acuvic (posted December 27, 2017):

Hello, hope you can help me. When I scan my PC with Emsisoft AntiMalware (installed in the PC) "C:\ProgramData\simplitec" is flagged up as an infection. I select to delete this folder but it reappears on next power-up. This problem has been reported on this forum before and I'd like help to decide if this is a genuine infection. And if so, how to get rid of it.

Thanks.
Victor

Attachments: FRST.txt, scan_171227-021824.txt, Addition.txt

Kevin Zoll (posted December 28, 2017):

Hi Victor,

There is a good chance that the Simplitec folder is empty.

Please download SystemLook (x64) http://jpshortstuff.247fixes.com/SystemLook_x64.exe and save it to your desktop.
Double-click SystemLook_X64.exe to run it.
Copy the content of the following codebox into the main textfield:

    :dir
    C:\ProgramData\simplitec /s /md5
    C:\Users\All Users\simplitec /s /md5

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Download fixlist.txt from https://ufile.io/sclsg to your Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
Note: If the tool warns you about an outdated version please download and run the updated version.

acuvic (posted December 28, 2017):

Hi Kevin, thanks for your help. But the link http://jpshortstuff.247fixes.com/SystemLook_x64.exe leads to a 404 page for me. Should I hold fire on running FRST64 with the Fixlist? Or run it anyway?

Kevin Zoll (posted December 29, 2017):

Use this link http://images.malwareremoval.com/jpshortstuff/SystemLook_x64.exe

acuvic (posted December 29, 2017):

Kevin, here are the log files.

Attachments: Fixlog.txt, SystemLook.txt

Kevin Zoll (posted December 30, 2017):

The folder C:\ProgramData\simplitec is empty. Since it contains no files, it poses no threat. You can whitelist the detection.

Run a fresh scan with FRST, attach the new FRST scan reports to your reply.

acuvic (posted December 30, 2017):

Thanks Kevin, appreciate your help. Any idea what keeps creating the simplitec folder at start-up? I'm nervous that an unknown process creates folders, even though it's an empty one.

Anyway, attached are the results of the latest FRST scans.

Attachments: FRST.txt, Addition.txt

Kevin Zoll (posted January 2, 2018):

No idea what may be recreating it or has a lock on the folder.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

    () C:\Windows\SysWOW64\dxconfig.exe
    () C:\Windows\SysWOW64\dxconfig.exe
    2016-03-19 22:17 - 2016-03-19 22:17 - 000099384 _____ () D:\Victor\Roaming\inst.exe
    2016-03-19 22:17 - 2016-03-19 22:17 - 000007859 _____ () D:\Victor\Roaming\pcouffin.cat
    2016-03-19 22:17 - 2016-03-19 22:17 - 000001167 _____ () D:\Victor\Roaming\pcouffin.inf
    2016-03-19 22:17 - 2016-03-19 22:17 - 000000055 _____ () D:\Victor\Roaming\pcouffin.log
    2016-03-19 22:17 - 2016-03-19 22:17 - 000082816 _____ (VSO Software) D:\Victor\Roaming\pcouffin.sys
    2016-03-13 23:48 - 2016-03-13 23:48 - 000115236 _____ () C:\Users\Victor\AppData\Local\ars.cache
    2016-03-13 23:48 - 2016-03-13 23:48 - 000317054 _____ () C:\Users\Victor\AppData\Local\census.cache
    2016-03-13 23:43 - 2016-03-13 23:43 - 000000036 _____ () C:\Users\Victor\AppData\Local\housecall.guid.cache
    2016-03-25 01:28 - 2016-05-04 00:06 - 000000600 _____ () C:\Users\Victor\AppData\Local\PUTTY.RND
    2017-12-28 22:46 - 2017-12-28 22:46 - 000014110 _____ () C:\Users\Victor\AppData\Local\recently-used.xbel
    2016-01-22 01:43 - 2016-01-22 01:43 - 000007606 _____ () C:\Users\Victor\AppData\Local\Resmon.ResmonCfg
    2017-04-30 00:37 - 2017-12-30 01:14 - 011868160 _____ () C:\Users\Victor\AppData\Local\SageThumbs.db3
    2016-03-13 23:49 - 2016-03-13 23:49 - 000000010 _____ () C:\Users\Victor\AppData\Local\sponge.last.runtime.cache
    C:\Windows\SysWOW64\dxconfig.exe
    2016-10-07 23:26 - 2016-10-07 23:26 - 000064512 _____ () C:\WINDOWS\SysWOW64\dxconfig.exe
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
Note: If the tool warns you about an outdated version please download and run the updated version.

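The file-listing lines in the fixlist above follow a fixed layout, so they can be parsed and reviewed before anything is moved. The following is an added example, not part of the original thread and not FRST's own code; the function names and the reading of the two timestamps as created/modified are assumptions, and the sample lines are copied from the post above.

```python
import re
from datetime import datetime

# Layout as seen in the fixlist above (column meanings are an assumption):
#   <created> - <modified> - <size> <attrs> (<company>) <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([A-Z_]+) \(([^)]*)\) (.+)$")
# AlternateDataStreams: <host path>:<stream name> [<size>]
ADS_RE = re.compile(r"^AlternateDataStreams: (.+):([^:\s]+) \[(\d+)\]$")
TS = "%Y-%m-%d %H:%M"

def parse_line(line):
    """Return a dict for one listing line; unknown layouts come back as kind='raw'."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        created, modified, size, attrs, company, path = m.groups()
        return {"kind": "file", "path": path, "size": int(size), "attrs": attrs,
                "company": company or None,
                "created": datetime.strptime(created, TS),
                "modified": datetime.strptime(modified, TS)}
    m = ADS_RE.match(line)
    if m:
        host, stream, size = m.groups()
        return {"kind": "ads", "path": host, "stream": stream, "size": int(size)}
    return {"kind": "raw", "text": line}

def parse_listing(text):
    """Parse every non-blank line of a listing."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def unattributed_binaries(entries, exts=(".exe", ".sys", ".dll")):
    """Paths of executable-type files whose company field is empty."""
    return [e["path"] for e in entries
            if e["kind"] == "file" and e["company"] is None
            and e["path"].lower().endswith(exts)]

# Sample input: lines copied from the fixlist in the post above.
SAMPLE = r"""
() C:\Windows\SysWOW64\dxconfig.exe
2016-03-19 22:17 - 2016-03-19 22:17 - 000099384 _____ () D:\Victor\Roaming\inst.exe
2016-03-19 22:17 - 2016-03-19 22:17 - 000082816 _____ (VSO Software) D:\Victor\Roaming\pcouffin.sys
2016-03-25 01:28 - 2016-05-04 00:06 - 000000600 _____ () C:\Users\Victor\AppData\Local\PUTTY.RND
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
"""

if __name__ == "__main__":
    for entry in parse_listing(SAMPLE):
        print(entry)
    print("review before moving:", unattributed_binaries(parse_listing(SAMPLE)))
```
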
acuvic (posted January 2, 2018):

Hi Kevin,

I ran FRST64 with the fixlist.txt and have enclosed Fixlog.txt (attached).

I read the log file and in the result section, saw lines 3 to 7 said that five files "=> not found". However, I can still see them, as in the screenshot below.

If I've got the wrong end of the stick, sorry, please ignore my comment!

Attachments: Fixlog.txt

Kevin Zoll (posted January 3, 2018):

They are most likely hidden from most third-party applications and that's OK. The time stamps on those files look to be correct and the system will recreate them after they have been deleted.

Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.

acuvic (posted January 3, 2018):

Here they are, attached.

Attachments: scan_180103-211350.txt, FRST.txt

Kevin Zoll (posted January 4, 2018):

Other than the Simplitec folder, I see no malware in your logs. Since the Simplitec folder is empty, it is benign, go ahead and whitelist the folder.

acuvic (posted January 4, 2018):

Thanks for your help, Kevin. I assume we have now closed the case and the post?

Kevin Zoll (posted January 5, 2018):

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.
Ensure Remove disinfection tools is checked.
Also place a checkmark next to:
- Create registry backup
- Purge system restore
Click the Run button.
When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin.
You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.
To remove EEK, simply delete the EEK folder in the root of your System Drive, normally C:\EEK
Run Windows Update and update your Windows Operating System.

Articles to Read:
- How to Protect Your Computer From Malware
- How to keep you and your Windows PC happy
- Web, email, chat, password and kids safety
- How Did I Get Infected?

That should take care of everything.

Safe Surfing!

acuvic (posted January 5, 2018):

DelFix run and all is well. Again thanks Kevin - you're a great resource.

Kevin Zoll (posted January 6, 2018):

Thread Closed
Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.