Seshien Posted June 21, 2018 ID:1251748 Share Posted June 21, 2018 (edited) Hello everyone! I have the trojan win32/fuery.b!cl on my computer (Windows 10). I tried cleaning it off with Windows Defender Security and Malwarebytes, but it doesn't show in scans, I only have popups that it is found by Windows Defender Security. I've already searched the forums and I'm following the advice given to previous postings. Attached are my addition and FRST files. They are in polish, I hope it isn't a problem? Please advise me on the next steps. Thanks in advance for any help! FRST.txt Addition.txt EDIT: From what I saw, it only makes new files (which are detected by WDS) when computer is connected to internet, when it isn't, nothing happens. Edited June 21, 2018 by Seshien Link to post Share on other sites More sharing options...
Staff Malwarebytes Posted June 21, 2018 Staff ID:1251749 Share Posted June 21, 2018 ***This is an automated reply*** Hi, Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!! Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact an Administrator to let them know. First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details: Spoiler Malwarebytes can detect and remove most malware with no further actions required for free. If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below. Open Malwarebytes for Windows To the left, click Scan > Scan Types. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available. Click Start Scan Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool: Spoiler Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult. Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit Double-click to run it. When the tool opens click Yes to the disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please attach or copy and paste it to your reply. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually. Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply. Before submitting your reply, be sure to enable "Notify me of replies" like so: Click "Reveal Hidden Contents" below for details on how to add attachments to your post.Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. Spoiler To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button. Please Note the Following: One of our expert helpers will give you one-on-one assistance when one becomes available. Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine. Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here. Troubleshooting Tips FAQ - Malwarebytes won't run or failed to resolve my issues Groups authorized to help with Malware Removal for Windows logs Link to post Share on other sites More sharing options...
kevinf80 Posted June 22, 2018 ID:1251874 Share Posted June 22, 2018 Hello Seshien and welcome to Malwarebytes, I believe your system is being exploited by the use of a Windows built-in program called CertUtil, have a read at the following link by @grinler of Bleeping Computers https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/ Make a lockdown in your Firewall for CertUtil.exe as shown in the following link: https://www.bleepingcomputer.com/forums/t/674836/locking-down-certutil/ When that lockdown is complete continue: Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Open Malwarebytes Anti-Malware. On the Settings tab > Protection Scroll to and make sure the following are selected:Scan for RootkitsScan within Archives Scroll further to Potential Threat Protection make sure the following are set as follows:Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended) Click on the Scan make sure Threat Scan is selected, A Threat Scan will begin. When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab If asked to restart your computer to complete the removal, please do so When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following: Click on the Reports tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system....https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply, also tell me if there are any remaining issues or concerns.... Thank you, Kevin... fixlist.txt Link to post Share on other sites More sharing options...
Seshien Posted June 22, 2018 Author ID:1252000 Share Posted June 22, 2018 (edited) Spoiler Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 22/06/2018 Scan Time: 19:54 Log File: 556c5656-7645-11e8-ba13-4ccc6ab583c4.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.374 Update Package Version: 1.0.5586 Licence: Trial -System Information- OS: Windows 10 (Build 17134.112) CPU: x64 File System: NTFS User: DESKTOP-DQ49ULE\Pc -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 309223 Threats Detected: 0 (No malicious items detected) Threats Quarantined: 0 (No malicious items detected) Time Elapsed: 5 min, 56 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) There is a report from scanning. I will edit this post in few minutes and send you rest of information. There is a report from AdwCleaner Spoiler # ------------------------------- # Malwarebytes AdwCleaner 7.2.0.0 # ------------------------------- # Build: 06-05-2018 # Database: 2018-06-22.1 # Support: https://www.malwarebytes.com/support # # ------------------------------- # Mode: Clean # ------------------------------- # Start: 06-22-2018 # Duration: 00:00:01 # OS: Windows 10 Pro # Cleaned: 1 # Failed: 0 ***** [ Services ] ***** Deleted DsSvc ***** [ Folders ] ***** No malicious folders cleaned. ***** [ Files ] ***** No malicious files cleaned. ***** [ DLL ] ***** No malicious DLLs cleaned. ***** [ WMI ] ***** No malicious WMI cleaned. ***** [ Shortcuts ] ***** No malicious shortcuts cleaned. ***** [ Tasks ] ***** No malicious tasks cleaned. ***** [ Registry ] ***** No malicious registry entries cleaned. ***** [ Chromium (and derivatives) ] ***** No malicious Chromium entries cleaned. ***** [ Chromium URLs ] ***** No malicious Chromium URLs cleaned. ***** [ Firefox (and derivatives) ] ***** No malicious Firefox entries cleaned. ***** [ Firefox URLs ] ***** No malicious Firefox URLs cleaned. ************************* [+] Delete Tracing Keys [+] Reset Winsock ************************* AdwCleaner[S00].txt - [1250 octets] - [22/06/2018 20:10:42] ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ########## There is a last log. Spoiler --------------------------------------------------------------------------------------- Microsoft Windows Malicious Software Removal Tool v5.61, June 2018 (build 5.61.14929.3) Started On Fri Jun 22 20:17:27 2018 Engine: 1.1.14901.4 Signatures: 1.269.297.0 Run Mode: Interactive Graphical Mode Results Summary: ---------------- No infection found. I personally don't see any more popups or messages, so I think problem is solved. Fixlog.txt Edited June 22, 2018 by Seshien Link to post Share on other sites More sharing options...
kevinf80 Posted June 22, 2018 ID:1252014 Share Posted June 22, 2018 Thanks for the logs and information update, good to hear the issues have ceased. Continue to clean up; Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down:"Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked: Remove disinfection tools <----- this will remove tools we may have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... Link to post Share on other sites More sharing options...
Seshien Posted June 22, 2018 Author ID:1252017 Share Posted June 22, 2018 Hey, many thanks for help Everything seems fine, my computer works as it was working before. Read your links, they look useful, I will keep them in mind. Again, thanks and may I don't need to write in this subforum again Link to post Share on other sites More sharing options...
kevinf80 Posted June 22, 2018 ID:1252021 Share Posted June 22, 2018 You`re very welcome Seshien, comeback anytime... Regards, Kevin... Link to post Share on other sites More sharing options...
kevinf80 Posted June 24, 2018 ID:1252356 Share Posted June 24, 2018 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts