
Need help removing a suspected Trojan [Solved]


  • This topic is locked

#1
coruptcow

coruptcow

    New Member

  • Member
  • Pip
  • 7 posts

The problem is that my computer has been getting attacked from another computer for the past month. I am using Norton and it has been doing a great job so far of blocking the attacks. The attacker, however, is getting more persistent. The attacks used to happen every few days but have gotten a lot more common; it has blocked four attacks today alone. I am also getting worried about the source of the attack. Most of them were from another computer, with the IP right there and a source website; the last two, though, have come from localhost, with the attacking IP, source IP and destination IP all being the same but still having the same attacking URL.

 

I have tried using the "Power Eraser" in Norton but it won't pick anything up. I tried downloading Malwarebytes and doing a full scan; that also came up with nothing. I tried booting in safe mode and doing full scans with both Norton and Malwarebytes, but still no luck. I am guessing that there is a Trojan hidden somewhere but I have no idea where to even begin looking.

 

I do not know much about computer systems, so any information that is needed to help me solve this I am willing to pass along.

 

Any kind of help would be really appreciated.




#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi, let's have a look first. Could you attach a screenshot of the Norton alert, please?

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select additions at the bottom
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.


#3
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.



#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

User returned



#5
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Thanks for the reply and reopening the thread. 

 

Here's the screenshot of Norton and the two logs from the Recovery Tool.

Attached Thumbnails

  • Untitled1.png

Attached Files



#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you let me know if this stops the alerts?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [win_en_77] => [X]
CHR StartupUrls: Default -> "search.mpc.am"
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?s=G34zftpbl2,a0bb3947-421f-421b-a48d-74dcc699a327,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Session Restore: Default -> is enabled.
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2016-03-03]
2016-03-03 21:34 - 2016-03-03 21:34 - 00003330 _____ C:\WINDOWS\System32\Tasks\{FDFD9010-D1F8-47BD-A280-FA9A29F8AA71}
2016-03-03 21:17 - 2016-03-25 17:44 - 00000000 ____D C:\Users\Owner\AppData\LocalLow\Company
2016-03-03 21:17 - 2016-03-14 17:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\TymfoWea
2016-03-03 21:17 - 2016-03-03 21:17 - 00003418 _____ C:\WINDOWS\System32\Tasks\Uefoj
2016-03-03 21:17 - 2016-03-03 21:17 - 00000000 ____D C:\Users\Owner\AppData\Local\Tempfolder
2016-03-03 21:11 - 2016-03-03 21:11 - 00003748 _____ C:\WINDOWS\System32\Tasks\{770B6B26-C9C1-4D00-848C-E196823DFC76}
2016-03-03 20:57 - 2016-03-03 21:50 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
CustomCLSID: HKU\S-1-5-21-1225192743-1763719466-560388653-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1225192743-1763719466-560388653-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {1FC14DE9-5DB3-4AF3-8F84-FCB2626CF6F9} - System32\Tasks\{770B6B26-C9C1-4D00-848C-E196823DFC76} => pcalua.exe -a "C:\Program Files (x86)\Common Files\Jobantrax\uninstall.exe" -c shuz -f "C:\Program Files (x86)\Common Files\Jobantrax\uninstall.dat" -a uninstallme B66FCBFF-7CF3-4B53-A750-49C7D44523C1 DeviceId=5d75f071-d9ac-3a99-4609-cf7637cb52df BarcodeId=50081003 ChannelId=3 DistributerName=APSFIMonetizer
Task: {49321AF2-848F-4E4E-BB8C-984FB28A3D17} - System32\Tasks\{FDFD9010-D1F8-47BD-A280-FA9A29F8AA71} => pcalua.exe -a C:\Users\Owner\AppData\Local\AAAAAAAA-1457036269-AAAA-AAAA-D8CB8A700F1E\Uninstall.exe
Task: {71F2E7C8-75F1-481F-A5A4-76C1376D8B40} - System32\Tasks\Uefoj => C:\PROGRA~1\SHOPPE~1\Zuuesdu.bat
C:\PROGRA~1\SHOPPE~1
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

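The fixlist in the post above is a hand-written removal script, and the tells that justified each line are visible in the FRST listing it was built from: Run values whose target file FRST marks as missing ("[X]"), two scheduled tasks whose action is pcalua.exe (the Program Compatibility Assistant launcher, a Microsoft-signed binary that runs whatever program follows "-a", so the real payload never appears as the task's own executable), a task that runs a .bat from a short-name program directory, and Chrome search settings pointing at www-searching.com, search.mpc.am and api.searchpredict.com. Norton alerts in which source and destination are both the local machine fit the same picture: the traffic is generated on the host by the adware itself, which is why no remote attacker shows up anywhere in the fixlist. The Python below is an added example of automating that triage over FRST-style lines; it is not part of the original thread and not part of FRST. It assumes the line formats FRST printed in the fixlist above, and the allowlist of search hosts is my assumption, not something from the thread.

```python
"""Triage FRST listing lines for adware persistence tells.

Added example (not part of the thread or of FRST itself): it pattern-matches
the line formats FRST prints for Run keys, scheduled tasks and Chrome search
settings and flags autostarts whose target is missing ([X]), tasks that
launch a payload through pcalua.exe, tasks whose action is a script, and
search URLs pointing at hosts outside an allowlist.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Assumption: search hosts treated as legitimate; anything else is reported.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

RUN_RE = re.compile(r"^(HK\S*?)\\\.\.\.\\Run: \[([^\]]*)\] => (.*)$")
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (\S+) => (.*)$")
CHR_RE = re.compile(
    r"^CHR (DefaultSearchURL|DefaultSearchKeyword|DefaultSuggestURL|StartupUrls): \S+ -> (.*)$"
)
# pcalua.exe -a <program>: the program may be quoted (contains spaces) or bare.
PCALUA_TARGET_RE = re.compile(r'-a\s+(?:"([^"]+)"|(\S+))')

# Constructed sample input: the Run-key, Chrome and Task lines copied from the
# fixlist in the post above, so the output can be compared with the fix.
SAMPLE_LINES = r"""
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [win_en_77] => [X]
CHR StartupUrls: Default -> "search.mpc.am"
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?s=G34zftpbl2,a0bb3947-421f-421b-a48d-74dcc699a327,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
Task: {1FC14DE9-5DB3-4AF3-8F84-FCB2626CF6F9} - System32\Tasks\{770B6B26-C9C1-4D00-848C-E196823DFC76} => pcalua.exe -a "C:\Program Files (x86)\Common Files\Jobantrax\uninstall.exe" -c shuz -f "C:\Program Files (x86)\Common Files\Jobantrax\uninstall.dat" -a uninstallme B66FCBFF-7CF3-4B53-A750-49C7D44523C1 DeviceId=5d75f071-d9ac-3a99-4609-cf7637cb52df BarcodeId=50081003 ChannelId=3 DistributerName=APSFIMonetizer
Task: {49321AF2-848F-4E4E-BB8C-984FB28A3D17} - System32\Tasks\{FDFD9010-D1F8-47BD-A280-FA9A29F8AA71} => pcalua.exe -a C:\Users\Owner\AppData\Local\AAAAAAAA-1457036269-AAAA-AAAA-D8CB8A700F1E\Uninstall.exe
Task: {71F2E7C8-75F1-481F-A5A4-76C1376D8B40} - System32\Tasks\Uefoj => C:\PROGRA~1\SHOPPE~1\Zuuesdu.bat
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    kind: str    # short category label
    detail: str  # the path, host or value name the finding is about
    line: str    # the FRST line that produced it


def host_of(url: str) -> str:
    """Host part of a URL (defanged hxxp:// accepted) or of a bare host string."""
    url = url.strip().strip('"')
    url = re.sub(r"^(hxxps?|https?)://", "", url, flags=re.IGNORECASE)
    return url.split("/", 1)[0].lower()


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one FRST listing line (empty if nothing is odd)."""
    found: list[Finding] = []
    if m := RUN_RE.match(line):
        hive, name, data = m.groups()
        if name == "":                      # nameless Run value: no legitimate installer writes one
            found.append(Finding("autorun-empty-name", hive, line))
        if data == "[X]":                   # FRST's marker: the file the value points to is gone
            found.append(Finding("autorun-missing-target", name or "(unnamed)", line))
    elif m := TASK_RE.match(line):
        _task, action = m.groups()
        lowered = action.lower()
        if lowered.startswith("pcalua.exe"):
            t = PCALUA_TARGET_RE.search(action)
            target = (t.group(1) or t.group(2)) if t else "(no -a argument)"
            found.append(Finding("task-pcalua-proxy", target, line))
        elif lowered.endswith((".bat", ".cmd", ".vbs", ".js", ".ps1")):
            found.append(Finding("task-script-action", action, line))
    elif m := CHR_RE.match(line):
        setting, value = m.groups()
        host = host_of(value)
        if host not in TRUSTED_SEARCH_HOSTS:
            found.append(Finding(f"chrome-{setting}-hijack", host, line))
    return found


def triage(lines) -> list[Finding]:
    """Run triage_line over an iterable of lines (a file object works too)."""
    return [f for line in lines for f in triage_line(line.rstrip("\r\n"))]


if __name__ == "__main__":
    # With a file on stdin (python triage_frst.py < FRST.txt) scan that; otherwise the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for f in triage(source):
        print(f"{f.kind:32} {f.detail}")
```

On the sample it reports ten findings, and the pcalua targets it pulls out are exactly the two uninstaller paths the fixlist removes by task. The allowlist check is deliberately strict: a legitimate search engine missing from TRUSTED_SEARCH_HOSTS produces a false positive that is cheap to dismiss, whereas a hijacked DefaultSearchURL silently redirecting every query is the thing you do not want to miss.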

#7
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

I have attached the log generated after using FRST with the fixlist and the log from AdwCleaner.

Attached Files



#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Have the alerts now ceased?

#9
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

I just looked and the last alert I got was on March 26. I'm not sure if I did something to stop them, or if something else happened and it quit trying. I am going to monitor it more closely for a while to see if it happens again.
I have not seen anything else suspicious, so I'm hoping it's all gone and dealt with.

 

Thank you very much for your help, and I hope it won't come to this again.



#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Any further problems before I clean up?




#11
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

The only other thing I can think of is that since I got that virus my mouse will randomly double-click things when I only click once, and my keyboard will stop working for a second then instantly reset itself. I've only noticed these in games, but they never happened before I got the virus. I've tried switching both for new ones of different makes but it still happens. I'm not sure if this is actually related, but it would be nice to figure out.


Edited by coruptcow, 05 April 2016 - 05:42 PM.


#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Is this in the same game or different ones?

#13
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

It happens in a few different games. CSGO is the main game I play and it happens a lot in that. I've tried a couple of smaller indie games and the same thing happens, but those also minimize themselves or close completely.



#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Do you use a special gaming mouse or is it a generic one?

#15
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

I use a Razer Naga Hex, and for a keyboard I have a Logitech G910 Orion Spark. I have also tried a Logitech G502 mouse and a Razer BlackWidow keyboard.

