Another Trojan: Win32/Fuery.B!cl Infection


Hi--about a week ago, Windows Defender began notifying me that it had found Trojan: Win32/Fuery.B!cl on my Windows 10 Pro 64-bit Lenovo laptop, and that it was in the process of removing the malware. The Windows Defender history showed that it had quarantined the trojan which was found in file:C:\Windows\System32\KMSServer.exe. Since the trojan was in quarantine, I figured it was okay to leave Windows Defender to do its own thing. Ever since then, however, I have been getting the exact same notifications from Windows Defender a few times a day telling me that the same trojan is present and that WD is trying to remove it. I've tried manually removing the trojan in Windows Defender (as opposed to just quarantining it) but that doesn't seem to get rid of it either. I've also done full system scans with Windows Defender as well as Malwarebytes Premium (free demo), but neither of them is able to detect Trojan: Win32/Fuery.B!cl. MWB found a couple of other things that it promptly got rid of for me, but my Fuery problem still won't go away. The thing is, it's hard for me to check if the malware is still present because I have to rely on WD's occasional notifications, as it doesn't show up in any scans.

Any help getting rid of this thing will be very much appreciated! I know a few other folks on this forum have had problems with this particular trojan, but it seems like the solutions provided are all tailored to their specific setup. I've attached my FRST logs below, but I'm new here, so my apologies if there's something obvious that's been previously discussed that I'm missing. In any case, thanks in advance for your help!

FRST.txt

Addition.txt

Edited by wrawlind
Didn't attach FRST logs in initial post

Hello wrawlind and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

The issue you mention is related to illegal software installed on your system, using such software is commonly named as Piracy....

Piracy Guidelines

Malwarebytes does not condone nor support piracy in any shape or form. Any discussion topics that ask for help with pirating software, circumventing copy protection, or any other illegal activities related to copyrighted content in any form will be closed and locked.

If you feel this is ever done in error, please report the post or PM an Administrator.
 
As a reminder, using pirated software or utilities that allows one to pirate software (e.g. cracks, key generators, registration/license removal, redirection, or workaround utilities, etc.) is not a safe practice and can lead to malware infection, ransomware attack, or even legal action.
Because of these risks, we always recommend that you remove any pirated software or pirating utilities before asking for support on our forums in order to improve our ability to best support you and to help protect yourself and your data from malware or other piracy related consequences.

To continue you must remove (uninstall) KMSpico v9.0.6.20131120; any remnants will be removed as we progress. Continue with the following:

The DNS settings in use are known and blacklisted for spamming. Reset your router, instructions available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable, no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper

Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool. For XP just double click to run.
From the left hand pane select "Flush DNS"
From the main interface select the dropdown under "Choose a DNS Server"
From the list select either "Google Public DNS" or "Open DNS"
From the left hand pane select "Apply DNS"
When done re-boot your system....

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save, you can copy or attach that to your reply...

Next,

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin....

 

 

 

fixlist.txt

Edited by kevinf80
typing error
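
A way to review the recurring Defender detections and the DNS servers in use without waiting for the next notification, as an added example that is not part of the original thread or of either poster's instructions. The `*Fuery*` wildcard is an assumption about how the threat name appears in Defender's local threat catalog; run it from an elevated PowerShell session on Windows 10.

```powershell
# Added example, not from the thread. Uses only the built-in Defender and
# DnsClient cmdlets; it reads state and changes nothing.

# Assumption: the threat is listed under a name containing "Fuery"
# (the thread reports it as "Trojan: Win32/Fuery.B!cl").
$namePattern = '*Fuery*'

# Threats Defender has recorded on this machine whose name matches.
$threats = Get-MpThreat | Where-Object { $_.ThreatName -like $namePattern }

if (-not $threats) {
    Write-Output "No Defender threat history entries match $namePattern."
} else {
    $ids = $threats.ThreatID

    # One entry per detection event: when it fired, whether remediation
    # succeeded, which process touched the file, and the affected paths.
    # Repeated entries for the same path point to something recreating it.
    Get-MpThreatDetection |
        Where-Object { $ids -contains $_.ThreatID } |
        Sort-Object InitialDetectionTime |
        Select-Object InitialDetectionTime, RemediationTime, ActionSuccess,
                      ProcessName,
                      @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
        Format-List
}

# DNS resolvers configured on each IPv4 interface, to compare against what
# the router or ISP is expected to hand out.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias,
                  @{ n = 'DnsServers'; e = { $_.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize
```
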

Hi, thanks for your reply, Kevin. I was tied up all day yesterday and couldn't respond to your post until now. I purchased my computer overseas a few years ago with software already loaded onto it, and it's likely that some of it could have been pirated software. If so, I have no problem getting rid of it now, although I do find it strange that I didn't start getting these malware notifications until just recently. As for the first step in your response, resetting the router, I think I will have to wait until later this evening to do so, as several people are using it during business hours. Once that's done, I will follow the remaining steps and post my logs as you have instructed.

Thanks for your help!


Hi Kevin,

So I looked into starting the first step in your response--resetting the router--but I'm a little concerned about what to do once the router is reset. The website that you referred me to, Setuprouter.com, links to Port Forward's Network Utilities Suite as a tool for finding my router's internal IP address. I downloaded and installed the tool, but while it shows me my Public IP as well as my computer's internal IP, the router's brand and internal IP are both listed as "Unknown." I am pretty inexperienced when it comes to networking, and worry that once my router is reset, I will have to call someone from my ISP to come help me get it back up and running. Can I skip this step and go ahead with the other steps?

Let me know and thanks again for your help!


Thanks for those logs, all looking good. If no remaining issues or concerns run the following to clean up:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

  • 2 weeks later...
  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.