Win32/filcout

Having just run Windows Update (which ran the Microsoft Malicious Software Removal Tool), it has popped up saying it has partially removed malware. It provides a long list of 'not infected' files, but lists one 'Win32/filcout' as removed?

Having done a little searching I can't really seem to find a clear explanation for this, other than that it might be a legitimate file but potentially could be a trojan (which is what you find if you google any file name whatsoever), so I thought I'd ask those with more experience (i.e. you).

 

Thank you for any advice you can provide.

Hello Leofric,

I could find no info about the operating system version, the Norton products installed, or any other security software being used. Please post that too.

From what you posted, it seems to be an infection by a trojan or adware.

I suggest you scan your system with a Full System Scan of Norton.

To cross-check the detection, a full scan with Malwarebytes (free edition, which I assume you already have) will also be helpful. That's because Microsoft has only partially removed the suspected file / infection.

Let's hope for the best.

Alternatively you can work with the malware removal forums listed @:
http://community.norton.com/t5/Tech-Outpost/Malware-Removal-Forum-Recommendations/m-p/1059145

We cannot provide expert malware removal here, due to limited facility. Work with any of the forums there; they will surely be of help. They are free and one-to-one.

Related MS article:

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FFilcout.A&ThreatID=-2147280851

Hope it helps.

I use Windows 7 64-bit with Norton Internet Security 2013.

Ran Norton Eraser and a Full System Scan; found nothing.

Ran Malwarebytes and found this:

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 460060
Time elapsed: 58 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3} (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
HKCU\Software\BabSolution\Updater (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\ProgramData\IBUpdaterService (Adware.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Roaming\SpeedAnalysis2 (PUP.Optional.SpeedAnalysis.A) -> Quarantined and deleted successfully.

Files Detected: 5
C:\ProgramData\DSearchLink\DSearchLink.exe (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\Setup.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\ProgramData\IBUpdaterService\repository.xml (Adware.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Roaming\SpeedAnalysis2\speedanalysis.crx (PUP.Optional.SpeedAnalysis.A) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Roaming\speedanalysis.ico (PUP.Optional.SpeedAnalysis2.A) -> Quarantined and deleted successfully.

Any ideas what this all means?
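A small parser for the Malwarebytes report format posted above, added here as an example and not part of the thread. It totals detections per signature family, flags any item whose action is not a completed quarantine, and checks that each section's declared count matches the lines found; the sample is a constructed excerpt of the log, with the last action line altered to show a pending item.

```python
import re
from collections import defaultdict
# Constructed excerpt in the Malwarebytes report format from the thread; the last action is altered.
SAMPLE_LOG = r"""
Registry Keys Detected: 2
HKCR\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3} (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
HKCU\Software\BabSolution\Updater (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

Folders Detected: 2
C:\ProgramData\IBUpdaterService (Adware.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Roaming\SpeedAnalysis2 (PUP.Optional.SpeedAnalysis.A) -> Quarantined and deleted successfully.

Files Detected: 2
C:\ProgramData\DSearchLink\DSearchLink.exe (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\Setup.exe (PUP.Optional.Conduit.A) -> Delete on reboot.
"""
# "<Category> Detected: <n>" opens a section; each detection is "<item> (<signature>) -> <action>."
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<signature>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_report(text):
    """Return ({category: {"declared": n, "items": [(item, sig, action)]}}, [categories with count mismatch])."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if header := HEADER_RE.match(line):
            current = header.group("category")
            sections[current] = {"declared": int(header.group("count")), "items": []}
        elif current and (item := ITEM_RE.match(line)):
            sections[current]["items"].append(item.group("item", "signature", "action"))
    # A declared count that disagrees with the lines found means the report was cut or edited.
    mismatches = [c for c, d in sections.items() if d["declared"] != len(d["items"])]
    return sections, mismatches


def family(signature):
    """'PUP.Optional.Delta.A' -> ('PUP', 'Delta'); 'Adware.InstallBrain' -> ('Adware', 'InstallBrain')."""
    parts = signature.split(".")
    return parts[0], parts[2] if parts[:2] == ["PUP", "Optional"] and len(parts) > 2 else parts[1]


def summarize(text):
    """Count detections per (class, family) and list items whose action is not a completed quarantine."""
    sections, mismatches = parse_mbam_report(text)
    families, pending = defaultdict(int), []
    for category, data in sections.items():
        for item, signature, action in data["items"]:
            families[family(signature)] += 1
            if not action.startswith("Quarantined and deleted"):
                pending.append((category, item, action))
    return dict(families), pending, mismatches
```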

 


Leofric wrote:

Ran Norton Eraser and a Full System Scan; found nothing.

Ran Malwarebytes and found this:

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

Registry Keys Detected: 2
HKCR\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3} (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
HKCU\Software\BabSolution\Updater (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.

Folders Detected: 2

C:\ProgramData\IBUpdaterService (Adware.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Roaming\SpeedAnalysis2 (PUP.Optional.SpeedAnalysis.A) -> Quarantined and deleted successfully.

Files Detected: 5
C:\ProgramData\DSearchLink\DSearchLink.exe (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\Setup.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\ProgramData\IBUpdaterService\repository.xml (Adware.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Roaming\SpeedAnalysis2\speedanalysis.crx (PUP.Optional.SpeedAnalysis.A) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Roaming\speedanalysis.ico (PUP.Optional.SpeedAnalysis2.A) -> Quarantined and deleted successfully.

Any ideas what this all means?

 


Sorry for posting late.

Let me explain this, colour coded:

That's why I asked you to run an MBAM scan.

Microsoft has recently revised its criteria to categorise or whitelist malware and similar applications.

See a related post here:

http://community.norton.com/t5/Tech-Outpost/Does-link-contain-OpenCandy-virus/m-p/1134254#M10412

(The correct justification given by SendOfJive is highlighted there)

This is what the criteria are:

http://www.microsoft.com/security/portal/shared/objectivecriteria.aspx

So as soon as Windows Defender got updated and scanned (scanning is auto-triggered by the update) using the latest detection rules and signatures, it found the threat.

Since you enabled scanning for PUP | PUM | P2P in MBAM, you detected that malware, actually not completely, as Windows Defender had already removed some parts of the threat or malware. Actually the detected threat is not a virus or something. It comes under PUP / PUA (Potentially Unwanted Program / Potentially Unwanted Application) and adware.

These registry keys were related to those applications' installation, which proves that they were installed, not infected automatically.

The folders show that there were multiple programs of the above-said category (PUP / PUA / Adware) existing in your system before removal by MBAM.

Those detections are given generic names.

Successfully detected, Quarantined and Deleted. So peace of mind assured.


Then a question arises: "Why didn't Norton detect these craps?"

Norton didn't detect these simply because you installed them knowingly or unknowingly (I'll tell you how you were tricked). The threats detected were:

  • Babylon
  • InstallBrain
  • SpeedAnalysis
  • Delta
  • Conduit

In this, except InstallBrain, all were marked Potentially Unwanted Program / Optional. The "Optional" is because MBAM also recognised it as having been installed by the user knowingly or unknowingly, and gives the user an option whether to destroy (Quarantine) or retain it. So, how did the exception, InstallBrain, come? It was installed by the toolbars you accidentally installed.

So what the hell did I mean by "you installed them knowingly or unknowingly" and "you accidentally installed"? Was it to criticise you or blame you for that action?

No no, not really. (And no offence by it too... :) ) Actually you downloaded some of your favourite software or games from third-party websites rather than downloading from OEMs' or developers' sites. In order to host files and maintain them, these 3rd-party sites need revenue. This revenue is not contributed by the real developers and OEMs in most cases. So these sites edit the hosted executables to include (actually append) an EULA in the software and add some toolbars.

In your case, before the removal of these craps by Windows Defender and MBAM, while browsing using keywords, you would be redirected to a Delta Search result or Babylon page result instead of getting a Google page result. That's how revenue is generated.

"Why didn't Norton detect these craps?"

Norton is mainly designed to prevent unexpected infection of home users' devices. So as the user was tricked into installing the so-called PUPs, Norton assumes it is being installed because the user needs it and treats it similarly to other installed programs. That's why Norton skipped detecting them.

How to prevent such events again?

Visit the below link. There are a lot of suggestions there, which will surely be of help to you.

http://community.norton.com/t5/Tech-Outpost/How-I-stay-safe-online/m-p/1117004#M9764

I hope what I explained to you is crystal clear. To make it more useful for someone in future, the explanation is kept interactive and brief.

Keep us posted if in doubt.


Thanks for that. Am I right that I don't need to do anything other than usual for 'safe surfing'?

Hi, Leofric. MalwareBytes has picked up these PUAs and PUPs because that's what it specialises in.

Norton does not normally regard them as malicious.

They are often more of a nuisance than anything else.

If you leave them quarantined, they cannot access your system.

If future scans by both Norton and MalwareBytes come up clean, then don't be concerned.

Surf sensibly, try not to download programs from 3rd-party sites, and ALWAYS uncheck the additions such as the ASK Toolbar, or similar.

OK, thanks for all the help, much appreciated.

Hi,
glad to hear you solved the problem. Keep in touch with the community. :)