Furtivex Malware Removal Script v7

Discussion in 'other anti-malware software' started by thisisu, Apr 21, 2025 at 4:49 AM.

  1. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    Hello WildersSecurity,

    Furtivex Malware Removal Script v7 has been released

    Furtivex Malware Removal Script (FMRS) is a free scan and removal tool from the same developer as Junkware Removal Tool (JRT).

    FMRS is for Windows 10 and Windows 11 (32 and 64 bit) computers and its goal is to restore full functionality to the system as well as removing all the latest threats and junk from the computer.

    FMRS is translated into 20 languages now!

    Multiple languages are supported: English, Arabic, Bulgarian, Chinese, Czech, Dutch (Thanks Maxstar), French, German (Thanks MKDB), Greek, Hindi, Italian, Japanese, Korean, Polish (Thanks Picasso), Portuguese, Russian (Thanks Dragokas), Serbian, Spanish, Swedish, Turkish.

    Some key features: Read here for the full list
    • Killing off unnecessary processes that may be hindering your ability to use the PC in its current state. Think of it as having a built-in 'RKill' utility. This is the first stage of the scanner and sets the motion for the rest of remediation to happen successfully.
    • Removing the latest types of computer hijacks that may be causing the PC to be untenable. e.g. your antivirus program keeps shutting down (crashing)
    • Restoring damaged service keys which may be causing Windows Updates to not function properly
    • Removing annoying push notifications from Chromium based browsers
    • Cleaning caches - FMRS advocates for maintaining a very tidy and neat system. You probably won't find another scanner out there right now that is hunting for so much junk that tends to accumulate on the system.
    • and of course, deleting the malware that is giving you a problem by removing the related registry keys, registry values, files, folders, services, drivers, tasks, etc.
    >> Its simple design may get overlooked as ineffective, but you don't need a fancy GUI to do repairs. FMRS was developed by a computer technician with over 20 years of experience, who also enjoys hunting for malware on forums around the world by reviewing logs publicly available. I start to see what belongs, what does not belong, etc. and this is how the database is maintained.

    >> I aim to keep it a small program (1.35 MB) compared to others in its class but packs a bigger punch. If you are having doubts about your antivirus / Windows Defender, you can always use FMRS as a second opinion scanner. A GUI is a long term plan of mine for those that are more comfortable with it.

    FMRS does not offer proactive protection against malware. Think of it more as a clean up utility only that can save you a lot of time if you're a computer technician repairing PCs, or having trouble finding malware on a particular system.


    https://furtivex.net/pics/fmrs_204px.jpg

    Download Link: https://furtivex.net/FMRS.exe

    Feedback wanted :thumb:
     
    Last edited: Apr 21, 2025 at 4:59 AM
  2. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    1,089
    Hi @ Wilders

    It's ironic that the author mentions Windows Defender if you are "having doubts about your antivirus". Windows Defender detects furtivex.net/FMRS.exe as a Trojan.

    Trojan:Win32/Sabsik.FL.A!ml

    Terry
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,292
    holy...
    Code:
    SFX module version:
        1.4.0 beta [x86] build 1795 (June 27, 2010)
    
    7-Zip version:
        9.15 beta (June 20, 2010)
    maybe blocked due to this? or because of "boost"?
     
  4. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    Hi, I'll try to address the concerns.

    Hello Terry,

    Yes, I am aware that usually Microsoft is flagging the file but I was not aware of the website being blocked too. I'm on Windows Defender and can access the site fine and haven't had this report lately. I have reported to them several times regarding the file and they do end up whitelisting it.

    I think the problem is due to how often the file is updated. If you give it a few days, that same file will most likely be cleared from VirusTotal's detections. At the current moment, I do not see a detection for the website: https://www.virustotal.com/gui/url/...c0ad33b44912b348c1cb48d69f0cc19e7d4?nocache=1

    The direct exe has 2 (at the moment) https://www.virustotal.com/gui/url/...c78dd6e3e2f9ef0fc713a2e4c77b580c95b?nocache=1

    If I may quote an article I read recently from MajorGeeks, which may explain the situation a bit better. https://www.majorgeeks.com/content/page/not_commonly_downloaded.html

    "This is the bane for new authors as since the antivirus programs have never seen the program before, in an abundance of caution, The AV assumes danger until proven otherwise -"

    Here's a video which may also explain it better than I can: hxxps://youtu.be/MuBeblbUXpU

    Currently, the latest file has a detection ratio of 2/71. One of them being Windows Defender -> https://www.virustotal.com/gui/file/834c78557d0cf90871c73c88380fc3bc590332081e822f70b11aa1b932f7532e

    I'm going to look into seeing if I can update those even though I am running the latest 7zip. It's the creation program that is old.

    pevFind uses Boost software license, I think this is the file you're referring to

    Thanks for the feedback guys
     
    Last edited: Apr 21, 2025 at 7:38 AM
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    As many 2nd opinion scanners have been shown to be lacking in some areas of protection I thought I would put this product through a (very) simple test.

    In the past it has been found that applications like HMP, MD, Emsisoft are not capable of preventing Scriptor infections, so I infected an otherwise clean system with 8 VBS worms. After confirming manually that the system was indeed compromised (confirming the worms were actively running and also had created Startup entries to these malware existed). In addition 1 data stealer was executed that would restart via Task Scheduler. I then rebooted and confirmed that the system was indeed infected.

    I then ran FMRS as admin, waited for the script to finish and rebooted.

    On system start, although the Startup entries to the malware (essentially registry changes) the actual worms had been detected and deleted as was the data stealer (which still left the Scheduled Task but the Stealer itself was deleted) leaving the system clean, thus outperforming most 2nd opinion scanners that are commonly used.

    Please note a few things:
    1). This test was far from extensive, but done just to give a taste.
    2). This will NOT detect any malware that is not currently running (so will ignore any UN-executed stuff one may have as a test bed).
    3). For those that rely on sub-optimal 2nd opinion scanners (like those that I've trashed over the years on my videos) FMRS would be a good idea to use as a 3rd opinion scanner.
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,257
    Location:
    .
    Trying on Windows 10 x64, a window opens briefly showing an error then closes:
    https://streamable.com/o9vyh7
     
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,151
    Location:
    Nebraska, USA
    I don't see where Terry said it was blocking the site. It didn't block it for me.

    As for tagging the file, if any program is coded to look for specific malicious code, it makes sense a security program might tag it - especially if that program is new and the author did not take steps to certify it.

    Certainly False Positives (tagging good programs as bad) are unfortunate, but sure are better than False Negatives (allowing bad programs in as good).

    Not sure about ironic but I think it sad, perhaps inappropriate even, that Defender was singled out by name. Feels like just another opportunistic MS bashing to me. :(

    I am not suggesting Defender is the best thing since sliced bread, but it is a very capable solution for the vast majority of users out there, just as most well known 3rd party solutions are these days. It is because modern Windows itself is hard to infect, therefore easy to protect, that I think it sad Defender was singled out.

    IMO, the comment should have been inclusive, not divisive and should have simply said, "If you are having doubts about your antivirus, you can always use FMRS as a second opinion scanner."

    I will say that I have been using Defender (and its predecessor, MSE) since W7 on all our systems here with no problems. And more importantly, secondary scanning with various secondary scanners has never, not once found anything malicious Defender missed. Worst case is Malwarebytes tagging a couple clean "wanted" programs as PUPs. :(

    That said, I am in favor of second opinions - to verify our systems are clean - regardless of our primary solution of choice. So when this program is seen as clean, then I may add it to my list of potential second (or third) opinion products. Until then, I don't see a need for it. The days of needing layer upon layer upon layer are long gone.

    Now if the user fails to keep Windows and their security current, and is prone to being "click-happy" on every link, popup, download, and attachment they see, then all bets are off and they need all the security they can get - plus a robust backup plan.
     
  8. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    Hello cruelsister,

    Hi, thank you for giving it a test :thumb:

    Although worms are mostly a thing of the past and the tool focuses on newer threats from late 2024 and onwards, I am glad it still recognized that a bunch of VBS files scattered throughout the system were successfully deleted. Can you share the log for us to review?

    May I understand better which language the operating system is in, in order to address the Task Scheduler issue you described? It is unusual for the script to not delete the scheduled tasks as you mentioned. Was it run through Safe Mode / Safe Mode with Networking perhaps? The scheduled tasks deletion portion does not work there and is documented here

    If they are running as .exe files, they should be detected and closed. This is the first stage of the program. Any files that are purporting to be legitimate Microsoft files that are outside of the normal directories are appended to the Processes section of the log and closed

    https://furtivex.net/wp-content/uploads/2024/11/fmrs_2-1024x577.png

    Thank you again for your honest feedback :thumb:
     
    Last edited: Apr 22, 2025 at 5:13 PM
  9. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    Hi Bill_Bright,

    Allow me to try to clarify myself a bit. I'm not a great speaker, that's for sure .. haha

    Terry shared a URL block in his post of the website https://furtivex.net/FMRS.exe being labeled as Trojan:Win32/Sabsik.FL.A!ml

    You are referring to a digital signature here yes? Maybe some day, the problem for me with this is that it is expensive, you have to renew yearly, and it would slow down updates on my end. While being completely undetected would be great, and I've gotten as low as 1/72 detection ratio in previous versions, it's nearly impossible to bypass every AV that has any sort of behavioral or cloud scanning. I didn't mention this early on because I didn't feel it was necessary, but maybe it is. I'm a former employee of an anti-virus company. The product Junkware Removal Tool was acquired by Malwarebytes in 2015 and I went to work with them for 8+ years as a research engineer. Hopefully this adds to my credibility or reputation here.

    Oh absolutely. I love Windows Defender and use it myself. It's all I really need/want. It's also not worded like this on my website. The reason I mentioned antivirus and Windows Defender separately was only because Windows Defender comes with every Windows computer. You have to go out and get a second antivirus to replace it if you wanted to. It was not intended to bash or otherwise single out Microsoft in any way.

    I hope this clears things up
     
    Last edited by a moderator: Apr 21, 2025 at 5:37 PM
  10. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    Hello Mr.X!

    It looks like the system here is missing system32\CHCP.com. This file helps the tool to identify which language to output the log file and DOS window based on the user's Language / Region preferences. It couldn't find the file, maybe other files were missing as well and it determined it couldn't safely run in this environment. I do have some safe checks built in. Is it a heavily modded system by chance? Or is the Windows directory not located on the C: drive?
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,257
    Location:
    .
    Modded, but not so heavily.
    Yes.

    Turns out the environment variable path %SystemRoot%\System32 was missing in my Windows 10, I don't know why.
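The failure described in this exchange (a tool that shells out to chcp.com and cannot find it because %SystemRoot%\System32 has dropped out of PATH) can be diagnosed without guessing. The script below is an added example, not FMRS code; it checks the live process PATH, the machine PATH as stored in the registry, and whether chcp.com actually resolves, and only prints the repair command rather than running it.

```powershell
# Added diagnostic (not part of FMRS): is %SystemRoot%\System32 on PATH, and does chcp.com resolve?
$System32 = Join-Path $env:SystemRoot 'System32'

function Test-PathHasSystem32 {
    param([string[]]$Entries)
    foreach ($e in $Entries) {
        if ([string]::IsNullOrWhiteSpace($e)) { continue }
        # Expand a literal %SystemRoot% so both spellings of the entry count.
        $expanded = [Environment]::ExpandEnvironmentVariables($e).TrimEnd('\')
        if ($expanded -ieq $System32) { return $true }
    }
    return $false
}

# 1. PATH as this process (and any child like cmd.exe or a batch tool) sees it.
$procOk = Test-PathHasSystem32 ($env:Path -split ';')

# 2. Machine PATH as stored in the registry; read unexpanded so a REG_EXPAND_SZ
#    entry of %SystemRoot%\System32 is seen as written.
$envKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$machinePath = (Get-Item $envKey).GetValue('Path', '', 'DoNotExpandEnvironmentNames')
$machineOk   = Test-PathHasSystem32 ($machinePath -split ';')

# 3. Does chcp.com resolve through PATH at all, and is the file on disk?
$chcp = Get-Command chcp.com -ErrorAction SilentlyContinue

"Process PATH contains System32 : $procOk"
"Machine PATH contains System32 : $machineOk"
"chcp.com resolves to           : $(if ($chcp) { $chcp.Source } else { '<not found>' })"
"chcp.com exists on disk        : $(Test-Path (Join-Path $System32 'chcp.com'))"

if (-not $machineOk) {
    Write-Warning 'Machine PATH lacks %SystemRoot%\System32; tools that call System32 utilities by name will fail.'
    Write-Host 'Repair from an elevated prompt (keeps the value as REG_EXPAND_SZ), then sign out and back in:'
    Write-Host "  Set-ItemProperty -Path '$envKey' -Name Path -Type ExpandString -Value ('%SystemRoot%\System32;' + `$machinePath)"
}
```

If the process PATH is fine but the machine PATH is not, the current session inherited a corrected value from somewhere else (a launcher or profile), which is why the problem shows up only in some tools.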
     
  12. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    I am glad you figured it out. Yes that would explain the cause of that issue
     
  13. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,151
    Location:
    Nebraska, USA
    First, credibility (yours or FMRS') was never in question. Sorry if my comments suggested otherwise. I see here, that you are the author so again, I am not questioning your credibility or reputation.

    Perhaps my use of the word "clean" is misleading. I did not mean to suggest the program is "dirty". I simply mean it did not install without issues. And reporting the presence of a trojan is a big issue! Seeing that warning does not instill confidence, especially for less experienced users already concerned their computer has been compromised.

    No user should need to be a security expert to protect their systems, or families.

    I base my use and recommendation decisions, in large part, on whether or not I would recommend a program to my clients, family and friends. You can see through the link in my signature that I have a bit of experience in IS/IT security myself. With that in mind, I am often the one my clients, family and friends call first if anything even appears to be wrong. As anyone who has, by default, become the de facto, neighborhood/family "go to" computer guy, that can be a blessing and curse. ;)

    It's a blessing when they call BEFORE making changes, and often a curse when they call after the fact. Oh well.

    Anyway, the real point I did a poor job of explaining really has nothing to do with whether or not FMRS is any good or not. It appears to be good but this is another one of those "impossible to test for every scenario" scenarios.

    Not specifically signatures or definitions unique to a specific threat - at least not exclusively sig/def files. Relying on them leads to unnecessary bloat and outdated code. Plus they are essentially ineffective against new threats and suspicious behavior.

    Relying on sig/def files is an "always playing catch-up scenario" for the white-hats and often leads to included signatures for malware that has not been seen "in the wild" for 20 years. Or it leads to a signature for a specific piece of malware designed to exploit a vulnerability that was patched way back in Windows XP. I was talking about code that looks for malicious patterns, activities, or trends.

    My point is, do users "need" yet another security program on our systems? And IMO, if they simply keep their OS and security current, and they avoid being "click-happy", then no, they don't.

    HOWEVER, as I noted earlier, getting a second opinion - regardless the primary solution of choice - is wise.

    BUT, there are already many decent second opinion scanners out there, including RogueKiller, Comodo Cleaning Essentials, Dr. Web CureIT, Emsisoft Emergency Kit, ESET Online Scanner, F-Secure Online Scanner, Malwarebytes, MS Safety Scanner, Norton Power Eraser, HitmanPro, TM HouseCall Online Scanner, Panda Cloud Cleaner, Zemana and more. Most of those are either Free or have a free trial period.

    For FMRS to compete in that field of already successful scanners, it needs to stand out as something better, and easy to use! And not just easy for the less experienced, but for those who have no interest in becoming computer or security experts. I note "most" computer users see their computers as just another appliance in the house, like a toaster. Or like a game console. No expertise required. No GUI already puts it in the experienced user/enthusiast realm.

    AND, to succeed, it needs to be a program we "need". And I'm not seeing that. Sorry.

    "IF" you are able to ensure users get a "clean" install (no reports of malicious code or activities), then I probably would be willing to add FMRS to the list of recommended secondary scanners for my more experienced clients, friends, and family. But it needs a functional, intuitive GUI to succeed with everyone else.

    This seems to be more of a personal project than a commercial endeavor. And there is nothing wrong with that. In this case, the problem I see is the wheel has already been invented.
     
  14. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    v7.2.2 now available

    It attempts to address a potential bug where the Task scheduler portion of the tool would not work on non-English operating systems.

    Please keep in mind that this feature is still disabled if run through Safe Mode or Safe Mode with Networking. I aim to increase the effectiveness in this mode as well
     
  15. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,166
    Location:
    UK
    Thanks for heads up about the update.
     
  16. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    597
    FMRS looks interesting, but I have a question based on the text portion quoted above:

    Would using FMRS affect (counteract) the use of tools like GRC's InControl or Windows Update Manager?
     
  17. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    Hi,

    First off, it's nice to see the author of SpinRite is still making tools. Was a little shocked to see the Spinrite 6.1 announcement

    According to their GRC technical details page, it focuses on these six registry entries:
    Code:
        HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
            TargetReleaseVersionInfo = {Feature release such as “21H1”, “21H2”, etc.}
            TargetReleaseVersion = 1
            ProductVersion = {Windows major version, “10”, “11”, “12”, etc.}
            DisableOSUpgrade = 1
        HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore
            DisableOSUpgrade = 1
        HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeNotification
            UpgradeAvailable = 0
    
    4/6 of those entries (the ones involving HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate), FMRS would attempt to delete as it's considered a policy restriction. The last two are unaffected.

    For the second program you mentioned, Windows Update Manager, I am a beginner at reviewing C# code, so even though this is open source, I don't fully understand what it's doing. This comment here though by the author suggests that it wants to restrict some access

    Code:
        // Note: windows tryes to re enable this services so we need to remove system write access
        if (mode == ServiceStartMode.Disabled) // add new rule
            ac.AddAccessRule(new RegistryAccessRule(new SecurityIdentifier(FileOps.SID_System), RegistryRights.FullControl, AccessControlType.Deny));
        subKey.SetAccessControl(ac);
    }

    static public bool GetDisableAU()
    {
        return IsSvcDisabled("UsoSvc") && IsSvcDisabled("WaaSMedicSvc");
    }
    The UsoSvc and WaaSMedicSvc service keys are mutually found within FMRS and Windows Update Manager.

    However, I think it's important to note, FMRS would only attempt to restore their defaults if a relevant miner infection (which attempts to delete those keys entirely) was found on the system.

    I'll try to document this on the website in the future, but I can note here in the meantime,

    If you have these service keys:
    • BITS_bkp
    • dosvc_bkp
    • wuauserv_bkp
    • WaaSMedicSvc_bkp
    • UsoSvc_bkp

    You're likely infected with a particular BitCoinMiner infection and can't perform Windows Updates at all.

    This is where FMRS might be useful to the user as it attempts not only to delete that particular miner but afterwards to restore the functionality of Windows Update. I haven't seen any other tool doing this and see the malware helper community having to manually fix these cases, so I hope this is some added value of the program.
     
    Last edited: Apr 22, 2025 at 5:15 PM
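The post above names two concrete things a user can check before running a cleaner: the InControl policy values that FMRS would delete, and the `*_bkp` service keys it treats as a miner indicator. The script below is an added example, not FMRS or InControl code; it inventories both, reports the Start value of each Windows Update service, and exports the policy key so InControl settings can be put back after a cleanup.

```powershell
# Added example (not FMRS/InControl code): inventory the registry state the post discusses.
$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$InControlValues = 'TargetReleaseVersionInfo', 'TargetReleaseVersion', 'ProductVersion', 'DisableOSUpgrade'
$OtherInControl  = @{   # the two entries the post says FMRS leaves alone
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' = 'DisableOSUpgrade'
    'HKLM:\SYSTEM\Setup\UpgradeNotification'         = 'UpgradeAvailable'
}
# Services the post says the miner leaves behind as *_bkp copies.
$UpdateServices = 'BITS', 'dosvc', 'wuauserv', 'WaaSMedicSvc', 'UsoSvc'
$ServicesRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

Write-Host '== InControl policy values (the WindowsUpdate ones are what FMRS would remove) =='
foreach ($v in $InControlValues) {
    $val = Get-RegValueOrNull $PolicyKey $v
    if ($null -ne $val) { Write-Host "  present: $PolicyKey\$v = $val" } else { Write-Host "  absent : $PolicyKey\$v" }
}
foreach ($k in $OtherInControl.Keys) {
    $val = Get-RegValueOrNull $k $OtherInControl[$k]
    if ($null -ne $val) { Write-Host "  present: $k\$($OtherInControl[$k]) = $val (not touched by FMRS)" }
}

Write-Host '== Windows Update service keys (Start: 2=Automatic 3=Manual 4=Disabled) =='
$bkpFound = @()
foreach ($svc in $UpdateServices) {
    $live  = Test-Path "$ServicesRoot\$svc"
    $bkp   = Test-Path "$ServicesRoot\${svc}_bkp"
    $start = Get-RegValueOrNull "$ServicesRoot\$svc" 'Start'
    if ($bkp) { $bkpFound += "${svc}_bkp" }
    Write-Host ("  {0,-13} key={1,-5} _bkp={2,-5} Start={3}" -f $svc, $live, $bkp, $start)
}
if ($bkpFound) {
    Write-Warning ("Found " + ($bkpFound -join ', ') + ": matches the miner indicator described in the thread; expect Windows Update to be broken.")
}

# Snapshot the policy key so InControl's choices can be restored after any cleanup.
if (Test-Path $PolicyKey) {
    $out = Join-Path $env:TEMP ('WindowsUpdatePolicy-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' $out /y | Out-Null
    Write-Host "Policy key exported to $out (restore later with: reg import `"$out`")"
}
```

Reading HKLM needs no elevation, so this runs as a normal user; only the later `reg import` of the exported file requires an administrator prompt.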
  18. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    I believe we misunderstood each other again. You are referring to a signature virus database, whereas I was trying to clarify if you wanted me to digitally sign the FMRS.exe file in an attempt to reduce false positives and I answered that question.

    FMRS is not using the traditional virus signatures you're thinking of.

    Thank you for your feedback guys :thumb:
     
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    Glad you said that! Actually worms are quite in vogue currently and come in various forms. I'm in the process of defanging one that came as part of an application installer. It is a worm that will spread across Networks, drops a vbs script that will activate powershell (via a Scheduled task) in order to steal data. Think all bases will be covered with this one.

    When I have a chance I'll post a video comparison of FMRS vs MB and HMP (if anyone is interested, anyway...).
     
  20. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,151
    Location:
    Nebraska, USA
    Sorry. Yes I did misunderstand you. My bad. Thanks for clarifying.
     
  21. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    14
    That'd be great. I'd love to see it
     
  22. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    2,313
    Location:
    .
    Many would be absolutely interested! Please Do!

    Thank you!
     
  23. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    597
    Thanks for the thoughtful and detailed response. Yeah, Steve Gibson finally got around to updating SpinRite, and the new version runs incomparably faster on large-capacity drives. Scans now take hours to complete, instead of weeks.

    I appreciate the explanation re: Windows Update settings. Given that FMRS resets some WU settings, it does sound like Windows users who prefer to keep their own schedule over the installation of new Windows versions and feature updates with InControl might want to think before using FMRS, although if I'm reading this right, we could use FMRS and still control the selection and timing of regular monthly patches with Windows Update Manager.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    I started making the video about FMRS using the new build and discovered things that were not acceptable. The malware that was tested achieved Persistence by both adding a startup entry (via the registry) as well as by adding a Scheduled Task.

    Although after running FMRS all traces of the malware were gone, sadly also gone were some legitimate Startup entries as well as all of Scheduled Tasks. Please note that I did not find this to be the case with the initial version of FMRS that I tried (or at the least failed to notice).

    But as of now, I wouldn't suggest using it until these issues are resolved.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    5,257
    Location:
    .
    I noticed this since day 1 (first release) so I stopped using it. I had to shut down the machine with the power switch.

    All my legit startup and resident processes, such as Sandboxie, WFC, System Informer, POP Peeper, Shadow Defender, Secure Folders, FastStone Capture including Windows Network and Sound indicators were killed.

    I didn't report earlier hoping someone else experienced it too.
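The two reports above (legitimate Run entries and every scheduled task removed alongside the malware) are exactly what a before/after snapshot makes visible and recoverable. The functions below are an added example, not FMRS code; dot-source the file, run `Save-PersistenceSnapshot before`, run the cleaner, run `Save-PersistenceSnapshot after`, then `Compare-PersistenceSnapshots before after`. They assume an elevated PowerShell session and the built-in ScheduledTasks module.

```powershell
# Added example (not part of FMRS): snapshot Run keys and scheduled tasks, then diff two snapshots.
$SnapDir = Join-Path $env:USERPROFILE 'persistence-snapshots'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-PersistenceSnapshot {
    $runs = foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own properties
            [pscustomobject]@{ Kind = 'Run'; Id = "$key\$($p.Name)"; Value = [string]$p.Value }
        }
    }
    $tasks = Get-ScheduledTask | ForEach-Object {
        # MSFT_TaskExecAction exposes Execute/Arguments; other action types just yield an empty string.
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
        [pscustomobject]@{ Kind = 'Task'; Id = "$($_.TaskPath)$($_.TaskName)"; Value = "$($_.State): $actions" }
    }
    @($runs) + @($tasks)
}

function Save-PersistenceSnapshot([string]$Name) {
    New-Item -ItemType Directory -Path $SnapDir -Force | Out-Null
    $snap = Get-PersistenceSnapshot
    $snap | ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $SnapDir "$Name.json") -Encoding UTF8
    # Keep each task's XML too, so a wrongly deleted task can be re-registered with Register-ScheduledTask -Xml.
    $taskDir = Join-Path $SnapDir "$Name-tasks"
    New-Item -ItemType Directory -Path $taskDir -Force | Out-Null
    Get-ScheduledTask | ForEach-Object {
        $safe = ($_.TaskPath + $_.TaskName) -replace '[\\/:*?"<>|]', '_'
        Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath |
            Set-Content -Path (Join-Path $taskDir "$safe.xml") -Encoding Unicode
    }
    "$($snap.Count) entries saved under $SnapDir as '$Name'"
}

function Compare-PersistenceSnapshots([string]$Before, [string]$After) {
    $b = Get-Content -Path (Join-Path $SnapDir "$Before.json") -Raw | ConvertFrom-Json
    $a = Get-Content -Path (Join-Path $SnapDir "$After.json")  -Raw | ConvertFrom-Json
    # '<=' means present only in the Before snapshot, i.e. removed by whatever ran in between.
    Compare-Object -ReferenceObject $b -DifferenceObject $a -Property Id, Value -PassThru |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '<=') { 'REMOVED' } else { 'ADDED' } } }, Kind, Id, Value |
        Sort-Object Change, Kind, Id
}
```

Anything listed as REMOVED with Kind Task can be restored from the saved XML with `Register-ScheduledTask -TaskName <name> -TaskPath <path> -Xml (Get-Content <file> -Raw)`, which is considerably less work than rebuilding the tasks by hand.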
     