DoesNotBelong (Formerly Furtivex Malware Removal Script)

Discussion in 'other anti-malware software' started by thisisu, Apr 21, 2025.

  1. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    Hi,

    Thank you for the feedback. :thumb:

    I can lessen the 'aggressiveness' of FMRS in the future, but it wasn't designed to allow video capturing software and Sandboxes to run alongside it. FMRS goes off a whitelisting system regarding processes and tasks; this is why you experienced this issue.

    I feel I've already been transparent about this, both in this topic and on the website and knew I would receive some backlash about this (I already have), and that's OK. I think each person has the right to their own approach on how to remediate malware or optimize their computer. If the way FMRS does it is not to your liking, that's perfectly OK. I am also not trying to reinvent the wheel so to speak, but take a rather different approach.

    I can attempt to explain my thought process on this subject, but if you're the type of person to shut down the computer via the power switch, it worries me that you won't understand my perspective at all. This, as you should know, is also highly not recommended and tends to lead to hardware failure and data corruption.

    Cited from the resource page:
    • Aggressive process termination. All non-essential processes are shut down while the program scans. A small whitelist is maintained.
    • Aggressive RunOnce cleaning. All RunOnce entries are purged from the Windows Registry.
    • Aggressive Task Scheduler cleaning. This is a unique feature of the tool compared to others in its category. A small whitelist is maintained. Tasks are a primary persistence mechanism that the bad guys use to ensure that their malicious software continues to load on the system after a set amount of minutes / hours, etc.
    While it could seem scary or worrisome that FMRS deleted many Tasks that fall into the legitimate category, I am of the perspective that your legitimate software will still continue to function, and 9/10 will recreate the entry (a new scheduled Task) the next time you intentionally launch the application.

    Tasks that are prohibited or protected from being deleted by Windows are included in this task whitelist FMRS utilizes. The rest, in my opinion, are fair game for modification. Tasks from your antivirus software are also a part of this whitelist. If there is ever a problem with Windows Defender tasks being deleted, for example, let me know as that's definitely a non-intended action, even though they are currently not 'protected' by the OS.

    Tasks that are already damaged, or indicate their linked target FILE is no longer present, show up to clutter online forum logs with (No File) lines. This is yet another reason why FMRS purges tasks in such an aggressive manner. Many helpers opt to include, as part of their fix for the infected user, deleting those tasks as well -- even though they are from legitimate software that no longer exists on the system (i.e. the user uninstalled said software a while ago).

    I hope this helps you understand my position. Once again, thank you for the honest feedback.
     
    Last edited: Apr 23, 2025
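    The (No File) tasks described in the post above can be found without deleting anything. This is an added report-only example, not code from FMRS/DoesNotBelong: it walks every scheduled task and lists the exec actions whose program is no longer on disk, leaving removal to the reader.

    ```powershell
    # Added example (not the FMRS/DoesNotBelong code): audit scheduled tasks whose
    # action executable is missing, i.e. the "(No File)" entries seen in forum logs.
    # Nothing is modified. Run from an elevated session to see tasks of all accounts.
    function Get-OrphanedTaskAction {
        [CmdletBinding()]
        param()

        foreach ($task in Get-ScheduledTask) {
            foreach ($action in $task.Actions) {
                # Only ExecAction entries carry a program path; COM handler actions have none.
                if (-not $action.Execute) { continue }

                # Expand %SystemRoot%-style tokens, then drop surrounding quotes.
                $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

                # Bare names such as "cmd.exe" resolve through PATH; they are not orphans.
                if (-not [IO.Path]::IsPathRooted($exe)) { continue }

                if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                    [pscustomobject]@{
                        TaskPath  = $task.TaskPath
                        TaskName  = $task.TaskName
                        State     = $task.State
                        Execute   = $action.Execute
                        Arguments = $action.Arguments
                    }
                }
            }
        }
    }

    # Report only: review the list before deciding what, if anything, to unregister.
    Get-OrphanedTaskAction | Format-Table -AutoSize
    ```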
  2. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    Thank you for the feedback and for spending time to test the effectiveness of FMRS
     
  3. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    v7.3.0 available now
    • Process whitelist updated
    • Database update
     
  4. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    v7.4.7 available now
    • Process whitelist updated
    • Database update
    • AV detection update
     
  5. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    v7.5.8 available now
    • Database update
    • AV detection update
    • Added Shortcut (.lnk) repairs for a particular browser infection which hijacks shortcut arguments
    • Several updates which aim to increase speed and stability during scan.
     
  6. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    v7.7.3 available now
    • New # Cache section of log file
      • Previous files and folders caches are now consolidated into a new section of the log labeled # Caches with their respective amounts listed
    • More verbose File logging.
      • For example: If a folder gets deleted, FMRS will try to list its contents into the # Files subsection of the log
     
  7. Black Tiger

    Black Tiger Registered Member

    Joined:
    Tuesday
    Posts:
    4
    Location:
    State Penitantiary
    I have been asked to post my experience here as this tool caused some unexpected issues on my Windows 10 PC, where things happened which should never happen.

    This can be read in Dutch here, but I will try to translate into English.
    https://www.pcwebplus.nl/phpbb/viewtopic.php?p=201828#p201828

    So I ran the tool and after running it, various icons were missing from the taskbar. This can happen, so I rebooted and now 1 item was not starting anymore. That was my Blomp cloud login.
    But this should not have been removed from startup, so I started to investigate further and discovered things about this tool which started to worry me.
    I didn't trust the tool anymore, but it made a system backup point, so I used system restore.

    Then I discovered files which were gone, even after I did the system restore.
    These are the files which disappeared by using this tool.

    C:\Program Files (x86)\putauohprq.dat
    C:\Users\Tiger\AppData\Local\Resmon.ResmonCfg
    C:\Users\Tiger\advanced_ip_scanner_Aliases.bin
    C:\Users\Tiger\advanced_ip_scanner_Comments.bin
    C:\Users\Tiger\advanced_ip_scanner_MAC.bin
    C:\Users\Tiger\AppData\Local\{51FDEFD4-CECE-4DF1-8A0E-B41C7D0F8F40}
    C:\Users\Tiger\AppData\Local\Microsoft\BGAHelperLib\BGAUpsell\Assets\Banner-img.png
    C:\Users\Tiger\AppData\Local\Microsoft\BGAHelperLib\BGAUpsell\Assets\Dark-logo.png
    C:\Users\Tiger\AppData\Local\Microsoft\BGAHelperLib\BGAUpsell\Assets\Light-logo.png
    C:\Users\Tiger\AppData\Local\Microsoft\BGAHelperLib\BingChatInstaller\Assets\Hero.png
    C:\Users\Tiger\AppData\Local\oobelibMkey.log
    C:\WINDOWS\nsa2CE7.tmp
    Browser: Google Chrome - pushmeldingen gevonden en verwijderd (Default)

    The last one refers to push notices found and removed by default. However, imho this should not be done by default but should be a switchable option or an "ask" option. Often push options are wanted by the user.

    Now this is unfortunately not all. These are all registry entries which I could not find in my registry anymore after system restore either.

    * HKLM\Software\Policies\Google
    * HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
    * HKLM\Software\Policies\Mozilla\Firefox
    * HKLM\Software\Microsoft\Tracing\AgentTray_RASAPI32
    * HKLM\Software\Microsoft\Tracing\AgentTray_RASMANCS
    * HKLM\Software\Microsoft\Tracing\APCUpdates_RASAPI32
    * HKLM\Software\Microsoft\Tracing\APCUpdates_RASMANCS
    * HKLM\Software\Microsoft\Tracing\b4a8A57_RASAPI32
    * HKLM\Software\Microsoft\Tracing\b4a8A57_RASMANCS
    * HKLM\Software\Microsoft\Tracing\b4aB9DB_RASAPI32
    * HKLM\Software\Microsoft\Tracing\b4aB9DB_RASMANCS
    * HKLM\Software\Microsoft\Tracing\backupBootstrapper_RASAPI32
    * HKLM\Software\Microsoft\Tracing\backupBootstrapper_RASMANCS
    * HKLM\Software\Microsoft\Tracing\DLS_RASAPI32
    * HKLM\Software\Microsoft\Tracing\DLS_RASMANCS
    * HKLM\Software\Microsoft\Tracing\express_RASAPI32
    * HKLM\Software\Microsoft\Tracing\express_RASMANCS
    * HKLM\Software\Microsoft\Tracing\MailStoreHome_RASAPI32
    * HKLM\Software\Microsoft\Tracing\MailStoreHome_RASMANCS
    * HKLM\Software\Microsoft\Tracing\MailWasherPro_RASAPI32
    * HKLM\Software\Microsoft\Tracing\MailWasherPro_RASMANCS
    * HKLM\Software\Microsoft\Tracing\odm_RASAPI32
    * HKLM\Software\Microsoft\Tracing\odm_RASMANCS
    * HKLM\Software\Microsoft\Tracing\Squirrel_RASAPI32
    * HKLM\Software\Microsoft\Tracing\Squirrel_RASMANCS
    * HKLM\Software\Microsoft\Tracing\Update_RASAPI32
    * HKLM\Software\Microsoft\Tracing\Update_RASMANCS

    There were 2 other lines in this tool's log:
    HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\OneDrive
    HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\OneDrive

    I did find those two, however they were not empty, they contained this value, or at least after system restore:
    C:\Program Files\Microsoft OneDrive\OneDrive.exe /background /setautostart

    Maybe those tracing parts can be removed and maybe it's not important, I don't know.
    But I wonder why entries like WindowsUpdate and Firefox and Google were removed. Or did that happen because they were empty or something?

    The rest of the log was caches and I did not check those anymore because caches and dumps can be cleaned up.

    However, most of the files shouldn't be removed to begin with. Removing logos and files from ipscanner? I don't see any reason for that and such things could cripple programs.
    Also, removing the startup of Blomp without any mention of it being removed in the log file is questionable. So much room for improvement imho.

    You can check the tool's log at the link I posted, or if you want I can post the full log here.
     
  8. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    Hi Blacktiger :)

    Thanks for trying out the tool and for bringing your concerns here. I'll attempt to break down most if not all entries to better explain what you noticed from the log. I'd also like to preface this by saying the tool was recently (about 4 days ago) renamed to "DoesNotBelong". I can't seem to update the title here on this thread. But essentially, the name comes from its ability to find and remove files in locations where files 'do not belong'. Legitimate or not, the tool targets both if they don't belong there. An example of this are chrome_url_fetcher folders created by Brave browser.

    The logos were from the BGAUpsell folder. The tool doesn't like this type of nagging notification from Microsoft trying to get users to switch to Bing. [1] [2] [3] Check out these links for more information.

    What's wrong with this detection? What does it belong to? It's a great example of what many antivirus programs will not flag just due to it probably not containing any harmful information, but it also shouldn't be in Program Files without an assigned subfolder.

    These aren't the target for the tool, and I could add them to the whitelist, but they also get recreated when you re-run the Advanced IP Scanner program, which is not affected functionality-wise.
    They are deleted because they are .bin extension files at the root of the userprofile folder. The tool considers programs that drop .bin extension files to this folder as suspicious and usually malicious. Most legitimate software doesn't drop files here. While Advanced IP Scanner is legitimate, it's not wise in my opinion to drop files onto the system in this location.

    Not out of the ordinary either. These entries aren't there by default and are flagged by other malware scanners. The tool removes restrictions to the browsers. More information about the detection can be found here. [1] [2][3] Most of these are often linked to unwanted browser extensions that push notifications through the browser, and add a layer of difficulty to remove.

    Documented here "Full RunOnce registry cleaning." Malware often uses this key as well. OneDrive, in this case should not be affected. It's still installed and functional.

    Not saying the tool never causes false positives, but there aren't any in your case from what I am seeing. If you have any questions, please let me know and I'll try my best to answer.

    Regards
    -thisisu
     
  9. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    107,580
    Location:
    U.S.A.
    Done!
     
  10. Black Tiger

    Black Tiger Registered Member

    Joined:
    Tuesday
    Posts:
    4
    Location:
    State Penitantiary
    Hello thisisu

    Thank you for the explanation. I had a short look and will come back to it later, because it's night here now and I will take a better look tomorrow.
    Just a few things I can say now.
    I don't agree about removing files from a good working program like Advanced IP Scanner. They might be re-created on start again, but then why remove them? It creates a lack of trust in the tool because there is no good reason to remove them, and who says no other good thing will be removed? That's what will be wondered about, so that's what could cause a lack of trust this way.

    Speaking of that, you didn't answer why my blomp startup link was deleted by the tool. Which is a false positive. :)
    Neither was it explained why all push notices were deleted from Chrome. Who says the user didn't choose to receive push notices? Yes, he can turn them on again, but that's no argument.

    As for the OneDrive entries, I'm not sure anymore if they were deleted. I only noticed that in the tool's log every registry key has all values mentioned too, which is not the case with the OneDrive lines in the log, while in the registry it does contain the string which I posted.
    So am I correct in concluding the tool leaves those lines but removes the value pointing to the autostart?
    I'm not native English so as said, tomorrow I will have a closer look.

    The most important thing missing in this tool compared to other tools (like ADWCleaner and others) is the lack of a scan option which gives the user at least the choice to clean up the found things, or cancel it to either clean another time or get advice about the cleaning first, for example.
    To me this is the most important anyway, and I'm sure some malware experts will agree with me. So it would be great if such an agree/cancel option could be built in.
     
  11. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    Thanks @JRViejo

    Hi, no problem, take your time @Black Tiger

    Sorry, I forgot to respond to this one because I'm unfamiliar with that program. I don't doubt you though, the tool does delete a lot of legitimate items from startup. The goal is to speed up boot times by reducing the amount of programs that have to load before you can use the system. The program is still there (installed), it's just not starting up automatically as before. Does that make sense?

    I understand and agree -- that would be nice. :) It's something I'd like to do, but it's not very feasible or practical in the program's current language / state. With batch programs, it'd have to use the CHOICE command, which in my opinion is very clunky and kills the idea of quickly removing items that probably don't belong anyways.
    I fix false positives as soon as I notice them, but honestly there have been very few since its inception. Most of the heuristic scans are as strict as possible and obviously prioritize not deleting something you actually needed/wanted.

    Regards
    -thisisu
     
  12. Black Tiger

    Black Tiger Registered Member

    Joined:
    Tuesday
    Posts:
    4
    Location:
    State Penitantiary
    I have taken another look now, and still I'm not really happy, rather still worried for using this tool. Which I won't do again at least until there is a scan option without action.

    * HKLM\Software\Policies\Google
    * HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
    * HKLM\Software\Policies\Mozilla\Firefox
    Which malware scanners flag these entries? Because as far as I know they were empty. I don't know if they are there by default, I would have to check on another PC. But I know for a fact that at least ADWCleaner and Malware Bytes do not flag these.
    Which restrictions to browsers do they remove, and how do you know the user did not request these restrictions?
    So this is also a good reason a scan only option should be possible.

    The "here" does not point to a link, and I don't see a reason to just bluntly remove things only because sometimes malware also uses it. It won't remove the runonce key anyway which malware could make use of.

    Then it should not be removed anyway, but you already acknowledge the tool might remove more things present there, which worries me even more. Because there is no reason to remove valid tools the user wants to have started when Windows starts. Especially because there is no option to ignore the startup processes cleaning.

    No, that does not make sense. As I wrote before with the Advanced IP Scanner, the fact that a tool is still installed is not a valid argument. Removing parts without an option to put them back easily does not make sense.

    That sounds to me like an invalid reason, as the tool was not presented as such. It's presented as an anti-malware tool that removes suspicious files.
    From the first post here:
    and
    Not all startup items cripple functionality or are threats and junk and malware. And I can't find any statement about speeding up the system or that being a goal of the tool.

    The last point was the talk about the requirement of at least a scan only option.
    It's not a "would be nice", it's a plain basic requirement for an anti-malware tool. Especially because you don't want any users to just click the thing and have things happen they don't want, as always advised with anti-malware tools and which some users still always do.
    This requirement is also there because there is no "undo and put everything back" option. You rely on system restore and I already proved one cannot rely on system restore, as this does not put everything back.

    As you can see I'm quite critical, but that is not to bring down the tool, but only to try to improve things and if they can or won't be made, to warn about things that may happen with this tool, which one may not want to happen.
    And we all know loads of users think "ah nice, lets try" without thinking any further and then they come to us to help them fix things. And some things we can't fix then, because they are gone forever (like the push notices).

    To me there is a difference between a malware tool and a "speed up your system" tool and the choices to be made with both of them.
    Which again makes the necessity clear of at least a "scan only" option and an option to restore all things removed would be a nice thing. ;)
     
  13. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    Hey, sorry past few days have been very busy. I'll try to answer your concerns in segments over the weekend if not tonight @Black Tiger
    I only know one, but it's used very often on several anti-malware forums: Farbar Recovery Scan Tool. A few examples of helpers fixing them can be found here. [1][2][3][4]

    I guess we have to disagree here. ComboFix by sUBs was also a batch program and didn't require user intervention / interaction for the most part. A goal of mine was to also make this a simple tool for users to run to repair systems. While I will admit there may be false positives from time to time, that's any anti-malware scanner, even the very popular ones that have prompts (choices) can end up causing a major disruption to the user.

    It is a free tool after all, I can only try my best to resolve issues as soon as possible.
     
    Last edited: May 30, 2025 at 7:53 PM
  14. thisisu

    thisisu Developer

    Joined:
    Nov 8, 2013
    Posts:
    22
    Here is the link: https://furtivex.net/scripts/fmrs/
    Hmm, good point. I can do something about that. It should be safe enough to delete and restore the key.

    Definitely a con of the tool. All I can say is maybe in the future there will be a way to restore from quarantine.

    I understand, no worries. I wanted feedback after all. I know it has some weaknesses. Since it doesn't offer proactive protection, the main goal is to restore functionality to the system POST infection.

    Yes, true! Since both can be achieved within the same program during a single scan without any major performance impact, I opt to do it.

    Not forever, visiting the same site once again will typically offer you the option to receive push notifications to the browser. I am operating under the pretense that the user is experiencing push notifications that they don't want should they decide to run the tool. But I understand it can be annoying to re-allow your legitimate ones, e.g. Facebook.
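    The "delete and restore the key" and quarantine points above can be combined for the RunOnce cleaning discussed in this thread. This is an added example and not the DoesNotBelong/FMRS code: it records every RunOnce value under HKLM and each loaded user hive (HKU\<SID>) to a JSON file before anything is removed, supports -WhatIf as a scan-only preview, and can write the recorded values back. The file path under $env:TEMP is an assumption.

    ```powershell
    # Added example (not the DoesNotBelong/FMRS code): record-then-remove for RunOnce.
    # Only REG_SZ / REG_EXPAND_SZ values are handled, which is what RunOnce normally
    # holds; other value kinds are skipped and left in place.

    function Initialize-HkuDrive {
        # PowerShell maps HKLM: and HKCU: by default but not HKEY_USERS; map it once.
        if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
            New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Global | Out-Null
        }
    }

    function Get-RunOnceEntry {
        Initialize-HkuDrive
        $suffix = 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
        $keys = @("HKLM:\$suffix") +
                @(Get-ChildItem -Path 'HKU:\' | ForEach-Object { "HKU:\$($_.PSChildName)\$suffix" })

        foreach ($keyPath in $keys) {
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }   # absent or no access
            $key = Get-Item -LiteralPath $keyPath
            foreach ($name in $key.GetValueNames()) {
                if ($name -eq '') { continue }                          # skip the (default) value
                $kind = $key.GetValueKind($name).ToString()
                if ($kind -notin 'String', 'ExpandString') { continue }
                [pscustomobject]@{
                    Key   = $keyPath
                    Name  = $name
                    Kind  = $kind
                    # Keep %VAR% tokens unexpanded so the restore writes back exactly what was there.
                    Value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                }
            }
        }
    }

    function Backup-RunOnce {
        param([Parameter(Mandatory)][string]$Path)
        $entries = @(Get-RunOnceEntry)
        # -InputObject keeps the JSON array wrapper even for zero or one entry.
        ConvertTo-Json -InputObject $entries -Depth 3 | Set-Content -LiteralPath $Path -Encoding UTF8
        $entries
    }

    function Remove-RunOnceEntry {
        [CmdletBinding(SupportsShouldProcess)]
        param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
        process {
            $target = "$($Entry.Key) -> $($Entry.Name) = $($Entry.Value)"
            # -WhatIf prints the target and returns $false here: the scan-only view.
            if ($PSCmdlet.ShouldProcess($target, 'Remove RunOnce value')) {
                Remove-ItemProperty -LiteralPath $Entry.Key -Name $Entry.Name
            }
        }
    }

    function Restore-RunOnce {
        param([Parameter(Mandatory)][string]$Path)
        Initialize-HkuDrive
        $entries = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
        foreach ($e in @($entries)) {
            if (-not $e) { continue }                                   # empty backup file
            if (-not (Test-Path -LiteralPath $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
            New-ItemProperty -LiteralPath $e.Key -Name $e.Name -Value $e.Value `
                -PropertyType $e.Kind -Force | Out-Null
        }
    }

    # Usage (assumed path): record, preview with -WhatIf, remove only if wanted, restore to undo.
    $backupFile = "$env:TEMP\runonce-backup.json"
    $backup = Backup-RunOnce -Path $backupFile
    $backup | Remove-RunOnceEntry -WhatIf
    # $backup | Remove-RunOnceEntry
    # Restore-RunOnce -Path $backupFile
    ```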
     
  15. Black Tiger

    Black Tiger Registered Member

    Joined:
    Tuesday
    Posts:
    4
    Location:
    State Penitantiary
    Hello.
    No problem about a later reply. I also have other things to do and it's just an open discussion, so no need to answer within 24 hours or so anyway. :)

    Back to business. :)
    As for Farbar, I don't understand Russian and I don't see any report of the flagged situation in the 4th link. However, Farbar is a scan-only tool, that's a big difference.
    And Farbar does nothing further, it just says the entry needs attention. That is because it -might- also be used for malware. So attention to check if that is the case. Not a default advise to be removed and they won't be removed by default either.

    Well, we will keep disagreeing on that. Because Combofix was a tool from history and is not developed anymore after Windows 8. So indeed it was a tool. In the past.
    However, I don't think you really can compare Combofix with Doesnotbelong. Also I think comparison should be taken against modern tools.

    First of all Combofix did not check for random malware but worked via a pattern.
    Next to that, heuristics detections were more default in those days.
    The most important difference is that Combofix never worked as an all-round cleaning tool by itself. To really clean up a system well, scripts and directives made by an expert were used to clean up a system thoroughly.
    I also remember very well (as I had a fair discussion in those days) that it was advised by various experts known to me not to use this tool as a user. The discussion I had at that time was that it could run without too many issues.
    However, in certain rare situations it could break things. Since for good cleaning those scripts were required, it's not comparable.
    I'm aware that you wrote "for the most part", but as said, users were discouraged to use it on their own. I presume that is not the goal of "doesnot belong", or is it?
    If that is the case, it's a bit dangerous to just bring it out as kind of the best tool around on Majorgeeks, because inexperienced users will make use of it without thinking any further.

    I agree that -any- anti-malware scanner can give false positives. That's a logical situation. But that's also part of the reason a scan option is just a must-have in modern days.

    Glad we agree about the con concerning removing things without an option to put them back. If some quarantine feature can be made in the future, that is a positive development.

    Exactly... during scan. At this moment it's both scan and remove, no scan and "what do you want to do". Because some things which slow down are not to be removed because they are put there on choice by the user.
    Hence extra argument for a scan option. ;)

    Sorry. My fault. With "forever" I meant it was gone and not put back with system restore. Not always when visiting the same site is the offer visible again. I've seen users complaining about it, and the cause was that cookies or popup-killers prevented the question from being shown.
    You say you're operating under the pretense that the user is experiencing push notifications that they don't want. The question is if this is the correct way to operate. Hence mostly, like you said before, users are asked if they want push notifications and have to accept them. So chances are that for this reason most likely fewer people benefit from this removal than get harmed (well... need to enable them again) by the removal.
    Not to give you feature ideas, but I'm sooooo happy that I'm using Firefox. Because luckily none of my push notices were deleted.

    I know a little bit about malware, I'm no expert in these things but I read a lot. However, I am an experienced PC tech, been busy with PC repair and building (and other things) since 1990. I've seen various anti-malware tools come and go over the years.
    But this one is the first one which spooked me after it had finished running, and scared me even more when I discovered certain things weren't even restored on system restore. Which I hate to use by the way. So I use that seldom. I have great image backups made regularly.
    Anyway, if I as an experienced user was spooked by this tool, then one can think of what a regular user feels like when he sees things suddenly gone unexpectedly or not starting anymore when rebooting the PC. And they try to get us to help and we don't know what happened. You know them. They don't want to get blamed. And instead of keeping at least a log, they delete everything and say "it just happened, I don't know, I didn't do anything". Right. :)

    That is the only reason that I registered here: to make known that this tool spooked me and to see if we can get some improvement in the tool, and at least improve it before having users use it on their own without consulting a forum like this or another expert. For now.
    So if you wondered about the fact that a new user is writing all this here... that's my reason, being spooked after 35 years of ICT and only spooked before by some 0 day virus. ;)
     