no longer going away. It used to just go away after a few minutes but it stays on my screen for over 30 now.

outback10

I didn't realize the original scan was a quick scan. I did a full scan and it found 9 issues which it deleted. I restarted my computer and (hopefully) the problem is fixed.

TM_Pat, Official Rep

Hi outback10,

We'll wait for your observation. Let us know if the same problem will still occur.

Regards,
Pat

outback10

I've run the scanner an additional 2 times. Each time it's found at least one threat and removed it from my computer, however the malware is still on my computer.

outback10

So I've run the full scan three to four more times. Each time it has found EXACTLY two threats in the computer: a Wallpaper threat and a HiddenU threat. Each time, the toolkit says it fixed both threats, but then the popup will reappear after a while, where I will run the scan again, find the same two threats, and have TrendMicro "remove" them.

The popup never goes away when the threats are removed. I always have to restart the computer for it to do so.

Tom Emmelot, Champion

Hi outback10

Did you use the Anti-threat toolkit???
Free anti-malware tools for Home Users
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105967.aspx
Resetting your web browser for performance and website redirection issues
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1096707.aspx
Resolving website redirection issues
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1111744.aspx?_ga=2.263079436.1262...

Hope this helps,

Kind regards,
Tom




outback10

I ran that toolkit multiple times, as I said before. I double checked it's the same toolkit as the other representative instructed me to use.

The toolkit finds errors, says it removed them, I restart my computer (since the popup doesn't go away), the popup comes back after some time, I restart the toolkit, it finds the SAME errors, "successfully" removes them, then it repeats.

TM_Pat, Official Rep

Hi outback10,

Have you already checked all of the installed extensions on all of your web browsers?

outback10

I've removed all my Chrome extensions and the popup persists. I have no popups on Edge and have no other browsers.

Tom Emmelot, Champion

Hi outback10

Are you sure there is no program in your programs list that should not be there?
Did you clean the startup link of Chrome?
Right click on icon and click on properties.
There should be nothing after chrome.exe



Hope this helps,

Kind regards,
Tom
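
Added example, not part of the original thread: the shortcut check described in the post above (nothing should follow chrome.exe in the shortcut target), run in PowerShell over every shortcut on the desktop, Start menu and taskbar. The folder list and the browser executable names are assumptions.

```powershell
# Added example: report browser shortcuts (.lnk) that carry launch arguments.
# Assumptions: the folders searched and the browser executable names below.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$browsers = 'chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe'
$shell    = New-Object -ComObject WScript.Shell

$links = Get-ChildItem -LiteralPath $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue

$findings = foreach ($lnk in $links) {
    # WScript.Shell exposes the same fields shown in the shortcut's Properties dialog
    $shortcut  = $shell.CreateShortcut($lnk.FullName)
    $exeName   = [System.IO.Path]::GetFileName($shortcut.TargetPath)
    $arguments = "$($shortcut.Arguments)".Trim()

    # Only browser shortcuts are of interest, and only when something follows the .exe
    if ($browsers -notcontains $exeName) { continue }
    if (-not $arguments) { continue }

    [pscustomobject]@{
        Shortcut  = $lnk.FullName
        Target    = $shortcut.TargetPath
        Arguments = $arguments
        OpensUrl  = [bool]($arguments -match 'https?://')
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No browser shortcut has anything after the executable name.'
}
```

Chrome's own profile shortcuts legitimately carry `--profile-directory`; a URL after the executable name (`OpensUrl` is `True`) is the case that makes the browser open an unwanted page at launch.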


outback10

There is nothing after chrome.exe in the startup link.


Here's a complete list of every single program installed on my computer within the last two months (the popup has existed for little more than a week):

Innkeeper: 12/5/2018 (a well known Hearthstone companion app, updated due to a game update)

Google Chrome: 12/3/2018 (I uninstalled Chrome and reinstalled it to see if that would fix the issue. It did not)

Hearthstone Deck Tracker: 11/30/2018 (another well known Hearthstone companion app, also updated for the same reason)

Microsoft OneDrive: 11/28/2018

SteelSeries Engine 3.13.3: 11/27/2018 (Driver for my mouse. Do not know why it updated)

Update for Windows 10 for x64-based Systems (KB4023057): 11/25/2018

Microsoft Office 365 ProPlus - en-us: 11/25/2018

Overwolf: 11/13/2018 (another gaming companion app, which I use for Hearthstone)

The Long Dark: 11/10/2018 (a videogame I bought and installed through Steam)

Europa Universalis IV: 11/5/2018 (a videogame I bought and installed through Steam)

Vulkan Run Time Libraries 1.0.54.1: 9/28/2018 (I don't know what this is, publisher says it's from Intel Corporation Inc.)


As a reference, I have Innkeeper, Chrome, Hearthstone Deck Tracker, and Overwolf on my laptop and that has no issues.


No other program is installed since 9/10/2018. So unless the popup got onto my computer before then and remained dormant for nearly two months it's not from an earlier time. Regardless, there is no installed program whatsoever that I do not recognize. I also googled all the programs I listed to see if anyone was complaining about a popup and got no matches.

outback10

By the way, this popup is consistently updating. It now includes a picture with it and has a much more streamlined UI than it had at the start, with the UI becoming nicer and more refined nearly each day.

Tom Emmelot, Champion

Hi outback10

Can you provide us with a screenshot of that new popup?

Kind regards,
Tom


outback10


As you can see it has most of the same info on it but streamlined

TM_Joemar, Official Rep

Hi outback10,

Would it be okay with you if we can remotely access your computer to check what might be causing these popups?

Regards,
Joemar

outback10

Sure that would be fine. How would I help set that up?

TM_Joemar, Official Rep

Hi outback10,

Sorry for the late response. I'll send you an email and we'll do our conversation there regarding this case.

Regards,
Joemar