@emeraldnzl, yeah I might have to do that... I have no Quote button and I seem to have moderation options...
#76
Posted 07 May 2016 - 06:56 PM

#77
Posted 08 May 2016 - 05:21 AM

I have another question. Why does every Malware Removal Helper Team always ask to save Farbar to the Desktop before running it? Does it give a different result if we save Farbar to another folder?
FRST gives the same result no matter where it is run from. Running FRST from a temporary folder is not a good idea, but it could be run from another folder; running it from the Desktop is the most convenient for running the tool, finding the logs and running fixes.
#78
Posted 08 May 2016 - 08:06 PM

FRST gives the same result no matter where it is run from. Running FRST from a temporary folder is not a good idea, but it could be run from another folder; running it from the Desktop is the most convenient for running the tool, finding the logs and running fixes.
I have another question. Why does every Malware Removal Helper Team always ask to save Farbar to the Desktop before running it? Does it give a different result if we save Farbar to another folder?
Not to mention that this is where our housekeeping tools primarily look when cleaning up any/all of the removal tools that we used...
This is one of the countless things that you learn in malware training.
#79
Posted 09 May 2016 - 12:26 PM

Not to mention that this is where our housekeeping tools primarily look when cleaning up any/all of the removal tools that we used...
This is one of the countless things that you learn in malware training.
Do you mean Delfix can only remove disinfection tools from the Desktop?
Thank you for your answer.
FRST gives the same result no matter where it is run from. Running FRST from a temporary folder is not a good idea, but it could be run from another folder; running it from the Desktop is the most convenient for running the tool, finding the logs and running fixes.
Thank you for your explanation. Today I tested a malware sample and then ran Farbar; it gave this report:
==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
HKLM\...\regfile\shell\open\command: "C:\WINDOWS\system32\shell.exe" "%1" %* <===== ATTENTION
HKLM\...\batfile\shell\open\command: "C:\WINDOWS\system32\shell.exe" "%1" %* <===== ATTENTION
HKLM\...\comfile\shell\open\command: "C:\WINDOWS\system32\shell.exe" "%1" %* <===== ATTENTION
Thank you for including this in the newest update. I also searched Google for other file associations: inf, lnk, vbe, vbs, js, cpl, html, txt, help, hlp.
If you don't mind, maybe some or all of these associations can be included next time.
In another case, today I saw a unique, clever malware that uses a camouflage technique here.
In that case, the threat is in:
(Google lnc) C:\Program Files\Google\GoogleUpdate.exe
Normally, the Google file vendor text looks like this:
(Google Inc.)
The differences:
- The fake one with an "EL" prefix, the real one with an "Ai" prefix.
- The fake one without a dot at the end, the real one with a dot.
Maybe Farbar can use some technique to recognise this camouflage and mark it with <==== ATTENTION every time this file appears in the FRST scan result.
Thank you.
Best Regards.
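The two things flagged in the post above, a hijacked shell\open\command handler and a publisher string that imitates a real vendor ("Google lnc" for "Google Inc."), can both be picked out of an FRST log mechanically. The script below is an added example, not FRST code or anything from this thread; the FRST lines it parses are constructed samples in the layout shown above, the list of stock handlers is an assumption about Windows defaults, and the confusables map is a small illustrative one.

```python
r"""Triage helpers for two things raised in this thread: hijacked
shell\open\command handlers in FRST's "Association" section, and publisher
strings that imitate a real vendor ("Google lnc" vs "Google Inc.").
Added example, not FRST code; the FRST lines below are constructed."""
import re

# Stock handlers for the classes FRST reports (assumption: Windows defaults;
# anything else is worth a second look).
DEFAULT_HANDLERS = {
    "regfile": 'regedit.exe "%1"',
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
}

# HKLM\...\regfile\shell\open\command: <command> [<===== ATTENTION]
ASSOC_RE = re.compile(
    r'^HKLM\\\.\.\.\\(?P<cls>\w+)\\shell\\open\\command:\s*'
    r'(?P<cmd>.+?)\s*(?:<=+\s*ATTENTION)?$'
)

def hijacked_handlers(frst_lines):
    """Return (class, command) for every handler that is not the stock one."""
    hits = []
    for line in frst_lines:
        m = ASSOC_RE.match(line.strip())
        if not m:
            continue
        cls, cmd = m.group("cls"), m.group("cmd")
        if cmd != DEFAULT_HANDLERS.get(cls, cmd):
            hits.append((cls, cmd))
    return hits

KNOWN_VENDORS = {"Google Inc.", "Microsoft Corporation", "Microsoft Windows"}

def _skeleton(name):
    """Collapse characters that look alike in common UI fonts (l/I/1, O/0, rn/m)
    and ignore a missing trailing dot, so a lookalike compares equal to the
    vendor it imitates. Assumption: a small illustrative confusables map."""
    s = name.lower().replace("rn", "m")
    return s.translate(str.maketrans("l1|0", "iiio")).rstrip(".")

# (Vendor) C:\path\file.exe  (layout used in the post above; constructed here)
VENDOR_RE = re.compile(r'^\((?P<vendor>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+)$')

def lookalike_vendors(frst_lines, known=frozenset(KNOWN_VENDORS)):
    """Return (vendor_as_written, vendor_it_imitates, path) for publisher
    strings that are not an exact known vendor but collapse to one."""
    skeletons = {_skeleton(v): v for v in known}
    hits = []
    for line in frst_lines:
        m = VENDOR_RE.match(line.strip())
        if not m or m.group("vendor") in known:
            continue
        real = skeletons.get(_skeleton(m.group("vendor")))
        if real:
            hits.append((m.group("vendor"), real, m.group("path")))
    return hits

# Constructed sample in FRST's layout; not a real log.
SAMPLE_FRST = r"""
==================== Association (Whitelisted) ===============
HKLM\...\regfile\shell\open\command: "C:\WINDOWS\system32\shell.exe" "%1" %* <===== ATTENTION
HKLM\...\batfile\shell\open\command: "%1" %*
HKLM\...\comfile\shell\open\command: "C:\WINDOWS\system32\shell.exe" "%1" %* <===== ATTENTION
==================== Processes (Whitelisted) =================
(Google Inc.) C:\Program Files\Google\Update\GoogleUpdate.exe
(Google lnc) C:\Program Files\Google\GoogleUpdate.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
""".strip().splitlines()

if __name__ == "__main__":
    for cls, cmd in hijacked_handlers(SAMPLE_FRST):
        print(f"hijacked {cls}: {cmd}")
    for seen, real, path in lookalike_vendors(SAMPLE_FRST):
        print(f"vendor {seen!r} imitates {real!r}: {path}")
```

The skeleton comparison deliberately loses information (every l and 1 becomes i) so that the fake and the genuine string land on the same key; it is a first-pass flag for a human to look at, not a verdict, and a signature check on the file is what actually decides.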
#80
Posted 09 May 2016 - 01:31 PM

Do you mean Delfix can only remove disinfection tools from the Desktop?
No, that's not what I said...
#81
Posted 20 May 2016 - 10:16 AM

Excuse me.
What is DeleteJunctionsInDirectory: for? I have read the Farbar tutorial but still don't understand it yet. In what cases should we use it, and what is the difference from deleting a folder?
Thanks.
#82
Posted 21 May 2016 - 02:12 AM

Please read what NTFS junctions / symbolic links / reparse points are:
https://en.wikipedia..._junction_point
The old ZeroAccess infection created those special NTFS links. E.g. Windows Defender and Microsoft Security Essentials files were linked to the C:\Windows\system32\config directory (holding the vital "raw" registry files):
http://www.malwarere...ndows-defender/
Affected files / folders had to be unlinked, not deleted. DeleteJunctionsInDirectory: was designed to remove such links. Alternatively, the following command could be used:
CMD: fsutil reparsepoint delete "source path"
#83
Posted 21 May 2016 - 10:25 AM

Affected files / folders had to be unlinked, not deleted.
Why must we unlink and not delete? So after we use the DeleteJunctionsInDirectory: command, we don't need to delete this file later?
#84
Posted 21 May 2016 - 11:07 AM

Because you can't delete the legit files... and the files/folders no longer behave like normal files/folders; they redirect to another location. An improper attempt to delete a link might result in deleting the target.
Normal legit file:
C:\Program files\Windows Defender\MpSvc.dll
ZeroAccess link (no longer a normal file) created between two legit paths:
C:\Program files\Windows Defender\MpSvc.dll (source) > C:\Windows\system32\config (target)
If you try to access the source file, C:\Windows\system32\config is accessed instead. That's why the link between the source and the target must be deleted, NOT the source or the target. If you did that, you would corrupt Windows.
Example output from DeleteJunctionsInDirectory: showing links deletion from the source:
*****************
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
*****************
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
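The point made in the post above (take every decision on the link object itself, never on what it resolves to, and remove only the link) is what the script below does for a directory. It is an added example, not FRST's own DeleteJunctionsInDirectory: code or anything from this thread. On Windows the check is FILE_ATTRIBUTE_REPARSE_POINT on an lstat() result; on POSIX the analogous object is a symlink, so the same routine runs there too, and the demo() layout (a "config" directory standing in for the hive folder, a "Windows Defender" directory with two links into it) is constructed in a temporary directory. It does not reset ACLs, which FRST's "unlocking" step also does on a real infection.

```python
r"""Remove junctions and symbolic links (NTFS reparse points) under a directory
without touching what they point at: the trap described above, where "deleting"
C:\Program Files\Windows Defender\MpSvc.dll would actually reach
C:\Windows\system32\config. Added example, not FRST's own code. On Windows the
test is FILE_ATTRIBUTE_REPARSE_POINT on an lstat() result; on POSIX the
analogous object is a symlink, so the same routine can be exercised there.
It does not reset ACLs (FRST's "unlocking" step), which a real fix also needs."""
import os
import stat
import tempfile
from pathlib import Path

# Only present in the stat module on Windows; the numeric values are fixed.
FILE_ATTRIBUTE_REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)
FILE_ATTRIBUTE_DIRECTORY = getattr(stat, "FILE_ATTRIBUTE_DIRECTORY", 0x10)

def is_reparse_point(st: os.stat_result) -> bool:
    """True if an lstat() result describes a link object rather than real data.
    lstat is the essential part: stat() would follow the link and describe the
    target, so every decision here is taken on the link itself."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:                      # Windows
        return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)
    return stat.S_ISLNK(st.st_mode)            # POSIX symlink

def remove_links_in_directory(root) -> list:
    """Delete every reparse point directly under root (and root itself if it is
    one), returning the paths removed. Targets are never opened or deleted.
    If root is itself a link it is not descended into: iterating it would list
    the target's contents, which is exactly the trap."""
    root = Path(root)
    entries = [] if is_reparse_point(root.lstat()) else list(root.iterdir())
    removed = []
    for p in entries + [root]:
        st = p.lstat()
        if not is_reparse_point(st):
            continue
        # A junction or directory symlink is removed with rmdir, a file link
        # with unlink; both remove the link object only. On POSIX a symlink
        # is always a file-type entry, so unlink is always right there.
        if getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_DIRECTORY:
            os.rmdir(p)
        else:
            os.unlink(p)
        removed.append(p)
    return removed

def demo() -> dict:
    """Constructed layout in a temp dir: 'config' stands in for the registry
    hive folder; 'Windows Defender' holds one ordinary file and two links into
    'config'. Shows the links going and the target and ordinary file staying."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        config = base / "config"
        config.mkdir()
        (config / "SYSTEM").write_text("stand-in for a raw registry hive")
        defender = base / "Windows Defender"
        defender.mkdir()
        (defender / "MpClient.dll").write_text("ordinary file, must survive")
        # On Windows creating these needs SeCreateSymbolicLinkPrivilege or Developer Mode.
        os.symlink(config, defender / "en-US", target_is_directory=True)
        os.symlink(config / "SYSTEM", defender / "MpSvc.dll")

        removed = remove_links_in_directory(defender)
        return {
            "removed": sorted(p.name for p in removed),
            "target_intact": (config / "SYSTEM").read_text().startswith("stand-in"),
            "normal_file_kept": (defender / "MpClient.dll").exists(),
            "links_gone": not (defender / "MpSvc.dll").is_symlink()
                          and not (defender / "en-US").is_symlink(),
        }

if __name__ == "__main__":
    print(demo())
```

Before running something like this on a live machine, `fsutil reparsepoint query "<path>"` on a couple of the entries tells you where they point; on a ZeroAccess-style infection the targets were legitimate Windows locations, which is why nothing here ever calls delete on a resolved path.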
#86
Posted 24 May 2016 - 09:27 AM

Because you can't delete the legit files... and the files/folders no longer behave like normal files/folders; they redirect to another location. An improper attempt to delete a link might result in deleting the target.
Thank you for your clear explanation.
Hello Herman_Salim,
If you are interested in learning about malware removal, you might consider applying to one of the training institutions.
Go here to find a list of approved malware removal schools.
I have considered taking a malware removal school before and contacted Sari (Admin) for information. She said that this process takes a year or more. So I think I don't have enough free time for it. Instead, I study little by little from a few Malware Removal threads.
Thanks for your offer.
#87
Posted 09 June 2016 - 11:38 PM

RestoreQuarantine:
You can restore the whole content of Quarantine or restore single or multiple file(s) or folder(s) from Quarantine.
Is there any way to restore a specific Service, Driver or Startup entry from Quarantine?
Many thanks.
#88
Posted 10 June 2016 - 01:06 AM

Please look at the RestoreQuarantine: directive under the link below:
http://www.geekstogo...l/#entry2350724
#89
Posted 10 June 2016 - 03:39 AM

Please look at the RestoreQuarantine: directive under the link below:
http://www.geekstogo...l/#entry2350724
This tutorial says that this is for folders and files only.
If I want to restore an "entry" that was removed, like a startup item, service, etc., can Farbar do that?
Edited by Herman_Salim, 10 June 2016 - 09:09 AM.
#90
Posted 10 June 2016 - 08:27 AM

Hi emeraldnzl and farbar!
Would you be so kind as to explain more about wildcards (or add a little to the tutorial)?
As I see it, there is currently information about the * wildcard.
But FRST can accept the '?' wildcard also. Can you add a few words about its use in specific cases like:
1. Deleting files (by simply including them in the fixlog without a directive)
2. The FindFolder: directive
3. Search Files
4. Search Registry
All these cases have already been described in your tutorial for the * wildcard,
but there should be official confirmation that all of this works for the '?' wildcard also,
especially a qualification of FRST behaviour in specific cases like:
Where an asterisk ("*", also called "star") is added to the start or end of a registry search term, FRST will ignore it and will search for the search term without the asterisk.
Also, I think it would be nice to add these to the tutorial:
- SearchFiles works with %SystemDrive% only.
- The ? wildcard can be used as a replacement for any 1 ANSI or 1 Unicode character.
Thanks, Alex.