Adlice forum
Software feedback => RogueKiller => Topic started by: Johyn on April 27, 2017, 07:05:16 PM
-
Greets!
Just about an unremovable PUP: Simplitec, in ProgramData. RogueKiller locates it and suppresses it, but they (there are two of them) come back in the next scan. That doesn't seem really nasty, I've had it for a couple of weeks, but it's still annoying, eh. :)
-
Hi Johyn,
Thanks for your feedback.
Could you please attach the RogueKiller deletion report with your next reply?
Regards.
-
Sorry, how do I get that report?
-
Hi Johyn,
To export a report, go to the "History" tab, then to the "Scan Reports" section.
There, right-click on the first line, then click on the "Export json" button.
Please then attach this JSON report with your next reply.
Regards.
-
Got only a 'supression' option...
-
Hi Johyn,
Could you please check the content of the following directory?
C:\ProgramData\RogueKiller\Logs
Regards.
-
No logs, only changelogs...
-
Hi Johyn,
That's not normal.
Could you please redo a scan and check if the option to save a log is available at the end of it?
Regards.
-
Ok, here it is.
-
Hi Johyn,
The report is not complete, but the [Suspicious.Path] detection is legit.
Regards.
-
Ok, but what's lacking? I shouldn't mind the two 'simplitec'?
-
Hi Johyn,
Could you please do a screenshot of these detections?
Regards.
-
Is that ok?
-
Hi Johyn,
Yes, that's clearly a PUP.
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
-
Ok,
-
Hi Johyn,
These folders are not visible in the reports. Anyway, there are some leftovers.
TeamViewer is installed as a service on your system. It's recommended to uninstall it in case you don't use it.
Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Regards.
-
Here,
-
Hi Johyn,
The PUP folder is not present anymore.
Could you please retry a scan with RogueKiller to check if the item is still detected?
Regards.
-
Yes, they disappear after RogueKiller suppression, to be back on the morrow...
Made a new 'fix' scan:
-
Hi Johyn,
Something is reinfecting your computer.
Please follow the following tutorial: Malwarebytes Tutorial (http://www.adlice.com/documentation/malwarebytes/tutorial/).
Please attach the scan report with your next reply.
Regards.
-
Ok, new threats found with Malwarebytes (see log), but no simplitec, and it's still in the RogueKiller scan...
By the way, what's the difference between the two programs?
-
Hi Johyn,
Malwarebytes is published by the Malwarebytes company and is a general scanner.
RogueKiller is specialized against advanced threats.
Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Regards.
-
Ok, suppressed the simplitecs earlier, so they'll be back tomorrow, with the fixlog... :)
-
Ok,
-
Hi Johyn,
This is really troublesome.
Please download SystemLook (x64) (http://jpshortstuff.247fixes.com/SystemLook_x64.exe) and save it to your desktop.
- Double-click SystemLook_X64.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind
*simplitec*
:folderfind
*simplitec*
:regfind
*simplitec*
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Regards.
-
Hop
-
Hi Johyn,
SystemLook did detect a folder that was not reported by FRST.
We are going to delete it with FRST.
Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Regards.
-
Ok,
-
Hi Johyn,
It should be gone.
Is the simplitec folder still detected?
Regards.
-
Nope, still there... :(
-
Hi Johyn,
We are going to check for rootkits.
- Please download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop
- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
(http://i1118.photobucket.com/albums/k611/lhs22/tds2.jpg)
- Check Loaded Modules and Detect TDLFS file system.
- If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
(http://i1118.photobucket.com/albums/k611/lhs22/2012081514h0118.png)
- Click Start Scan and allow the scan process to run.
If threats are detected select Skip for all of them unless I instruct you otherwise.
- Click Continue
(http://i1118.photobucket.com/albums/k611/lhs22/tds6.jpg)
- Click Reboot computer
Please attach the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Regards.
-
Ok, nothing found...
-
Hi Johyn,
Let's try another scanner.
- Please download Kaspersky Virus Removal Tool (http://devbuilds.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe) and save it on your desktop.
- Right click on KVRT.exe and select Run as Administrator.
- Read the EULA, then select Accept.
- Wait for Kaspersky Virus Removal Tool to initialize.
- In the main screen, select Change parameters, place a checkmark in System drive, then click OK.
- Click Start scan.
- Wait for Kaspersky Virus Removal Tool to complete scanning.
- When the scan is finished, select Neutralize all for all detected objects.
- Close Kaspersky Virus Removal Tool when done.
Please then inform me if something is detected.
Regards.
-
Yes, one threat detected and eliminated, but simplitecs are still there...
-
Hi Johyn,
I'm sorry but I'm out of ideas.
I will ask my other security colleagues about this specific malware.
Thanks for your patience and understanding.
Regards.
-
Thanks for YOUR patience and understanding, cheers!
-
Hi Johyn,
Sorry for the delay.
These folders may be created by legitimate software.
Please download SystemLook (x64) (http://jpshortstuff.247fixes.com/SystemLook_x64.exe) and save it to your desktop.
- Double-click SystemLook_X64.exe to run it.
- Copy the content of the following codebox into the main textfield:
:dir
C:\ProgramData\simplitec /s /md5
C:\Users\All Users\simplitec /s /md5
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Regards.
-
Here, but nothing found I'm afraid...
-
Hi Johyn,
The simplitec folders are empty, that's why SystemLook didn't find anything.
The good news is that this is nothing malicious, since they don't contain anything.
The bad news, however, is that we still don't know why they are recreated at system startup.
Would you like to continue the investigation, knowing your computer is not at risk?
Regards.
-
As I told you, 'twas mostly to get it clean, but I could live with it, sure. You surely have a better use for your time, and I should thank you for all that you've done already.
Many thanks! :)
-
Hi Johyn,
You are very welcome. :)
If I ever find the cause of these folders' recreation, I will let you know for sure.
Regards.
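The open question in this thread is which process recreates the empty simplitec folder at startup. One way a defender can answer that without a third-party tool is Windows object-access auditing: put an audit entry for folder creation on the parent directory, reboot, and read the resulting Security event 4663 records, which name the process that performed the access. The script below is an added example, not code from the thread or from Adlice; it assumes an elevated PowerShell prompt, the C:\ProgramData\simplitec path reported in the thread, and that the Security log is not being cleared.

```powershell
# Added example (not from the thread): find which process recreates
# C:\ProgramData\simplitec at boot by auditing folder creation in its parent.
# Assumes an elevated PowerShell 5.1 prompt on Windows 7 or later.
$Parent = 'C:\ProgramData'          # parent of the folder seen in the thread
$Target = 'simplitec'               # folder name reported by RogueKiller

# Step 1: turn on success auditing for the File System subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Step 2: add a SACL entry on the parent so that creating a subfolder
# (the CreateDirectories right) by any principal writes Security event 4663.
$acl  = Get-Acl -Path $Parent -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Parent -AclObject $acl

# Step 3 (run after the next reboot, once the folder has reappeared):
# list the 4663 events that name the folder, together with the process that
# performed the access. Both the new folder's path and the parent are matched,
# in case the event reports the parent rather than the created folder.
function Get-FolderCreationEvents {
    param([string]$Name, [string]$ParentDir, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            $obj = $data['ObjectName']
            if ($obj -like "*\$Name*" -or $obj -eq $ParentDir) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Process = $data['ProcessName']      # the lead to follow up on
                    Pid     = $data['ProcessId']        # reported as a hex string
                    User    = $data['SubjectUserName']
                    Object  = $obj
                    Access  = $data['AccessMask']
                }
            }
        }
}

Get-FolderCreationEvents -Name $Target -ParentDir $Parent | Format-Table -AutoSize
```

Once the responsible process is identified, the audit entry can be removed again with the matching RemoveAuditRule call and auditpol /success:disable, since File System auditing on a busy directory is noisy.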