
Trojan.FakeMS found in Cacls.exe



Hi guys! So my mouse was acting a little weird this morning--fighting against me and moving a little on its own. I'm not sure if that's related to anything but I thought I'd mention it. I got paranoid and ran a few virus scans. First thing I ran was Bitdefender and everything came up clean. Then I decided to run Malwarebytes and it found what I said in the title. I dug around for the file and found it hadn't been modified since 2019, but I'm not sure if that's relevant. Can someone tell me if this is a false positive? I'll post the log below.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/1/20
Scan Time: 10:18 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.0
Update Package Version: 1.0.18348
License: Free

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-7TR26IB\Spuddy Hell

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 1126454
Time Elapsed: 1 hr, 55 min, 41 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.FakeMS, C:\WINDOWS\SYSWOW64\CACLS.EXE, No Action By User, [3121], [862557],1.0.18348

Physical Sector: 0
(No malicious items detected)


(end)

4 minutes ago, Screamingpotato said:

Version: 3.0.6.1469
Components Version: 1.0.0
Update Package Version: 1.0.18348

You are several versions behind on your Malwarebytes program. I suggest you update and re-scan.


Same problem here, 43 machines all saying the same:

Trojan.FakeMS    File    Malware    Quarantined    C:\WINDOWS.OLD\WINDOWS\SYSWOW64\CACLS.EXE
Trojan.FakeMS    File    Malware    Quarantined    C:\WINDOWS.OLD\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-ACLUIFILEFOLDERCOMTOOL_31BF3856AD364E35_10.0.18362.1_NONE_35013EF5B6D4FE26\CACLS.EXE

https://www.virustotal.com/gui/file/ac9535dfd7bb58fbb48aee69d5cab6cdd7b32dc92c3ca78b4e345607279507f2/detection

https://www.virustotal.com/gui/file/7e32b9948fe3d9c99b34c2a8a6b85a160891c909b7358e2d621f1a40469ee6ea/detection

 

A lot of our machines have just gone from Windows 10 v1909 to Windows 10 v2004. I unquarantined the two files on one of our older spare computers and ran an MD5 hash check on VirusTotal.com, and it says they are clean, but noted that one person a year ago flagged it as suspicious. Reading the comments of the person who flagged this, he seems convinced that Microsoft is spying on him, and he also flagged other important OS files such as DISM.EXE.

I am fairly convinced this is a false positive, but can I get someone from Malwarebytes to confirm that this is the case?

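The check the post above describes by hand (hash the file, look it up on VirusTotal) can be scripted so it also covers the two things a false-positive triage should confirm on a Windows system file: that the binary carries a valid Microsoft Authenticode or catalog signature, and that its version information is what the component store path claims. The following is an added example written for this thread, not code posted by anyone in it. It assumes PowerShell 5.1 or later on Windows 10, takes the two SHA-256 values from the VirusTotal links above as the "known" hashes, and the function name Test-FlaggedSystemFile is made up here.

```powershell
# Added example for this thread (not from the original posts).
# Triage a detection on a Windows system file before deleting or restoring it:
#   1. hash it and compare against the hashes other people have already checked,
#   2. verify the Authenticode/catalog signature and the signer,
#   3. record the version info and last-write time for the thread/ticket.

# SHA-256 values posted earlier in this thread (VirusTotal links). Constructed list.
$KnownCaclsSha256 = @(
    'AC9535DFD7BB58FBB48AEE69D5CAB6CDD7B32DC92C3CA78B4E345607279507F2',
    '7E32B9948FE3D9C99B34C2A8A6B85A160891C909B7358E2D621F1A40469EE6EA'
)

function Test-FlaggedSystemFile {
    # Hypothetical helper name; builds a triage record for one file.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $item   = Get-Item -LiteralPath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

    # Get-AuthenticodeSignature also validates catalog-signed OS binaries on Windows 10;
    # IsOSBinary is true when the file is trusted as a Windows component.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path              = $Path
        Present           = $true
        SHA256            = $sha256
        MD5               = $md5
        MatchesThreadHash = ($KnownCaclsSha256 -contains $sha256)
        SignatureStatus   = $sig.Status          # expect 'Valid' for an untouched OS file
        IsOSBinary        = $sig.IsOSBinary
        Signer            = $signer              # expect a Microsoft Windows subject
        FileVersion       = $item.VersionInfo.FileVersion
        Company           = $item.VersionInfo.CompanyName
        LastWriteUtc      = $item.LastWriteTimeUtc
        VirusTotalUrl     = "https://www.virustotal.com/gui/file/$($sha256.ToLower())/detection"
    }
}

# Copies worth checking: the live file and anything left behind by an in-place upgrade
# (the thread's detections were under WINDOWS.OLD and SoftwareDistribution\Download).
$Candidates = @(
    "$env:SystemRoot\SysWOW64\cacls.exe",
    "$env:SystemRoot\System32\cacls.exe",
    "$env:SystemDrive\Windows.old\WINDOWS\SysWOW64\cacls.exe"
)

$Candidates | ForEach-Object { Test-FlaggedSystemFile -Path $_ } | Format-List
```

A file whose hash matches one already looked up, whose signature status is Valid with IsOSBinary true, and whose version info names Microsoft is consistent with a detection-signature false positive rather than a replaced binary; a copy with a valid signature but an unexpected signer or a recent LastWriteUtc is the case that deserves a closer look. Independently of this script, `sfc /verifyfile=C:\Windows\SysWOW64\cacls.exe` asks Windows itself whether the file matches the component store.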

 

7 minutes ago, AlexLeadingEdge said:

Same problem here, 43 machines all saying the same:

Trojan.FakeMS    File    Malware    Quarantined    C:\WINDOWS.OLD\WINDOWS\SYSWOW64\CACLS.EXE
Trojan.FakeMS    File    Malware    Quarantined    C:\WINDOWS.OLD\WINDOWS\WINSXS\WOW64_MICROSOFT-WINDOWS-ACLUIFILEFOLDERCOMTOOL_31BF3856AD364E35_10.0.18362.1_NONE_35013EF5B6D4FE26\CACLS.EXE

https://www.virustotal.com/gui/file/ac9535dfd7bb58fbb48aee69d5cab6cdd7b32dc92c3ca78b4e345607279507f2/detection

https://www.virustotal.com/gui/file/7e32b9948fe3d9c99b34c2a8a6b85a160891c909b7358e2d621f1a40469ee6ea/detection

 

A lot of our machines have just gone from Windows 10 v1909 to Windows 10 v2004. I unquarantined the two files on one of our older spare computers and ran an MD5 hash check on VirusTotal.com, and it says they are clean, but noted that one person a year ago flagged it as suspicious. Reading the comments of the person who flagged this, he seems convinced that Microsoft is spying on him, and he also flagged other important OS files such as DISM.EXE.

I am fairly convinced this is a false positive, but can I get someone from Malwarebytes to confirm that this is the case?

That puts me at ease to hear someone else is having the same issue, and on so many machines too. I'm still waiting for the scan I promised Porthos to finish, but if you're right then that's such a massive load off my shoulders! I've been stressing about this all day.


Hey, a similar thing happened to me a few hours ago. I found it intriguing because it was a new laptop on which I had just installed Windows today and it was my first scan; Windows was not even updated properly (as you can see from the version in the log below), because I ran MWB before that.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/2/20
Scan Time: 1:25 AM
Log File: 74fe91ae-043d-11eb-a9a2-e86a64b552f5.json

-Software Information-
Version: 4.2.1.89
Components Version: 1.0.1045
Update Package Version: 1.0.30624
License: Trial

-System Information-
OS: Windows 10 (Build 17763.55)
CPU: x64
File System: NTFS
User: LAPTOP-6SUTTMN3\cometmem

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 328150
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 41 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.FakeMS, C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\7B5698DCD4DF803CA9A6079BB2F19B98\AMD64_MICROSOFT-WINDOWS-CLIENT-FEATURES-WOW64-PACKAGE~~AMD64~~10.0.18362.1\WOW64_MICROSOFT-WINDOWS-ACLUIFILEFOLDERCOMTOOL_31BF3856AD364E35_10.0.18362.1_NONE_35013EF5B6D4FE26\CACLS.EXE, No Action By User, 3121, 862557, 1.0.30624, , ame, , B304B0EF47E125F696425BD99096D3E3, 7E32B9948FE3D9C99B34C2A8A6B85A160891C909B7358E2D621F1A40469EE6EA

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

 

 

4 minutes ago, reporting_for_duty said:

I want to add that I also rescanned it a few minutes ago, just that location, and it did not find it to be malicious. I haven't done any updates since.

Okay, that's something I've done while waiting for this thing to finish. I haven't actually done it with Malwarebytes since it's busy and three hours of my life have gone into this scan, but I did it with Bitdefender and it was clean! I tried with Windows Defender and it gave me that 'Page not available: Your IT admin has limited access' spiel... but it does that on everything in SysWOW64 so I don't think it's related. But I'm mentioning it just in case it's even vaguely important.

 

I'll try to scan the file itself with malwarebytes once the scan finishes, too, if you guys want me to.


Sorry for the formatting, fixed here:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/2/20
Scan Time: 1:25 AM
Log File: 74fe91ae-043d-11eb-a9a2-e86a64b552f5.json

-Software Information-
Version: 4.2.1.89
Components Version: 1.0.1045
Update Package Version: 1.0.30624
License: Trial

-System Information-
OS: Windows 10 (Build 17763.55)
CPU: x64
File System: NTFS
User: LAPTOP-6SUTTMN3\cometmem

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 328150
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 41 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.FakeMS, C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\7B5698DCD4DF803CA9A6079BB2F19B98\AMD64_MICROSOFT-WINDOWS-CLIENT-FEATURES-WOW64-PACKAGE~~AMD64~~10.0.18362.1\WOW64_MICROSOFT-WINDOWS-ACLUIFILEFOLDERCOMTOOL_31BF3856AD364E35_10.0.18362.1_NONE_35013EF5B6D4FE26\CACLS.EXE, No Action By User, 3121, 862557, 1.0.30624, , ame, , B304B0EF47E125F696425BD99096D3E3, 7E32B9948FE3D9C99B34C2A8A6B85A160891C909B7358E2D621F1A40469EE6EA

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
