Jump to content
El-Zabl007

A Malware that I have never seen like it

Recommended Posts

I gave my friend (overseas) access to my laptop to share files and download some programs. He accidentally downloaded a malware, that kept downloading programs on my machine and took over administration rights, turned off Windows Defender and wouldn't let me turn it on. It started popping up some "impolite" websites, and it deleted my restore points and created its own at the time it was infecting. I ran malwarebytes like 10 times, it caught 1000's of malwares. 

I ran FRST64 but it didn't give me the fix.txt file. It only gave me FRST.txt and Addition.txt

After malwareyte gave me that my system is clean, I installed malwarebytes anti-rootkit, I ran a scan and it caught another few malware. 

I also downloaded bit-defender, and launched a full system scan that took about an hour. It caught around 30. 

I can still see the malware folder. It is called Folder Share C:/VerySilent, however, I can't find it in the control panel Programs and Features. 

I need my google chrome history back tho there are tons of things I have saved on it. 

I would like to know if there are any important files or folder that were deleted by the malware or malwarebyte.

It made write-blocks for the USB's. However when I try to test them using CMD, it says "Read-Only : "NO"!

 

Share this post


Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

It only gave me FRST.txt and Addition.txt

That is all we need for the moment, post the logs in your next reply or attach them.

Wait for further instructions.

p.s.
How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Share this post


Link to post
Share on other sites


Hi,

Let start with this.

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.


=======

Run Malwarebytes and if the SBRYBFIL.SYS IS SPAWNING AGAIN RUN THIS TOOL.

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS

  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


===

Run the Farbar program and attache fresh FRST.TXT and Addition log for y review.
To create a new Addition.txt log make sure the box to create the file is checked.

Let me know what problem persists. 

fixlist.txt

Share this post


Link to post
Share on other sites

Hi, 

I have followed the instructions that you provided. However, I accidently followed them before I download the fixlist.txt. 

So I have submitted two zip folders: 1- Before.zip (Which contains the reports that created before I downloaded fixlist.txt) / 2- After.zip (Which contains the report after I downloaded fixlist.txt).

Although the scans were clean. I have attached a photo that shows the Malware is still there, it is called "FastFolders". I have never installed such a thing and I can't find it anywhere in my system but only when I right-click on any folder. 

 

Thank You 

El-Zabl007

After.zip

Before.zip

FastFolder.png

Share this post


Link to post
Share on other sites

Hi,

Will remove all items referring to FastFolder.

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If any pending issues after the restart please run the Farbar program and post FRST.TXT and Addition.txt log for my review.
To create a new addition.txt log make sure that the box to create the file is checked.

Let me know what the problem is.

fixlist.txt

Share this post


Link to post
Share on other sites

Hello,  

I have attached the fixlog.txt. I also ran Malwarebytes and KillerRogue, and there was nothing detected. 

Is there any other way I can make sure that there is no more malware on my laptop? Is there anyway I can make retrieve the missing programs and files such as (Google Chrome, Restore Points, etc..)?

 

 

Fixlog.txt

Share this post


Link to post
Share on other sites

Hi,

Is there anyway I can make retrieve the missing programs and files such as (Google Chrome, Restore Points, etc..)?

What is missing.
I did nothing to remove Chrome or the restore point.
What other programs?

As a matter of fact your Addition.txt log shows that the last saved point is.
06-12-2018 16:50:21 Malwarebytes Anti-Rootkit Restore Point

Share this post


Link to post
Share on other sites

Hi,

When the Malware infected my Laptop, it deleted google chrome by itself. I'm not sure if it deleted any other programs.

Two weeks ago I created a restore point using system restore. But, when the malware was installed it removed it and it created that point which is (06-12-2018 16:50:21) and that's when the malware was installed. So basically it created a restore point to its birth time!

Share this post


Link to post
Share on other sites

Hi,

There was a restore point created by my Fix.

Can you see it in the computer?

Were you able to reinstall Chrome?

Any remaining issues?

Share this post


Link to post
Share on other sites

Hi, 

There were no restore points that I was able to find on my computer. 

Also, I was able to reinstall chrome, but all the saved history and cookies is gone. However, I had few Important links that I need. Is there anyway we can get to a point before the malware was installed?

Thank You

Share this post


Link to post
Share on other sites

Hi,

As you said the infection deleted Chrome so all was removed.

To save the setting Chrome must be prepared be before it is removed.
If ever you need to do it in the future and save your setting using these instructions.

step1.gif Remove Chrome from your Computer and reinstall a fresh copy later.

step2.gifIf you remove the syncing of your account you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

step3.gif Before you remove Chrome Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

step4.gif Before you remove Chrome Export your Passwords
How to export your saved passwords from Chrome
https://betanews.com/2018/03/09/export-chrome-passwords/

step5.gif Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

step6.gif Remove Chrome using the the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

step7.gif Re-install Chrome and the Bookmarks.
<<<>>>

As for your important links I hope this can help.
Replace the hxxp with https

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-2668122505-149627630-1942228131-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
rX57NOQSeFrcjRKQcAyPAAVMUoXb4Onsk8RKJA4K1_UlWeTUiv18W5bt12shYh1fOoVieFsdAGRLy3ic9upFHQZOvyrlxdCjHpEyH_XEM6sKP9AJRHQtJIGZScVzffwDGM49xqHQmgZcnVAsGOwlU&q={searchTerms}
SearchScopes: HKLM-x32 -> {AC316082-E67E-4F3A-88B3-FB0DCE0E6B4F} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2668122505-149627630-1942228131-1001 -> {AC316082-E67E-4F3A-88B3-FB0DCE0E6B4F} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
---

If ever you have used Firefox and or Internet explorer to visit these these sites you may have saved them in your Bookmarks.

Hi,

As you said the infection deleted Chrome so all was removed.

To save the setting Chrome must be prepared be before it is removed.
If ever you need to do it in the future and save your setting using these instructions.

step1.gif Remove Chrome from your Computer and reinstall a fresh copy later.

step2.gifIf you remove the syncing of your account you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

step3.gif Before you remove Chrome Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.
How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

step4.gif Before you remove Chrome Export your Passwords
How to export your saved passwords from Chrome
https://betanews.com/2018/03/09/export-chrome-passwords/

step5.gif Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

step6.gif Remove Chrome using the the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

step7.gif Re-install Chrome and the Bookmarks.
<<<>>>

As for your important links I hope this can help.
Replace the hxxp with https

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-2668122505-149627630-1942228131-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
rX57NOQSeFrcjRKQcAyPAAVMUoXb4Onsk8RKJA4K1_UlWeTUiv18W5bt12shYh1fOoVieFsdAGRLy3ic9upFHQZOvyrlxdCjHpEyH_XEM6sKP9AJRHQtJIGZScVzffwDGM49xqHQmgZcnVAsGOwlU&q={searchTerms}
SearchScopes: HKLM-x32 -> {AC316082-E67E-4F3A-88B3-FB0DCE0E6B4F} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2668122505-149627630-1942228131-1001 -> {AC316082-E67E-4F3A-88B3-FB0DCE0E6B4F} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
---

If ever you have used FireFox and or Internet explorer to visit these these sites you may have saved them in the Bookmarks.

Using Chrome you can Import bookmarks from other browsers.
Open Google Chrome, click on menu icon google-chrome-setting-icon.png or the 3 vertical dots located right side top of the google chrome.

Select Bookmarks and follow the instructions.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.