Deleting Trojan.Fileless.MTGen


DCUI

A recent scan with Malwarebytes Premium turned up two threats, both Trojan.Fileless.MTGen.  I understand that these are difficult to remove.  Malwarebytes seemed to quarantine and then remove them, but after restarting the computer and scanning again, they were still there.  I repeated the scanning, quarantining, and removal a few times, but the threats did not go away.  I am wondering how to rid my machine of them.  Thanks!

Addition_21-12-2017 13.31.54.txt

FRST_21-12-2017 13.31.54.txt

Scan_log_Dec21.txt


Hello DCUI and welcome to Malwarebytes,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection, scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
     
  • Click on Scan and make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

 

 

fixlist.txt
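
The reply above asks for only the most recent MSRT entry by date and time. As an added example (not part of the thread or of any poster's instructions), this Python script picks that entry out of an mrt.log by start time rather than by position in the file; the entry layout, the UTF-16 handling and the sample log are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample; the entry layout is an assumption about mrt.log, values are made up.
SAMPLE_LOG = """\
-----------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.55, December 2017
Started On Wed Dec 27 11:05:10 2017
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Dec 27 11:09:33 2017
Return code: 0 (0x0)
-----------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.55, December 2017
Started On Thu Dec 21 13:40:02 2017
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Dec 21 13:44:51 2017
Return code: 0 (0x0)
"""

RUN_START = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v", re.M)

def decode_log(raw):
    """Decode bytes read from mrt.log: UTF-16 when a BOM is present, else UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def latest_run(text):
    """Return (started, return_code, block) for the run with the newest start time."""
    text = text.replace("\r\n", "\n")
    starts = [m.start() for m in RUN_START.finditer(text)]
    runs = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        block = text[begin:end].rstrip("-\n ")  # drop the separator before the next entry
        started = re.search(r"^Started On (.+)$", block, re.M)
        if not started:
            continue  # truncated entry without a timestamp
        # Collapse whitespace so a space-padded day ("Dec  5") still parses.
        when = datetime.strptime(" ".join(started.group(1).split()), "%a %b %d %H:%M:%S %Y")
        code = re.search(r"^Return code: (-?\d+)", block, re.M)
        runs.append((when, int(code.group(1)) if code else None, block))
    return max(runs, key=lambda r: r[0]) if runs else None

if __name__ == "__main__":
    print(latest_run(SAMPLE_LOG)[2])
```

To use it on a real file, read the bytes of c:\windows\debug\mrt.log, pass them through `decode_log`, and give the result to `latest_run`.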


Kevin,

After I followed all your instructions the first time, I noticed that fixlist.txt was no longer where I thought I had saved it.  I thought perhaps I had made a mistake and had saved it in a different folder than FRST which meant I had not followed your instructions correctly.  This all happened after I ran Malwarebytes again and found that the two threats were still present.  So, I saved fixlist.txt again and ran FRST fix again.  When I did this, I noticed that fixlist.txt disappeared and that was likely what had happened the first time.  Unfortunately, the second FRST fix log apparently overwrote the first one and so I no longer have it.  I was expecting that this second log would be the same as the first and so I sent the second one to you - not true?  Should I repeat your original instructions and resend all the new logs so that they will be in the proper order?  Sorry for the confusion and long story.

DCUI


Hello DCUI,

It's no big deal what has happened, let's just move on. I'd like you to run FRST again, see what is happening with your system:

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan, and when done post the new logs, "FRST.txt" and "Addition.txt"

Thank you,

Kevin....


Kevin,

I did what you asked in your last post and have attached the logs.  I also continued on and ran MBAM, AdwCleaner, and MSRT again and have attached all of those logs in case they would be useful.  Finally, I ran MBAM again and, as expected, the two threats still remain.  Thanks again!

Addition_27-12-2017 10.53.17.txt

AdwCleaner[S1].txt

FRST_27-12-2017 10.53.17.txt

MBAMscanlog.txt

mrt.log


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

 

fixlist.txt


The infection is proving very difficult to remove, probably the best way forward is to remove it via the Recovery Environment. You will need a USB flash drive....

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit

Also download and save the attached file fixlist.txt (end of reply) to same flash drive

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


How to access System Recovery Options for Windows 7.

Plug the flashdrive into the infected PC.

Enter System Recovery Options. I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter. Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • It will make a log (fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Let me see that log in your reply...

Thank you,

Kevin...

fixlist.txt


No progress.  "Repair your computer" does not exist in the advanced boot options menu of my computer which means I need to access system recovery options using a Windows installation disc.  Unfortunately, I do not have this disc.  I hoped that I might find one at my office, but did not.  So, I think I am at a dead end with attempting to remove these fileless threats from my computer until I can obtain a Windows installation disc.  I will contact you again soon if I obtain one.

DCUI


Good thinking, but it was not possible to create a system repair disc because all the files needed to create the disc are not on my machine.  So, when I follow the directions on Microsoft support I just end up getting a message directing me to insert a windows installation disc to create the disc.  So, I am still looking for someone here who has a Windows 7 installation disc that they can loan to me.

DCUI


  • 2 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
