Problem, Maybe?

Nov 17, 2019
11,344
6,750
136
Searched for Tuya Desktop to be able to control smart switches. I use it on mobile devices and it's OK.

Found a website with all the right information so went to download. Installer offered AVG which I denied and something called Alructisit which I also denied. But they both tried to install. I was able to cancel AVG, but not this other thing:

AlructisitApplication

I find the folder under Program Files (x86), but I can't delete it or the files inside it, which include an .exe and a .dll -- I get the message "file in use", but I can't see which file or where it is.

It tries to run a Service (AlructisitService) which I can terminate, but it just tries again and again. When it does, it hogs CPU time and slows everything else down. Microsoft Security Essentials isn't griping even after a manual quick scan.

In Services, I see it's Started, but under Properties, all of the options are greyed out.

I disconnected from the web ISP and it stopped trying to run the process.

I can't remember how to block a program from accessing the web under Windows Firewall.
MalwareBytes found some adware and quarantined it, so I just popped the web connection back to active to post this while I see if it tries again.
Nov 17, 2019
So far it hasn't tried again. This is part of what Malwarebytes found and quarantined:

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.PremierOpinion, C:\PROGRAM FILES (X86)\PREMIEROPINION, Delete-on-Reboot, 1630, 729333, 1.0.85475, , ame, , ,

File: 3
Adware.PremierOpinion, C:\Program Files (x86)\PremierOpinion\pmropn.exe, Delete-on-Reboot, 1630, 729333, , , , , F27F98C1A877F9CA6F06C23BED4014CA, 1ED47933C9F33C4860ECC0BF1BA7525212AA00054037A9A51A8D8F5CE3B821BD
Adware.PremierOpinion, C:\WINDOWS\SYSTEM32\PMLS64.DLL, Delete-on-Reboot, 1630, 829038, 1.0.85475, D5D9014529BA189AFB122828, dds, 02854534, AA56CB7FD83150C3A75CD6A0DE97EB78, 034E066829D28BBC81604250F6DF721A35AB1C0898AB82BEF6305FFADA240765
Adware.PremierOpinion, C:\WINDOWS\SYSWOW64\PMLS.DLL, Delete-on-Reboot, 1630, 829038, 1.0.85475, 4B12A37EEDFF5ADA67525F4D, dds, 02854534, 50A0C6C01CDC5D2690CCD1F1541F6670, F9A853830949BB22D6F4D128D71A0AB923D9B5549C0DC8785C7DE7D1A4EABF99

Physical Sector: 0
(No malicious items detected)
Nov 17, 2019
Yeah, it tried again. MB wanted a restart after the quarantine, so I went ahead and did that.

Once restarted and the Q'd files deleted, I still saw the above files in the same directory and still could not delete them ... file in use. Also still found the Service listed in Task Manager.

Rebooted again into Safe Mode and from there I could delete the file folders from Program Files, then went into the Recycle Bin and deleted from there. But the Service still showed and still could not be edited, although it did show Stopped now instead of Running. Properties showed the directory I deleted, so if it tries to run, there shouldn't be anything to run. Going to Services, it shows as Automatic, but stopped.

Rebooted again into normal. Folder is still gone, but the Service is still listed in Task Manager, showing as Stopped and in Services as Automatic but not Started.

How do I delete/remove a Service?
Nov 17, 2019
This seems to be how:
In Cmd running as Admin,

SC DELETE AlructisitService

No longer showing in Task Manager or Services.

But will it stay gone?
And why did it happen to begin with? As I said, the site 'looked' legit, but who knows. I won't link it here just in case, but you should be able to find it from the Search I mentioned above.
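As an added example that is not from any poster in this thread, the same cleanup done from an elevated PowerShell prompt: look up the service's registered binary, block its outbound traffic while the file still exists (the Windows Firewall question raised above), show which process holds the image, then stop, disable and unregister the service. The service name is the one named in the thread; the firewall rule name is a constructed label.

```powershell
# Added example (not from the thread): inspect and remove an orphaned Windows
# service whose binary may already have been deleted. Run as Administrator.
param([string]$ServiceName = 'AlructisitService')   # name taken from the thread

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Host "Service '$ServiceName' is not registered."; return }

# PathName may be quoted and carry arguments; keep only the executable path.
# Assumption: paths containing spaces are quoted, as Windows normally registers them.
$exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
"Service : {0} (State={1}, StartMode={2})" -f $svc.Name, $svc.State, $svc.StartMode
"Binary  : $exe (exists: $(Test-Path -LiteralPath $exe))"

if (Test-Path -LiteralPath $exe) {
    # Binary still present: block its outbound traffic so it cannot call home
    # while the cleanup proceeds. 'Block outbound ...' is a constructed rule name.
    New-NetFirewallRule -DisplayName "Block outbound $ServiceName" `
        -Direction Outbound -Program $exe -Action Block | Out-Null

    # Show which running process holds the image (the 'file in use' culprit).
    Get-Process | Where-Object { $_.Path -eq $exe } |
        Select-Object Id, ProcessName, Path | Format-Table -AutoSize
}

# Stop the service, keep it from restarting, then unregister it. Set-Service
# works even when the Services GUI shows the options greyed out.
if ($svc.State -eq 'Running') {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
}
Set-Service -Name $ServiceName -StartupType Disabled -ErrorAction SilentlyContinue
sc.exe delete $ServiceName

# Confirm removal. A service with open handles is only marked for deletion and
# the key disappears after the next reboot.
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
"Registration still present: $(Test-Path $regKey)"
```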
Jul 27, 2020
Nuke from orbit. Only way to be sure.

I had something like that crap auto-installed when I tried to UNINSTALL KMPlayer (downloaded from the frickin' official website!).

Got my CC details compromised at least twice on that system. That system is fully firewalled now and I don't do anything personal on it that needs me to input CC details. Can't format it because it has too much important stuff installed and redoing a working installation with the way things are now would drive me crazy.

Tried every kind of free rootkit revealer and antivirus/antimalware software on the system. They say it's clean but I KNOW it isn't.