Jump to content

Removing Trojan: Win32/Fuery.B!cl


Recommended Posts

Hello,

I recently downloaded an executable that extracted several files.  When scanning these files with Microsoft Security Essentials it found that one of them was a Win32/Fuery.B!cl Trojan.  I believed it was removed by MSE.  I have done a full scan with Microsoft Security Essentials (with virus and spyware definition: 1.239.252.0) and a Threat Scan with Malwarebytes (and had it scan for rootkits and within archives).  Neither found anything.  This was also downloaded on a friend's computer, and nothing was found and when scanned with MSE.

 

Should I assume the Trojan was removed or a false positive?  Is there anything else I can do to check for the Trojan?  Should I wipe my hard drive to be safe?

 

Thank you very much.

Link to post
Share on other sites

  • Root Admin

Hello @M_westing and :welcome:

 

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

adwcleaner_new.png Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Link to post
Share on other sites

Some additional information:  The Trojan was first detected on my computer on the 17th of March.  For some reason I did not delete the other files after the Trojan was detected.  Two days ago I tried it again after seeing that my friend had scanned the files and found nothing.  I extracted the files several times, sometimes nothing would be found, sometimes I would get Error code 0x80508023, which can mean that its a false positive apparently.

Some errors:  I didn't put Junkware Removal Tool on the desktop or AdwCleaner.  As such when AdwCleaner rebooted the computer I couldn't find jrt.txt I thought it was deleted.  I ran jrt.txt again.  The first time around 50 items were deleted, this time only 6.  I'm fairly certain the original jrt.txt was overwritten. I then ran AdwCleaner again, and it found nothing.

AdwCleaner Clean logfile:

# AdwCleaner v6.045 - Logfile created 28/03/2017 at 14:06:25
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-03-28.2 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : Ryan - RYAN-PC
# Running from : E:\downloads\adwcleaner_6.045.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

 

***** [ Services ] *****

 

***** [ Folders ] *****

[-] Folder deleted: C:\Windows\SysNative\Tasks\WiseCleaner
[-] Folder deleted: C:\Windows\SysWOW64\C2MP


***** [ Files ] *****

[-] File deleted: E:\Ryan\Desktop\window.bat
[-] File deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk


***** [ DLL ] *****

 

***** [ WMI ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled Tasks ] *****

[-] Task deleted: WiseCleaner\WRCSkipUAC
[-] Task deleted: WiseCleaner


***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\WISECLEANER
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Codec Settings UAC Manager]


***** [ Web browsers ] *****

[-] [C:\Users\Ryan\AppData\Local\Chromium\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Ryan\AppData\Local\Chromium\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1438 Bytes] - [28/03/2017 14:06:25]
C:\AdwCleaner\AdwCleaner[S0].txt - [1602 Bytes] - [28/03/2017 14:05:36]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1584 Bytes] ##########

 

I didn't find anything with Sophos.

 

Note:  Junkware Removal Tool ran quickly and Sophos took hours to complete, does that mean anything?

 

Thank you very much.

JRT.txt

FRST.txt

Addition.txt

Link to post
Share on other sites

  • Root Admin

You need to repair your Windows Search

Application errors:
==================
Error: (03/28/2017 01:50:23 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

 

 

You're also having some other errors in the Event Logs.

 

System errors:
=============
Error: (03/28/2017 04:54:38 PM) (Source: volsnap) (EventID: 35) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage failed to grow.

Error: (03/28/2017 02:17:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Streamer Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/28/2017 02:08:23 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (03/28/2017 02:07:00 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\Windows\System32\bcmihvsrv64.dll

Error: (03/28/2017 02:07:00 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\Windows\System32\bcmihvsrv64.dll

Error: (03/28/2017 02:06:57 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\Windows\System32\bcmihvsrv64.dll

Error: (03/28/2017 02:06:39 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
An instance of the service is already running.

Error: (03/28/2017 02:06:10 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (03/28/2017 02:06:09 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (03/28/2017 02:06:09 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The WSWNA3100 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

 

 


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

 

Link to post
Share on other sites

My computer seems to be running fine, it sometimes seems to take a little while for folders containing lots of images (over 90) to show up (both the thumbnails and the files themselves).  I'm not sure if this was different before MSE detected the Trojan.  The RAM usage doesn't seem to be much higher than usual (still 30-40% with steam and firefox open).  I've never seen any signs of an infection on my computer beyond MSE saying a couple of files were unsafe.

Do you think my computer is safe, given what you've seen?  Do you think MSE could have given me a false positive?  Considering how bad a Win32/Fuery.B!cl can apparently be I'd like to be 99% sure I'm fine before I stop worrying about it.

Link to post
Share on other sites

  • Root Admin

The system does not appear to be infected at this time. We can do a bit more cleanup in general, though.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

Next, let's go ahead and reset your browsers.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the reset sync button and click on the button
At the prompt click on Ok.

.
Reset Your Browser Settings
.

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

.
Close Chrome and restart it and check it out for me please

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.