Solved May or may not be infected with nusojog and r.sastts

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

whitehound

Thread Starter
Joined
Aug 17, 2006
Messages
116
After using AnyDesk as part of my work I had a couple of incidents of my cursor appearing to move under someone else's control - generally as if that someone wasn't seeing my screen but their own, although the movements didn't correspond with what either of the two people I had AnyDesked with were doing at the time. I discovered that AnyDesk wasn't closing fully and had to be cleared via the Task Manager, and I haven't had any incidents with the cursor since, but I do suffer from bouts of lag time when working on the net. These may just be due to connection problems as BT have been working on the cables to my village.

However, to be on the safe side I ran some scans. Malware Bytes says (repeatedly) that my copy of chrome.exe is infected with two outbound Trojans, nusojog.com and r.sastts.com, but AVG says my setup is clean, including browsers.

I found some instructions on the net for cleaning r.sastts in Safe Mode, and followed them, but I did not find any of the signs of infection which the instructions said I should see and delete.

How can I establish whether these infections are real or just a glitch in Malware Bytes, and remove them if they are real? Aside from not wanting Trojans on my machine, I am using a free, trial copy of Malware Bytes (which I used successfully in the past but hadn't used with W10 before), so I want to establish whether it's giving spurious readings or not before I decide whether or not to pay for a licence.

I am using up to date copies of Windows 10 and Chrome and of the virus checkers. My AVG is the free edition.
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Welcome to the Tech Support Guy malware removal forum.
I'm iMacg3 and will be helping you.

Please keep the following information in mind before we begin:
  • Do not run any fixes or tools on your system unless I request that you do so.
  • Please read all instructions carefully, and complete them in the order listed.
  • If your computer seems to start working normally, please don't abandon the topic. Just because your computer doesn't seem to have a problem doesn't mean that it isn't infected.
  • If you have pirated or illegal software on your computer, uninstall it now before proceeding.
  • If you have questions about anything during the cleanup, please ask.


--------------------


Download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right-click FRST/FRST64 and select Run as administrator. (Windows XP users double-click on the file).
  • If you receive a SmartScreen alert, click More Info, then Run Anyway.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Attach it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this, along with FRST.txt, to your reply.

Note - FRST.txt and Addition.txt are saved to the same location as FRST/FRST64.
 

whitehound

Thread Starter
Joined
Aug 17, 2006
Messages
116
OK, it didn't generate a file called Additions, just the FRST.txt one, which says:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17.03.2019
Ran by Claire (administrator) on PEEL_TOWER (31-03-2019 02:21:46)
Running from C:\FRST
Loaded Profiles: Claire & (Available Profiles: Claire & DefaultAppPool)
Platform: Windows 10 Pro Version 1809 17763.379 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Hi,

It seems that FRST is running from C:\FRST. Please move FRST64.exe to your desktop and run it. Make sure that Addition.txt is checked before clicking Scan.
Attach both reports to your reply. (FRST.txt and Addition.txt)
 

whitehound

Thread Starter
Joined
Aug 17, 2006
Messages
116
I've a suspicion there is no Trojan, and that Malware Bytes is giving spurious readings, since AVG says it's all clean - but I need to find out before I decide whether to pay for Malware Bytes or not, and my free trial copy expires in a couple of days.
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Hi,

Did you install the Chromium open source browser intentionally?
 

whitehound

Thread Starter
Joined
Aug 17, 2006
Messages
116
No, it arrived a couple of months ago, along with a Windows update, and I've been too busy starting a new job to investigate what it does and find out whether I want it or not, so I just left it there for the moment and shut it down manually.
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Hi,

That was not a Windows update, but rather an unwanted program posing as an update.

-------------------------

Do you recognize this program?

Tangysoft (HKLM-x32\...\Tangysoft_is1) (Version: - Tangysoft Ltd.)

-------------------------

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
 


whitehound

Thread Starter
Joined
Aug 17, 2006
Messages
116
Ah, right, I've never heard of anything actually posing as a Windows update before! Adobe updates, yes, but not W10.

Yes, Tangysoft is legit. I don't recall why I wanted it - I guess I was trying to access something on Usenet - but I know it was something I installed intentionally. I don't need it any more, though, so it wouldn't do any harm to lose it.

I'm just doing my dinner at present - don't know where you are but it's 9pm here - so I'll tackle this in an hour or two. And thank you.
 

whitehound

Thread Starter
Joined
Aug 17, 2006
Messages
116
OK, here it is.

If malware is now posing as actual Windows updates, how do you tell if an update is real or not?
 


iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Hi,

The easiest way is to prevent the infection posing as the update in the first place.
Once we are finished, I'll provide some information about how to keep your computer safe on the Internet.

-------------------

Some remnants to clean up:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

------------------------


Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • Click on Get Started.
  • Another window will appear - select Get Started. Select whether you would like to send anonymous data to ESET.
  • Click on the Full Scan option.
  • Click on the option to Enable ESET to detect and remove potentially unwanted applications, and select Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop with a name like ESETlog.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • On your desktop, a file will be created called ESETlog.txt. Open it, then copy and paste its contents into your next reply.
 


whitehound

Thread Starter
Joined
Aug 17, 2006
Messages
116
01/04/2019 08:58:33
Files scanned: 1149458
Infected files: 40
Cleaned threats: 40
Total scan time 05:52:19
Scan status: Finished
 

iMacg3

Malware Specialist
Joined
Nov 3, 2018
Messages
850
Hi,

After you ran the FRST fix, there should be a file called fixlog.txt saved to the same location as FRST. Please attach it to your reply.
 