
Trojan.FakeMS



Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

Combofix

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available Here if required.
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin


Go to Virustotal

  • Click the Browse... button
  • Navigate to the file c:\windows\system32\drivers\83037828.sys or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Next,

Download Security Check by screen317 from HERE or HERE.

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Virustotal (https://www.virustotal.com/file/a8c1577876cf16186610f26d7d859f8fda4057aafc33e8212339f56da6a5f874/analysis/1355276758/):

Antivirus                Result   Update
Agnitum                  -        20121211
AhnLab-V3                -        20121211
AntiVir                  -        20121212
Antiy-AVL                -        20121211
Avast                    -        20121212
AVG                      -        20121211
BitDefender              -        20121212
ByteHero                 -        20121130
CAT-QuickHeal            -        20121211
ClamAV                   -        20121212
Commtouch                -        20121212
Comodo                   -        20121211
DrWeb                    -        20121212
Emsisoft                 -        20121212
eSafe                    -        20121210
ESET-NOD32               -        20121211
F-Prot                   -        20121212
F-Secure                 -        20121212
Fortinet                 -        20121212
GData                    -        20121212
Ikarus                   -        20121211
Jiangmin                 -        20121211
K7AntiVirus              -        20121211
Kaspersky                -        20121212
Kingsoft                 -        20121210
Malwarebytes             -        20121211
McAfee                   -        20121212
McAfee-GW-Edition        -        20121211
Microsoft                -        20121212
MicroWorld-eScan         -        20121211
NANO-Antivirus           -        20121212
Norman                   -        20121211
nProtect                 -        20121211
Panda                    -        20121211
Rising                   -        20121211
Sophos                   -        20121212
SUPERAntiSpyware         -        20121212
Symantec                 -        20121212
TheHacker                -        20121211
TotalDefense             -        20121211
TrendMicro               -        20121212
TrendMicro-HouseCall     -        20121212
VBA32                    -        20121211
VIPRE                    -        20121212
ViRobot                  -        20121211

Results of screen317's Security Check version 0.99.56

Windows Vista Service Pack 2 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 31

Java 7 Update 7

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 11.5.502.110

Adobe Reader 10.1.2 Adobe Reader out of Date!

Mozilla Firefox (17.0.1)

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

Google Chrome 23.0.1271.91

Google Chrome 23.0.1271.95

Google Chrome 23.0.1271.97

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Malwarebytes Anti-Malware mbamservice.exe

Eset nod32krn.exe

ESET UpdateReminder.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 4 % Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

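The VirusTotal link above identifies the submitted driver by its SHA-256, and the Malwarebytes detection later in this thread is on C:\Windows\System32\notepad.exe. The following is an added example, not part of the original thread or of any of the tools it mentions, showing how to check a suspect system binary locally before quarantining or restoring it: compute its SHA-256 for lookup, then check its Authenticode signature and version stamp. It assumes PowerShell 2.0 or later on the affected machine; the expected hash placeholder is the one from the VirusTotal URL above and is used only to illustrate the comparison, it will not match notepad.exe or any other file on a different Windows build.

```powershell
# Added example (not from the original thread): verify a quarantined system
# binary before trusting or restoring it.
# Assumptions: PowerShell 2.0+, run elevated. $ExpectedHash is the SHA-256 from
# the VirusTotal URL in this thread, shown as a stand-in for whatever hash you
# are comparing against; a different Windows build yields a different hash.
$Path         = 'C:\Windows\System32\notepad.exe'
$ExpectedHash = 'a8c1577876cf16186610f26d7d859f8fda4057aafc33e8212339f56da6a5f874'

# SHA-256 via .NET so this also works where Get-FileHash (PowerShell 4+) is absent.
function Get-Sha256Hex([string]$FilePath) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

$actual = Get-Sha256Hex $Path
Write-Host "SHA-256: $actual"
if ($actual -eq $ExpectedHash) {
    Write-Host 'Hash matches the reference sample.'
} else {
    Write-Host 'Hash differs from the reference; look this hash up at https://www.virustotal.com/ before deciding.'
}

# Authenticode check. Windows system binaries are usually catalog-signed rather
# than carrying an embedded signature. Get-AuthenticodeSignature consults the
# catalog on Windows 8 and later, but on Vista/7 it can report NotSigned for a
# genuine file, so treat NotSigned there as inconclusive and fall back to
# sigcheck.exe or "signtool verify /a /pa". HashMismatch, however, always means
# the file was modified after signing.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host ("Signature status: {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ("Signer: {0}" -f $sig.SignerCertificate.Subject)
}

# Version stamp: a CompanyName other than Microsoft, or a FileVersion that does
# not match the installed OS build, is a red flag even if the scanner is wrong.
$ver = (Get-Item $Path).VersionInfo
Write-Host ("FileVersion: {0}  CompanyName: {1}" -f $ver.FileVersion, $ver.CompanyName)
```

A clean VirusTotal result on its own only says the file is not known-bad; the signature and version checks are what show it is the file Windows shipped, which is the question a "Trojan.FakeMS" hit on notepad.exe actually raises.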

Can I see the log from Malwarebytes about the initial reason for this thread? Open Malwarebytes, select the "Logs" tab, scroll to the bottom log, left click that log to highlight it, then select Open. Post that log... I've had information from a fellow member that the entry in question may be a false positive http://forums.malwarebytes.org/index.php?showtopic=119385


I had filesystem protection enabled, and it automatically detected notepad.exe as a threat and notified me, after which I quarantined it - it was not through a scan that the Trojan.FakeMS was detected.

I did, however, find this:

2012/12/11 18:04:32 -0500 S-PC S DETECTION C:\Windows\System32\notepad.exe Trojan.FakeMS QUARANTINE

2012/12/11 18:06:15 -0500 S-PC S DETECTION c:\windows\system32\notepad.exe Trojan.FakeMS DENY

2012/12/11 18:10:23 -0500 S-PC S DETECTION c:\windows\system32\notepad.exe Trojan.FakeMS DENY


I assume it is safe to restore it from quarantine. In that case yes, I am able to open Notepad and it works normally.

I take it that this was a false positive and it is safe for me to continue on with my life? If so, feel free to respond with a yes and close this thread.

Thank you for your help in resolving this problem.


Yes, it was an FP, so as you say it is safe to continue. A bit of a clean up and some updating, and after that you should be good to go....

OK, do the following:

Remove Combofix now that we're done with it

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

The above procedure will delete the following:

  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time, let me know if this does not happen.

Next,

Delete Security Check and any created logs from the Desktop....

Next,

Adobe reader is outdated..

Visit http://get.adobe.com/uk/reader/otherversions/ and download the latest version of Acrobat Reader

Step 1 - Select your Operating System.

Step 2 - Select your Language.

Step 3 - Select latest version.

Untick the option for McAfee security scanner if offered.

Download and install.

Having the latest updates ensures there are no security vulnerabilities in your system.

Next,

Go here www.adobe.com/shockwave/welcome/ and have Adobe Flashplayer checked. Accept new version if required.

There may be an offer of Google Chrome; untick those options if offered...

Next,

Your Java may be out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them.

Next,

You have two AV programs, Microsoft Security Essentials and ESET NOD32; as MSE is active it is advisable to uninstall NOD32...

Next,

You will need to defrag your system shortly, instructions here http://windows.microsoft.com/en-GB/windows-vista/Improve-performance-by-defragmenting-your-hard-disk if required...

Let me know if those steps complete OK, also if any remaining issues or concerns...

Kevin...

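The cleanup post above asks the user to check Programs and Features for leftover Java versions, to update Adobe Reader and Flash, and to remove the second antivirus product. The following is an added example, not part of the original thread or of the Security Check tool, that pulls the same information from the registry Uninstall keys (the source Programs and Features reads) and from the Windows Security Center WMI provider, so the cleanup can be confirmed from a prompt rather than by eye. It assumes PowerShell 2.0 or later on Vista or newer, run elevated, and that Java installs use the usual "Java(TM) 6 Update NN" / "Java 7 Update NN" display names.

```powershell
# Added example (not from the original thread): inventory the items the
# Security Check log flagged so the cleanup can be verified afterwards.
# Assumptions: PowerShell 2.0+, Vista or later, elevated prompt.

# 1. Installed programs, from the same Uninstall keys Programs and Features
#    reads. Both the native and the 32-bit (Wow6432Node) views are covered on x64.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = @($uninstallKeys |
    ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher)

# 2. Java runtimes: each "Java(TM) 6 Update NN" / "Java 7 Update NN" entry is a
#    separate install, and every one but the newest is unpatched attack surface.
#    The display-name pattern is an assumption about Oracle's installer naming.
$java = @($installed | Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s+\d+\s+Update' })
Write-Host "Java runtimes found: $($java.Count)"
$java | Format-Table DisplayName, DisplayVersion -AutoSize
if ($java.Count -gt 1) {
    Write-Host 'More than one Java runtime is installed; uninstall all but the newest.'
}

# 3. Adobe Reader and Flash Player versions, to compare with what Adobe currently
#    ships (the Security Check log above flagged both as out of date).
$installed | Where-Object { $_.DisplayName -match 'Adobe (Reader|Flash Player)' } |
    Format-Table DisplayName, DisplayVersion -AutoSize

# 4. Antivirus products registered with Security Center. Two entries here is the
#    "two AV programs" situation in the thread: two real-time scanners hooking the
#    same file operations is what makes removing one, not just disabling it, the
#    right fix.
$av = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue)
Write-Host "Registered antivirus products: $($av.Count)"
$av | Format-Table displayName, productState -AutoSize
if ($av.Count -gt 1) {
    Write-Host 'More than one antivirus product is registered; keep one and uninstall the other.'
}
```

Run it once before and once after the cleanup steps; the Java count should drop to one, the Adobe versions should change, and only one antivirus product should remain registered. Wrapping each pipeline in @() keeps the .Count checks correct on PowerShell 2.0, where a single result is not an array.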

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

