Adlice forum

Software feedback => RogueKiller => Topic started by: BaggotMaggot on May 03, 2021, 12:49:04 PM

Title: Detecting Deleted File?
Post by: BaggotMaggot on May 03, 2021, 12:49:04 PM
Hi,

I've run many anti-malware software like Hitman Pro, Malwarebytes, ESET, Windows Defender, and MSERT. A while ago I found a malware file called "System.exe" inside the Local/Temp folder and I deleted it.

Today, I ran RogueKiller and it detected that same "System.exe" file that I should've deleted a while ago. RogueKiller detected this, but when I tried actually finding its file location manually, it was nowhere to be found. I've set my computer up so that I should be able to see all hidden files as well, so I shouldn't have been able to miss it. The other antiviruses I've run didn't detect it a second time after I already deleted it so I think it should have already been dealt with. Any ideas if this is a false positive? For what it's worth, after I deleted the file using RogueKiller, when I ran it again, it didn't detect it.

To summarize in order of what I did:
I ran Hitman Pro, Malwarebytes, ESET, Windows Defender, and MSERT and it detected and deleted "System.exe" in Local/Temp/ (and I could actually locate and find this file).
I ran Hitman Pro, Malwarebytes, ESET, Windows Defender, and MSERT again, and nothing was detected.
A few weeks pass
I run the above again and nothing is detected once more.
I then ran RogueKiller, and it detected "System.exe", claiming that it was in Local/Temp/ like last time, but I could not find anything in local temp this time.

Do you guys have any ideas why RogueKiller detected an already-deleted file the first time? Was it perhaps a false positive? Thank you!
Title: Re: Detecting Deleted File?
Post by: Curson on May 03, 2021, 06:48:52 PM
Hi BaggotMaggot,

Welcome to Adlice.com Forum.
Could you please attach RogueKiller scan report with your next reply?

Regards.
Title: Re: Detecting Deleted File?
Post by: BaggotMaggot on May 03, 2021, 11:08:16 PM
Hi, here's the scan report
Title: Re: Detecting Deleted File?
Post by: BaggotMaggot on May 03, 2021, 11:08:36 PM
and the delete report
Title: Re: Detecting Deleted File?
Post by: Curson on May 04, 2021, 10:37:24 PM
Hi BaggotMaggot,

Please download SystemLook (x64) (http://images.malwareremoval.com/jpshortstuff/SystemLook_x64.exe) and save it to your desktop.
Code:
:file
C:\Users\AT_ST\AppData\Local\Temp\System.exe
Note: The log can also be found on your Desktop entitled SystemLook.txt

Regards.
Title: Re: Detecting Deleted File?
Post by: BaggotMaggot on May 05, 2021, 01:21:07 AM
SystemLook 30.07.11 by jpshortstuff
Log created at 19:20 on 04/05/2021 by AT_ST
Administrator - Elevation successful

========== file ==========

C:\Users\AT_ST\AppData\Local\Temp\System.exe - Unable to find/read file.

-= EOF =-
Title: Re: Detecting Deleted File?
Post by: Curson on May 07, 2021, 03:10:00 AM
Hi BaggotMaggot,

Sorry for the delay.
Could you please download Adlice Diag (https://www.adlice.com/download-start/?app=diag&type=x64), run a scan (https://www.adlice.com/docs/diag/getting-started/run-a-scan/), then attach the generated report (https://www.adlice.com/docs/diag/getting-started/history/#0-%C2%A0reporting) with your next reply?

Regards.
Title: Re: Detecting Deleted File?
Post by: BaggotMaggot on May 07, 2021, 03:54:05 AM
Hi, the website wouldn't let me send the .txt as an attachment because it was too large, so I zipped the .txt into a .7z. I hope you don't mind too much.

I also really appreciate the help!
Title: Re: Detecting Deleted File?
Post by: Curson on May 07, 2021, 10:10:16 PM
Hi BaggotMaggot,

I think there is an issue with RogueKiller.
Our office is closed during the weekend, but we will discuss it with our team at the beginning of next week.

Thanks for your understanding.
Regards.
Title: Re: Detecting Deleted File?
Post by: BaggotMaggot on May 08, 2021, 05:32:04 AM
Alright, thank you.

I should clarify just in case there's a case of any misunderstanding.

After I ran all the previous antiviruses that I mentioned,
I actually ran RogueKiller three times:
The first time I ran it, it detected System.exe, and I did nothing to it because I wanted to figure out where it was from. However, I could not find its location at all in /temp/.
I ran it a second time, and RogueKiller detected it once again. I then deleted System.exe using RogueKiller.
I ran it one final third time, and this time it didn't detect anything.

After this is when I asked you guys for help.

I sent you logs for the 2nd time where I did in fact delete it.

Sorry if there was any misunderstanding.
Title: Re: Detecting Deleted File?
Post by: Curson on May 24, 2021, 03:24:01 AM
Hi BaggotMaggot,

Sorry for the delay.

OK, this makes sense. The first scan removed the file itself, but not the associated task (which was probably protected by the malware). The second scan detected the task itself and removed it successfully this time. The subsequent scan reported nothing, since the file and the task were both removed at this time.

Regards.
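
The situation described in the last reply (a file already removed, with a task still pointing at it) can be checked for directly. The following PowerShell is an added example, not part of the original thread and not Adlice's code; it assumes the "task" is a Windows scheduled task, and the function names Resolve-TaskExecutable and Find-OrphanedTaskAction are hypothetical.

```powershell
# Added example: list scheduled tasks whose executable no longer exists on disk.

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Task actions may be quoted and may contain %VARIABLE% references.
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim().Trim('"'))
    if ([IO.Path]::IsPathRooted($path)) { return $path }
    # Bare names such as "cmd.exe" are looked up through PATH.
    $cmd = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($cmd) { return $cmd.Path }
    return $path
}

function Find-OrphanedTaskAction {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "exec" actions carry an Execute value; COM handler actions do not.
            if (-not $action.Execute) { continue }
            $target = Resolve-TaskExecutable -Execute $action.Execute
            if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    State    = $task.State
                    Execute  = $action.Execute
                    Resolved = $target
                    # A missing target under a Temp folder matches the case in this thread.
                    InTemp   = $target -like '*\AppData\Local\Temp\*'
                }
            }
        }
    }
}

Find-OrphanedTaskAction | Sort-Object InTemp -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that tasks belonging to other accounts are listed. Environment variables are expanded for the account running the script, so a per-user path in another user's task may resolve differently.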