Found A Trojan, Did I Fix It?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Chaos Annihilator, Mar 1, 2025.

  1. Chaos Annihilator

    Chaos Annihilator Private First Class

    Hello,
    Seems it wasn't long ago that I was here, so goes my computer luck...
    A friend and I were on separate computers browsing Ebay together yesterday, and after clicking the same listing we both had Avast pop up saying it caught something bad. So we aborted what we were doing and ran an Avast Smart Scan on both computers. It finished quickly, and found nothing.
    To be sure, I ran an Avast Full System Scan on both computers. They ran all night, and when I checked them this morning saw it found a Trojan on each computer: one hidden in an internet shortcut I'd made about 4 years ago on mine, and one in a shortcut on my friend's computer as well (a shortcut completely unrelated to mine). I quarantined it on each computer.
    Then I ran a Spybot scan, a Spybot rootkit scan, Malwarebytes, and HitmanPro. None of these found any more threats on either computer.
    Do any friendly geeks out there have an opinion about whether the computers should be good now, or if there is something more I should do to be on the safe side?

    Thanks!
     
  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome back to the Major Geeks Malware Forum.

    Please do this

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download FRST64 and save the file on your Desktop
    • If your computer language is other than English, right click on the FRST64 icon and rename it to FRST64english
    • Right click on the icon and select Run as administrator
    • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • When completed, FRST.txt and Addition.txt reports will be saved on the Desktop
    • Please attach the reports to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached reports
     
  3. Chaos Annihilator

    Chaos Annihilator Private First Class

    Hi friend, good to "see" you again!
    Here are the reports from my computer:

    Reports removed, will be posted on separate topic.
     
    Last edited by a moderator: Mar 1, 2025
  4. Chaos Annihilator

    Chaos Annihilator Private First Class

    And here they are from the other computer:
     

    Attached Files:

  5. Oh My!

    Oh My! Malware Expert Staff Member

    Good to see you as well.

    We should only handle one computer per topic. I am going to remove the FRST Scan post related to your computer. You can start a separate topic but make sure you post it here.

    Regarding the "other" computer: do you recognize LestaStudio?

    Please do this.

    ===================================================

    Uninstalling Adobe Flash Player

    --------------------

    Note: Adobe Flash Player is no longer supported and is a security risk.

    • Download Adobe Flash Player Uninstaller and save it to your Desktop
    • Right click on the icon and select Run as administrator
    • Click Uninstall then Done to reboot your computer
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    Zip: C:\ProgramData\AVAST Software\Avast\report
    Task: {3A623699-8054-4A3C-AB77-40666F0FEF60} - System32\Tasks\Lenovo\Vantage\StartupFixPlan => C:\Program Files (x86)\Lenovo\VantageService\4.2.24.0\\uninstall.exe  /repair (No File) 
    ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File 
    ContextMenuHandlers1: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File 
    ContextMenuHandlers2: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File 
    ContextMenuHandlers2: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File 
    ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File 
    ContextMenuHandlers6: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} =>  -> No File 
    FirewallRules: [TCP Query User{6BBCB6A8-AB47-4888-A42C-760CFBE45441}C:\users\User\appdata\roaming\zoom\bin\zoom.exe] => (Block) C:\users\User\appdata\roaming\zoom\bin\zoom.exe => No File 
    FirewallRules: [UDP Query User{6ACF0395-2E10-4A83-8545-DA948C3B75A3}C:\users\User\appdata\roaming\zoom\bin\zoom.exe] => (Block) C:\users\User\appdata\roaming\zoom\bin\zoom.exe => No File 
    FirewallRules: [{69F74FD2-4056-4BA1-A714-77B26836E91E}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\Zoom.exe => No File 
    FirewallRules: [{7612B76E-82B6-4EA6-A29E-4AD684F3CD7F}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\airhost.exe => No File 
    FirewallRules: [{A49F68E5-B400-4898-B56C-7786861941C0}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\airhost.exe => No File 
    C:\ProgramData\TEMP
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • The tool will create a zipped folder on your Desktop with today's date, example: 02.17.2022_13.24.50.zip. Please attach the file to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Flash Player uninstalled?
    • Fixlog
    • Attached file
     
  6. Chaos Annihilator

    Chaos Annihilator Private First Class

    Okay, I started another topic for my computer in the Specialist forum. I always hesitate to post threads there because I'm bad at following the directions before confusing myself and just asking for help...

    My friend does not recognize LestaStudio, we did a quick search and it seems to be related to war games, which she would never play.

    Adobe is uninstalled (I think it already was uninstalled from this computer, don't know why it came back).

    Still working on the Fixlog and zip file, it is still in progress. As per my usual (not the brightest) self, I changed the User name to protect my friend's privacy, yet forgot to change it back before copying your code. I hope I didn't break something...

    Thanks again for all your help.
     
  7. Chaos Annihilator

    Chaos Annihilator Private First Class

    Here is the log and the zip file. It appears I didn't break anything (phew!), it just couldn't find a file? I probably need to redo something, sorry about that. Anyway, here's what I've got:
     

    Attached Files:

  8. Oh My!

    Oh My! Malware Expert Staff Member

    Can you tell me if the web page you were viewing was related to bicycles?
     
  9. Chaos Annihilator

    Chaos Annihilator Private First Class

    Yes, we were on Ebay trying to find a workout bike. We looked at different listings with no trouble until we both clicked on the same listing for a Vevor exercise bike.
    Here's another story of my excellent, blinding brilliance: when we clicked on this Vevor listing, Avast quickly dinged and said it stopped 4 threats. We both thought it couldn't be so, since we thought we'd talked to this seller before, so we closed the window, opened it again, and went back to the same listing. Of course Avast dinged again, this time saying there were 26 threats caught on my Mom's computer (the one in this thread). I aborted before Avast could ding on mine, and like a real genius thought I might get a different result if I found a Vevor website off of Ebay. I sure did find one, but Avast also caught 2 threats there. That was when we woke up and decided to run scans...better late than never, I suppose.
    I didn't know people could hide viruses in ebay listings.
     
  10. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the clarification.

    I consider the Avast "detection" a false positive. I located and reviewed the detection, navigated to the same web site and, without having Avast installed, successfully loaded the page without any problem. Avast is showing the web address as Blacklisted, which it is not. Feel free to create an Avast exception for the website.

    I am happy to report the computer is clean. There is no need to remove LestaStudio.
     
  11. Chaos Annihilator

    Chaos Annihilator Private First Class

    Oh weird. Why would it have detected something on the one ebay listing for the Vevor bike? So you think there was never anything wrong? Could you see anything about what it said was a trojan that I quarantined?

    Do you know what LestaStudio is?

    Thank you so much!
     
  12. Oh My!

    Oh My! Malware Expert Staff Member

    No, those were empty Firewall rules taking up space but not doing anything.

    Avast is falsely identifying the web page as problematic. It is an Avast false positive detection. False positive detections by antivirus programs are common.

    My initial guess regarding LestaStudio was that it was related to a game, similar to the other gaming type entries in the FRST.txt report. That is why I asked about it rather than automatically removing it. It is not malicious, but if it is not wanted feel free to remove it.
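The FRST fix in post 5 removed "FirewallRules ... => No File" entries, and the reply above explains they were empty rules pointing at programs that no longer exist. The following PowerShell audit, added here as an illustration and not part of the original thread or of FRST, lists such orphaned Windows Defender Firewall rules on a machine so they can be reviewed before removal; the function name Find-OrphanedFirewallRule and its -Remove switch are hypothetical, and it assumes an elevated PowerShell session on Windows 8 or later (NetSecurity module).

```powershell
# Audit Windows Defender Firewall rules whose bound program path no longer exists.
# Equivalent to what FRST reports as "FirewallRules: [...] => (Allow|Block) <path> => No File".
# Hypothetical helper; runs read-only unless -Remove is given, so review the list first.
function Find-OrphanedFirewallRule {
    [CmdletBinding()]
    param([switch]$Remove)

    foreach ($rule in Get-NetFirewallRule) {
        # Each rule has one application filter; Program is "Any" when not bound to an exe.
        $filter  = $rule | Get-NetFirewallApplicationFilter
        $program = $filter.Program
        if (-not $program -or $program -in @('Any', 'System')) { continue }

        # "Query User" rules store literal paths; vendor rules may use %SystemRoot% etc.
        $path = [Environment]::ExpandEnvironmentVariables($program)
        if (Test-Path -LiteralPath $path -PathType Leaf) { continue }

        # Emit one object per orphaned rule (name, action, direction, missing path).
        [PSCustomObject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Action      = $rule.Action
            Direction   = $rule.Direction
            Program     = $program
        }

        if ($Remove) {
            Remove-NetFirewallRule -Name $rule.Name
        }
    }
}

# Read-only listing; rerun with -Remove only after checking the output.
Find-OrphanedFirewallRule | Format-Table -AutoSize
```

Rules scoped to Store app packages rather than an executable report Program as "Any" and are skipped, so the list covers only rules bound to a file path.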
     
  13. Chaos Annihilator

    Chaos Annihilator Private First Class

    Okay, thanks.
    I just didn't know an antivirus would find false positives on individual listings on Ebay, I thought it would be a false positive on Ebay as a whole. Is it weird that Avast went off on the Vevor listing on Ebay as well as the Vevor website? Glad it was all okay!

    After this happened, the full system scan with Avast found what it called a Trojan associated with a shortcut called Ed Chin on this (my mom's) computer, and a Trojan associated with a shortcut to Carve magazine on mine. I assumed this was all related to the Vevor thing, since that was what caused the alerts with Avast in the first place. Do you think it was all related to the same incident, and nothing to worry about now? (I know I made the Carve magazine shortcut sometime in 2020, we really can't remember what Ed Chin is, but assume someone legitimately made this shortcut as well).
     
  14. Oh My!

    Oh My! Malware Expert Staff Member

    I would like to look at the Avast reports again. Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    Zip: C:\ProgramData\AVAST Software\Avast\report
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • The tool will create a zipped folder on your Desktop with today's date, example: 02.17.2022_13.24.50.zip. Please attach the file to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
    • Attached file
     
  15. Chaos Annihilator

    Chaos Annihilator Private First Class

    Okay, here's the log and the zip file:

    Fix result of Farbar Recovery Scan Tool (x64) Version: 02-03-2025
    Ran by User (02-03-2025 13:03:57) Run:2
    Running from C:\Users\User\Desktop
    Loaded Profiles: User
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    Zip: C:\ProgramData\AVAST Software\Avast\report
    End::
    *****************

    ================== Zip: ===================
    C:\ProgramData\AVAST Software\Avast\report -> copied successfully to C:\Users\User\Desktop\02.03.2025_13.03.57.zip
    =========== Zip: End ===========

    ==== End of Fixlog 13:03:59 ====

    Do you want me to do the same on the other thread for my computer as well?
    Thanks
     

    Attached Files:

  16. Oh My!

    Oh My! Malware Expert Staff Member

    No need to repeat the step on your computer.

    I am not sure what happened previously but currently there isn't anything of concern in the latest Avast report. I think things are good.
     
  17. Chaos Annihilator

    Chaos Annihilator Private First Class

    Okay, great. Thanks!
     
