
Trojan.FakeMS.ED



I ran Malwarebytes Anti-Rootkit and found 6 malware. They were all HKCR. Immediately after I clicked "clean" it told me to restart and so I did. I ran the Malwarebytes again and it said I am infected in 2 places. When I clicked next, it said "Scan Finished: No malware found!" The first 3 screenshots are when I ran it the first time, and the last 2 are from after I restarted my computer and ran it. (The images also may have uploaded backwards.)

Also, when I ran Malwarebytes the first time I accidentally closed the computer and when I opened it the scan was finished so maybe, there could've been more? I don't know.

Also, sometimes my computer mouse doesn't move at all when I move it, and it clicks randomly, and sometimes it moves on its own. 

I used notepad to do my homework and my text kept on overwriting itself. I never clicked insert. 

Thank you!!


Hello :welcome: 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I need more information from this machine. Close as many other apps as you can before running this report. 

I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail (the screen grabs just do not have full details + those screens give no clue as to what processes are running).

Hi, thank you. I had to run it twice because I didn't see I had to close all the apps. But I'm a little worried because when I ran it the first time it took a lot longer. I was gonna move the first zip but then I thought what if something happens if I do? And I'm thinking what if when I ran it the second time something happened? But here are the logs.

mbst-grab-results.zip


Take these actions so that Windows 11 is set to show all hidden files and folders.

  • Open File Explorer from the taskbar.
  • Select View > Show > Hidden items.

*

Thank you for the report file. Do not fret about running the support-tool twice. Know that I did not notice obvious signs of infection.
You ran Rkill tool from Bleepingcomputer?
You ran Hitmanpro?
Please do not run any further tools on your own. Do not make changes on your own without first checking with me. I will guide you along.
This is a Windows 11 O.S. so I want to be sure it is set to Show all folders & hidden files ( like above).
This next run is a custom run. This is just one procedure. We will do more later on. I will guide you.
*

This custom script is for TeatreePlant only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do checks & some cleanups.

We will use FRSTENGLISH on the Downloads folder to run a custom script. The system will be rebooted after the script has run.

NOTE-1: This script will check on Microsoft Defender & make sure it is up-to-date & do one Quick Scan. It will also get a status check on services. It will run Windows SFC & DISM to check integrity. It will rebuild the Winsock.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

  • Please save the (attached file named) FIXLIST.txt to the Downloads folder

Fixlist.txt     <<< - - - - -

Then, Start the Windows Explorer and then, go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator to run the tool, and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click the line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Stick with me.

After this run, you will want to do a new scan with Malwarebytes.


Hello. Thanks. The run is a good run. That would have started a CHKDSK on the Restart, so that is likely what you perceived as "very slow". Once the Windows system is settled back in, it will be more normal. The run did good.

Next, this will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

The MBAR tool (which you mentioned running in your first post here, last Friday) had found a trojan, or else, the remains of a trojan. I very much want to have the logs it created after that run (which you had reported at top of this case). Two files named mbar-log.txt and system-log.txt were created.
Both files can be found in the extracted MBAR folder on your Desktop.
Trojan.FakeMS is Malwarebytes’ generic detection name for trojans that try to pose as legitimate Microsoft files.
Please, at your next chance, when machine is idle, attach mbar-log.txt + system-log.txt


Hello. There were 3 files that the MBAR tool had flagged:

  • C:\Windows\System32\atl.dll
  • C:\Windows\SysWOW64\msinfo32.exe
  • C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe

We will run some tasks later for the "msinfo32". This next bit is to get a new good copy of ATL.DLL by getting a download from Microsoft.
Your O S is a 64-bit Windows 11, and on an Intel microprocessor system. So we want the 64-bit / X64 file vc_redist.x64.exe
Get and SAVE this file to some folder on your system, or else to Desktop
https://aka.ms/vs/17/release/vc_redist.x64.exe

NOW, temporarily Turn Off ( temporarily disable) Windows Security ( Microsoft Defender)
https://bit.ly/3Gy31kZ

Now, Launch the vc_redist.x64.exe file to do the install.

When done, turn back ON the Microsoft Defender antivirus.

NEXT 

Ensure that this pc is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.


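An added example, not part of the posts above and not a Malwarebytes tool: since Trojan.FakeMS covers files posing as legitimate Microsoft files, this PowerShell check reports whether each of the three paths MBAR flagged carries a valid Microsoft signature. The function name Test-MicrosoftBinary and the verdict strings are made up for illustration; it assumes 64-bit Windows PowerShell 5.1 or later.

```powershell
# Added example. Paths are the three files named in the post above.
# Run from a 64-bit PowerShell so System32 is not redirected to SysWOW64.
$flagged = @(
    'C:\Windows\System32\atl.dll',
    'C:\Windows\SysWOW64\msinfo32.exe',
    'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe'
)

function Test-MicrosoftBinary {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'missing' }
    }

    # Get-AuthenticodeSignature resolves embedded and catalog signatures;
    # most in-box Windows files are catalog-signed.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $subject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $msSigned = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')

    # The version resource is plain text anyone can set. A file that names
    # Microsoft there without a valid Microsoft signature is posing as one.
    $claimsMs = $info.CompanyName -match 'Microsoft'

    $verdict = if ($msSigned) {
        'signed-by-microsoft'
    } elseif ($claimsMs) {
        'claims-microsoft-but-not-verified'
    } else {
        'unsigned-or-third-party'
    }

    [pscustomobject]@{
        Path          = $Path
        Verdict       = $verdict
        Status        = $sig.Status
        SignatureType = $sig.SignatureType   # Authenticode or Catalog
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $subject
        CompanyName   = $info.CompanyName
        SHA256        = $hash
    }
}

$flagged | ForEach-Object { Test-MicrosoftBinary -Path $_ } | Format-List
```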
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
