The other day I destroyed my recovery partitions and installed Linux. Later I realized this was the wrong decision and decided to go back to Windows 8. Long story short, I first attempted to install Windows 8 through Samsung recovery USB admin tools that I found on this forum. I downloaded and installed UltraISO, Nero, and the admin tools as well as SWupdate that was with the admin tools. Now my sister's computer has a virus.
To make things worse a moderator viewed the posted tools and said "Some members reported browser hijacking when using the file sharing link"
I want to know why those tools are still here. If they are the reason for viruses on my sister's computer then that means they probably have back doors or have been modified in some way as well. If the files themselves are not the problem and it's the host that gave the virus then shouldn't they be moved to another host?
Another thing to note is that the virus is not obvious and just inserts random webpages into Chrome every now and then, perhaps every 5 minutes or whenever you start. Currently I am doing a virus scan with Norton (found 19 infections so far (Malwarebytes found nothing)). Still I am afraid that I will have to wipe her PC clean now. God willing the virus scan will be enough but I am really upset that this happened in the first place.
I'm also making this post to warn users they should avoid using those tools and that they should just get the Windows 8 ISO from the Microsoft website and use that to reinstall Windows 8 instead.
If anyone wants the link to the tools I will PM the link.
-
Hi @BobSwat, welcome to NBR, and thank you for your report.
The post by member @dosibox where those Admin Tools are shared is this one, and the complete moderator note which I inserted at the beginning of that post says the following:
The way SRS Admin Tool works, it would be difficult for it to install any backdoors or malware in Windows: It creates a Recovery partition and places the SRS software there. Any vector for infection would have to be as a rootkit (in the boot record) and/or when you F4 boot SRS after having installed Windows. And again, until your post, we have received no reports of such problems.
The suspicion should likely be on, NOT the Admin Tool files, NOR the file hosting service, but the ads that might be displayed there. Nowadays, that's how most malware spreads: through ad networks. And that is exactly why the note mentions using a Chrome Incognito window and recommends caution when downloading.
Can you elaborate how you think a browser infection on your sister's computer was caused by your installing SRS on your laptop using these files? Was your sister's computer used to download the files? How long after you installed SRS did the malware attack happen?
I can understand why, having seen my note in that post, your suspicion would lead you there after the malware attack occurred. But I am trying to understand whether it is technically feasible that they are related.
Please be assured that I DO take your report seriously, and I will discuss again with my mod colleagues whether to keep the post up. If we have any reason to believe that the files are malicious, we will of course delete the post in a heartbeat. But if you knew how many requests for Admin Tool downloads we used to get here from users who lost or deleted their Samsung Recovery, you would also appreciate how valuable this resource is.
I want to point out that these Admin Tools files ONLY contain the tool to create Samsung Recovery partitions and the software that goes on those partitions. They contain no factory images, no Windows software whatsoever, and they are in NO WAY an alternative to obtain a Windows ISO or disc for use to install Windows.
Obviously, if any other members who see this have experienced malware infections after using those Admin Tool downloads, please come forward. -
I used my sister's laptop to download the files after I destroyed my own recovery software. Later on in the day my sister told me triple x and other stuff was popping up.
I suspect it was either something on the file service, rigged links or Nero, UltraISO, and Samsung update (I thought if I could download Samsung recovery there I could use it to make my nonbootable back up bootable). If it was something that coincidentally happened while I was using then I would not know.
I really do understand the importance of these tools and would love them to stay if they are legitimate. I would love nothing more than to take my laptop back to the way it was before I messed with it. I feel like I'm going to cry whenever I think about it.
Thank you -
(sorry for double posting but I forgot to add this XD)
The malware attack currently affects Chrome and is undetected by both Malwarebytes and Norton antivirus. Reinstalling Chrome does not help either. I think I will have to use a factory restore God willing. -
Thank you for those updates, that is useful information: If you downloaded the Admin Tool file(s) on your sister's computer, but didn't run them on it (as I presume) then that confirms almost 100% that the problem is with the ads on mega.co.nz rather than the files themselves.
That is good news for Samsung users since it validates that @dosibox' Admin Tool files are probably good. At least we have no reports or indications so far of malicious code in them. I am glad you appreciate the value of them and why we hesitate to remove them.
But your report also confirms that the mega.co.nz hosting site has bad ads at least occasionally -- which is difficult to avoid these days, even for good sites.
I already sent member @dosibox a PM asking if he can host them somewhere else, and I'll await his response. He is the source of those files, and it would not be proper for NBR to host them directly (for several reasons).
Meantime I added a second note in the post saying:
Thank you again for your report.
Last edited: Mar 28, 2016 -
I ended up restoring her laptop to the factory state. I also do not like Norton. This may have been the first time I willingly installed it (my end goal with Norton is to have it removed from my PC XD)
I guess I will try the recovery programs again God willing.
Thank you very much -
John Ratsey Moderately inquisitive Super Moderator
It's most likely the hosting site. They are all looking for sources of revenue and some are more aggressive than others.
Might this be relevant to the reported problem?
John -
I don't think I saw anything with megabrowse. In fact all the extensions were standard and nothing fishy, which was weird for a Chrome virus (at least to me), just random links which get thrown onto the screen. Perhaps Megabrowser was the problem and I didn't see it but I cannot confirm. The computer was wiped clean now.
Thanks -
Thank you again for your updates. I am sorry you had to factory restore your sister's computer.
Assuming your own Samsung laptop is now wiped, you are in a great position to verify for us that the Admin Tools themselves are clean and working as they should. Once again, we have received no reports of problems with them, but other than comparing the SRS5 one to my own, I have not tried running them myself. I don't have a spare, blank Samsung computer or the time to do so.
If you will report back your findings after using the Admin Tool, that will be valuable to our community of Samsung users. Thank you in advance. -
No problem. My laptop was wiped but I used a Windows 8.1 ISO to reinstall an operating system. God willing I wish to get the laptop back to factory settings but I will need a few extra flash drives (they are coming on Thursday God willing).
I can confirm that I have downloaded the admin tools and nothing has shown up on my PC. I used ad block and went into incognito and installed them through MediaFire rather than Mega.
God willing if the flash drives come on Thursday and I have no school to do I will report back then or some time over the weekend God willing.
Thank you friends.
Side note: When buying USB 3.0 flash drives check out the Samsung ones on Amazon.com; the 32GB (11.99$) is only 4$ more than the 16GB (7.99).
Last edited: Mar 29, 2016 -
All my Clonix and Samsung files hosted on Mega and Mediafire are clean.
I think the problem is here dear BobSwat :
Nobody can control the ads displayed on Mega with the red button.
Last edited: Apr 3, 2016 -
I just downloaded SRS5 and SRS6 Admin Tools using Chrome and didn't see any ads at all. I first opened the link in an Incognito window as a precaution, but Mega wouldn't save the files saying they were too big for Incognito mode. Then (feeling courageous) I opened a regular Chrome window and didn't see any ads either -- probably because I have AdBlock installed. I also have popups disabled in Chrome settings.
Thanks again to @dosibox for sharing them.
Users who have questions about these Admin Tools or about SRS backup/restore/re-creation in general, should post in our main thread on the subject ( here, with our general SRS guide covering several SRS versions in post #18 and dosibox's files in post #22) or in @Gulfmaster's new SRS6 guide and thread ( here).
This thread will be closed.
Last edited: Apr 3, 2016
SRS6 Admin USB tools(from these forums) possibly loaded a virus on my sisters Laptop
Discussion in 'Samsung' started by BobSwat, Mar 28, 2016.