  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.

May or may not be infected with nusojog and r.sastts

After using AnyDesk as part of my work I had a couple of incidents of my cursor appearing to move under someone else's control - generally as if that someone wasn't seeing my screen but their own, although the movements didn't correspond with what either of the two people I had AnyDesked with were doing at the time. I discovered that AnyDesk wasn't closing fully and had to be cleared via the Task Manager, and I haven't had any incidents with the cursor since, but I do suffer from bouts of lag time when working on the net. These may just be due to connection problems as BT have been working on the cables to my village.

However, to be on the safe side I ran some scans. Malwarebytes says (repeatedly) that my copy of chrome.exe is infected with two outbound Trojans, nusojog.com and r.sastts.com, but AVG says my setup is clean, including browsers.

I found some instructions on the net for cleaning r.sastts in Safe Mode, and followed them, but I did not find any of the signs of infection which the instructions said I should see and delete.

How can I establish whether these infections are real or just a glitch in Malwarebytes, and remove them if they are real? Aside from not wanting Trojans on my machine, I am using a free, trial copy of Malwarebytes (which I used successfully in the past but hadn't used with W10 before), so I want to establish whether it's giving spurious readings or not before I decide whether or not to pay for a licence.

I am using up to date copies of Windows 10 and Chrome and of the virus checkers. My AVG is the free edition.
Welcome to the Tech Support Guy malware removal forum.
I'm iMacg3 and will be helping you.

Please keep the following information in mind before we begin:
  • Do not run any fixes or tools on your system unless I request that you do so.
  • Please read all instructions carefully, and complete them in the order listed.
  • If your computer seems to start working normally, please don't abandon the topic. Just because your computer doesn't seem to have a problem doesn't mean that it isn't infected.
  • If you have pirated or illegal software on your computer, uninstall it now before proceeding.
  • If you have questions about anything during the cleanup, please ask.

--------------------

Download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right-click FRST/FRST64 and select Run as administrator. (Windows XP users double-click on the file).
  • If you receive a SmartScreen alert, click More Info, then Run Anyway.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Attach it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this, along with FRST.txt, to your reply.

Note - FRST.txt and Addition.txt are saved to the same location as FRST/FRST64.
Thank you very much - I'll have a crack at this over the weekend.
OK, it didn't generate a file called Additions, just the FRST.txt one, which says:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17.03.2019
Ran by Claire (administrator) on PEEL_TOWER (31-03-2019 02:21:46)
Running from C:\FRST
Loaded Profiles: Claire & (Available Profiles: Claire & DefaultAppPool)
Platform: Windows 10 Pro Version 1809 17763.379 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
Hi,

It seems that FRST is running from C:\FRST. Please move FRST64.exe to your desktop and run it. Make sure that Addition.txt is checked before clicking Scan.
Attach both reports to your reply. (FRST.txt and Addition.txt)
OK, here we are.

I've a suspicion there is no Trojan, and that Malwarebytes is giving spurious readings, since AVG says it's all clean - but I need to find out before I decide whether to pay for Malwarebytes or not, and my free trial copy expires in a couple of days.
Hi,

Did you install the Chromium open source browser intentionally?
No, it arrived a couple of months ago, along with a Windows update, and I've been too busy starting a new job to investigate what it does and find out whether I want it or not, so I just left it there for the moment and shut it down manually.
Hi,

That was not a Windows update, but rather an unwanted program posing as an update.

-------------------------

Do you recognize this program?

Tangysoft (HKLM-x32\...\Tangysoft_is1) (Version: - Tangysoft Ltd.)

-------------------------

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run. Please post it to your reply.

Ah, right, I've never heard of anything actually posing as a Windows update before! Adobe updates, yes, but not W10.

Yes, Tangysoft is legit. I don't recall why I wanted it - I guess I was trying to access something on Usenet - but I know it was something I installed intentionally. I don't need it any more, though, so it wouldn't do any harm to lose it.

I'm just doing my dinner at present - don't know where you are but it's 9pm here - so I'll tackle this in an hour or two. And thank you.
OK, here it is.

If malware is now posing as actual Windows updates, how do you tell if an update is real or not?

Hi,

The easiest way is to prevent the infection posing as the update in the first place.
Once we are finished, I'll provide some information about how to keep your computer safe on the Internet.

-------------------

Some remnants to clean up:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run. Please post it to your reply.

------------------------

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • Click on Get Started.
  • Another window will appear - select Get Started. Select whether you would like to send anonymous data to ESET.
  • Click on the Full Scan option.
  • Click on the option to Enable ESET to detect and remove potentially unwanted applications, and select Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop with a name like ESETlog.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • On your desktop, a file will be created called ESETlog.txt. Open it, then copy and paste its contents into your next reply.

01/04/2019 08:58:33
Files scanned: 1149458
Infected files: 40
Cleaned threats: 40
Total scan time 05:52:19
Scan status: Finished
Hi,

After you ran the FRST fix, there should be a file called fixlog.txt saved to the same location as FRST. Please attach it to your reply.
Here we are.

Hi,

Right-click on FRST/FRST64 and click Run as Administrator
Click on Scan. Once the scan is complete, Notepad will open with the scan logs. (FRST.txt and Addition.txt)
Attach FRST.txt and Addition.txt in your next reply.

How is the computer doing?
Better - no more unwanted appearances of Chromium, and it's generally running more smoothly.

Hi,

Does Malwarebytes still detect the threats in Chrome?
No, and the programme is still live - I just checked and it's got 23 hours to go. So I think you succeeded. I really appreciate it.