[SOLVED] How to uninstall FortiClient AV that was installed from the EMS management dashboard?

phaZed

I have a client that has a fairly common virus infection on their machine.

The absolute last resort is Nuke 'n Pave because the sheer amount of database software, MLS, VPN, VPS - realtor stuff - would set her back a week or more to be back up and running... not to mention the gigs of real estate pics she has (a database listing tool) that would be virtually irreplaceable. No backups.

I can't seem to clean it up... pretty much every tool (Hitman, Malwarebytes, Bitdefender, etc.) finds the infected bits but is blocked by FortiClient's AV (version 5.4.0.0780), so the removal doesn't happen - it stalls the tools; they can't seem to access/delete the offenders.

Trying to delete infected files manually, Windows Explorer just goes non-responsive and nothing happens until I kill explorer from TM. I tried a few delete-on-reboot tools and still no joy.
In safe mode, I did remove a few files, but not all of them ("File not found" error - even though it's right there!). As soon as I reboot, the virus seems to be fully reinstated and the files I deleted are replaced with new ones.

I tried a WMI removal (`wmic product where name="Forti%%" call uninstall /nointeractive`) - completed, but still here!

The problem is that FortiClient was installed by Landis Realty (previous employer) via their EMS (dashboard) and the dang thing is fairly well set up NOT TO BE removed... not without Fortinet supplying the official uninstaller (which they are not doing for me, I tried three times - kudos to their security practices) or Landis supplying the password and/or removing the product from their dashboard (which may or may not be an option, more below).

Apps and 'Programs and Features' have the uninstall button grayed out.

FortiClient seems to be taken over by (or busy with?) the virus. It's always at 90-100% CPU and reports itself as working, and disabled... depending on what part of FortiClient you look at. Windows reports it as the SecurityProvider and won't allow activation of Windows Security. The client purchased Norton two weeks back because "her computer was slow" - it installed, but doesn't register with Windows WMI. Neither did Trend Micro. I removed those for her.

There are a ton of svchost processes running which would appear to be spawned by FortiClient, but I can't run Process Explorer, ProcMon or Process Hacker to tell for sure - only Task Manager seems to work; otherwise, blocked by Fortinet.

The thing doesn't connect to the Fortinet servers, so I'm worried that even if they disable the thing from the dashboard... it's never going to see it. Which leaves me with getting the password... which "unlocks" the client software and apparently allows the Uninstall button to work, as well as CLI removal and the official removal tool.

I have the client calling Landis' IT dept tomorrow to see if they will supply the password... but being as the client has been away from that job since 2017, I'm not hopeful that they are going to supply her with their management password. I'm 95% positive that FortiClient isn't connecting to the dashboard... so if Landis removes it there, I doubt it will have any effect here.

I'm always leery when force-removing AV software as I've had my share of bricked systems this way.

Has anybody tried GeekUninstaller/Revo on FortiClient? Are we bootable afterwards?
I am cloning the drive to my server overnight tonight, so if the client comes up empty tomorrow - I'll likely try it.

Please, if anybody has the FCRemove.exe as detailed by Fortinet here, would you be willing to pass along a copy? I'm not sure it will even work, as I can't "unlock it", as it says it needs to be. Is there an alternate unlock method?

Does anybody know the password convention, if there is one, for the FortiClient unlock password?
Is there a minimum or max char length? Does it require numbers/symbols?
I can setup a Rubber Ducky or Bash Bunny type dictionary/rando HID attack, so it would help if I knew of any type of password conventions it uses... I'm trying to have this done before the end of our lifetimes ;-)

Thanks guys/gals!
OK, well, I guess I didn't dig far enough before I wrote this post, but I didn't expect it to be this easy:

The registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_FCM\password contains an encrypted password. I simply renamed the "password" key in Safe Mode to "old_password", rebooted and the client no longer has a password. I could disable the client from the Tray and finally uninstall the software.

Thanks! Will keep this one in my back pocket.