Closed "C:\ProgramData\simplitec" keeps reappearing

[acuvic 0]

Hello, hope you can help me. When I scan my PC with Emsisoft AntiMalware (installed in the PC) "C:\ProgramData\simplitec" is flagged up as an infection. I select to delete this folder but it reappears on next power-up.

This problem has been reported on this forum before and I'd like help to decide if this is a genuine infection. And if so, how to get rid of it.

Thanks.

Victor

FRST.txt

scan_171227-021824.txt

Addition.txt

[Kevin Zoll 309]

Hi Victor,

There is a good chance that the Simplitec folder is empty.

Please download SystemLook (x64) http://jpshortstuff.247fixes.com/SystemLook_x64.exe and save it to your desktop.

• Double-click SystemLook_X64.exe to run it.
• Copy the content of the following codebox into the main textfield:

  :dir
  C:\ProgramData\simplitec /s /md5
  C:\Users\All Users\simplitec /s /md5

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
  Note: The log can also be found on your Desktop entitled SystemLook.txt

Download fixlist.txt from

https://ufile.io/sclsg to your Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[acuvic 0]

Hi Kevin, thanks for your help. But the link http://jpshortstuff.247fixes.com/SystemLook_x64.exe leads to a 404 page for me.

Should I hold fire on running FRST64 with the Fixlist? Or run it anyway?

[Kevin Zoll 309]

Use this link http://images.malwareremoval.com/jpshortstuff/SystemLook_x64.exe

[acuvic 0]

Kevin,

Here are the log files

Fixlog.txt

SystemLook.txt

[Kevin Zoll 309]

The folder C:\ProgramData\simplitec is empty.  Since, it contains no files it posses no threat. You can whitelist the detection.

Run a fresh scan with FRST, attach the new FRST scan reports to your reply.

[acuvic 0]

Thanks Kevin, appreciate your help. Any idea what keeps creating the simplitec folder at start-up? I'm nervous that an unknown process creates folders, even though it's an empty one.

Anyway, attached are the result of the latest FRST scans.

FRST.txt

Addition.txt

[Kevin Zoll 309]

No idea what may be recreating it or has a lock on the folder.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

() C:\Windows\SysWOW64\dxconfig.exe
() C:\Windows\SysWOW64\dxconfig.exe
2016-03-19 22:17 - 2016-03-19 22:17 - 000099384 _____ () D:\Victor\Roaming\inst.exe
2016-03-19 22:17 - 2016-03-19 22:17 - 000007859 _____ () D:\Victor\Roaming\pcouffin.cat
2016-03-19 22:17 - 2016-03-19 22:17 - 000001167 _____ () D:\Victor\Roaming\pcouffin.inf
2016-03-19 22:17 - 2016-03-19 22:17 - 000000055 _____ () D:\Victor\Roaming\pcouffin.log
2016-03-19 22:17 - 2016-03-19 22:17 - 000082816 _____ (VSO Software) D:\Victor\Roaming\pcouffin.sys
2016-03-13 23:48 - 2016-03-13 23:48 - 000115236 _____ () C:\Users\Victor\AppData\Local\ars.cache
2016-03-13 23:48 - 2016-03-13 23:48 - 000317054 _____ () C:\Users\Victor\AppData\Local\census.cache
2016-03-13 23:43 - 2016-03-13 23:43 - 000000036 _____ () C:\Users\Victor\AppData\Local\housecall.guid.cache
2016-03-25 01:28 - 2016-05-04 00:06 - 000000600 _____ () C:\Users\Victor\AppData\Local\PUTTY.RND
2017-12-28 22:46 - 2017-12-28 22:46 - 000014110 _____ () C:\Users\Victor\AppData\Local\recently-used.xbel
2016-01-22 01:43 - 2016-01-22 01:43 - 000007606 _____ () C:\Users\Victor\AppData\Local\Resmon.ResmonCfg
2017-04-30 00:37 - 2017-12-30 01:14 - 011868160 _____ () C:\Users\Victor\AppData\Local\SageThumbs.db3
2016-03-13 23:49 - 2016-03-13 23:49 - 000000010 _____ () C:\Users\Victor\AppData\Local\sponge.last.runtime.cache
C:\Windows\SysWOW64\dxconfig.exe
2016-10-07 23:26 - 2016-10-07 23:26 - 000064512 _____ () C:\WINDOWS\SysWOW64\dxconfig.exe
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[acuvic 0]

Hi Kevin

I ran FRST64 with the fixlist.txt and have enclosed Fixlog.txt (attached)

I read the log file and in the result section, saw lines 3 to 7 said that five files "=> not found". However, I can still see them as screenshot below

If I've got the wrong end of the stick, sorry please ignore my comment!

Fixlog.txt

[Kevin Zoll 309]

The are most likely hidden from most third-party applicaitons and that's OK. The time stamps on those files looks to be correct and the system will recreate them after they have been deleted.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

 

[acuvic 0]

 

Here they are attached

scan_180103-211350.txt

FRST.txt

[Kevin Zoll 309]

Other than the Simplitec folder, I see no malware in your logs.  Since the Simplitec folder is empty, it is benign, go ahead and whitelist the folder.

[acuvic 0]

Thanks for your help, Kevin. I assume we have now closed the case and the post?

[Kevin Zoll 309]

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

• Ensure Remove disinfection tools is checked.
• Also place a checkmark next to:
  
  • Create registry backup
  • Purge system restore
    
• Click the Run button.
  

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To Remove EEK simple delete the EEK for in the of your System Drive, normally C:\EEK

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!

[acuvic 0]

DelFix run and all is well.

Again thanks Kevin - you're a great resource.

[Kevin Zoll 309]

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.