
Solved: May or may not be infected with nusojog and r.sastts

Discussion in 'Virus & Other Malware Removal' started by whitehound, Mar 26, 2019.

  1. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    After using AnyDesk as part of my work I had a couple of incidents of my cursor appearing to move under someone else's control - generally as if that someone wasn't seeing my screen but their own, although the movements didn't correspond with what either of the two people I had AnyDesked with were doing at the time. I discovered that AnyDesk wasn't closing fully and had to be cleared via the Task Manager, and I haven't had any incidents with the cursor since, but I do suffer from bouts of lag time when working on the net. These may just be due to connection problems as BT have been working on the cables to my village.

    However, to be on the safe side I ran some scans. Malwarebytes says (repeatedly) that my copy of chrome.exe is infected with two outbound Trojans, nusojog.com and r.sastts.com, but AVG says my setup is clean, including browsers.

    I found some instructions on the net for cleaning r.sastts in Safe Mode, and followed them, but I did not find any of the signs of infection which the instructions said I should see and delete.

    How can I establish whether these infections are real or just a glitch in Malwarebytes, and remove them if they are real? Aside from not wanting Trojans on my machine, I am using a free, trial copy of Malwarebytes (which I used successfully in the past but hadn't used with W10 before), so I want to establish whether it's giving spurious readings or not before I decide whether or not to pay for a licence.

    I am using up to date copies of Windows 10 and Chrome and of the virus checkers. My AVG is the free edition.
     
  2. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    316
    Welcome to the Tech Support Guy malware removal forum.
    I'm iMacg3 and will be helping you.

    Please keep the following information in mind before we begin:
    • Do not run any fixes or tools on your system unless I request that you do so.
    • Please read all instructions carefully, and complete them in the order listed.
    • If your computer seems to start working normally, please don't abandon the topic. Just because your computer doesn't seem to have a problem doesn't mean that it isn't infected.
    • If you have pirated or illegal software on your computer, uninstall it now before proceeding.
    • If you have questions about anything during the cleanup, please ask.


    --------------------


    Download Farbar Recovery Scan Tool and save it to your Desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Right-click FRST/FRST64 and select Run as administrator. (Windows XP users double-click on the file).
    • If you receive a SmartScreen alert, click More Info, then Run Anyway.
    • When the tool opens, click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Attach it to your reply.
    • The tool will also produce another log (Addition.txt). Please attach this, along with FRST.txt, to your reply.

    Note - FRST.txt and Addition.txt are saved to the same location as FRST/FRST64.
     
  3. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    Thank you very much - I'll have a crack at this over the weekend.
     
  4. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    OK, it didn't generate a file called Additions, just the FRST.txt one, which says:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17.03.2019
    Ran by Claire (administrator) on PEEL_TOWER (31-03-2019 02:21:46)
    Running from C:\FRST
    Loaded Profiles: Claire & (Available Profiles: Claire & DefaultAppPool)
    Platform: Windows 10 Pro Version 1809 17763.379 (X64) Language: English (United States)
    Default browser: Chrome
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
     
  5. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    316
    Hi,

    It seems that FRST is running from C:\FRST. Please move FRST64.exe to your desktop and run it. Make sure that Addition.txt is checked before clicking Scan.
    Attach both reports to your reply. (FRST.txt and Addition.txt)
     
  6. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    OK, here we are.
     

    Attached Files:

  7. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    I've a suspicion there is no Trojan, and that Malwarebytes is giving spurious readings, since AVG says it's all clean - but I need to find out before I decide whether to pay for Malwarebytes or not, and my free trial copy expires in a couple of days.
     
  8. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    316
    Hi,

    Did you install the Chromium open source browser intentionally?
     
  9. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    No, it arrived a couple of months ago, along with a Windows update, and I've been too busy starting a new job to investigate what it does and find out whether I want it or not, so I just left it there for the moment and shut it down manually.
     
  10. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    316
    Hi,

    That was not a Windows update, but rather an unwanted program posing as an update.

    -------------------------

    Do you recognize this program?

    Tangysoft (HKLM-x32\...\Tangysoft_is1) (Version: - Tangysoft Ltd.)

    -------------------------

    We need to run a fix with FRST:

    • Please download the attached fixlist.txt file and save it to the same location as FRST
      Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
      NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
    • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
    • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
     

    Attached Files:

  11. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    Ah, right, I've never heard of anything actually posing as a Windows update before! Adobe updates, yes, but not W10.

    Yes, Tangysoft is legit. I don't recall why I wanted it - I guess I was trying to access something on Usenet - but I know it was something I installed intentionally. I don't need it any more, though, so it wouldn't do any harm to lose it.

    I'm just doing my dinner at present - don't know where you are but it's 9pm here - so I'll tackle this in an hour or two. And thank you.
     
  12. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    OK, here it is.

    If malware is now posing as actual Windows updates, how do you tell if an update is real or not?
     

    Attached Files:

  13. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    316
    Hi,

    The easiest way is to prevent the infection posing as the update in the first place.
    Once we are finished, I'll provide some information about how to keep your computer safe on the Internet.

    -------------------

    Some remnants to clean up:

    • Please download the attached fixlist.txt file and save it to the same location as FRST
      Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
      NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
    • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
    • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

    ------------------------


    Download ESET Online Scanner and save it to your desktop.
    • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
    • Click on Get Started.
    • Another window will appear - select Get Started. Select whether you would like to send anonymous data to ESET.
    • Click on the Full Scan option.
    • Click on the option to Enable ESET to detect and remove potentially unwanted applications, and select Start scan.
    • ESET will now begin scanning your computer. This may take some time.
    • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop with a name like ESETlog.txt. Click on Continue.
    • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
    • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
    • On your desktop, a file will be created called ESETlog.txt. Open it, then copy and paste its contents into your next reply.
     

    Attached Files:

  14. whitehound

    whitehound Thread Starter

    Joined:
    Aug 17, 2006
    Messages:
    113
    01/04/2019 08:58:33
    Files scanned: 1149458
    Infected files: 40
    Cleaned threats: 40
    Total scan time 05:52:19
    Scan status: Finished
     
  15. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    316
    Hi,

    After you ran the FRST fix, there should be a file called fixlog.txt saved to the same location as FRST. Please attach it to your reply.
     

Short URL to this thread: https://techguy.org/1224959
