Locked Need Help, Trojan, Run Command running Automatically.


LeoTheLion

Hello Everyone,
I have had this problem since yesterday. This is because of my wireless mouse; I have been using it for a long time, but since yesterday it is making some problems. The "Run" command runs automatically, there is automatic typing, and it opens Firefox and opens site. I ran Windows Defender but it had no effect, then I tried Malwarebytes. It detects this as a Trojan, but it is not stopping the "Run" command from running automatically by itself. It still runs many times when I attach my mouse connector, and when I remove the connector the "Run" command stops immediately.
What is the problem? Does anyone know?
Using A4tech mouse model: G7-100N

This is the summary of this Trojan:
Malwarebytes

-Log Details-
Protection Event Date: 7/14/20
Protection Event Time: 3:44 PM
Log File: 0a2c79c0-c5bf-11ea-9646-7824af2d2a7a.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.972
Update Package Version: 1.0.26203
License: Premium

-System Information-
OS: Windows 10 (Build 18362.628)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain:
IP Address: 52.39.121.252
Port: 80
Type: Outbound
File: C:\Program Files\Mozilla Firefox\firefox.exe
(end)
 

hamabe

A4Tech
Not the best quality, but price isn't that bad. You get what you pay for.

IP Address: 52.39.121.252
Portland, Oregon
Amazon Inc

At least it's not calling China.
It's a first for me to see that kind of behavior wherein a script calls home trying to update drivers.

You can either download drivers elsewhere for your mouse or use other hardware.
Try ASUS or some other product you can afford.

As for the Trojan alert, wait for more competent help from fellow users.
 

Mr. Spacely

@LeoTheLion Outside links removed. You cannot post those links here, especially sketchy links like that. Good luck.
 

ASimke

Try using Kaspersky Rescue Disk.
You have a tutorial on how to use it.
For the download, just google it and go for the official download link.
GL.
 

SiteWizard

@LeoTheLion OK, read this carefully.
1) Download Malwarebytes and save it on a USB.
2) Restart the computer / laptop in safe mode (no internet connection).
3) Install Malwarebytes and let it do the scan (it will find the trojan).

After it has found and deleted the trojan, it will restart the computer / laptop.
4) When the computer has restarted, you can connect to the internet again.

OK, when you have done all this and it is still not removed, then do this.

There are a dozen places where these random runs can originate from.
If the core of your Windows operating system is compromised, the only reliable way is to boot from a Live CD and run your antivirus from it.
If your Windows isn't compromised but you just have these random runs of .exe from undetermined sources, use the Autoruns utility from the Sysinternals suite.
It will show you all the places where automatic launches can start from: Startup folder, registry keys, system DLL hooks, etc., and you will be able to remove the rogue .exe.

And the last point is: do not use only Windows Defender... that is not good.
Install Comodo Internet Suite + Malwarebytes; these work nicely together with Windows Defender :)
 

Kornell

I recommend formatting "C" and installing Windows again. It is the easiest way. This way you don't have to wait for the program to clean, or not, the malware. Then try another one... Of course, do NOT go to or install the malware program/site.
 

SiteWizard

@Kornell That is only when he does not want the files on the HDD :) Then he can do that and spare some time :)
 

SADIKSARKANE

Bro, try Symantec Endpoint, it will work for you I hope.
 

Beef682

Extreme tin foil hat here, but it sounds like an auto run is installed on the receiver on a tiny flash chip and it auto-launches your browser to their website, for advertising or malware delivery. I've seen some YouTube videos of fake USB flash sticks with no flash chip, but when you plug one into a PC it runs malware from the flash ROM. Could be all wrong.

The easy thing is to stop using that mouse and buy a cheap new one.
The medium answer, as others suggest, is live USB environments to try and diagnose the issue; maybe this only works on Windows and not a Linux distro?
The hard answer is to reformat Windows; for something that might not be resident on the C drive this is a far shot IMO.

Other users can call me out if any of this is not correct.
 

juanamm

I just found out that a wireless mouse is a back door for viruses.
Every day you learn something new.
Today's technology works miracles, such as cars that drive themselves, smart keys, houses that open remotely; the problem is that all this is liable to be hacked or have vulnerabilities for malware.
But a mouse???
The truth is, I was surprised. :eek:

If it is under warranty, take it to technical support; if the warranty has expired, try a specific USB AV such as McShield Antimalware Tool, which is free; look on Google or visit https://www.mcshield.net/.

I share the link here so as not to do it by PM, which everyone then asks for. Colleagues admin and mods, don't be mad about that. :wasntme:
 

LeoTheLion

hamabe said:
A4Tech
Not the best quality, but price isn't that bad. You get what you pay for.

IP Address: 52.39.121.252
Portland, Oregon
Amazon Inc

At least it's not calling China.
It's a first for me to see that kind of behavior wherein a script calls home trying to update drivers.

You can either download drivers elsewhere for your mouse or use other hardware.
Try ASUS or some other product you can afford.

As for the Trojan alert, wait for more competent help from fellow users.

Yes, maybe not the best, but for the last 6-7 years I have been using an A4Tech mouse. The same mouse is also available with a USB wire, and I am now using that one. It is small, that's why I like it. It feels fast and comfortable in the hand, as most of my work is with drawings.
Yes, I'll purchase another product, but this virus made me very uncomfortable, so I wanted to know why that happened. It is also the first time it has happened to me.
 

Cyler

Beef682 said:
Extreme tin foil hat here, but it sounds like an auto run is installed on the receiver on a tiny flash chip and it auto-launches your browser to their website, for advertising or malware delivery. I've seen some YouTube videos of fake USB flash sticks with no flash chip, but when you plug one into a PC it runs malware from the flash ROM. Could be all wrong.

Even though technically it can happen, practically it can't. For those types of USB infections, the preferred method is to use storage sticks (even fake ones) but almost never a specific wireless dongle. The reason is that the hackers would also have to replicate the exact wireless chip and ID signatures for the mouse to work at the same time, PLUS someone would actually have to replace the original USB wireless dongle that @LeoTheLion was using all this time.

LeoTheLion said:
Hello Everyone,
I have had this problem since yesterday. This is because of my wireless mouse; I have been using it for a long time, but since yesterday it is making some problems. The "Run" command runs automatically, there is automatic typing, and it opens Firefox and opens site. I ran Windows Defender but it had no effect, then I tried Malwarebytes. It detects this as a Trojan, but it is not stopping the "Run" command from running automatically by itself. It still runs many times when I attach my mouse connector, and when I remove the connector the "Run" command stops immediately.

After some digging around with the driver, it seems that it's not a virus per se but rather a strange function of the mouse driver. The site(s) you are redirected to belong (or used to belong) to either a4tech or cnzz, as can be seen in the list below:
TCP traffic to 52.39.121.252 on port 80 is sent without HTTP header
TCP traffic to 116.211.183.234 on port 80 is sent without HTTP header
TCP traffic to 203.119.206.97 on port 80 is sent without HTTP header
TCP traffic to 205.204.101.182 on port 80 is sent without HTTP header
TCP traffic to 106.11.92.15 on port 80 is sent without HTTP header

The site names are:
"www.a4tech.com"
"s13.cnzz.com"
"hzs12.cnzz.com"
"c.cnzz.com"
"cnzz.mmstat.com"
"icon.cnzz.com"
"pcookie.cnzz.com"

CNZZ is a web analytics company (traffic/ads etc.), so it does call China after all @hamabe :p

Code:
52.39.121.252:80  --- TCP --- iexplore.exe ---PID: 808 --- United States
116.211.183.234:80 --- TCP --- iexplore.exe --- PID: 808 --- China
203.119.206.97:80 --- TCP --- iexplore.exe --- PID: 808  --- China
and so on

To be honest, I don't know what to make of this. Maybe it's a function of your mouse that hasn't been defined, like what to do with the extra mouse buttons, and by default it opens the browser and points to the a4tech website as an advertising method. Maybe it's a driver that was released by mistake.

My advice is to use System Restore and go back to a date when you didn't have that issue. Don't upgrade mouse drivers if there is no need, as I suspect that those drivers did it. If restore is not an option, remove the mouse drivers completely and install an older version. Not much else can be done apart from running a virus scan, which I assume you did.

For future reference, more info is always needed and not generic things. Did it happen after you updated/installed new drivers? Does it happen on other PCs? What site does it open, etc.? These are the kinds of information that can help us better understand the problem.

Edit: I'm probably testing this with a different product driver, and so I might have gotten different results, but the function is the same.

Hope it helped.
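
One way to check on the affected machine which process opens connections to the addresses listed in this thread, and what launched that process (an added example, not part of the original post; the 120-second window and the `Get-ProcInfo` helper name are assumptions, and the IPs are the ones quoted above):

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on
# Windows 10 while the receiver is plugged in, so CommandLine is readable
# for every process.
$watch = @('52.39.121.252', '116.211.183.234', '203.119.206.97',
           '205.204.101.182', '106.11.92.15')   # addresses quoted in the thread
$WatchSeconds = 120                             # assumed observation window
$seen = @{}

# Hypothetical helper: process record (name, command line, parent PID) by PID.
function Get-ProcInfo([uint32]$Id) {
    Get-CimInstance Win32_Process -Filter "ProcessId = $Id" -ErrorAction SilentlyContinue
}

# Port-80 connections are short-lived, so poll instead of taking one snapshot.
$deadline = (Get-Date).AddSeconds($WatchSeconds)
while ((Get-Date) -lt $deadline) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $watch -contains $_.RemoteAddress } |
        ForEach-Object {
            $key = '{0}|{1}' -f $_.OwningProcess, $_.RemoteAddress
            if (-not $seen.ContainsKey($key)) {
                $p = Get-ProcInfo $_.OwningProcess
                $parent = if ($p) { Get-ProcInfo $p.ParentProcessId }
                $seen[$key] = [pscustomobject]@{
                    Remote      = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                    ProcessId   = $_.OwningProcess
                    Process     = $p.Name
                    CommandLine = $p.CommandLine
                    Parent      = $parent.Name
                    ParentId    = $p.ParentProcessId
                }
            }
        }
    Start-Sleep -Milliseconds 500
}
$seen.Values | Format-List

# Keyboard-class devices currently present. Run once with the receiver plugged
# in and once without; an entry that disappears belongs to the receiver.
Get-PnpDevice -Class Keyboard -PresentOnly | Select-Object FriendlyName, InstanceId
```

A blank Parent means the launching process had already exited when the connection was seen. Comparing the output with the receiver attached and removed shows whether the browser launch depends on the device being present.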
 

MrZeb

Hi,

If you use the computer without internet access, does the Run window opening, etc. continue?
 

LeoTheLion

hamabe said:
A4Tech
Not the best quality, but price isn't that bad. You get what you pay for.

IP Address: 52.39.121.252
Portland, Oregon
Amazon Inc

At least it's not calling China.
It's a first for me to see that kind of behavior wherein a script calls home trying to update drivers.

You can either download drivers elsewhere for your mouse or use other hardware.
Try ASUS or some other product you can afford.

As for the Trojan alert, wait for more competent help from fellow users.

Yes, maybe not the best, but for the last 6-7 years I have been using an A4Tech mouse. The same mouse is also available with a USB wire, and I am now using that one. It is small, that's why I like it. It feels fast and comfortable in the hand, as most of my work is with drawings.
Yes, I'll purchase another product, but this virus made me very uncomfortable, so I wanted to know why that happened. It is also the first time it has happened to me.
If it's not China then it's the USA maybe.. Amazon Inc is USA-based.

Mr. Spacely said:
@LeoTheLion Outside links removed. You cannot post those links here, especially sketchy links like that. Good luck.

Alright, no problem.. I noticed already.. but just wanted to let you know of these sites.. or for info only... TY..

ASimke said:
Try using Kaspersky Rescue Disk.
You have a tutorial on how to use it.
For the download, just google it and go for the official download link.
GL.

OK, I'll try that too..
TY..
 

LeoTheLion

SiteWizard said:
@LeoTheLion OK, read this carefully.
1) Download Malwarebytes and save it on a USB.
2) Restart the computer / laptop in safe mode (no internet connection).
3) Install Malwarebytes and let it do the scan (it will find the trojan).

After it has found and deleted the trojan, it will restart the computer / laptop.
4) When the computer has restarted, you can connect to the internet again.

OK, when you have done all this and it is still not removed, then do this.

There are a dozen places where these random runs can originate from.
If the core of your Windows operating system is compromised, the only reliable way is to boot from a Live CD and run your antivirus from it.
If your Windows isn't compromised but you just have these random runs of .exe from undetermined sources, use the Autoruns utility from the Sysinternals suite.
It will show you all the places where automatic launches can start from: Startup folder, registry keys, system DLL hooks, etc., and you will be able to remove the rogue .exe.

And the last point is: do not use only Windows Defender... that is not good.
Install Comodo Internet Suite + Malwarebytes; these work nicely together with Windows Defender :)

Thanks @SiteWizard for these solutions. I'll try them and see if they can remove this virus.
I have already installed Malwarebytes, so do I still need to install it again on USB, or will it run in safe mode too?
Thanks.

Kornell said:
I recommend formatting "C" and installing Windows again. It is the easiest way. This way you don't have to wait for the program to clean, or not, the malware. Then try another one... Of course, do NOT go to or install the malware program/site.

This should be the very last solution, when you have made sure there is no other solution. Let's see if there is..
Thanks.
 

SiteWizard

@LeoTheLion No, you just need to update it :)
Then follow the points I have given you.
 

YouDummyZiggy

Have you tried using Autoruns to check all entries or startup items? An alternative is to use Comodo Cleaning Essentials, which has a means to suspend a certain process for troubleshooting. It also has a tool similar to TCPView for active connections. Also, Hiren's Boot PE, also found on this site, can be used to boot from it, update Malwarebytes and run an offline system scan on your hard drive. I also suggest backing up your bookmarks/passwords and doing a Firefox reset/refresh, since part of Firefox has some JS scripts on it which might have been compromised, and it might be the reason why Firefox is the application being detected by Malwarebytes.
 

juanamm

no activity, closed, locked and tagged completed.
 