Posted October 6, 2017 FPCH Staff
Another case where someone let a scammer in on Oct 3. I found that Supremo, GoToAssist, and GoToOpener were installed. I uninstalled GoToOpener and Go To Assist. There is no entry for Supremo in Programs and Features. It's still showing up in

R2 SupremoService; C:\Program Files (x86)\Supremo\SupremoService.exe [2101832 2017-10-03] (Nanosystems S.r.l.)

These are still showing up in the FRST scan:

2017-10-03 15:31 - 2017-10-03 15:31 - 000007605 _____ C:\Users\Joe\AppData\Local\Resmon.ResmonCfg
2017-10-03 15:22 - 2017-10-03 15:22 - 000064024 _____ C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
2017-10-03 15:11 - 2017-10-06 09:50 - 000000000 ____D C:\Program Files (x86)\Citrix
2017-10-03 15:11 - 2017-10-03 15:11 - 000000000 ____D C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer
2017-10-03 15:10 - 2017-10-03 15:10 - 000000000 ____D C:\Program Files (x86)\Supremo
2017-10-03 15:08 - 2017-10-06 09:35 - 000000000 ____D C:\ProgramData\SupremoRemoteDesktop

Can I just delete the associated files? Actually, a nice FRST fix script would be really appreciated.

Attachments: FRST.txt, Addition.txt, MBAM scan.txt
October 6, 2017
Hi Tony, As there are some related processes and services for Supremo showing in the reports, a proper fix would be better. The fix will stop and remove the processes and services in the correct manner. Have just got in from work, so give me time to get cleaned up and then I'll go through the reports properly. Back soon.
October 6, 2017 Author FPCH Staff
Thanks, I have to leave for a couple of hours. I can't even End Process for Supremo. I get Access Denied when I try.
October 6, 2017
Hi Tony, Ok here goes.

Step 1

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

A little over the top there. At least disable Windows Defender.

Step 2

Copy the script within the quote box below (make sure that you include Start:: and End:: as these are the clipboard notifiers).

Start::
CloseProcesses:
(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\SupremoService.exe
(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\Supremo.exe
R2 SupremoService; C:\Program Files (x86)\Supremo\SupremoService.exe [2101832 2017-10-03] (Nanosystems S.r.l.)
2017-10-03 15:11 - 2017-10-06 09:50 - 000000000 ____D C:\Program Files (x86)\Citrix
2017-10-03 15:11 - 2017-10-03 15:11 - 000000000 ____D C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer
2017-10-03 15:10 - 2017-10-03 15:10 - 000000000 ____D C:\Program Files (x86)\Supremo
2017-10-03 15:08 - 2017-10-06 09:35 - 000000000 ____D C:\ProgramData\SupremoRemoteDesktop
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait. The tool will make a log in the same directory that FRST is run from (Fixlog.txt). Please post this in your next reply.

Step 3

Java 8 Update 144
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older Java components and update:

Download the latest version of Java SE 9 and save it to your desktop.
Scroll down to where it says "Java SE 9".
Click the "Download JRE" button.
Accept the license agreement.
Select Windows x64 offline from the list.
Save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the downloaded icon to install the newest version.

In your next reply, please submit:
Fixlog.txt

Thanks.
October 6, 2017 Author FPCH Staff
I'll shut down MBAM from starting with Windows. Just installed that for completeness in this thread. I thought EAM would have shut down Defender. Here's the log.

Fix result of Farbar Recovery Scan Tool (x64) Version: 03-10-2017 01
Ran by Joe (06-10-2017 15:18:37) Run:1
Running from C:\Users\Joe\Desktop
Loaded Profiles: Joe (Available Profiles: Joe & admin)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\SupremoService.exe
(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\Supremo.exe
R2 SupremoService; C:\Program Files (x86)\Supremo\SupremoService.exe [2101832 2017-10-03] (Nanosystems S.r.l.)
2017-10-03 15:11 - 2017-10-06 09:50 - 000000000 ____D C:\Program Files (x86)\Citrix
2017-10-03 15:11 - 2017-10-03 15:11 - 000000000 ____D C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer
2017-10-03 15:10 - 2017-10-03 15:10 - 000000000 ____D C:\Program Files (x86)\Supremo
2017-10-03 15:08 - 2017-10-06 09:35 - 000000000 ____D C:\ProgramData\SupremoRemoteDesktop
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
*****************

Processes closed successfully.
C:\Program Files (x86)\Supremo\SupremoService.exe => No running process found
C:\Program Files (x86)\Supremo\Supremo.exe => No running process found
HKLM\System\CurrentControlSet\Services\SupremoService => key removed successfully
SupremoService => service removed successfully
C:\Program Files (x86)\Citrix => moved successfully
C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer => moved successfully
C:\Program Files (x86)\Supremo => moved successfully
C:\ProgramData\SupremoRemoteDesktop => moved successfully

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
=========== EmptyTemp: ==========
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 4871225 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 119749967 B
Edge => 0 B
Chrome => 317895486 B
Firefox => 27519310 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 16802 B
systemprofile32 => 69922 B
LocalService => 16674 B
NetworkService => 7666 B
jason => 157325651 B
Joe => 40064719 B
Administrator.MLLOY204-14H => 176632378 B
RecycleBin => 0 B
EmptyTemp: => 813.1 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 15:19:05 ====
October 6, 2017
I'd recommend running a scan with Emsisoft AntiMalware as a double check on everything now.
October 6, 2017 Author FPCH Staff
I did an EAM scan earlier today. It came back clean. I've disabled Windows Defender's Real-Time protection. I've disabled MBAM from starting with Windows.

On the Java: I've been using www.java.com/verify to ensure the latest version is installed and older versions are removed. Using that link, it says You have the recommended Java installed - Ver 8/144. How is this SE 9 different? Shouldn't the Java/verify link inform me that the SE 9 is needed? Curious
October 6, 2017
Quote: "I did an EAM scan earlier today. It came back clean."
Nice one.

Quote: "On the Java: I've been using www.java.com/verify to ensure the latest version is installed and older versions are removed. Using that link, it says You have the recommended Java installed - Ver 8/144."
I've given up using the 'verify' .... it never seems to be up to date. If Java 9 is on the download page, it must be the latest download version. I always link to the latest version here: https://freepchelp.forum/t/204538/
October 6, 2017 Author FPCH Staff
How about that! The Verify page is showing 8/144, not version 9. Programs and Features now showing Java 9 (64-bit) installed.
October 6, 2017 Author FPCH Staff
What do you think about these two that were created about the same time as the others. Should I delete them also?

2017-10-03 15:31 - 2017-10-03 15:31 - 000007605 _____ C:\Users\Joe\AppData\Local\Resmon.ResmonCfg
2017-10-03 15:22 - 2017-10-03 15:22 - 000064024 _____ C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
October 6, 2017
They can stay. They're legit Microsoft files ...... associated with Microsoft Windows developed by Microsoft Corporation for the Windows Operating System. They show as being created on that date because the removed programs used these to complete their install.
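The triage this thread does by hand (reading the FRST lines in the opening post, picking out the remote-support remnants for the Step 2 fixlist, and recognising that the two same-timestamp cache files above are legitimate) can be scripted so the timestamp correlation is not the only signal. The Python below is an added example written for this page; it is not part of the thread and not FRST's own code. The remote-tool marker list, the benign-file list, the two-hour window, the 15:00 incident time and the last sample line (an unrelated folder from two weeks earlier) are assumptions constructed for the demonstration; the other sample lines are copied from the thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# FRST "One Month Created" line: <created> - <modified> - <size> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?P<path>.+?)\s*$"
)
# FRST service line: R2 Name; <path> [<size> <date>] (<vendor>)
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)\s*$"
)

# Assumed list: path fragments of the remote-support tools named in the thread.
REMOTE_TOOL_MARKERS = ("supremo", "gotoassist", "gotoopener", "citrix")
# Assumed list: caches the helper identified as legitimate and rebuilt on reboot.
KNOWN_BENIGN = ("gdipfontcachev1.dat", "resmon.resmoncfg")

# Constructed sample: the first seven lines are copied from the thread; the
# last one is an invented, unrelated folder created two weeks earlier.
SAMPLE_FRST = r"""
R2 SupremoService; C:\Program Files (x86)\Supremo\SupremoService.exe [2101832 2017-10-03] (Nanosystems S.r.l.)
2017-10-03 15:31 - 2017-10-03 15:31 - 000007605 _____ C:\Users\Joe\AppData\Local\Resmon.ResmonCfg
2017-10-03 15:22 - 2017-10-03 15:22 - 000064024 _____ C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
2017-10-03 15:11 - 2017-10-06 09:50 - 000000000 ____D C:\Program Files (x86)\Citrix
2017-10-03 15:11 - 2017-10-03 15:11 - 000000000 ____D C:\Users\Joe\AppData\Local\GoToAssist Remote Support Customer
2017-10-03 15:10 - 2017-10-03 15:10 - 000000000 ____D C:\Program Files (x86)\Supremo
2017-10-03 15:08 - 2017-10-06 09:35 - 000000000 ____D C:\ProgramData\SupremoRemoteDesktop
2017-09-20 10:02 - 2017-09-20 10:02 - 000000000 ____D C:\Users\Joe\AppData\Local\Packages
""".strip().splitlines()
# The thread gives the day (Oct 3); the time of day is an assumption.
INCIDENT_START = datetime(2017, 10, 3, 15, 0)


@dataclass
class Entry:
    line: str
    kind: str           # "file", "dir" or "service"
    created: datetime
    path: str
    verdict: str = ""


def parse_line(line):
    """Parse one FRST report line; return an Entry, or None for any other line."""
    m = FILE_LINE.match(line)
    if m:
        kind = "dir" if m["attrs"].endswith("D") else "file"
        created = datetime.strptime(m["created"], "%Y-%m-%d %H:%M")
        return Entry(line.strip(), kind, created, m["path"])
    m = SERVICE_LINE.match(line)
    if m:
        # Service lines carry only the binary's date, not a time of day.
        return Entry(line.strip(), "service", datetime.strptime(m["date"], "%Y-%m-%d"), m["path"])
    return None


def triage(lines, incident_start, window=timedelta(hours=2)):
    """Classify every parsable line as remove / keep / review / ignore."""
    entries = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        lower = e.path.lower()
        same_day = e.created.date() == incident_start.date()
        if e.kind == "service":
            in_window = same_day      # day granularity is all we have
        else:
            in_window = incident_start <= e.created <= incident_start + window
        tool = any(marker in lower for marker in REMOTE_TOOL_MARKERS)
        if tool and in_window:
            e.verdict = "remove"      # remote-support remnant from the incident
        elif tool:
            e.verdict = "review"      # same tool, but it predates the incident
        elif lower.endswith(KNOWN_BENIGN):
            e.verdict = "keep"        # Windows cache, rebuilt on reboot
        elif in_window:
            e.verdict = "review"      # unknown item in the window: look, don't delete
        else:
            e.verdict = "ignore"
        entries.append(e)
    return entries


def build_fixlist(entries, processes=()):
    """Emit an FRST fixlist in the Start::/End:: form used in the thread."""
    body = ["Start::", "CloseProcesses:", *processes]
    body += [e.line for e in entries if e.verdict == "remove"]
    body += ["CMD: ipconfig /flushdns", "Hosts:", "EmptyTemp:", "End::"]
    return "\n".join(body)


def triage_sample():
    return triage(SAMPLE_FRST, INCIDENT_START)


if __name__ == "__main__":
    result = triage_sample()
    for e in result:
        print(f"{e.verdict:7} {e.kind:8} {e.path}")
    print(build_fixlist(result, processes=[
        r"(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\SupremoService.exe",
        r"(Nanosystems S.r.l.) C:\Program Files (x86)\Supremo\Supremo.exe",
    ]))
```

On the sample, the service line and the four Supremo/GoToAssist/Citrix directories come out as "remove", Resmon.ResmonCfg and GDIPFONTCACHEV1.DAT as "keep", and the older Packages folder as "ignore". The point of the ordering is that nothing gets a "remove" verdict on timing alone: an unknown file created in the window is only flagged for review, which is the same judgement the helper made above.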
October 6, 2017 Author FPCH Staff
See ... that's why you're the expert. I might have removed them.
October 6, 2017
Quote: "that's why you're the expert. I might have removed them."
If you had removed them .... it wouldn't have caused any problems. Those files would have been re-created when you rebooted the system.