FRST Tutorial Comment: FRST farbar tutorial (180 replies to this topic)

#136 mrfixiter (New Member, 9 posts)

Hi picasso :)

 

My reference was to this line in a Search.txt log:

C:\Users\Public\Documents\iWin\engine\QwMSjsxFAJ.b3e3
[2016-11-11 19:00][2016-11-11 19:00] 0006036 ____A () A91761697A10479462BBF4A67AC337A4 [File not signed]

I understand that the archive bit is not helpful at all in this sense but I just wanted to make sure that the A actually meant what I thought it meant.

 

Thanks for your assistance.

 

mrfixiter


  • 0



#137 picasso (Trusted Helper, Malware Removal, 113 posts, MVP)

The tutorial description refers to FRST.txt output only. "A" is not present in FRST.txt log. But yes, the attribute is still listed in Search.txt log.

 

EDIT: Later removed too.


  • 0

#138 DARYLN357357 (New Member, 1 post)

I'm a long time ComboFix user and as everyone knows by now it doesn't work on Windows 10 and probably all versions thereafter. I would like to learn to fish and not just eat one day. I reviewed a few posts and the forum is helpful with helping people out with getting them the fixlist.txt that will correct their problem but not with actually teaching them how to do it themselves and what to look out for. Below is FRST from a computer recently obtained. Can anyone mark the entries they would paste to the Fixlist.txt and provide a brief reason why?

 

Edit: Log removed, see post #144.


  • 0

#139 picasso (Trusted Helper, Malware Removal, 113 posts, MVP)

I'm a long time ComboFix user and as everyone knows by now it doesn't work on Windows 10 and probably all versions thereafter. I would like to learn to fish and not just eat one day. I reviewed a few posts and the forum is helpful with helping people out with getting them the fixlist.txt that will correct their problem but not with actually teaching them how to do it themselves and what to look out for. Below is FRST from a computer recently obtained. Can anyone mark the entries they would paste to the Fixlist.txt and provide a brief reason why?

This topic is not meant to provide any log analysis. Please see posts #85 and #116.
 

If you are interested in learning about malware removal you might consider applying to one of the training institutions.

Go here to find a list of approved malware removal schools.

 
 

For now I moved the log you posted to the spoiler. But I think it should be removed.


  • 0

#140 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,023 posts)

Hello and welcome to Geekstogo DARYLN357357,

 

I confirm picasso's comments.

 

You can open a topic here if you wish help with that log. Alternatively if you are looking to learn about fighting malware you can apply to one of the schools listed in the link picasso provided.

 

As this is not the place for log analysis I have removed it from your post.

 

regards

emeraldnzl :)


  • 0

#141 Herman_Salim (Member, 36 posts)

Can this directive be used in the Recovery Environment, even though the Alternate Data Streams scan is not available in Recovery?

AlternateDataStreams:

  • 0

#142 picasso (Trusted Helper, Malware Removal, 113 posts, MVP)

Refer to "Default Scan Areas". You can't take detections specific only to Addition.txt, which is not produced in the Recovery Environment, and process them from the Recovery Environment. And that is not a directive in the meaning used in the tutorial: you can't type "AlternateDataStreams:" with a path not detected by FRST (manually chosen by you); only lines visible in Addition can be processed.


  • 0

#143 AdvancedSetup (Visiting Staff, Visiting Consultant, 5 posts)

I have not had to use FRST in the Recovery Environment now for a long time. However, I recently ran across an infection that was proving difficult to remove in Normal Mode so I went ahead and updated the canned message a little and thought I would share.

 

On a clean machine, please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to a USB flash drive.

Note: You need to run the version compatible with your system.

You can check here (http://support.microsoft.com/kb/827218) if you're not sure if your computer is 32-bit or 64-bit.

Plug the flash drive into the infected PC and start the computer into the Recovery Options for Command Prompt.

Windows Vista, 7

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Windows 8, 8.1
Please see
How to use the Windows 8 System Recovery Environment Command Prompt (http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/)

Windows 10
Please see
How to Start Windows 10 in Safe Mode with Command Prompt (https://www.bleepingcomputer.com/tutorials/how-to-start-windows-10-in-safe-mode-with-command-prompt/)
How to Boot to Advanced Startup Options in Windows 10 (https://www.tenforums.com/tutorials/2294-advanced-startup-options-boot-windows-10-a.html)

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc.
Any Windows installation disc or a repair disc made on another computer can be used.
Choose one of the options below to download and create a Windows Repair Disk or Installation Disk. Either one can be used.

How to Create a Windows 7 System Repair Disc (https://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html)
How to Create a System Repair Disc in Windows 10 (https://www.tenforums.com/tutorials/36083-system-repair-disc-create-windows-10-a.html)
Microsoft Windows and Office ISO Download Tool (https://www.heidoc.net/joomla/technology-science/microsoft/67-microsoft-windows-iso-download-tool)

You may also download from Microsoft but you will need to input your license key first. The above links do not require your key.

Download Windows 7 Disc Images (ISO Files) (https://www.microsoft.com/en-us/software-download/windows7)
Download Windows 8.1 (https://www.microsoft.com/en-us/software-download/windows8)
Download Windows 10 (https://www.microsoft.com/en-us/software-download/windows10)

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • Notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter.
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

  • 0

#144 Herman_Salim (Member, 36 posts)

Refer to "Default Scan Areas". You can't take detections specific only for Addition.txt not produced in Recovery Environment and process them from Recovery Environment. And that is not a directive in a meaning used in the tutorial: you can't type "AlternateDataStreams:" with a path not detected by FRST (manually chosen by you), only lines visible in Addition can be processed.

Thank you, I have tried it and it was a success. :cheers:


  • 0

#145 Herman_Salim (Member, 36 posts)

Maybe FRST can add a directive with which it can place a dummy file (same name and extension) after moving a file to quarantine.

 

Thank you..


  • 0



#146 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,023 posts)

I am not sure of the purpose of that.

 

Perhaps I am missing something. Can you say why you are suggesting that?


  • 0

#147 picasso (Trusted Helper, Malware Removal, 113 posts, MVP)

I'm also not sure what the purpose of that is. Anyway, you can already imitate that functionality using command line directives (e.g. PowerShell). To create an empty file (path and file name to be filled in):

PowerShell: New-Item -Path FolderPath -Name FileName -ItemType File

If needed, other extra commands could be added to lock the file ("R" attribute + permissions).


  • 0

#148 farbar (Developer, Expert, 397 posts)

I understand the purpose of that. It might be useful sometimes when a bad file will be recreated after removal.  Of course the dummy should be removed after completing the removal when the infection doesn't return any more.

It will be included in the next update.


  • 0

#149 farbar (Developer, Expert, 397 posts)

The directive is:

CreateDummy: path

 

Example:
 

CreateDummy: C:\ProgramData\test.exe

 

The dummy is a locked folder with hidden, write protected and system attributes.


  • 0
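A PowerShell version of the placeholder idea from picasso's post #147 and of what the CreateDummy directive in post #149 describes, added here as an example that is not FRST's own implementation: it creates a locked directory at the path of the removed file, sets the hidden, read-only and system attributes, denies write and delete to Everyone via the ACL, and provides the cleanup farbar mentions for when the infection no longer returns. The function names are assumptions; the path C:\ProgramData\test.exe is the one from farbar's example.

```powershell
# Added example (not FRST's code): emulate a locked placeholder at the path of a
# removed file so the same name cannot simply be recreated. Run elevated.
# Function names New-DummyPlaceholder / Remove-DummyPlaceholder are assumptions.

function New-DummyPlaceholder {
    param([Parameter(Mandatory)][string]$Path)

    if (Test-Path -LiteralPath $Path) {
        throw "Refusing to overwrite existing item: $Path"
    }

    # A directory, as CreateDummy does: a file named test.exe cannot be
    # written while a directory of that name exists at the same path.
    $item = New-Item -Path $Path -ItemType Directory -Force

    # Hidden + ReadOnly + System, the attributes farbar describes.
    $item.Attributes = $item.Attributes -bor
        [System.IO.FileAttributes]::Hidden -bor
        [System.IO.FileAttributes]::ReadOnly -bor
        [System.IO.FileAttributes]::System

    # Permissions: deny Write and Delete to Everyone (SID S-1-1-0) so an
    # unprivileged process cannot remove the placeholder and drop the file again.
    $acl      = Get-Acl -LiteralPath $Path
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.Security.AccessControl.FileSystemRights]::Write -bor
                [System.Security.AccessControl.FileSystemRights]::Delete
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone, $rights, 'None', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $item
}

function Remove-DummyPlaceholder {
    param([Parameter(Mandatory)][string]$Path)
    # Remove the deny rule and the protective attributes first, otherwise
    # Remove-Item fails on the write-protected, access-denied directory.
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -LiteralPath $Path -AclObject $acl
    (Get-Item -LiteralPath $Path -Force).Attributes = [System.IO.FileAttributes]::Directory
    Remove-Item -LiteralPath $Path -Force
}

New-DummyPlaceholder -Path 'C:\ProgramData\test.exe'
# Later, once the infection no longer returns:
# Remove-DummyPlaceholder -Path 'C:\ProgramData\test.exe'
```

The deny rule also applies to administrators, which is why the removal function strips it before deleting; an owner can always rewrite the DACL, so cleanup from an elevated prompt still works.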

#150 Herman_Salim (Member, 36 posts)

Yes, the purpose of creating a dummy file is like that.

 

Sometimes when we have deleted a bad file, it will be recreated, due to user fault (accidentally running a bad file again from another drive) or because the system still has another bad process running. It will mess up our fix.

 

 

The directive is:

CreateDummy: path

 

Example:
 

CreateDummy: C:\ProgramData\test.exe

 

The dummy is a locked folder with hidden, write protected and system attributes.

 

Thank you, you're very responsive.

 

 

The dummy is a locked folder with hidden, write protected and system attributes.

 

 

I already tried it and yes, this folder is write protected. But I am just wondering how can it be? Is it due to permissions set like picasso just said above?


  • 0
