Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help removing a suspected Trojan [Solved]


  • This topic is locked This topic is locked

#1
coruptcow

coruptcow

    New Member

  • Member
  • Pip
  • 7 posts

The problem is that my computer has been getting attacked from another computer for the past month. I am using Norton and it has been doing a great job so far of blocking the attacks. The attacker however is getting more persistent. The attacks used to happen every few days but have gotten a lot more common, it has blocked four attacks today alone. I am also getting worried about the source of the attack. Most of them were from another computer with the IP right there and a source website, the last two though have come from localhost, with the attacking IP, source IP and destination IP all being the same but still having the same attacking URL. 

 

I have tried using the "Power Eraser" in Norton but it wont pick anything up, I tried downloading Malwarebyte and doing a full scan that also came up with nothing. I tried booting in safe mode and doing full scans with both Norton and Malwarebyte, but still no luck. I am guessing that there is a Trojan hidden somewhere but i have no idea where to even begin looking.

 

I do not know much about computer systems so any information that is needed to help me solve this i am willing to pass along.

 

Any kind of help would be really appreciated.


  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi lets have a look first... Could you attach a screenshot of the Norton alert please

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select additions at the bottom
  • Press Scan button.
    frst.JPG
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.

  • 0

#3
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

User returned


  • 0

#5
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Thanks for the reply and reopening the thread. 

 

Heres the screenshot of Norton and the 2 logs from the Recovery Tool.

Attached Thumbnails

  • Untitled1.png

Attached Files


  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you let me know if this stops the alerts

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [win_en_77] => [X]
CHR StartupUrls: Default -> "search.mpc.am"
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?s=G34zftpbl2,a0bb3947-421f-421b-a48d-74dcc699a327,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Session Restore: Default -> is enabled.
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2016-03-03]
2016-03-03 21:34 - 2016-03-03 21:34 - 00003330 _____ C:\WINDOWS\System32\Tasks\{FDFD9010-D1F8-47BD-A280-FA9A29F8AA71}
2016-03-03 21:17 - 2016-03-25 17:44 - 00000000 ____D C:\Users\Owner\AppData\LocalLow\Company
2016-03-03 21:17 - 2016-03-14 17:45 - 00000000 ____D C:\Users\Owner\AppData\Roaming\TymfoWea
2016-03-03 21:17 - 2016-03-03 21:17 - 00003418 _____ C:\WINDOWS\System32\Tasks\Uefoj
2016-03-03 21:17 - 2016-03-03 21:17 - 00000000 ____D C:\Users\Owner\AppData\Local\Tempfolder
2016-03-03 21:11 - 2016-03-03 21:11 - 00003748 _____ C:\WINDOWS\System32\Tasks\{770B6B26-C9C1-4D00-848C-E196823DFC76}
2016-03-03 20:57 - 2016-03-03 21:50 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
CustomCLSID: HKU\S-1-5-21-1225192743-1763719466-560388653-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1225192743-1763719466-560388653-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {1FC14DE9-5DB3-4AF3-8F84-FCB2626CF6F9} - System32\Tasks\{770B6B26-C9C1-4D00-848C-E196823DFC76} => pcalua.exe -a "C:\Program Files (x86)\Common Files\Jobantrax\uninstall.exe" -c shuz -f "C:\Program Files (x86)\Common Files\Jobantrax\uninstall.dat" -a uninstallme B66FCBFF-7CF3-4B53-A750-49C7D44523C1 DeviceId=5d75f071-d9ac-3a99-4609-cf7637cb52df BarcodeId=50081003 ChannelId=3 DistributerName=APSFIMonetizer
Task: {49321AF2-848F-4E4E-BB8C-984FB28A3D17} - System32\Tasks\{FDFD9010-D1F8-47BD-A280-FA9A29F8AA71} => pcalua.exe -a C:\Users\Owner\AppData\Local\AAAAAAAA-1457036269-AAAA-AAAA-D8CB8A700F1E\Uninstall.exe
Task: {71F2E7C8-75F1-481F-A5A4-76C1376D8B40} - System32\Tasks\Uefoj => C:\PROGRA~1\SHOPPE~1\Zuuesdu.bat
C:\PROGRA~1\SHOPPE~1
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

  • 0

#7
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

I have attached the log generated after using FRST with the fixlist and the log from AdwCleaner.

Attached Files


  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Have the alerts now ceased ?
  • 0

#9
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

I just looked and the last alert I got was on March 26. I'm not sure if I did something to stop them, or if something else happened and it quit trying. I am going to monitor it more closely for a while to see if it happens again.
I have not seen anything else suspicious so I'm hoping its all gone and dealt with.

 

Thank you very much for your help and I hope it wont come to this again.


  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Any further problems before I clean up ?


  • 0

Advertisements


#11
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

The only other thing I can think of is that since I got that virus my mouse will randomly double click things when I only click once and my keyboard will stop working for a sec then instantly reset itself. I've only noticed these in games but they never happened before I got the virus. I've tried switching both for new one of different makes but it still happens. I'm not sure if this is actually related but it would be nice to figure out.


Edited by coruptcow, 05 April 2016 - 05:42 PM.

  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Is this in the same game or different ones ?
  • 0

#13
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

It happens in a few different games. CSGO is the main game I play and it happens a lot in that. I've tried a couple smaller indie games and the same thing happens but those also minimize themselves or close completely.


  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Do you use a special gaming mouse or is it a generic one
  • 0

#15
coruptcow

coruptcow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

I use a Razor Naga Hex, and for a keyboard I have a Logitech G910 Orion Spark. I have also tried a Logitech G502 mouse and a Razor Blackwidow keyboard.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP