Had shaking cursor, maybe removed- not sure


This topic is locked
9 replies to this topic

#1 gutterbust

gutterbust

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 06 March 2018 - 11:22 AM

Hello,

 

I am running Windows 10 64bit. Yesterday evening my computer began behaving erratically, with the mouse cursor shaking whenever touched on the mousepad. I booted the computer into safe mode and checked the mouse settings to confirm that this was not a hardware or driver issue (I suspected a virus).

 

I got on this site and found various pieces of information, so I downloaded adwcleaner, reinstalled a clean version of Malware bytes, Malware bytes Anti Rootkit beta, and FRST64. I ran each of these.

 

With the adwcleaner I had some initial positive results. I ran Rkill before running the program, and it found PUPs on the first and second times I ran it. I had it quarantine those. However I have run it three more times to no further results, telling me the system is clean.

 

I have run Malwarebytes on a full system scan and run an Avast full system scan and found nothing. However, even after running adwcleaner and 'quarantining' those items, I was still experiencing the shaky mouse. The PUPs found on adwcleaner were in chrome if I recall, so I uninstalled and reinstalled chrome. I am not experiencing the shaky mouse at this time, but because this was happening after the quarantine, I suspect something may still be on there.

 

What's more- I tried running FRST to give you guys a log, but it crashed the system every time I tried to open it. I ran it as an admin and in compatibility mode, but that doesn't help. The screen flashes black and the cursor goes orange- then the system freezes and I cannot even open the task manager. Given this problem, I decided to try opening FRST in safe mode. When I did that? It worked fine and opened for me and ran. So I think there is something still on here preventing me from running that, and evading the other scans.

 

I have attached the adwcleaner logs and I have the FRST logs from the last I used it- however I have run scans subsequently, so you may want me to run it again. I should also note that the FRST may not be the most up to date, it is only what I could download. Since I cannot connect to the internet in safe mode, and I cannot open FRST in normal mode, it can't seem to update its database, in case that is important.

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:25 PM

Posted 06 March 2018 - 11:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-578724547-110614563-3876043935-1001\...\Run: [AceStream] => C:\Users\Robbi\AppData\Roaming\ACEStream\engine\ace_engine.exe
GroupPolicy: Restriction <==== ATTENTION
FF HKU\S-1-5-21-578724547-110614563-3876043935-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\Robbi\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => not found
FF Plugin HKU\S-1-5-21-578724547-110614563-3876043935-1001: @acestream.net/acestreamplugin,version=3.1.16.2.1 -> C:\Users\Robbi\AppData\Roaming\ACEStream\player\npace_plugin.dll [No File]
CHR HKU\S-1-5-21-578724547-110614563-3876043935-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx

Task: {A63C8761-3DF3-4CE9-B1DC-F6D4DC2CBAD4} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {BA68854F-BBB3-430E-9F19-446D1DAAA11F} - \CCleanerSkipUAC -> No File <==== ATTENTION
FirewallRules: [{CE973BDE-1455-4F80-895C-ABD9926DF881}] => (Allow) C:\Users\Robbi\AppData\Roaming\ACEStream\engine\ace_engine.exe
FirewallRules: [{B2270D2B-DCAE-46CA-AB5F-BB0A4F0D80CC}] => (Allow) C:\Users\Robbi\AppData\Roaming\ACEStream\engine\ace_engine.exe

C:\Users\Robbi\AppData\Roaming\ACEStream

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

p.s.
How and when did you remove Comodo from this computer?
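
An added example, not part of this thread and not code from Farbar's tools: a small Python triage script that reads FRST-style lines such as the ones in the fixlist above, sorts them into artifact classes (autorun entry, scheduled task, firewall rule, browser extension, group policy entry, bare path), and flags the lines FRST marks with `<==== ATTENTION`, the lines whose target no longer exists (`No File`, `not found`), and the lines that point into a user profile's AppData folder. It also pulls out which program the group policy entry restricts (here `mrt.exe`, the Windows Malicious Software Removal Tool). The sample input is constructed from the fixlist entries posted above; the category names, regular expressions and function names are this example's own, not FRST syntax.

```python
import re
from dataclasses import dataclass

# Constructed sample input, copied in shape from the fixlist posted above.
# "hxxps" is FRST's defanged spelling of https and is kept as-is.
SAMPLE_FIXLIST = r"""
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-578724547-110614563-3876043935-1001\...\Run: [AceStream] => C:\Users\Robbi\AppData\Roaming\ACEStream\engine\ace_engine.exe
GroupPolicy: Restriction <==== ATTENTION
FF HKU\S-1-5-21-578724547-110614563-3876043935-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\Robbi\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => not found
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx

Task: {A63C8761-3DF3-4CE9-B1DC-F6D4DC2CBAD4} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
FirewallRules: [{CE973BDE-1455-4F80-895C-ABD9926DF881}] => (Allow) C:\Users\Robbi\AppData\Roaming\ACEStream\engine\ace_engine.exe

C:\Users\Robbi\AppData\Roaming\ACEStream

End
"""

# Fixlist directives (Start, End, CreateRestorePoint:, ...) are commands to
# FRST, not artifacts, so they are skipped during triage.
DIRECTIVE = re.compile(r"^(Start|End|[A-Za-z]+:)$")

# Category names are this example's own; first matching rule wins.
RULES = [
    ("browser_extension", re.compile(r"^(FF|CHR) ")),
    ("scheduled_task",    re.compile(r"^Task: ")),
    ("firewall_rule",     re.compile(r"^FirewallRules: ")),
    ("autorun",           re.compile(r"\\Run: \[")),
    ("group_policy",      re.compile(r"Group ?Policy", re.IGNORECASE)),
    ("filesystem_path",   re.compile(r"^[A-Za-z]:\\")),
]
USER_PROFILE = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
MISSING = re.compile(r"No File|not found", re.IGNORECASE)
RESTRICTION = re.compile(r"restriction on software: (.+?)(?: <====|$)")


@dataclass
class Finding:
    line: str
    category: str
    attention: bool          # FRST itself marked the line <==== ATTENTION
    target_missing: bool     # the entry points at something that no longer exists
    user_profile_path: bool  # the entry lives under a user's AppData folder


def classify(line):
    """Return the artifact class of one FRST-style line."""
    for name, rx in RULES:
        if rx.search(line):
            return name
    return "other"


def triage(text):
    """Parse fixlist/log text into Finding records, skipping directives and blanks."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or DIRECTIVE.match(line):
            continue
        findings.append(Finding(
            line=line,
            category=classify(line),
            attention="<==== ATTENTION" in line,
            target_missing=bool(MISSING.search(line)),
            user_profile_path=bool(USER_PROFILE.search(line)),
        ))
    return findings


def summarize(findings):
    """Count findings per category."""
    summary = {}
    for f in findings:
        summary[f.category] = summary.get(f.category, 0) + 1
    return summary


def blocked_programs(findings):
    """List the programs named in group policy software restriction lines."""
    return [m.group(1) for f in findings
            if (m := RESTRICTION.search(f.line))]


if __name__ == "__main__":
    results = triage(SAMPLE_FIXLIST)
    print(summarize(results))
    print("restricted programs:", blocked_programs(results))
    for f in sorted(results, key=lambda f: not f.attention):
        flags = [n for n in ("attention", "target_missing", "user_profile_path")
                 if getattr(f, n)]
        print(f"[{f.category}] {', '.join(flags) or '-'}: {f.line[:70]}")
```

Running it on a real FRST.txt rather than the constructed sample is a matter of passing the file's text to `triage()`; the point of the flags is that the three kinds of line a helper looks at first (FRST's own ATTENTION marks, dangling entries, and anything auto-starting from a user profile) fall out of the log mechanically instead of by eye.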

#3 gutterbust

gutterbust
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 06 March 2018 - 12:34 PM

Okay so I went ahead and ran the Fixlist, and have attached the Fixlog.

 

I'm going to try to open FRST in normal mode. I thought maybe I had a trojan of some kind because the cursor was shaking and because up to this morning I haven't been able to open FRST (in normal mode; you will note that it works fine in safe mode). If it still causes my cpu to crash is this a sign of lingering malware?


And also- I removed Comodo about 1 year ago and opted for avast. I really used to like it, but it was bombarding me with notifications for their other products.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:25 PM

Posted 06 March 2018 - 01:49 PM



Hi,

There are many residual entries referring to Comodo in your logs.

I suggest you download and run the Comodo Uninstaller tool.

https://forums.comodo.com/install-setup-configuration-faq-cis/forced-uninstaller-tools-t95115.0.html

===

Restart the computer normally when done.

===

If still unable to run FRST in normal mode please delete the program file.

Download the latest version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[image: attachlogs.png]

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs for my review.

Let me know if all is well or not.

#5 gutterbust

gutterbust
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 06 March 2018 - 04:10 PM

Hi,

 

I have just done as you instructed but still no dice. I used the comodo tool you recommended for removing and that seemed to have gone through okay. However I deleted the FRST64 I had previously downloaded to my laptop and downloaded a new one into its own folder on the desktop, per your recommendation. I just tried to open that and again it flashed my screen black and then the system froze, unable to do anything (I had to restart to get back into the system).

 

I can probably still run it in safe mode. What's your advice?



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:25 PM

Posted 07 March 2018 - 08:46 AM



Hi,

Please run it in Safe mode and post fresh FRST and Addition.txt log for my review.
Make sure the box to create an Addition.txt log is marked.

===

Next
  • Download & SAVE to your Desktop: RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Post the logs for my review.

#7 gutterbust

gutterbust
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 07 March 2018 - 05:24 PM

Okay see the attached logs. I only deleted the items highlighted in orange using RogueKiller. The FRST is from prior to using that.

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:25 PM

Posted 08 March 2018 - 09:16 AM

Hi

Please download the attached fixlist.txt to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Can you now execute the FRST program in normal mode?

Any other issues with this computer?

Attached Files



#9 gutterbust

gutterbust
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 12 March 2018 - 07:31 PM

Hey- I ran the fixlist. I think that did it. I'm not noticing any further erratic behavior, and FRST ran in Normal mode this time.

 

See attached log. Let me know if you have any further suggestions.

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:25 PM

Posted 13 March 2018 - 07:07 AM

Hi,

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



