
Hello, I'm new here. Just registered because I hope for some help regarding the title issue. I'd like to mention that for the last two days since detection I have searched the entire web for related topics. There was for example the Google Chrome preferences issue, which can be solved along a guide (setting back the Sync): not in my case, or in other words, it is briefly not my case. Description as follows.

- Malwarebytes (Premium trial phase) does not find anything.

- AdwCleaner 8.0.7 (Malwarebytes) always finds Spyware.Socelars. This happens after quarantine, removal and system restart: just when re-running AdwCleaner, it detects the item again. I did this "routine" now for two days.

In between ...

- Diverse other adware and antivirus tools applied (e.g. RogueKiller and others, which I installed just for this purpose).

All those do not find Spyware.Socelars (there were e.g. some more or less harmless PUPs, which went into quarantine).

- Thus the PC is apparently very clean now, except for this specific trojan, which is only found by AdwCleaner.

- In the meantime, I'm back to solely using Windows Defender (formerly also Avira), Malwarebytes and AdwCleaner as the corresponding tools (plus BleachBit, since I removed CCleaner, just in case and for specific application).

The AdwCleaner log (this is just one of the many, which I saved separately):

# -------------------------------
# Malwarebytes AdwCleaner 8.0.7.0
# -------------------------------
# Build:    07-22-2020
# Database: 2020-07-20.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    09-02-2020
# Duration: 00:00:01
# OS:       Windows 7 Professional
# Cleaned:  1
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKLM\System\CurrentControlSet\Services\EventLog\Application\WinService

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Prefetch
[+] Delete Tracing Keys
[+] Reset Chromium Policies
[+] Reset IE Policies
[+] Reset Proxy Settings
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [5156 octets] - [01/09/2020 16:47:17]
AdwCleaner[C00].txt - [4688 octets] - [01/09/2020 16:48:11]
AdwCleaner[S01].txt - [1601 octets] - [01/09/2020 16:54:34]
AdwCleaner[C01].txt - [1771 octets] - [01/09/2020 16:54:46]
AdwCleaner[S02].txt - [1723 octets] - [01/09/2020 17:04:28]
AdwCleaner[C02].txt - [1893 octets] - [01/09/2020 17:04:41]
AdwCleaner[S03].txt - [1845 octets] - [01/09/2020 17:12:37]
AdwCleaner[C03].txt - [2015 octets] - [01/09/2020 17:12:44]
AdwCleaner[S04].txt - [1967 octets] - [01/09/2020 21:13:49]
AdwCleaner[C04].txt - [2137 octets] - [01/09/2020 21:15:09]
AdwCleaner[S05].txt - [2089 octets] - [01/09/2020 21:26:22]
AdwCleaner[S06].txt - [2150 octets] - [01/09/2020 22:48:36]
AdwCleaner[C06].txt - [2320 octets] - [01/09/2020 22:48:55]
AdwCleaner[S07].txt - [2272 octets] - [01/09/2020 22:50:57]
AdwCleaner[S08].txt - [2333 octets] - [02/09/2020 01:22:02]
AdwCleaner[C08].txt - [2503 octets] - [02/09/2020 01:22:13]
AdwCleaner[S09].txt - [2455 octets] - [02/09/2020 01:23:31]
AdwCleaner[S10].txt - [2516 octets] - [02/09/2020 03:06:58]
AdwCleaner[C10].txt - [2686 octets] - [02/09/2020 03:08:48]
AdwCleaner[S11].txt - [2638 octets] - [02/09/2020 05:09:40]
AdwCleaner[C11].txt - [2808 octets] - [02/09/2020 05:10:09]
AdwCleaner[S12].txt - [2760 octets] - [02/09/2020 05:11:53]
AdwCleaner[S13].txt - [2821 octets] - [02/09/2020 15:43:26]
AdwCleaner[C13].txt - [2991 octets] - [02/09/2020 15:43:38]
AdwCleaner[S14].txt - [2943 octets] - [02/09/2020 15:45:05]
AdwCleaner[S15].txt - [3004 octets] - [02/09/2020 16:15:22]
AdwCleaner[C15].txt - [3174 octets] - [02/09/2020 16:15:33]
AdwCleaner[S16].txt - [3126 octets] - [02/09/2020 16:34:06]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C16].txt ##########

As one can see, the trojan sits in

***** [ Registry ] *****

Deleted       HKLM\System\CurrentControlSet\Services\EventLog\Application\WinService

---

I also tried a registry fix, which I found on the BleepingComputer forums, with a fixing file for that registry line. To no avail.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\WinService]

That guy from BleepingComputer, however, had the Google Chrome issue: in the end, the corresponding guide helped him to solve the identical registry trojan.

---

I'm a Firefox user (for many, many years; I'm also using adblockers, Do Not Track, etc.).

But I thought, "okay, I had Chrome on the PC for a while (no Google account), I shall go through the guide to try my luck". Briefly did that, including creating a Google account. To no avail. In the meantime, Chrome is uninstalled.

---

Also, certain other programs are uninstalled to try my luck, in case that would help. To no avail. Some are replaced by newest/fresh installs (e.g. 7-Zip).

Otherwise, Windows gets updates automatically, as well as other programs and drivers.

---

I already ask myself: is Spyware.Socelars possibly a false positive with AdwCleaner specifically?

Because why does normal Malwarebytes not find that infection, and all other scanners don't find it as well?

Only AdwCleaner? Looks somewhat suspicious to me (in the meantime at least, lol ... just to mention it ;) ).

Note, the infection is on an older PC (a good old Dell Latitude business laptop with Win 7 Pro, but always updated).

A newer Win 10 desktop PC, which I use in parallel, and imo. for much more apparently "dangerous" surfing in the net, is free of any infections (also no finding of Spyware.Socelars with AdwCleaner; I applied the same tools/routines there).

---

Are there random other users here with similar or even the same experience?

And/or can anyone give brief hints to help solve the issue?


Hello Maurice, thanks for stopping by to help me! My name is Michael, from Germany.

Here I attach FRST.txt and Addition.txt (it's in German, I hope that doesn't matter, as the log lines are default anyway? ... otherwise, I will run it again with the "English" addition in the exe).

All "Exceptions" have been disabled, so the log should be complete.

I'll wait then for you to tell me the next steps (fix list?).

FRST.txt Addition.txt


Hello Michael. Thanks for the reports. There is a definite set of settings here that need the first focus. This is only a starter step.

Please read all of these lines first so that it is all clear to you about our plan. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Double-click on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.


Hello Michael.

Thanks for running the MBAR tool. The tagged registry line HKLM\System\CurrentControlSet\Services\EventLog\Application\WinService

has no payload. This registry line cannot do anything. It will be removed by the script here. There is no need to run AdwCleaner any further.

While that line ought not to be around, it nevertheless has no "danger" or payload.

.

This system does need cleanups. There are a large number of settings shown to "disallow" a bunch of certificates, and the Winsock needs rebuilding.

This custom script will also run the Windows System File Checker app.

 

The system will be rebooted after the script has run.

.

This custom script is for Miwu only / for this machine only.

Close and save any open work files before starting this procedure.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Desktop folder.

The tool named FRST64.exe is already in the Downloads folder.
Start the Windows Explorer and then go to the Desktop folder.

RIGHT-click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

On the FRST window:
Click the Fix button just once, and wait.


PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

We will do more after this round.

Sincerely.

Fixlist.txt
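As an added check that is not part of this thread (and not Maurice's fix script), the PowerShell snippet below inspects the event-source key flagged by AdwCleaner and reports what it actually contains: whether it carries any values at all, whether a message-file value points to a file that exists, whether a same-named service key exists, and whether anything has ever logged events under that source. The key path is the one quoted from the AdwCleaner log; the value names EventMessageFile, CategoryMessageFile, ParameterMessageFile, TypesSupported and CategoryCount are the standard ones Windows uses for an event source, and the service key path is an assumption used only to look for a registrant.

```powershell
# Added example: inspect the event-log source key flagged in the AdwCleaner log.
# Run in an elevated Windows PowerShell session; read-only, nothing is changed.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\WinService'

if (-not (Test-Path $key)) {
    Write-Output "Key not present: $key"
    return
}

$props = Get-ItemProperty -Path $key
# Standard value names for an event source; anything else is worth a closer look.
$known  = 'EventMessageFile', 'CategoryMessageFile', 'ParameterMessageFile',
          'TypesSupported', 'CategoryCount'
# Get-ItemProperty adds PS* metadata properties; keep only the real registry values.
$values = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

if (-not $values) {
    Write-Output "Key exists but holds no values (empty leftover registration)."
}
foreach ($v in $values) {
    $flag = if ($known -contains $v.Name) { '' } else { '  <- non-standard value' }
    Write-Output ("{0} = {1}{2}" -f $v.Name, $v.Value, $flag)
}

# For each message-file value, check whether the referenced DLL/EXE exists.
# A present file names the program that registered the source; a missing file
# means the source is a dangling registration that can only yield unresolved text.
foreach ($name in 'EventMessageFile', 'CategoryMessageFile', 'ParameterMessageFile') {
    $path = $props.$name
    if ($path) {
        foreach ($p in ($path -split ';')) {
            $expanded = [Environment]::ExpandEnvironmentVariables($p)
            $state = if (Test-Path $expanded) { 'present' } else { 'MISSING' }
            Write-Output ("  {0}: {1} ({2})" -f $name, $expanded, $state)
        }
    }
}

# Assumed location of a same-named service; if it exists, that service is the
# likely registrant re-creating the source at each start.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinService'
$svcState = if (Test-Path $svc) { 'present' } else { 'absent' }
Write-Output ("Service key {0}: {1}" -f $svc, $svcState)

# Most recent Application-log events written under this source, if any exist.
Get-EventLog -LogName Application -Source WinService -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID, Message
```

If the key has no values, no message file and no events, it is an inert registration, which is consistent with the assessment given above; if a message file is present, the file's owner is the program to look at for why the key keeps coming back.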


Thank you for the report. I would like for you to do 2 scans.

[ 1 ]

Do one new scan with Malwarebytes for Windows. Let me know the result of that run.

[ 2 ]

Please disconnect any USB or external drives (if any) from the computer before you run this scan!

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own (if any).

Double-click RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click the Scan button.

Next, on the Quick scan pane, click on the Start button to proceed.

.

Upon completion, a browser window may open. Close this window.

Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.

Sincerely.


Those are very good results.

Let's do a different scan with a scan tool from Kaspersky.

Please download the following scanner from Kaspersky and save it to your computer: TDSSKiller

Then watch the following video on how to use the tool:

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found, please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning, make sure to re-enable your other security applications.

Sincerely.


53 minutes ago, miwu said:

... but I forgot to disable MWB and Windows Defender previously. Is this a big mistake? If so, should I re-run with disabled security apps?

No. That is ok. TDSSKILLER reports no malicious items.

How is the system now? Is there anything else that you need at this point?

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.
Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

If Windows' SmartScreen blocks that with a message window, then
click on the MORE INFO spot and override that and allow it to proceed.
This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


1 hour ago, Maurice Naggar said:

How is the system now? Is there anything else that you need at this point?

Tons of thanks for the process so far.

System runs well, no hiccups. Though I do not see a difference to the pre-process state, as far as I can tell now.

Yes, just if you have one: an idea why AdwCleaner finds the corresponding registry "infection" (which after all was the reason for the process here).

AdwCleaner still finds that "threat" after every system restart and re-running AdwCleaner. Is it a kind of AdwCleaner-specific false positive?

But it seems it is tied to my system alone and in parallel there is no way to get rid of it, and thus it is still a strange occurrence, which makes me a tad uneasy (but I trust your expertise, as you said: no threat at all).

--

Will do the Security Check now.


I hope we do not get 'stuck' or obsessed about the one item tagged by AdwCleaner. It is not a false positive. It is NOT a real threat since that one line cannot do any harm.

Let's ignore it please. I do not know why, I am sorry to say, it still shows up. But we have tried to get rid of it several times. It re-appears.

There is not much else I can do for you on that. It does not pose a threat. It does nothing. We need to get past that.

.

These need your attention:

LibreOffice 5.3.6.1 v.5.3.6.1 Warning! Download Update

Mozilla Thunderbird 68.12.0 (x86 de) v.68.12.0 Warning! Download Update

With that noted, we should wrap up this case.

To remove the FRST tool & its work files, do this. Go to your Desktop folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe.
Then run that (double-click on it) to begin the cleanup process.

 

You can delete TDSSKILLER.exe

Delete Roguekillerx64

Delete MBAR.exe

Delete the folder \MBAR

Delete Securitycheck.exe

 

Sincerely.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for tips to help protect from infection.

Thank you
