MaggyIsSalty

Trojan: Win32/Fuery.B!cl. Need Help.


Hello everyone, I recently got a notification from Windows Defender that my machine was infected by Trojan: Win32/Fuery.B!cl. The infected files, as shown by Windows Defender, are Xtuservice.exe and OCControl.service.exe. Windows Defender can't quarantine or delete those infected files, either automatically by itself or even when I manually click on the Take action button. It continues to pop up the notification many times that my PC has this malware. I've tried Windows Defender quick, full and offline scans, and a Malwarebytes threat scan, but none of these detect any threat. So I deleted those infected files myself and did a factory reset by selecting the "remove everything" option. But just an hour after booting up into the reinstalled Windows, Windows Defender again detected the same Trojan as before. Then I did the factory reset again and the result was the same. This makes me think: is it a Windows Defender false positive? But I'm very worried. Please help me, any help would be appreciated. Thanks in advance.

Sorry for my bad English, this is not my main language.

PS. I have attached FRST.txt and Addition.txt from the FRST scan, as the resolved topics suggested.

PPS. The second time I reset, I also deleted the infected files myself and reinstalled the corresponding software, but this time Windows Defender did not detect any threat, even when I did a custom scan of those files. But just to make sure, I did a factory reset one more time and then came to this forum.

 

FRST.txt Addition.txt


Hi, welcome!

My name is Maurice. I will be helping and guiding you, going forward, on this case.

Thank you for the FRST reports.

 

Let's start by running a special scan with Windows Defender, as listed here.

Windows 10 has Microsoft Windows Defender, which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows.

Click the Windows Start menu button on the Taskbar and select the Settings icon. Then choose Update and Security.

In Windows Settings, click on Windows Security in the left side list.

Next, in the Windows Security section, click on the grey button Open Windows Security.

Next, click on the blue Scan options.

Look down the options list. Tick Windows Defender Offline scan. Then click the grey "Scan now" button and let it scan the system.

Keep in mind that what Windows Defender scans, and how it is designed, is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.

 

We will do more, later.

 


Hi Maurice. Firstly, thanks for your quick reply and for helping me, I appreciate it. I did the Windows Defender offline scan as you told me. It scanned about 50k files and restarted the machine, which took me back to Windows at 91% of the scan (as shown on the screen, but it didn't reach 100%). No word, notification or pop up of any kind told me whether a threat was found or not, so I think it didn't find any threat.

Thank you again.


I regret to read that the scan did not seem to reach 100%.

Let's just take a couple of minutes and take a look at the scan history of Windows Defender.

This is the way to look at the Windows Defender scan history.

 

Go to the Windows Start menu. Click on the Settings icon.

Now click on Update & Security. Then click on Open Windows Security.

Click the Virus & threat protection tile, and then the Protection history label (in blue).

The Protection history will have a list of recent events.

 

[ B ]

In any event, let's have you do this independent scan. It is free.

I would suggest a free scan with the ESET Online Scanner.
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page. Click Scan Now.
It will start a download of "esetonlinescanner_enu.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for scan type, click on Full scan.
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (at the bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 

NOTE: Win32/Fuery.B!cl is a classification that Microsoft uses. Unfortunately, MS does not list details about this on their online security intelligence page.

 

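The Protection history check and the offline scan described in the posts above, as an added example that is not part of this thread: a PowerShell script that reads the same Defender detection history directly. It assumes Windows 10 with the built-in Defender module and an elevated prompt; the threat name is taken from this thread and used only as a constructed filter.

```powershell
# Added example, not from the thread: review Defender's own detection history from
# PowerShell instead of clicking through Settings > Protection history.
# Assumes Windows 10 with the built-in Defender module; run from an elevated prompt.
Import-Module Defender -ErrorAction Stop

# Threat name from the thread; a constructed filter, change it to the name you are chasing.
$threatName = 'Trojan:Win32/Fuery.B!cl'

# 1. Signature age and last scan times. A scan that stops at 91% does not update
#    FullScanEndTime, so this is a quick way to see whether a scan actually finished.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureLastUpdated, AntivirusSignatureVersion,
                  QuickScanEndTime, FullScanEndTime | Format-List

# 2. Every detection Defender has recorded, joined to its catalogue entry, with the
#    resource(s) it flagged and whether the remediation action actually succeeded.
$threats = Get-MpThreat
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | ForEach-Object {
    $det   = $_
    $entry = $threats | Where-Object { $_.ThreatID -eq $det.ThreatID }
    [PSCustomObject]@{
        When      = $det.InitialDetectionTime
        Threat    = $entry.ThreatName
        Resources = ($det.Resources -join '; ')   # e.g. 'file:_C:\...\<name>.exe'
        Process   = $det.ProcessName
        Removed   = $det.ActionSuccess             # $false = Defender could not act
    }
} | Format-Table -AutoSize -Wrap

# 3. The Operational event log tells the same story with outcomes: 1116 = detected,
#    1117 = action taken, 1118 = action failed, 1119 = critical error taking action.
#    A repeating 1116 for the same file followed by 1118/1119 is the pattern behind
#    a threat that Defender keeps reporting but cannot quarantine.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
             Id      = 1116, 1117, 1118, 1119 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($threatName) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 4. The "Windows Defender Offline scan" from the thread has a cmdlet equivalent.
#    It reboots the machine immediately, so it is left commented out here.
# Start-MpWDOScan
```

An empty result from steps 2 and 3 after a reset is consistent with what the poster later reports from Protection history; a non-empty one gives the file path and the failed action code to investigate.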

I have checked the Protection history of Windows Defender and it shows no recent actions. I downloaded ESET Online Scanner and did a full scan of my system as you suggested. The result came out to be that it found no threats. By the way, I'm just curious about my FRST log: does it show any sign of the machine being infected, or any threats?

Thank you very much. 😊


Hi.

I am glad that the ESET scan tool found no infection. Bravo.

FRST is a generic diagnostic (information) type report. It is not one that identifies specific "infections". Specialized antivirus & anti-malware programs do that.

You have already run a scan with ESET antivirus and MS Windows Defender.

 

Run a new scan with Malwarebytes for Windows. I recommend doing that.

https://support.malwarebytes.com/docs/DOC-1156

 

[ 2 ]

You can also run another scan for yet another opinion, if you so desire.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the-tool instructions are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

 

 


Hello Maurice. I've scanned my system with a Malwarebytes Threat scan and a Microsoft Safety Scanner Full scan. The result of both scans is that no threats were detected in the system. I will paste the Malwarebytes and Microsoft Safety Scanner logs in my reply, just in case you want to see them. Also, one thing I forgot to mention in my previous reply is that when I was going to scan my system with ESET Online Scanner by selecting the Full scan option, my system froze before I clicked on the Full scan option button. I don't know whether it was my laptop's fault or the malware trying to evade the scan by making my system freeze before the scan happened. What's your opinion on this? Anyway, thank you very much Maurice, you helped me a lot. 😁

Malwarebytes Report

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/9/19
Scan Time: 11:00 AM
Log File: 4ec9a0be-d2b6-11e9-91f3-e4b97ae981fe.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.12377
License: Trial

-System Information-
OS: Windows 10 (Build 18362.329)
CPU: x64
File System: NTFS
User: DESKTOP-SVCQBQ9\Light

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 266839
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 0 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

msert log


---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.301.834.0)
Started On Mon Sep 09 11:19:21 2019

Extended Scan Results
----------------
No infection found as part of the extended scan

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Mon Sep 09 11:33:55 2019


Return code: 0 (0x0)
 

 


Both the MS Safety Scanner & Malwarebytes for Windows report NO malware.

My view is not to jump to an assumption of there being some "malware" unless I see it identified by the tools I had you use, or some other known security tool.

The system freeze you mention can just be temporary.

Given that the scans found no malware, AND that you have done a factory reset, I do not think there is an actual issue at this point.

 


P.S. Make sure that you do a Microsoft Windows Update check for updates. Today, Microsoft made available security fixes for Windows.


Hi Maurice, I'm glad that you think my computer has no issue now. I did update Windows today as you told me. At this point I would like to know whether there is anything else I need to do or worry about. Also, I want to clean up all the things that I've used to solve my malware problem; can you provide me the steps to remove those things, please? Like the steps for how to remove FRST, ESET Online Scanner and so on.

Thank you, Maurice, for helping me. I've been very worried almost all the time recently. I appreciate it.


What I suggest doing is to back up your system. Backup is your best friend. Backups on some regular basis are a great security practice.

(More of those are listed below.)

For the ESET Online Scanner, just see where you saved that download file "esetonlinescanner_enu.exe" and then just delete it.

FRST64.exe is on your Desktop. Go to the Desktop.

RIGHT-click on FRST64.exe and rename it to uninstall.exe. When complete, right-click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended, that is because file extensions are hidden; in that case just rename FRST64 to uninstall.

The above will remove FRST and all created files and folders...

 

Use Windows System Restore to create a new saved Restore point.

Create  fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

 


Best practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit, looks odd or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected (out of the blue) email, no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always save first and then scan with an antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these, as they will typically disclose what other 3rd-party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from being able to exploit those vulnerabilities to drop malware.

For other added tips, read "10 easy ways to prevent malware infection".

You are running Malwarebytes as a free-mode program. I would suggest you consider getting a Premium subscription license and activating it in Malwarebytes.

That way you get the benefits of all the real-time protections of Premium.

Sincerely,


Thank you a bunch, Maurice! I have read all the links in your reply. They were very helpful and taught me things I didn't know before. I will follow the suggestions. Thank you for all of this.

Respectfully yours, 


You are very welcome.   Thank you so much for this feedback.

All the best wishes to you.

Sincerely,

Maurice

This topic is now closed to further replies.
