Scammer got in

Tony D (Super-Moderator, FPCH Staff; joined Jan 18, 2016; SE Pennsylvania, USA)
Another case where someone let a scammer in on Oct 3.

I found that Supremo, GoToAssist, and GoToOpener were installed. I uninstalled GoToOpener and GoToAssist. There is no entry for Supremo in Programs and Features. It's still showing up in
R2 SupremoService; C:\Program Files (x86)\Supremo\SupremoService.exe [2101832 2017-10-03] (Nanosystems S.r.l.)

These are still showing up in the FRST scan:
2017-10-03 15:31 - 2017-10-03 15:31 - 000007605 _____ C:\Users\Joe\AppData\Local\Resmon.ResmonCfg
2017-10-03 15:22 - 2017-10-03 15:22 - 000064024 _____ C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
2017-10-03 15:11 - 2017-10-06 09:50 - 000000000 ____D C:\Program Files (x86)\Citrix
2017-10-03 15:11 - 2017-10-03 15:11 - 000000000 ____D C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer
2017-10-03 15:10 - 2017-10-03 15:10 - 000000000 ____D C:\Program Files (x86)\Supremo
2017-10-03 15:08 - 2017-10-06 09:35 - 000000000 ____D C:\ProgramData\SupremoRemoteDesktop

Can I just delete the associated files? Actually, a nice FRST fix script would be really appreciated.
 


Hi Tony,

As there are some related processes and services for Supremo showing in the reports, a proper fix would be better.
The fix will stop and remove the processes and services in the correct manner.
Have just got in from work, so give me time to get cleaned up and then I'll go through the reports properly.
Back soon.
 
Hi Tony,

Ok here goes.

Step 1
==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
A little over the top there.
At least disable Windows Defender.


Step 2
Copy the script within the quote box below (make sure that you include Start:: and End:: as these are the clipboard notifiers).

Start::
CloseProcesses:
(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\SupremoService.exe
(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\Supremo.exe
R2 SupremoService; C:\Program Files (x86)\Supremo\SupremoService.exe [2101832 2017-10-03] (Nanosystems S.r.l.)
2017-10-03 15:11 - 2017-10-06 09:50 - 000000000 ____D C:\Program Files (x86)\Citrix
2017-10-03 15:11 - 2017-10-03 15:11 - 000000000 ____D C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer
2017-10-03 15:10 - 2017-10-03 15:10 - 000000000 ____D C:\Program Files (x86)\Supremo
2017-10-03 15:08 - 2017-10-06 09:35 - 000000000 ____D C:\ProgramData\SupremoRemoteDesktop
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
End::
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.



The tool will make a log in the same directory that FRST is run from (Fixlog.txt).
Please post this in your next reply.


Step 3
Java 8 Update 144
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE 9 and save it to your desktop.
  • Scroll down to where it says "Java SE 9".
  • Click the "Download JRE " button.
  • Accept the license agreement.
  • Select Windows x64 offline from the list.
  • Save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the downloaded icon to install the newest version.


In your next reply, please submit:
Fixlog.txt



Thanks.
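The following triage helper is an added example for this thread; it is neither forum code nor any part of FRST. It covers the two things above: it parses the scan-line formats Tony quoted (dated file/folder entries, `R2` service entries and `(Publisher) path` process entries), flags each item by a list of remote-support product names and by creation date near the incident, and renders the removable ones in the Start::/End:: layout of the Step 2 script, reusing the report lines verbatim the way FRST expects. The product list, the one-day window and the sample lines are constructed for the demo; a verdict of "review" is exactly the Resmon.ResmonCfg situation, a file created in the window that still needs a person to decide.

```python
"""Triage FRST-style scan lines after a remote-support scam and draft a fixlist.

Added example for this thread; it is neither forum code nor part of FRST.
The product list, the creation-date window and the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Names of remote-support products that turned up in this kind of case (constructed list).
REMOTE_SUPPORT_MARKERS = ("supremo", "gotoassist", "gotoopener", "citrix")

# FRST dated entry: created - modified - size - attribute flags - path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d{9} (?P<attrs>[_A-Z]{5}) (?P<path>.+?)\s*$"
)
# FRST service entry: R2 Name; Path [size date] (Publisher)
SERVICE_LINE = re.compile(
    r"^[RS]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ (?P<created>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<publisher>[^)]*)\)\s*$"
)
# FRST process entry: (Publisher) Path
PROCESS_LINE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Za-z]:\\.+?)\s*$")


@dataclass
class Finding:
    kind: str                # "file", "dir", "service" or "process"
    path: str
    created: Optional[date]  # None for process lines, which carry no date
    verdict: str             # "remove", "review" or "keep"
    reason: str
    raw: str                 # original line, reused verbatim in the fixlist


def classify(path, created, incident_day, window_days):
    """Known product name -> remove; date proximity alone only earns a review."""
    low = path.lower()
    hit = next((m for m in REMOTE_SUPPORT_MARKERS if m in low), None)
    if hit:
        return "remove", f"matches remote-support product '{hit}'"
    if created is not None and abs((created - incident_day).days) <= window_days:
        return "review", "created in the incident window; not a known product, check by hand"
    return "keep", "no indicator"


def parse_line(line, incident_day, window_days=1):
    """Parse one FRST line into a Finding, or None if the format is not recognised."""
    incident = date.fromisoformat(incident_day) if isinstance(incident_day, str) else incident_day
    line = line.replace("\u200b", "").strip()   # forum software adds zero-width spaces
    m = SERVICE_LINE.match(line)
    if m:
        created = date.fromisoformat(m["created"])
        verdict, reason = classify(m["path"], created, incident, window_days)
        return Finding("service", m["path"], created, verdict, reason, line)
    m = FILE_LINE.match(line)
    if m:
        created = date.fromisoformat(m["created"])
        kind = "dir" if "D" in m["attrs"] else "file"
        verdict, reason = classify(m["path"], created, incident, window_days)
        return Finding(kind, m["path"], created, verdict, reason, line)
    m = PROCESS_LINE.match(line)
    if m:
        verdict, reason = classify(m["path"], None, incident, window_days)
        return Finding("process", m["path"], None, verdict, reason, line)
    return None


def triage(scan_lines, incident_day, window_days=1):
    """Return the recognised lines as Findings, in input order."""
    found = (parse_line(l, incident_day, window_days) for l in scan_lines)
    return [f for f in found if f is not None]


def build_fixlist(findings):
    """Render the 'remove' findings in the Start::/End:: layout used in Step 2."""
    removable = [f for f in findings if f.verdict == "remove"]
    lines = ["Start::", "CloseProcesses:"]   # directive taken from the thread's script
    lines += [f.raw for f in removable if f.kind == "process"]
    lines += [f.raw for f in removable if f.kind != "process"]
    lines += ["CMD: ipconfig /flushdns", "Hosts:", "EmptyTemp:", "End::"]
    return "\n".join(lines)


# Constructed sample: the thread's own lines plus one unrelated folder from weeks earlier.
SAMPLE_SCAN = [
    r"(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\SupremoService.exe",
    r"R2 SupremoService; C:\Program Files (x86)\Supremo\SupremoService.exe [2101832 2017-10-03] (Nanosystems S.r.l.)",
    r"2017-10-03 15:31 - 2017-10-03 15:31 - 000007605 _____ C:\Users\Joe\AppData\Local\Resmon.ResmonCfg",
    r"2017-10-03 15:11 - 2017-10-06 09:50 - 000000000 ____D C:\Program Files (x86)\Citrix",
    r"2017-10-03 15:11 - 2017-10-03 15:11 - 000000000 ____D C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer",
    r"2017-10-03 15:08 - 2017-10-06 09:35 - 000000000 ____D C:\ProgramData\SupremoRemoteDesktop",
    r"2017-09-20 10:00 - 2017-09-20 10:00 - 000000000 ____D C:\Users\Joe\AppData\Local\Unrelated",
]

if __name__ == "__main__":
    findings = triage(SAMPLE_SCAN, "2017-10-03")
    for f in findings:
        print(f"{f.verdict:6} {f.kind:7} {f.path}  ({f.reason})")
    print()
    print(build_fixlist(findings))
```

Run it with the incident date as the argument to `triage`; the printed fixlist contains only the product-matched entries, while the Resmon line comes out as "review" so it is never dropped into a fix script on date alone. The marker list is deliberately plain substring matching on the path, which is enough for the install folders these tools create but will not catch a renamed binary; the dated-entry regex accepts any five-character FRST attribute field, so entries marked hidden or system are parsed the same way.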
 
I'll shut down MBAM from starting with Windows. Just installed that for completeness in this thread. I thought EAM would have shut down Defender. Here's the log.

Fix result of Farbar Recovery Scan Tool (x64) Version: 03-10-2017 01
Ran by Joe (06-10-2017 15:18:37) Run:1
Running from C:\Users\Joe\Desktop
Loaded Profiles: Joe (Available Profiles: Joe & admin)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\SupremoService.exe
(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\Supremo.exe
R2 SupremoService; C:\Program Files (x86)\Supremo\SupremoService.exe [2101832 2017-10-03] (Nanosystems S.r.l.)
2017-10-03 15:11 - 2017-10-06 09:50 - 000000000 ____D C:\Program Files (x86)\Citrix
2017-10-03 15:11 - 2017-10-03 15:11 - 000000000 ____D C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer
2017-10-03 15:10 - 2017-10-03 15:10 - 000000000 ____D C:\Program Files (x86)\Supremo
2017-10-03 15:08 - 2017-10-06 09:35 - 000000000 ____D C:\ProgramData\SupremoRemoteDesktop
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:

*****************

Processes closed successfully.
C:\Program Files (x86)\Supremo\SupremoService.exe => No running process found
C:\Program Files (x86)\Supremo\Supremo.exe => No running process found
HKLM\System\CurrentControlSet\Services\SupremoService => key removed successfully
SupremoService => service removed successfully
C:\Program Files (x86)\Citrix => moved successfully
C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer => moved successfully
C:\Program Files (x86)\Supremo => moved successfully
C:\ProgramData\SupremoRemoteDesktop => moved successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 4871225 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 119749967 B
Edge => 0 B
Chrome => 317895486 B
Firefox => 27519310 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 16802 B
systemprofile32 => 69922 B
LocalService => 16674 B
NetworkService => 7666 B
jason => 157325651 B
Joe => 40064719 B
Administrator.MLLOY204-14H => 176632378 B

RecycleBin => 0 B
EmptyTemp: => 813.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 15:19:05 ====
 
I did an EAM scan earlier today. It came back clean.

I've disabled Windows Defender's Real-Time protection.
I've disabled MBAM from starting with Windows.

On the Java: I've been using www.java.com/verify to ensure the latest version is installed and older versions are removed. Using that link, it says You have the recommended Java installed - Ver 8/144.

How is this SE 9 different?
Shouldn't the Java/verify link inform me that the SE 9 is needed?

Curious
 
I did an EAM scan earlier today. It came back clean.
Nice one.

On the Java: I've been using www.java.com/verify to ensure the latest version is installed and older versions are removed. Using that link, it says You have the recommended Java installed - Ver 8/144.
I've given up using the 'verify' .... it never seems to be up to date.
If Java 9 is on the download page, it must be the latest download version.

I always link to the latest version here:
https://freepchelp.forum/t/204538/
 
What do you think about these two that were created about the same time as the others. Should I delete them also?

2017-10-03 15:31 - 2017-10-03 15:31 - 000007605 _____ C:\Users\Joe\AppData\Local\Resmon.ResmonCfg
2017-10-03 15:22 - 2017-10-03 15:22 - 000064024 _____ C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
 
They can stay.
They're legit Microsoft files ...... associated with Microsoft Windows developed by Microsoft Corporation for the Windows Operating System.
They show as being created on that date because the removed programs used these to complete their install.
 
That's why you're the expert. I might have removed them.
If you had removed them .... it wouldn't have caused any problems.
Those files would have been re-created when you rebooted the system.
 