Author Topic: Detecting Deleted File?  (Read 633 times)

May 03, 2021, 12:49:04 pm

BaggotMaggot

  • Newbie

Hi,

I've run many anti-malware software like Hitman Pro, Malwarebytes, ESET, Windows Defender, and MSERT. A while ago I found a malware file called "System.exe" inside the Local/Temp folder and I deleted it.

Today, I ran RogueKiller and it detected that same "System.exe" file that I should've deleted a while ago. RogueKiller detected this, but when I tried actually finding its file location manually, it was nowhere to be found. I've set my computer up so that I should be able to see all hidden files as well, so I shouldn't have been able to miss it. The other antiviruses I've run didn't detect it a second time after I already deleted it so I think it should have already been dealt with. Any ideas if this is a false positive? For what it's worth, after I deleted the file using RogueKiller, when I ran it again, it didn't detect it.

To summarize in order of what I did:
1. I ran Hitman Pro, Malwarebytes, ESET, Windows Defender, and MSERT and it detected and deleted "System.exe" in Local/Temp/ (and I could actually locate and find this file).
2. I ran Hitman Pro, Malwarebytes, ESET, Windows Defender, and MSERT again, and nothing was detected.
3. A few weeks pass.
4. I run the above again and nothing is detected once more.
5. I then ran RogueKiller, and it detected "System.exe", claiming that it was in Local/Temp/ like last time, but I could not find anything in local temp this time.

Do you guys have any ideas why RogueKiller detected an already-deleted file the first time? Was it perhaps a false positive? Thank you!
« Last Edit: May 03, 2021, 02:50:06 pm by BaggotMaggot »

Reply #1, May 03, 2021, 06:48:52 pm

Curson

  • Global Moderator
  • Hero Member

Hi BaggotMaggot,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller scan report with your next reply?

Regards.

Reply #2, May 03, 2021, 11:08:16 pm

BaggotMaggot

Hi, here's the scan report

Reply #3, May 03, 2021, 11:08:36 pm

BaggotMaggot

and the delete report

Reply #4, May 04, 2021, 10:37:24 pm

Curson

Hi BaggotMaggot,

Please download SystemLook (x64) and save it to your desktop.
  • Double-click SystemLook_X64.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :file
    C:\Users\AT_ST\AppData\Local\Temp\System.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Regards.

Reply #5, May 05, 2021, 01:21:07 am

BaggotMaggot

SystemLook 30.07.11 by jpshortstuff
Log created at 19:20 on 04/05/2021 by AT_ST
Administrator - Elevation successful

========== file ==========

C:\Users\AT_ST\AppData\Local\Temp\System.exe - Unable to find/read file.

-= EOF =-

Reply #6, May 07, 2021, 03:10:00 am

Curson

Hi BaggotMaggot,

Sorry for the delay.
Could you please download Adlice Diag, run a scan, then attach the generated report with your next reply?

Regards.

Reply #7, May 07, 2021, 03:54:05 am

BaggotMaggot

Hi, the website wouldn't let me send the .txt as an attachment because it was too large, so I zipped the .txt into a .7z. I hope you don't mind too much.

I also really appreciate the help!
« Last Edit: May 07, 2021, 03:59:53 am by BaggotMaggot »

Reply #8, May 07, 2021, 10:10:16 pm

Curson

Hi BaggotMaggot,

I think there is an issue with RogueKiller.
Our office is closed during the weekend, but we will discuss it with our team at the beginning of next week.

Thanks for your understanding.
Regards.

Reply #9, May 08, 2021, 05:32:04 am

BaggotMaggot

Alright, thank you.

I should clarify just in case there's a case of any misunderstanding.

After I ran all the previous antiviruses that I mentioned,
I actually ran RogueKiller three times:
The first time I ran it, it detected System.exe, and I did nothing to it because I wanted to figure out where it was from. However, I could not find its location at all in /temp/.
I ran it a second time, and RogueKiller detected it once again. I then deleted System.exe using RogueKiller.
I ran it one final third time, and this time it didn't detect anything.

After this is when I asked you guys for help.

I sent you logs for the 2nd time where I did in fact delete it.

Sorry if there was any misunderstanding.
« Last Edit: May 08, 2021, 05:36:31 am by BaggotMaggot »

Reply #10, May 24, 2021, 03:24:01 am

Curson

Hi BaggotMaggot,

Sorry for the delay.

OK, this makes sense. The first scan removed the file itself, but not the associated task (which was probably protected by the malware). The second scan detected the task itself and removed it successfully this time. The subsequent scan reported nothing, since the file and the task were both removed at this time.

Regards.
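
The situation explained in reply #10, as an added example that is not part of the thread and is not RogueKiller's own logic: a read-only PowerShell check that lists scheduled tasks whose action points at an executable no longer on disk. It assumes the leftover "task" is a Windows scheduled task; the function names `Resolve-TaskCommand` and `Get-OrphanedTaskAction` are hypothetical.

```powershell
# Added example: find scheduled tasks that still reference a missing executable,
# e.g. a task left behind after ...\AppData\Local\Temp\System.exe was deleted.
# Read-only: nothing is disabled, changed or removed.

function Resolve-TaskCommand {
    param([string]$Command)
    # Task actions may be wrapped in quotes and may contain %ENV% variables.
    $unquoted = $Command.Trim().Trim('"')
    return [Environment]::ExpandEnvironmentVariables($unquoted)
}

function Get-OrphanedTaskAction {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "exec" actions have an Execute property; COM handler actions do not.
            if (-not $action.Execute) { continue }

            $path = Resolve-TaskCommand $action.Execute

            if ([System.IO.Path]::IsPathRooted($path)) {
                # Full path: the target is fine if the file is still there.
                if (Test-Path -LiteralPath $path) { continue }
            }
            else {
                # Bare name such as "cmd.exe": resolved through PATH at run time.
                if (Get-Command -Name $path -CommandType Application `
                        -ErrorAction SilentlyContinue) { continue }
            }

            # Target is missing: report the task so it can be reviewed.
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Execute   = $path
                Arguments = $action.Arguments
            }
        }
    }
}

Get-OrphanedTaskAction |
    Sort-Object TaskPath, TaskName |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so that tasks belonging to other accounts are listed too. A task that points into a Temp folder at a file that no longer exists matches the kind of leftover described above.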