FRST Tutorial - How to use Farbar Recovery Scan Tool



#1
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,667 posts


Farbar's Recovery Scan Tool

 

The latest version may be downloaded from:

Link 1 | Link 2

 

Farbar Recovery Scan Tool (FRST) is a diagnostic tool incorporating the ability to execute prepared script solutions on malware infected machines. It will work equally well in normal or safe mode and where a machine has boot up problems it will work efficiently in the Windows Recovery Environment. Its ability to work in the recovery environment makes it particularly useful in dealing with problems associated with machines experiencing difficulty when booting up.

 

**********************************************************

 


Donation Information

While FRST is free it is the product of hours of work by Farbar. The program contains many thousands of lines of code, and is updated often. In addition to maintaining the tool Farbar spends countless hours supporting forum helpers and their malware victims. If you find his FRST tool helpful and would like to make a donation to support his efforts simply click the Paypal button below:

 



 
 
Tutorial Information

This tutorial has been created by emeraldnzl in consultation with farbar and with the kind co-operation of BC (Bleeping Computer) and G2G (Geeks to Go). Permission of both emeraldnzl and Farbar is required prior to using or quoting from the tutorial at other sites. Also note this tutorial was originally authored to offer guidance to helpers offering malware removal assistance at various forums. Further, we thank picasso who has a leading role with updating and maintaining the tutorial.


Translations

French: http://assiste.forum...p?f=162&t=28467
German: http://www.trojaner-...-anleitung.html
Polish: http://www.fixitpc.p...very-scan-tool/

Russian: http://safezone.cc/t...ool-frst.27540/

 

Table of Contents

1. Introduction
2. Default Scan Areas
3. Main scan (FRST.txt)

  • Processes
  • Registry
  • Internet
  • Services/Drivers
  • NetSvcs
  • One Month Created Files and Folders and One Month Modified Files and Folders
  • Unicode
  • Files to move or delete
  • Some content of TEMP
  • Known DLLs
  • Bamital & volsnap
  • Association
  • Restore Points
  • Memory info
  • Drives and MBR & Partition Table
  • LastRegBack

4. Additional scan (Addition.txt)

  • Accounts
  • Security Center
  • Installed Programs
  • Custom CLSID
  • Scheduled Tasks
  • Shortcuts
  • Loaded Modules
  • Alternate Data Streams
  • Safe Mode
  • Association
  • Internet Explorer trusted/restricted
  • Hosts content
  • Other Areas
  • MSCONFIG/TASK MANAGER disabled items
  • FirewallRules
  • Restore Points
  • Faulty Device Manager Devices
  • Event log errors
  • Memory info
  • Drives
  • MBR & Partition Table

5. Other optional scans

  • List BCD
  • Drivers MD5
  • Shortcut.txt
  • 90 Days Files
  • Search Files
  • Search Registry

6. Directives/Commands

  • CloseProcesses:
  • CMD:
  • CreateRestorePoint:
  • DeleteJunctionsInDirectory:
  • DeleteKey:
  • DeleteQuarantine:
  • DisableService:
  • EmptyTemp:
  • File: and Folder:
  • FindFolder:
  • Hosts:
  • ListPermissions:
  • Move:
  • nointegritychecks on:
  • Powershell:
  • Reboot:
  • Reg:
  • RemoveDirectory:
  • RemoveProxy:
  • Replace:
  • Restore From Backup:
  • RestoreErunt:
  • RestoreMbr:
  • RestoreQuarantine:
  • SaveMbr:
  • SetDefaultFilePermissions:
  • StartBatch: — EndBatch:
  • StartPowershell: — EndPowershell:
  • StartRegedit: — EndRegedit:
  • testsigning on:
  • Unlock:
  • VerifySignature:
  • Zip:

7. Canned Speeches

 


 


Trusted helpers and experts who have the requisite access may keep abreast of the latest tool developments at the FRST Discussion Thread.




#2 emeraldnzl

Introduction




One of FRST's strengths is its simplicity. It is designed to be user friendly. Lines containing references to infected items can be identified, copied from the log, pasted into Notepad and saved. Then with a press of a button the tool does the rest. This allows for great flexibility: as new infections appear they can be identified and included in a fix.
 
 
What it will work with

Farbar's Recovery Scan Tool is designed to run on Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10 Operating Systems. There are two versions, a 32-bit and a 64-bit version.
 
Note: FRST64 is not designed to run on XP 64-bit systems.
 
 
Diagnosis

FRST creates a log covering specific areas of the Windows Operating System. This can be used for initial problem analysis and to tell you some information about the system.

The tool is under constant development, part of which includes the addition of new malware identification labels. Accordingly, it is strongly recommended to regularly update. If the computer is connected to the internet there will be an automatic check for available updates when FRST is opened. A notification will appear and the latest version can then be downloaded.  

Where a new infection manifests or an update is not possible (e.g. no internet connection, for whatever reason), the expert needs to be abreast of the latest developments in the malware infection field to enable early pinpointing of the problem. The lay user should seek expert help when new infections appear or when they have difficulty identifying the problem on their machine.

By default, like many other scanners, FRST applies whitelisting. This avoids very long logs. If you do want to see a full log, the relevant box in the Whitelist section should be unchecked. Be prepared for a very long log that may have to be uploaded as an attachment for analysis.

  • FRST not only whitelists the default MS entries from the registry section but in some cases (like ShellIconOverlayIdentifiers) also whitelists the safe entries from third party programs too.
  • In the case of Services and Drivers the whitelist covers not only the default MS services but also all other legitimate services and drivers.
  • Any service or driver file without a company name is not whitelisted.
  • No security program (AV or Firewall) is whitelisted.
  • The SPTD service is not whitelisted.

 

Preparation for use

Make sure FRST is run under administrator privileges. Only when the tool is run by a user that has administrator privileges will it work properly. If a user doesn't have administrator privileges you will see a warning in the header of FRST.txt about it.

In some cases a security program will prevent the tool from running fully. Generally there won't be a problem, but be alert to the possibility that a security program may prevent the tool from running when a scan is requested. When fixing, it is preferable to disable programs like Comodo that might prevent the tool from doing its job.

A general recommendation to everyone is that when you are dealing with a rootkit, it is better to do one fix at a time and wait for the outcome before running another tool.

It is not necessary to create a registry backup. FRST makes a backup of the registry hives the first time it runs. The backup is located in %SystemDrive%\FRST\Hives (in most cases C:\FRST\Hives) and will not be overwritten by the subsequent runs of the tool.

FRST is available in a number of different languages. Helpers tend to use English as their language of choice for problem analysis. Where a helper or someone seeking help wishes to provide logs in English, just run FRST by adding the word English to the name e.g. EnglishFRST.exe or EnglishFRST64.exe or FRSTEnglish.exe or FRSTEnglish64.exe. The resultant log will be in English.
 
 
Running FRST

The user is instructed to download FRST to the Desktop. From there it is a simple matter to double click the FRST icon, accept the disclaimer, and run it. The FRST icon looks like this:

 

[image: FRST icon]

 
Note: You need to run the version compatible with the user's system. There are 32-bit and 64-bit versions. If you are not sure which version applies, have the user download both of them and try to run them. Only one of them will run on the system; that will be the right version.

When FRST is opened the user is presented with a console looking like this:
 

[image: FRST console]

 
 
Once FRST has completed its scan it will save notepad copies of the scan in the same location that FRST was started from. On the first scan both an FRST.txt log and an Addition.txt log will be produced. On subsequent scans, unless specifically requested (see optional scans in the Console), FRST will only produce a FRST.txt log.

Copies of logs are saved at %systemdrive%\FRST\Logs (in most cases this will be C:\FRST\Logs).
 
 
 
Fixing
 
Care, Very Important: Farbar Recovery Scan Tool is non-invasive and in scan mode it cannot harm a machine. It just scans what is there and compiles a report.

However, FRST is also very effective at carrying out instructions given to it. When applying a fix, if it is asked to remove an item, in 99% of cases it will do so. While there are some safeguards built in, they are necessarily broad-based and designed not to interfere with removal of infection. The user needs to be aware of that. Used incorrectly (that is, if requested to remove essential files), the tool can render a computer unbootable.
 
 

If you are unsure about any items in a FRST report always seek expert help before administering a fix.

 
 
FRST has a range of commands and switches that can be used both to manipulate the computer's processes and to fix problems you have identified.

To fix identified problems, copy and paste the lines from the FRST logs to a text file named fixlist.txt using Notepad. The fixlist.txt is saved in the same location the tool is saved to. In the case of a normal or safe mode scan this will be the Desktop. In the case of a recovery environment scan it will be a flash drive.

Note: It is important that Notepad is used. The fix will not work if Word or some other program is used.

Items moved by the fix are kept in %systemdrive%\FRST\Quarantine (in most cases this will be C:\FRST\Quarantine) until clean-up and deletion of FRST.

For detailed information about preparing fixes see sections below.



#3 emeraldnzl

Default Scan Areas


 

On the first run outside the Recovery Environment a FRST.txt log and an Addition.txt log are generated. Thereafter, if an Addition.txt scan is required then the appropriate box needs to be checked/ticked before running the scan. An Addition.txt log is not produced when FRST is run in the Recovery Environment.


Scans run in normal mode:

Main scan

Processes
Registry
Internet
Services
Drivers
NetSvcs
One Month Created Files and Folders
One Month Modified Files and Folders
Files in the root of some directories
Files to move or delete
Some content of TEMP
Some zero byte size files/folders
Bamital & volsnap
LastRegBack

Additional scan

Accounts
Security Center
Installed Programs
Custom CLSID
Scheduled Tasks
Shortcuts
Loaded Modules
Alternate Data Streams
Safe Mode
Association
Internet Explorer trusted/restricted
Hosts content
Other Areas
MSCONFIG/TASK MANAGER disabled items
FirewallRules
Restore Points
Faulty Device Manager Devices
Event log errors
Memory info
Drives
MBR & Partition Table

Optional scans

List BCD
Drivers MD5
Shortcut.txt
Addition.txt
90 Days Files
Search Files
Search Registry


Scans run in the Recovery Environment:

Main scan

Registry
Services
Drivers
NetSvcs
One Month Created Files and Folders
One Month Modified Files and Folders
Files to move or delete
Some content of TEMP
Known DLLs
Bamital & volsnap
Association
Restore Points
Memory info
Drives
MBR & Partition Table
LastRegBack

 

Optional scans

List BCD
Drivers MD5
90 Days Files
Search Files


 



#4 emeraldnzl

Main scan (FRST.txt)

 

Header

Here is an example header:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version:27-08-2015
Ran by Someperson (administrator) on SOMEPERSON-PC  (27-08-2015 11:26:18)
Running from C:\Users\Someperson\Desktop
Loaded Profiles: Someperson (Available profiles: Someperson & Administrator & DefaultAppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English(United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

 

Perusal of the header can be very helpful:

First line: tells whether FRST 32-bit or 64-bit variant has been run. The version identifier of FRST is also shown. The version identifier is particularly important. An old version may not have the most up to date functionality.
 
Second line: shows what user ran the tool and under what permissions. This can alert you to whether the user has the appropriate permission rights. The line also shows you the computer name together with what date and time the tool was run. Sometimes a user will inadvertently post an old log.

Third line: tells you where FRST was run from. This may be relevant for fix instruction if it has run from somewhere other than the Desktop.

Fourth line: tells you what account (profile) the user is logged in under, i.e. the loaded user hive. Next, in parentheses, "Available profiles" records all profiles on the machine including those that are not currently loaded.

Note: When you log into Windows, only the user hive of the logged on user is loaded. If the user logs into another account without restarting (by using "Switch user" or "Log off"), the second user hive gets loaded but the first one doesn't get unloaded. In that situation FRST will list the registry entries of both the users but doesn't list the registry entries specific to any other users because those hives are not loaded.

Fifth line: records the version of Windows on the machine including Service Pack number together with the language used. This may alert you to a problem with updates if the Service Pack is not the latest.

Sixth line: gives you the version of Internet Explorer and the default browser.

Seventh line: tells you what mode the scan was run under.

Following that there is a line showing the tutorial link.

Note: The information in a header run in the Recovery Environment is similar although it is necessarily truncated as user profiles are not loaded.

 

 

 

 

Alerts that can show in the header:

When there are boot problems you may see something like "Attention: Could not load system hive". That tells you that the system hive is missing. Restoring the hive using LastRegBack: may be a solution (see below).

"Default: Controlset001" - This notification tells you which ControlSet (CS) on the system is the default CS. Why do you need it? Normally you don't, but in a case where you want to look into or manipulate the CS that will be loaded when Windows boots, it tells you which CS should be looked into or manipulated. Doing anything to the other available CSs has no effect on the system.
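As an added illustration (not part of this tutorial and not code from FRST or Farbar), the following Python script parses the header lines described above and flags the points a helper is told to check first: which variant and version ran, who ran it and with what rights, where it ran from, the boot mode, and any Attention or Default ControlSet notice. The sample header is constructed after the tutorial's example, with a limited account, a Downloads location and two notice lines added to exercise the checks. The field names, the seven-day "old" threshold, the "(limited)" rights wording and the assumption that notices appear as their own header lines are this example's choices, not FRST's documented output.

```python
"""Parse an FRST.txt header and flag what a helper checks first.

Added example; not part of the FRST tutorial or of the FRST tool. Field names,
the 7-day "old" threshold and the handling of notice lines are assumptions.
"""
import re
from datetime import datetime

# Constructed sample header, modelled on the tutorial's example. The limited
# account, the Downloads location and the two notice lines were added to
# exercise the checks; this is not a real log.
SAMPLE_HEADER = r"""
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version:27-08-2015
Ran by Someperson (limited) on SOMEPERSON-PC  (27-08-2015 11:26:18)
Running from C:\Users\Someperson\Downloads
Loaded Profiles: Someperson (Available profiles: Someperson & Administrator & DefaultAppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English(United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Attention: Could not load system hive
Default: ControlSet001
"""

# Constructed "today" so the age checks are reproducible.
REVIEW_DATE = datetime(2015, 9, 10)

DATE_FMT = "%d-%m-%Y"            # FRST writes day-month-year
STAMP_FMT = "%d-%m-%Y %H:%M:%S"

FIRST_LINE = re.compile(r"^Scan result of Farbar Recovery Scan Tool \(FRST\.txt\) \((\w+)\) Version:(\S+)")
RAN_BY = re.compile(r"^Ran by (\S+) \((\w+)\) on (\S+)\s+\((\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\)")
RUNNING_FROM = re.compile(r"^Running from (.+)$")
PROFILES = re.compile(r"^Loaded Profiles: (.+?) \(Available profiles: (.+)\)$")
PLATFORM = re.compile(r"^Platform: (.+?) \((\w+)\) Language: (.+)$")
BROWSER = re.compile(r"^Internet Explorer Version (\S+) \(Default browser: (\w+)\)")
BOOT_MODE = re.compile(r"^Boot Mode: (.+)$")


def parse_header(text):
    """Return a dict of header fields; lines that match nothing are ignored."""
    info = {"notices": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FIRST_LINE.match(line):
            info["arch"], info["version"] = m.group(1), m.group(2)
        elif m := RAN_BY.match(line):
            info["user"], info["rights"], info["computer"] = m.group(1, 2, 3)
            info["scanned_at"] = datetime.strptime(m.group(4), STAMP_FMT)
        elif m := RUNNING_FROM.match(line):
            info["running_from"] = m.group(1)
        elif m := PROFILES.match(line):
            info["loaded_profiles"] = [p.strip() for p in m.group(1).split("&")]
            info["available_profiles"] = [p.strip() for p in m.group(2).split("&")]
        elif m := PLATFORM.match(line):
            info["platform"], info["os_arch"], info["language"] = m.group(1, 2, 3)
        elif m := BROWSER.match(line):
            info["ie_version"], info["default_browser"] = m.group(1, 2)
        elif m := BOOT_MODE.match(line):
            info["boot_mode"] = m.group(1)
        elif line.startswith("Attention:") or line.lower().startswith("default: controlset"):
            info["notices"].append(line)       # assumption: notices are their own lines
    return info


def header_findings(info, today, max_age_days=7):
    """Points to raise before reading the rest of the log (fixed order)."""
    findings = []
    if info.get("rights") != "administrator":
        findings.append("not-admin")           # FRST only works properly as administrator
    scanned = info.get("scanned_at")
    if scanned and "version" in info:
        tool_built = datetime.strptime(info["version"], DATE_FMT)
        if (scanned - tool_built).days > max_age_days:
            findings.append("old-tool-version")  # may lack current functionality
        if (today - scanned).days > max_age_days:
            findings.append("old-log")           # user may have posted a stale log
    if not info.get("running_from", "").rstrip("\\").lower().endswith("\\desktop"):
        findings.append("not-run-from-desktop")  # relevant for fix instructions
    if info.get("boot_mode", "Normal") != "Normal":
        findings.append("non-normal-boot-mode")
    if any(n.startswith("Attention:") for n in info["notices"]):
        findings.append("header-attention")      # e.g. hive not loaded; see LastRegBack:
    return findings


def analyse(text, today=REVIEW_DATE):
    """Convenience wrapper: (parsed header, findings)."""
    info = parse_header(text)
    return info, header_findings(info, today)


if __name__ == "__main__":
    header, findings = analyse(SAMPLE_HEADER)
    for key, value in header.items():
        print(f"{key}: {value}")
    print("findings:", findings)
```

Run as-is it prints the parsed fields and the list of findings for the constructed header; point `analyse` at the first ten lines of a real FRST.txt to use it on a posted log.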

 

 
 

 

Processes

There are two reasons why you might want to stop a process. First, you may want to stop a security program that might get in the way of a fix. Secondly, you may want to stop a bad process and then remove the folder or file associated with it.

To stop a process include the appropriate lines from the FRST scan.

Example:
 

(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
(IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe


A Fixlog.txt will be generated with this label: Process name => Process closed successfully

If you have a bad process and wish to remove the associated file or folder you need to include the item separately in your fix like this:

Example:
 

(Spigot, Inc.) C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
(Spigot Inc) C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings64.exe
C:\Program Files (x86)\Common Files\Spigot



Registry

Registry entries (keys or values) that are taken from FRST log and included in the fixlist to be deleted, will be deleted. FRST has a powerful deletion routine for keys and values. All the keys and values that resist deletion due to insufficient permissions or null embedded characters will be deleted. The only keys that will not be deleted are those keys that are protected by a kernel driver. Those keys/values should be deleted after the kernel driver that is protecting them is removed or disabled.

Copying and pasting the items from a log into a fix triggers FRST to perform one of two actions on the listed registry key:

  • Restoring the default key or
  • deleting the key.

When the entries from the log related to Winlogon values (Userinit, Shell, System), LSA, and AppInit_DLLs are copied to the fixlist.txt the tool restores the default Windows values.

Note: With AppInit_DLLs where there is one bad path, FRST removes that particular path from the AppInit_DLLs value without removing the rest.

No need for any batch or regfix. The same applies to some other important keys that might be hijacked by the malware.

Note: FRST does not touch the files the registry keys are loading or executing. Files to be moved must be listed separately with the full path without any additional information.

Except for one case (see below) the Run and Runonce entries if copied to the fixlist.txt will be removed from the registry. The files they are loading or executing will not be removed. If you wish to remove them you must list them separately.

For example, to remove the bad run entry along with the file you would list them in the fixlist.txt as follows (the first line being copied directly from the log):
 

HKLM\...\Run: [3ktQnKPKDDuPsCd] C:\Users\Someperson 3\AppData\Roaming\xF9HhFtI.exe [334848 2012-08-03] ()
C:\Users\Someperson 3\AppData\Roaming\xF9HhFtI.exe


There is one case where a Run value is not removed but reset to its default path. In that case you will see this line in the log:
 

HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x] <===== ATTENTION (File name is altered)


When that line is included in fixlist the default entry will be restored.

In the case of Notify keys, where they are included in the fixlist.txt, if they are among the default keys the tool restores the value (DllName) data related to that key. If the key is not a default key it will be removed.

The Image File Execution Options entries when included in the fixlist.txt will be removed.

When a file or shortcut in the Startup folder is detected, FRST lists the file on the Startup: entries. If the file is a shortcut the next line will list the shortcut target (i.e. the executable that is run by the shortcut). To remove both the shortcut and the target file you need to include both of them.

Example:
 

Startup: C:\Users\rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk [2013-09-11]
ShortcutTarget: runctf.lnk -> C:\Users\rob\1800947.exe ()


Note: The first line only moves the shortcut. Listing the second line moves the 1800947.exe file. If you only list the second line, the executable file will be removed but the shortcut will remain in the Startup folder. The next time the system is started it will throw an error when the shortcut tries to run the executable and doesn't find it.
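The rules above (a Run entry only removes the registry value, so the file it loads must be listed separately as a bare path; an altered-file-name Run entry is reset by FRST and needs no extra line; a Startup shortcut needs its ShortcutTarget line as well) are mechanical enough to script. The following Python is an added example, not part of this tutorial and not code from FRST, that expands selected log lines into fixlist.txt lines. The sample log section reuses the tutorial's example lines plus one constructed "updchk" entry with command-line arguments; the argument-stripping heuristic and the select-by-substring interface are this example's own.

```python
"""Expand selected FRST.txt entries into fixlist.txt lines.

Added example; not part of the FRST tutorial or of the FRST tool. The
argument-stripping heuristic and the selection interface are assumptions.
"""
import re

# Constructed sample log section: the tutorial's example lines plus a made-up
# "updchk" entry that carries command-line arguments.
SAMPLE_LOG = r"""
HKLM\...\Run: [3ktQnKPKDDuPsCd] C:\Users\Someperson 3\AppData\Roaming\xF9HhFtI.exe [334848 2012-08-03] ()
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x] <===== ATTENTION (File name is altered)
HKLM\...\Run: [updchk] C:\Users\Someperson 3\AppData\Local\updchk\updchk.exe -silent [12345 2012-08-04] ()
Startup: C:\Users\rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk [2013-09-11]
ShortcutTarget: runctf.lnk -> C:\Users\rob\1800947.exe ()
"""

# A normal Run/RunOnce line: key, [name], command, [size date] (company)
RUN_ENTRY = re.compile(r"^HK.*?\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+?) \[\d+ \d{4}-\d\d-\d\d\] \(.*\)$")
STARTUP = re.compile(r"^Startup: .+\.lnk \[\d{4}-\d\d-\d\d\]$")
SHORTCUT_TARGET = re.compile(r"^ShortcutTarget: .+? -> .+ \(.*\)$")
ALTERED = "<===== ATTENTION (File name is altered)"
# Heuristic: the executable path ends at the first known extension that is
# followed by whitespace or the end of the command.
EXECUTABLE = re.compile(r"(?i)^(.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?:\s|$)")


def strip_arguments(cmd):
    """Reduce a Run command line to the bare path, as the tutorial requires
    for files to be moved. This is the example's heuristic, not FRST logic."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXECUTABLE.match(cmd)
    return m.group(1) if m else cmd


def fix_lines_for(log_lines, i):
    """Fixlist lines for log line i plus the companion line the tutorial asks for."""
    line = log_lines[i].strip()
    out = [line]
    if ALTERED in line:
        return out                                   # FRST restores the default value itself
    if m := RUN_ENTRY.match(line):
        out.append(strip_arguments(m.group("cmd")))  # the file the value loads
    elif STARTUP.match(line) and i + 1 < len(log_lines):
        nxt = log_lines[i + 1].strip()
        if SHORTCUT_TARGET.match(nxt):
            out.append(nxt)                          # move the shortcut's target too
    return out


def build_fixlist(log_text, bad_markers):
    """Select every log line containing one of the markers and expand it."""
    lines = log_text.splitlines()
    fixlist = []
    for i, line in enumerate(lines):
        if any(marker in line for marker in bad_markers):
            for entry in fix_lines_for(lines, i):
                if entry not in fixlist:             # ShortcutTarget may be selected twice
                    fixlist.append(entry)
    return fixlist


if __name__ == "__main__":
    for entry in build_fixlist(SAMPLE_LOG, ["xF9HhFtI", "[MSC]", "updchk", "runctf.lnk"]):
        print(entry)
```

The markers are the fragments a helper has already judged to be bad; the script only does the copying and the companion-line bookkeeping, and the result still has to be saved from Notepad as fixlist.txt next to FRST.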

FRST detects the presence of either DisableSR or DisableConfig values under the HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore:

Example:


HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION


Including the line in the fixlist will trigger removing the whole key (it does not exist by default).

Note: FRST also generates a warning in Addition.txt if SR is disabled even if it is not disabled by Group Policy but by the user. In that case FRST doesn't do anything. The user should be instructed to enable System Restore. There is no Group Policy preventing enablement.
 

 

Internet

Apart from a few exceptions, items copied to fixlist.txt will be removed. Where folders/files are involved they must be copied separately to the fix.


Winsock

Items not on the default list will show in the log. If a Catalog5 entry is listed to be fixed, FRST will do one of two things:

1. In the case of hijacked default entries, it will restore the default entry.
2. In the case of custom entries, it will remove them and re-number the catalog entries.

Where there are Catalog9 entries to be fixed, it is recommended to use "netsh winsock reset".

Where there are still custom Catalog9 entries to be fixed, they can be listed to be fixed. In that case FRST will remove the entries and re-number the catalog entries.

Care: a broken chain will prevent a machine connecting to the Internet.

Broken internet access due to missing winsock entries will be reported in the log like this:
 

Winsock: -> Catalog5 - Broken internet access due to missing entry. <===== ATTENTION
Winsock: -> Catalog9 - Broken internet access due to missing entry. <===== ATTENTION


To fix the issue, the entries can be included in the fixlist.txt.

In the case of a ZeroAccess infection we might get a log like this:
 

Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll No File
Winsock: Catalog9 02 mswsock.dll No File
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll No File
Winsock: Catalog9-x64 02 mswsock.dll No File


When included in the fixlist, FRST will reset the Catalog5 entries but doesn't do anything to problematic Catalog9 entries and tells you to use "netsh winsock reset" to deal with them.

A full fix script would look like this:
 

Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset

Note the cmd: netsh winsock reset included in the fix.

The Fixlog generated after the fix would look like this:
 

Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5 000000000006\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
Winsock: Catalog5-x64 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5-x64 000000000006\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)

========= netsh winsock reset =========

"Successfully reset the Winsock Catalog. You must restart the computer in order to complete the reset."

========= End of CMD: =========


Note: In certain situations the netsh winsock reset command may not work. When that happens have the user reboot the machine and run cmd: netsh winsock reset again.
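The Winsock rules in this section (Catalog5 lines and "Broken internet access" lines go in the fixlist for FRST to restore or re-add; Catalog9 "No File" entries are left to cmd: netsh winsock reset; the Fixlog then confirms each restore and the reset) can be checked by script. The Python below is an added example, not part of this tutorial and not code from FRST: it builds the fix script from the ZeroAccess log above and reads back the Fixlog, reporting whether the reset succeeded so the "run it again after a reboot" case is caught. Both sample inputs reproduce the tutorial's own excerpts; the summary key names are this example's own.

```python
"""Winsock section: build fixlist lines from FRST.txt and read back Fixlog.txt.

Added example; not part of the FRST tutorial or of the FRST tool. The summary
key names and the treatment of custom Catalog9 entries are assumptions.
"""
import re

# The tutorial's ZeroAccess example, reproduced as constructed sample input.
SAMPLE_LOG = r"""
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll No File
Winsock: Catalog9 02 mswsock.dll No File
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll No File
Winsock: Catalog9-x64 02 mswsock.dll No File
"""

# The tutorial's Fixlog excerpt for that fix, reproduced as sample input.
SAMPLE_FIXLOG = r"""
Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5 000000000006\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
Winsock: Catalog5-x64 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5-x64 000000000006\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)

========= netsh winsock reset =========

"Successfully reset the Winsock Catalog. You must restart the computer in order to complete the reset."

========= End of CMD: =========
"""

WINSOCK = re.compile(r"^Winsock: (?:-> )?(?P<catalog>Catalog[59])(?:-x64)?\b")
RESTORED = re.compile(r"^Winsock: (?P<entry>Catalog[59](?:-x64)? \S+) => restored successfully")
NETSH_RESET = "cmd: netsh winsock reset"


def build_winsock_fix(log_text):
    """Fixlist lines for the Winsock entries in an FRST.txt log."""
    fixlist, needs_reset = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = WINSOCK.match(line)
        if not m:
            continue                      # other log sections are out of scope here
        if m.group("catalog") == "Catalog5" or "Broken internet access" in line:
            fixlist.append(line)          # FRST restores defaults / re-adds missing entries
        elif "No File" in line:
            needs_reset = True            # FRST leaves broken Catalog9 entries to netsh
        else:
            fixlist.append(line)          # custom Catalog9 entry: FRST removes and renumbers
    if needs_reset:
        fixlist.append(NETSH_RESET)
    return fixlist


def summarize_fixlog(fixlog_text):
    """What the Fixlog says happened: restored entries and the netsh result."""
    restored, reset_ok, reboot = [], False, False
    for raw in fixlog_text.splitlines():
        line = raw.strip()
        if m := RESTORED.match(line):
            restored.append(m.group("entry"))
        elif "Successfully reset the Winsock Catalog" in line:
            reset_ok = True
            reboot = "restart" in line.lower()
    # reset_ok False after a fix that included the netsh line means: reboot, run it again
    return {"restored": restored, "netsh_reset_ok": reset_ok, "reboot_required": reboot}


if __name__ == "__main__":
    print("\n".join(build_winsock_fix(SAMPLE_LOG)))
    print(summarize_fixlog(SAMPLE_FIXLOG))
```

For the sample log the builder emits exactly the five-line fix script shown above, and the Fixlog summary lists the four restored LibraryPath values with the reset confirmed and a restart pending.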


hosts

When there are custom entries in Hosts, you will get a line in the Internet section of the FRST.txt log saying:


Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt


If the hosts file is not detected, there will be an entry about not being able to detect hosts.

To reset the hosts just copy and paste the line into the fixlist.txt and the hosts will be reset. You will see a line in Fixlog.txt confirming the reset.


Tcpip

Tcpip and other entries when included in the fixlist.txt will be deleted.
 

 

 

Note: In the case of StartMenuInternet hijacking for IE, FF, Chrome and Opera, the default entries will be whitelisted. When the entry appears in a FRST log it means that a non-default path is shown. There may or may not be something wrong with the access path in the registry and further investigation should be made. Where there is a problem the entry can be included in the fixlist and the default registry entry will be restored.


Internet Explorer

Where the home page is pasted into fixlist.txt the value will be removed, returning the browser setting to the default position. The listing would be entered like this (the line is entered directly from the log):
 

HKU\S-1-5-21-1177238915-220523388-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://isearch.omiga-plus.com/?type=hp&ts=1416067288&from=adks&uid=WDCXWD2500BEVT-22ZCT0_WD-WX31A20C4172C4172


Where internet search providers are involved the item can be pasted into fixlist.txt and the key will be deleted. The items are entered as follows:
 

SearchScopes: HKU\S-1-5-21-1177238915-220523388-1801674531-1003 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1416067288&from=adks&uid=WDCXWD2500BEVT-22ZCT0_WD-WX31A20C4172C4172&q={searchTerms}


Note: In the case of HKLM DefaultScope (hijacked or missing) however, it will be reset, not deleted.

Toolbars and BHOs (Browser Helper Objects) can be copied into the fix and the key will be deleted. Accompanying files/folders must be entered separately if they need to be moved.

Example:


BHO: shopperz -> {d0174004-bb12-464b-b666-9ba9bdbd750a} -> C:\Program Files\shopperz\Gaalmi64.dll [2015-08-05] ()
BHO-x32: shopperz -> {d0174004-bb12-464b-b666-9ba9bdbd750a} -> C:\Program Files\shopperz\Gaalmi.dll [2015-08-05] ()
C:\Program Files\shopperz


ActiveX objects can be pasted into the fix and the item will be removed. Just enter the line like so:


DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab



Edge

FRST lists Edge HomeButtonPage pointing to a custom page, enabled Session Restore and installed extensions:


Edge HomeButtonPage: HKU\S-1-5-21-3306840180-458517910-2511866134-1001 -> hxxp://www.istartsurf.com/?type=hp&ts=1439478262&z=019d9423eacc473501fd356gez9c7t5z3mbb5g9g9q&from=obw&uid=CrucialXCT250MX200SSD1_1528100C4588100C4588
Edge Session Restore: HKU\S-1-5-21-3306840180-458517910-2511866134-1001 -> is enabled.
Edge Extension: Adblock Plus -> 10_EyeoGmbHAdblockPlus_d55gg7py3s0m0 => C:\Program Files\WindowsApps\EyeoGmbH.AdblockPlus_0.9.6.0_neutral__d55gg7py3s0m0 [2016-08-14]


The HomeButtonPage and Session Restore entries when included in the fixlist.txt will be deleted from registry.

For Extensions entries, when included in the fixlist.txt, the registry key will be deleted and the associated folder moved.


Firefox

FRST lists FF keys and profiles (if present) regardless of whether FF is installed or not. The FF ProfilePath line indicates the default profile. Where there are multiple profiles FRST will list preferences of the default profile only. Extensions, SearchPlugins and user.js are detected in all profiles.

Where the preferences are pasted into fixlist.txt the values will be removed. Next time Firefox is started it will revert to its default settings. The listing would be entered like this (the line is entered directly from the log):
 

FF Homepage: hxxp://www.ask.com/


FRST verifies Add-ons digital signatures. Unsigned Add-ons are labelled.

Example:
 

FF Extension: Web Protector - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\v5uc809j.default\Extensions\{a95d417e-c6bc-decc-ba54-456315cd7f2d} [2015-09-06] [not signed]


For Add-ons (Extensions and Plugins), the entry from the log can be entered in the fixlist and the item will be moved. For Plugins and Extensions where the registry points at a file/folder, the registry entry will be deleted and the file/folder moved (see below).

Example for an Add-on or Extension:
 

FF HKU\S-1-5-21-2914137113-2192427215-1418463898-1000\...\Firefox\Extensions: [freegames4357@BestOffers] - C:\Users\Owner\AppData\Roaming\Mozilla\Extensions\freegames4357@BestOffers
FF Extension: Free Games 111 - C:\Users\Owner\AppData\Roaming\Mozilla\Extensions\freegames4357@BestOffers [2014-01-21]


Example for a Plugin:
 

fixlist content:
*****************
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=10 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll [2015-10-12] (globalUpdate)
FF Plugin-x32: @staging.google.com/globalUpdate Update;version=4 -> C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll [2015-10-12] (globalUpdate)
*****************

HKLM\Software\Wow6432Node\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10 => key removed successfully
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll => moved successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4 => key removed successfully
C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\npglobalupdateUpdate4.dll => not found


Note: This only applies to Firefox, Chrome and Opera. For other entries in the Internet section of the log that involve a registry key pointing at a file, the file/folder (just the path) should be listed separately to be moved.


Chrome

FRST lists Chrome keys and profiles (if present) regardless of whether Chrome is installed or not. Where there are multiple profiles FRST will read the last used profile and list preferences of that particular profile. Extensions are detected in all profiles.

Where you see something like this:


CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\Farbar\AppData\Local\Google\Chrome\Application\27.0.1453.94\gcswf32.dll => No File


This means that the particular file is missing and the plugin is not available. Including the entry in the fixlist will not remove the entry.

"No file" entries can be removed by refreshing Google Chrome plugins cache.

To refresh Google Chrome plugins cache and remove the orphans, do the following:
 

Open Chrome.
Copy and paste the following in the address bar and press Enter:

chrome://plugins

You will get a page with all the plugins listed. There is an option to disable each plugin.
Press "Disable" under each plugin involved. Then press "Enable".
Close Chrome.


Deleting the extension folder using FRST does effectively remove the extension. It cannot run, and does not do any harm to Chrome's operation, but the extension name remains in the prefs file. For that reason it is better to use Chrome's own tools, see below:
 

Click the Chrome menu on the browser toolbar.
Click Tools and select Extensions.
Click the trash can icon by the extension you'd like to completely remove.
A confirmation dialog appears, click Remove.


Processing a Registry type of an extension will delete both elements at once if found (no need to include a second line pointing to the file). Just include the lines in the fixlist and you will get this report after the fix:
 

fixlist content:
*****************
CHR HKLM-x32\...\Chrome\Extension: [emidjbenipnbgpknhjkkdfocdjbogooh] - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode4046\ch\MediaBuzzV1mode4046.crx [2014-04-24]
CHR HKLM-x32\...\Chrome\Extension: [mmifolfpllfdhilecpdpmemhelmanajl] - C:\Program Files (x86)\BetterSurf\BetterSurfPlus\ch\BetterSurfPlus.crx <not found>
*****************

"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\emidjbenipnbgpknhjkkdfocdjbogooh" => key removed successfully
C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode4046\ch\MediaBuzzV1mode4046.crx => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mmifolfpllfdhilecpdpmemhelmanajl" => key removed successfully


Where you see something like this:
 

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
GroupPolicy: Restriction - Chrome <======= ATTENTION


Some adware uses Group Policy to block changes to extensions or other features.

Include the lines in the fixlist and you will see the following in the Fixlog.txt report.
 

HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.


Where you see this:
 

CHR dev: Chrome dev build detected! <======= ATTENTION


This alert tells you it is likely that adware has silently updated Chrome to the "dev" (experimental build) version. FRST does not fix this; the alert is there to tell you to re-install Google Chrome to the normal/stable version once the adware is removed (unless the user has specifically chosen to use the "dev" build).

To remove something other than a registry type of extension, the instructions given for FF above apply to add-ons, extensions, plugins and all other items.


Opera

FRST lists Opera keys and profile (if present) regardless of whether Opera is installed or not.

Opera scan is currently limited to StartMenuInternet, StartupUrls, Session Restore and extensions:
 

OPR StartupUrls: "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggadghZAFsUQxhHIlxZTA1JEwEOeQsJWBQTFwQUIgoJAFhGFwMFIk0FA1oDB0VXfV5bFElXTwh3MlxZEkwDRGFRIVpT"
OPR Session Restore: -> is enabled.
OPR Extension: (iWebar) - C:\Users\operator\AppData\Roaming\Opera Software\Opera Stable\Extensions\gnjbfdmiommbcdfigaefehgdndnpeech [2015-01-15]


Including a StartupUrls or Session Restore entry into fixlist.txt triggers removal of the entry.

Including an extension entry into fixlist.txt triggers moving the extension. No need to include the path separately.

While no longer active, the entry showing in the browser's "Extensions" panel will not be removed. Use Opera's own tools, see below:

Click the Opera button at top left and in the drop-down menu click Extensions.
To remove individual extensions click the X for each item and then OK.

 

 

For browsers that are not shown in the log, the best option is a complete uninstall followed by a reboot and reinstall.

 

 

 

Services and Drivers

The Services and Drivers are formatted as follows:

RunningState StartType ServiceName; ImagePath or ServiceDll [Size CreationDate] (CompanyName)

RunningState - the letter beside the number represents the running state:

R=Running
S=Stopped
U=Undetermined

The "StartType" numbers are:

0=Boot
1=System
2=Auto
3=Demand
4=Disabled
5=Assigned by FRST when it is unable to read the start type

Where you see [X] at the end of a listed entry that indicates that FRST could not find the files associated with the particular Service or Driver and has listed the ImagePath as it is in the registry instead.

FRST scans for a number of known infections and verifies the digital signature of the files for Services and Drivers. Where a file is not digitally signed it will be reported.

Example:
 

==================== Services (Whitelisted) =================

R2 DcomLaunch; C:\Windows\system32\rpcss.dll [512512 2010-11-20] (Microsoft Corporation) [File not signed]
R2 RpcSs; C:\Windows\system32\rpcss.dll [512512 2010-11-20] (Microsoft Corporation) [File not signed]


A Microsoft system file that is not signed needs to be replaced with a good copy. To fix, use the Replace: command.

Note: The digital signatures check is not available in the Recovery Environment.

To remove a bad service or driver, copy the line from the scan log to fixlist.txt. Any associated file should be included separately.

Example:
 

R2 Khiufa; C:\Users\User\AppData\Roaming\Eepubseuig\Eepubseuig.exe [174432 2016-04-13] ()
C:\Users\User\AppData\Roaming\Eepubseuig


The tool closes any service entry that is included in the fixlist.txt and removes the service key.

There is one exception: Windows Management Instrumentation where it has been hijacked by ransomware. In that case you will see something like:
 

S2 Winmgmt; C:\PROGRA~2\dfgujiynkowgcsquunu.bfg [x]


When that line is included in fixlist it will restore the Parameters.

Note: FRST will report success or failure of stopping services that are running. Regardless of whether the service is stopped or not, FRST attempts to delete the service. Where a running service is deleted, FRST informs the user that the fix is complete and that a restart is needed, and then restarts the system. You will see a line at the end of Fixlog about the needed restart. If a service is not running, FRST deletes it without forcing a restart.

Note: If FRST is not able to access a service at all, the following will be printed in a log:
 

"1b36535375971e1b" => service could not be unlocked. <===== ATTENTION


Something like that may reflect rootkit modifications or registry corruption. Expert help should be sought to identify and deal with the problem.


NetSvcs

Known legitimate entries are whitelisted. As with other scanned areas that have a whitelist, this does not mean that items appearing in FRST.txt are all bad, just that they should be checked.

The NetSvc entries are listed each on a line, like this:
 

NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: pMgt -> C:\Window\System32\dstor.dll ==> No File
NETSVC: WUSB54GCSVC -> No Filepath


The first entry is labelled with the infection =====> ZeroAccess and needs to be dealt with.

The second entry means there is a ServiceDll in the registry entry which is associated with pMgt service but the file is missing.

The third entry means WUSB54GCSVC has no ServiceDll entry in the registry. The second and third entries are leftovers.

Note: Listing Netsvc only removes the associated value from the registry. The associated service should be listed for deletion separately.

Looking at the above example, there is a service listed earlier in the FRST log that is associated with the item showing under NETSVC; it looks like this:
 

R2 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess


To remove the Netsvc value, the associated service in the registry and the associated DLL file, the full script would look like this:
 

NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
R2 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\System32\smcservice.dll
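As an added example covering both the Services and Drivers line format and the NetSvcs lines above (my own code, not part of the tutorial or of FRST), the following Python decodes the running state and start type, flags the conditions the tutorial calls out ([File not signed], an [X] file-not-found marker, an empty company name, an infection label), classifies the three kinds of NETSVC line, and assembles the three-line NetSvc fix shown above from a NETSVC line and the matching service line. The sample lines are copied from this section's examples; the function names and the field names in the returned dictionaries are my choice.

```python
import re

# Decoding tables for the RunningState letter and StartType digit (from the tutorial).
RUNNING_STATE = {"R": "Running", "S": "Stopped", "U": "Undetermined"}
START_TYPE = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand",
              "4": "Disabled", "5": "Unreadable (assigned by FRST)"}

# RunningState StartType ServiceName; ImagePath [Size Date] (Company) [File not signed]
# A file FRST cannot find shows [X] instead of [Size Date]; an infection label ends the line.
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>[0-5]) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]| \[(?P<missing>[xX])\])?"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?P<unsigned> \[File not signed\])?"
    r"(?: ATTENTION! ====> (?P<infection>\S+))?$"
)

# NETSVC: ServiceName -> ServiceDll (Company) ATTENTION! ====> Label
NETSVC_RE = re.compile(
    r"^NETSVC: (?P<name>\S+) -> (?P<dll>.+?)"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?: ATTENTION! ====> (?P<infection>\S+))?$"
)

def parse_service_line(line):
    """Split one Services/Drivers log line into its fields, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return {
        "raw": line.strip(),
        "state": RUNNING_STATE[m.group("state")],
        "start_type": START_TYPE[m.group("start")],
        "name": m.group("name"),
        "path": m.group("path"),
        "size": int(m.group("size")) if m.group("size") else None,
        "date": m.group("date"),
        "file_missing": m.group("missing") is not None,
        "company": m.group("company"),   # None: no "(...)" field; "": empty "()"
        "unsigned": m.group("unsigned") is not None,
        "infection": m.group("infection"),
    }

def service_attention_reasons(svc):
    """Conditions the tutorial says deserve a closer look."""
    reasons = []
    if svc["infection"]:
        reasons.append("labelled " + svc["infection"])
    if svc["file_missing"]:
        reasons.append("file not found [X]")
    if svc["unsigned"]:
        reasons.append("file not signed")
    if svc["company"] == "":
        reasons.append("no company name")
    return reasons

def parse_netsvc_line(line):
    """Split one NETSVC line; "status" tells which of the three cases it is."""
    line = line.strip()
    m = re.match(r"^NETSVC: (\S+) -> (.*)$", line)
    if not m:
        return None
    name, rest = m.groups()
    entry = {"raw": line, "name": name, "dll": None, "company": None,
             "infection": None, "status": "present"}
    if rest == "No Filepath":                  # no ServiceDll value in the registry
        entry["status"] = "no_servicedll_value"
    elif rest.endswith(" ==> No File"):        # ServiceDll is set but the file is gone
        entry["status"] = "file_missing"
        entry["dll"] = rest[: -len(" ==> No File")]
    else:
        d = NETSVC_RE.match(line)
        entry["dll"], entry["company"] = d.group("dll"), d.group("company")
        entry["infection"] = d.group("infection")
        if entry["infection"]:
            entry["status"] = "infected"
    return entry

def build_netsvc_fix(netsvc_line, service_lines):
    """Assemble the full fix for a flagged NETSVC value: the NETSVC line, the
    matching service line and the DLL path, each on its own fixlist line."""
    ns = parse_netsvc_line(netsvc_line)
    fix = [ns["raw"]]
    for line in service_lines:
        svc = parse_service_line(line)
        if svc and svc["name"] == ns["name"]:
            fix.append(svc["raw"])
            if not svc["file_missing"]:        # an [X] entry has no file to move
                fix.append(svc["path"])
    return fix

if __name__ == "__main__":
    # Constructed sample lines copied from the tutorial's examples.
    services = [
        r"R2 DcomLaunch; C:\Windows\system32\rpcss.dll [512512 2010-11-20] (Microsoft Corporation) [File not signed]",
        r"R2 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess",
    ]
    netsvc = r"NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess"
    print("\n".join(build_netsvc_fix(netsvc, services)))
```

The DLL path in the generated fix is taken from the service line rather than from the NETSVC line, which is what the tutorial's full script above does; the two can differ only in letter case.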



One Month Created Files and Folders and One Month Modified Files and Folders

The "One Month Created" scan reports the file or folder's created date and time followed by the last modified date and time. The "Modified" scan reports the file or folder's modified date and time followed by the date and time it was created. The size of the file (the number of bytes it contains) is also shown. A folder shows 00000000 as the folder itself has no bytes.

 

Note: To avoid a very long scan time and the production of excessively large logs, the scan is limited to some predefined locations. Also, FRST only lists custom folders, but not their contents. If you wish to know the contents of a custom folder use the Folder: directive.

FRST adds notations to certain log entries:

C - Compressed
D - Directory
H - Hidden
L - Symbolic Link
N - Normal (does not have other attributes set)
O - Offline
R - Readonly
S - System
T - Temporary
X - No scrub (Windows 8+)

To remove a file or folder in the one month list just copy and paste the whole line to fixlist.txt like this:


2013-03-20 22:55 - 2013-03-20 22:55 - 00000000 ____D C:\Program Files (x86)\SearchProtect
2010-10-12 01:06 - 2008-11-07 18:18 - 0000406 _____ c:\Windows\Tasks\At12.job
2010-10-12 01:06 - 2008-11-07 18:17 - 0001448 ____S c:\Windows\System32\Drivers\bwmpm.sys

 
Listing the Symbolic Link attribute is especially helpful in recognizing the folders created by the ZeroAccess infection.

Example:


2013-07-14 18:17 - 2013-07-14 18:17 - 00000000 ___DL C:\Windows\system64


Before listing those folders to be moved, the DeleteJunctionsInDirectory: FolderPath directive should be used (it can be used in any mode).

Example:
 

DeleteJunctionsInDirectory: C:\Windows\system64
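As an added example (my own code, not part of the tutorial or of FRST), the following Python parses the One Month entry format described above, decodes the attribute letters from the tutorial's table, recognises the ___DL folder pattern the tutorial associates with ZeroAccess, and writes the fixlist lines for a set of entries with the DeleteJunctionsInDirectory: directive placed before such a folder. The sample lines are copied from this section's examples; the scan parameter and the function names are my choice.

```python
import re

# Attribute letters FRST appends to One Month entries (from the tutorial's table).
ATTRIBUTES = {
    "C": "Compressed", "D": "Directory", "H": "Hidden", "L": "Symbolic Link",
    "N": "Normal", "O": "Offline", "R": "Readonly", "S": "System",
    "T": "Temporary", "X": "No scrub",
}

# date time - date time - size attrs path
ONE_MONTH_RE = re.compile(
    r"^(?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<second>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) (?P<path>.+)$"
)

def parse_one_month_line(line, scan="created"):
    """Parse a One Month entry. scan="created" means the first timestamp is the
    creation time (the Created list); scan="modified" means the Modified list,
    where the order of the two timestamps is swapped."""
    m = ONE_MONTH_RE.match(line.strip())
    if not m:
        return None
    first, second = m.group("first"), m.group("second")
    created, modified = (first, second) if scan == "created" else (second, first)
    return {
        "raw": line.strip(),
        "created": created,
        "modified": modified,
        "size": int(m.group("size")),                       # 0 for a folder
        "attributes": {ATTRIBUTES.get(c, c) for c in m.group("attrs") if c != "_"},
        "path": m.group("path"),
    }

def is_junction_folder(entry):
    """A directory that is also a symbolic link (___DL): the ZeroAccess pattern."""
    return {"Directory", "Symbolic Link"} <= entry["attributes"]

def fixlist_for(entries):
    """Build fixlist lines: each entry is pasted whole, and a ___DL folder is
    preceded by the DeleteJunctionsInDirectory: directive as the tutorial advises."""
    lines = []
    for e in entries:
        if is_junction_folder(e):
            lines.append("DeleteJunctionsInDirectory: " + e["path"])
        lines.append(e["raw"])
    return lines

if __name__ == "__main__":
    # Constructed sample taken from the tutorial's examples.
    sample = [
        r"2013-03-20 22:55 - 2013-03-20 22:55 - 00000000 ____D C:\Program Files (x86)\SearchProtect",
        r"2010-10-12 01:06 - 2008-11-07 18:17 - 0001448 ____S c:\Windows\System32\Drivers\bwmpm.sys",
        r"2013-07-14 18:17 - 2013-07-14 18:17 - 00000000 ___DL C:\Windows\system64",
    ]
    entries = [parse_one_month_line(s) for s in sample]
    for e in entries:
        print(e["path"], sorted(e["attributes"]), e["size"])
    print("\n".join(fixlist_for(entries)))
```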

 
To fix other files/folders the path could be listed in the fixlist.txt:


c:\Windows\System32\Drivers\badfile.sys
C:\Program Files (x86)\BadFolder

 
If you have several files with similar file names and want to move them with one script, the wildcard * can be used.

So you can either list those files like:

C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At52.job

Or just:

C:\Windows\Tasks\At*.job

 
Note: A question mark "?" character is ignored for safety reasons, no matter whether it is a wildcard or a substitution for Unicode characters (see "Unicode" section below). Also, wildcards are not supported for folders.

 

To remove files/folders with a space in the path, there is no need to put them in quote marks; you can simply put the path in the fixlist:


C:\Program Files (x86)\SearchProtect

 

 

Unicode

To fix an entry with Unicode characters in it, the fixlist.txt must be saved in Unicode, otherwise the Unicode characters will be lost. The best way to deal with a line with Unicode is to save the fixlist.txt and upload it.

Example:
 

2013-07-07 19:53 - 2013-07-07 19:53 - 00000000 ____D C:\υλλογή

 
To move the above folder:

Copy and paste the entry into the open Notepad, select Save As..., under Encoding select Unicode, name it fixlist and save it.

If you save it in Notepad without selecting Unicode, Notepad will give you a warning. If you go on and save it anyway, after closing it and opening it again you will get:
 

2013-07-07 19:53 - 2013-07-07 19:53 - 00000000 ____D C:\??????


And FRST will not be able to process it.
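As an added example (my own code, not part of the tutorial), the following Python shows why the encoding choice matters. Notepad's "Unicode" option writes UTF-16 LE with a byte-order mark, which is reproduced here; the ANSI save is simulated with the cp1252 code page (an assumption about the user's Western locale), where every character outside the code page is replaced by "?", exactly what the tutorial's second listing shows. The entry is a constructed copy of the example above; the function names are my choice.

```python
import codecs
import tempfile
from pathlib import Path

# Constructed entry matching the tutorial's example (Greek characters in the folder name).
ENTRY = "2013-07-07 19:53 - 2013-07-07 19:53 - 00000000 ____D C:\\υλλογή"

def save_fixlist(lines, path, unicode=True):
    """Write a fixlist. unicode=True mirrors Notepad's "Unicode" encoding choice
    (UTF-16 LE with a byte-order mark). unicode=False mirrors an ANSI save, where
    characters outside the code page become "?"; cp1252 stands in for the
    Western ANSI code page here (an assumption about the user's locale)."""
    text = "\r\n".join(lines) + "\r\n"
    if unicode:
        data = codecs.BOM_UTF16_LE + text.encode("utf-16-le")
    else:
        data = text.encode("cp1252", errors="replace")
    Path(path).write_bytes(data)

def load_fixlist(path):
    """Read the fixlist back the way a BOM-aware reader would."""
    data = Path(path).read_bytes()
    if data.startswith(codecs.BOM_UTF16_LE):
        return data[len(codecs.BOM_UTF16_LE):].decode("utf-16-le").splitlines()
    return data.decode("cp1252").splitlines()

def has_lost_characters(line):
    """True when a line carries "?" in it: FRST ignores "?", so such an entry
    can no longer be matched and processed."""
    return "?" in line

def round_trip(unicode):
    """Save ENTRY with the chosen encoding, read it back and return the line."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "fixlist.txt"
        save_fixlist([ENTRY], path, unicode=unicode)
        return load_fixlist(path)[0]

if __name__ == "__main__":
    print("Unicode save:", round_trip(True))
    ansi = round_trip(False)
    print("ANSI save   :", ansi, "| lost characters:", has_lost_characters(ansi))
```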


Files to move or delete

Files listed in this section are those that are either bad or in a bad location.

Examples of legitimate files are the files that users have downloaded and saved to the User's directory. Another example is when a legitimate third party software keeps one of its files in the User's directory. That is a bad practice by any software vendor and those files should be moved even if they are legitimate. We have seen many infections hiding their fabricated files (seemingly legitimate but malware files) in that directory and running them from there.

Files and folders in this section (like Modified files) are dealt with in a fix in the same way as in the One Month Created Files and Folders section above.


Some content of TEMP

This is a non-recursive scan limited to some particular extensions to get a basic idea of whether a malware file is placed in Temp root. This section is not visible if no files meet the requirements of the search. That does not mean that Temp is empty or malware free (e.g. malware could be in a subfolder not expanded by FRST) just that it does not meet the particular search parameters. For a more comprehensive cleanup of temp files, use of the EmptyTemp: command is an option.


Known DLLs

Some items in this section, if missing, patched or corrupted, could cause boot issues. Accordingly this scan only appears when the tool is run in RE (Recovery Environment) mode.

Items are whitelisted unless they need attention.

Care is required in dealing with items identified in this section. Either a file is missing or it appears to have been modified in some way. Expert help is recommended to ensure the problematic file is correctly identified and dealt with in the appropriate way. In the majority of cases there is a good replacement on the system that should be found with the Search function of FRST. Please see the Directive section (Examples of use) of this tutorial on how to replace a file and the Other features section for how to carry out a search.


Bamital & volsnap

Primarily designed as a Bamital and volsnap malware check, this section is currently extended to detect other anomalies.

Modified system files alert you to possible malware infection. Where infection is identified care needs to be taken with remedial action. Expert help should be sought as removal of a system file could render a machine unbootable.

When a file does not have a correct digital signature you will see file properties instead.

Example taken from a Hijacker.DNS.Hosts infection:
 

C:\WINDOWS\system32\dnsapi.dll
[2015-07-10 13:00] - [2015-07-10 13:00] - 0680256 ____A (Microsoft Corporation) 5BB42439197E4B3585EF0C4CC7411E4E

C:\WINDOWS\SysWOW64\dnsapi.dll
[2015-07-10 13:00] - [2015-07-10 13:00] - 0534064 ____A (Microsoft Corporation) 4F1AB9478DA2E252F36970BD4E2C643E


In that case the file needs to be replaced with a good copy. Use the Replace: command.

Note: The digital signatures check is not available in the Recovery Environment.


When a malware-made custom entry in the BCD is found you will see the following line:
 

TDL4: custom:26000022 <===== ATTENTION!


The entry in BCD might render a system unbootable if the bootkit malware was removed and the BCD entry left behind without attention. When the entry is included in the fixlist, the malware custom entry is removed from BCD and the default value is restored.
 
 
The safest way to boot to Safe Mode is to use the F8 key at boot. In some cases users use the "System Configuration Utility" to boot to Safe Mode. If Safe Mode is corrupted the computer gets locked: the system will not boot to normal mode because it is configured to boot to Safe Mode. In that case you will see:
 

safeboot: ==> The system is configured to boot to Safe Mode <===== ATTENTION!


To fix the issue include the above line in the fixlist. FRST will set the normal mode as the default mode and the system will come out of the loop.

Note: This applies to Vista and later Windows versions.


Association

Note: The "Association" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the section will appear on the Addition.txt. The scan in the Recovery Environment is limited to .exe file association.

Lists the machine-wide .exe file association like this:
 

HKLM\...\exefile\open\command: C:\Windows\svchost.com "%1" %* <===== ATTENTION


As with other registry entries you can just copy and paste the entries with the issue into the fixlist.txt and they will be restored. No need to do registry fixes.


Restore Points

Note: The "Restore Points" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the section will appear on the Addition.txt.

The restore points are listed.

Note: Only in Windows XP can the hives be restored using FRST. The restore points listed on Vista and above should be restored from RE (Recovery Environment) using Windows System Recovery Options.

To fix, include the line for the one you want to restore in the fixlist.txt script.

Example from an XP machine:
 

RP: -> 2010-10-26 19:51 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP83
RP: -> 2010-10-24 13:57 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP82
RP: -> 2010-10-21 20:02 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP81


To restore the hives from Restore Point 82 (dated 2010-10-24) the line is copied and pasted to the fixlist.txt like so:
 

RP: -> 2010-10-24 13:57 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP82

 

For a fix to restore from backup software (FRST saved Hives, ERUNT or CF) on Vista and above, refer to the Directive section of this tutorial.


Memory info

Note: The "Memory info" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the section will appear on the Addition.txt.

Tells you the amount of RAM (Random Access Memory) installed on the machine together with the available physical memory and percentage of free memory. Sometimes this can help explain a machine's symptoms. For example the number shown may not reflect the hardware position the user believes is present. RAM reported may appear lower than what is actually on the machine. This can happen when the machine cannot actually access all the RAM it has. Possibilities include faulty RAM, a motherboard slot problem or something preventing the BIOS from recognising it (e.g. the BIOS may need to be upgraded). Also, for 32-bit systems with more than 4GB of RAM installed, the maximum amount reported will only be 4GB. This is a limitation of 32-bit applications.

Processor information, virtual memory and virtual memory available are also listed.


Drives and MBR & Partition Table

Note: The "Drives" and "MBR & Partition Table" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the sections will appear on the Addition.txt.

Enumerates the primary and extended partitions on the machine, their size, and how much free space there is. Removable drives attached to the machine at the time of the scan are included.

The MBR (Master Boot Record) code is listed.

You may see:
 

"ATTENTION: Malware custom entry on BCD on drive "Somedrive": detected." Check for MBR/Partition infection".


As with other complex infections, expert help is recommended to find the correct solution. A wrong move here will render the user's computer unbootable.

In some cases there will be other malware infection labels earlier in the FRST log which will point to a solution. In other cases, a fix may be necessary with a command using the RE (Recovery Environment). See the Directives section in this tutorial.

Where there is an indication of something wrong with the MBR, an MBR check may be appropriate. To do this an MBR dump needs to be obtained. This is how:

Run the following fix with FRST in any mode:
 

SaveMbr: drive=0 (or appropriate drive number)


By doing this, MBRDUMP.txt will be saved where FRST/FRST64 has been downloaded to.

Note: While an MBR dump can be obtained either in Normal mode or RE, some MBR infections are able to forge the MBR while Windows is being loaded. Accordingly it is recommended to do it in RE.


LastRegBack

FRST looks into the system and lists the last registry backup made by the system. The registry backup contains a backup of all the hives. It is different from the LKGC (Last Known Good Configuration) backup of the control set.

There are a number of reasons why you might want to use this backup as a solution to a problem but a common one is where loss or corruption has occurred.

You might see this in the FRST header:
 

"Attention: Could not load system hive"


To fix, just include the line in the fixlist like this:
 

LastRegBack: >>date<< >>time<<


Example:
 

LastRegBack: 2013-07-02 15:09


Additional scan (Addition.txt)

 

 

The Additional scan is generated the first time FRST is run. On subsequent scans it is not carried out unless it is specifically requested in an optional scan (see box in Console). It lists the following:


Header

The Additional scan header contains a brief summary of useful information.

Here is an example header:
 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:06-09-2015 01
Ran by Someperson (2015-09-07 11:05:41)
Running from C:\Users\Someperson\Desktop
Windows 10 Pro (X64) (2015-08-30 03:01:13)
Boot Mode: Normal

 
First line: tells whether the FRST 32-bit or 64-bit variant has been run. The version identifier of FRST is also shown.
Second line: shows which user ran the tool together with the date and time.
Third line: tells you where FRST was run from.
Fourth line: records the version of Windows and the installation date.
Fifth line: tells you what mode the scan was run under.


Accounts

Lists standard accounts on the system in the following format: Account Name (account SID -> Privileges - Enabled/Disabled) => Profile path

Example:
 

Administrator (S-1-5-21-12236832-921050215-1751123909-500 - Administrator - Enabled) => C:\Users\Administrator
Someperson (S-1-5-21-12236832-921050215-1751123909-1001 - Administrator - Enabled) => C:\Users\Someperson
Guest (S-1-5-21-12236832-921050215-1751123909-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-12236832-921050215-1751123909-1003 - Limited - Enabled)

 

Security Center

You might find that the list contains leftovers of a previously uninstalled security program. In that case the line can be included in the fixlist.txt to be removed.
There are some security programs (like Spybot S&D) that prevent removal of the entry if they are not fully uninstalled. In that case, instead of a confirmation of removal in the Fixlog you will see:
 

Security Center Entry => The item is protected. Make sure the software is uninstalled and its services is removed.

 

Installed Programs

Lists all installed programs.

- FRST has a built-in database for flagging a number of adware/PUP programs.

Example:
 

DictionaryBoss Firefox Toolbar (HKLM\...\DictionaryBossbar Uninstall Firefox) (Version:  - Mindspark Interactive Network) <==== ATTENTION
Zip Opener Packages (HKU\S-1-5-21-3240431825-2694390405-104744025-1000\...\Zip Opener Packages) (Version:  - ) <==== ATTENTION

 
It is strongly recommended to uninstall the flagged program before running an automated tool to remove adware programs. The uninstaller of the adware program removes the majority of its entries and reverses the configuration changes.

- In cases where programs are installed but not shown in the user's installed programs list, FRST will list them and append a label like this:
 

Google Update Helper (x32 Version: 1.3.22.3 - Google Inc.) Hidden

 
These programs are not necessarily bad... just hidden. They have a value in the registry called "SystemComponent" with a REG_DWORD set to 1. Those programs are not visible in Add/Remove Programs (XP) or Programs and Features (Vista and above) and the user can't uninstall them from there. FRST can remove "SystemComponent" and make the program visible to the user.

If the entry from Addition.txt log is included in the fixlist.txt you will get:
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adwarestuff \\SystemComponent => Value deleted successfully.

 
Note: This fix only makes the program visible, it doesn't uninstall the program. The program should be uninstalled by the user.

As stated above not every hidden program is bad. There are a lot of legitimate programs (including MS programs) that are hidden for good reasons.


Custom CLSID

Lists custom CLSID entries created in the user hive.

Example:
 

CustomCLSID: HKU\S-1-5-21-1659004503-1801674531-839522115-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?

 
To fix malicious entries just add them to the fixlist.txt and FRST will remove them.

Note: Legitimate third party software can create a custom CLSID so care should be exercised as legitimate ones should not be removed.


Scheduled Tasks

Scheduled Tasks not whitelisted are shown. When an entry is included in a fixlist.txt the task itself is fixed.

Example:
 

fixlist content:
*****************
Task: {41724A9A-4D5B-4BA0-BB3B-5E8527B95BDF} - System32\Tasks\FocusPick => c:\programdata\{21428fd3-d588-925d-2142-28fd3d583f4f}\708853146668916958b.exe [2014-07-05] () <==== ATTENTION
Task: C:\windows\Tasks\FocusPick.job => c:\programdata\{21428fd3-d588-925d-2142-28fd3d583f4f}\708853146668916958b.exe <==== ATTENTION
*****************

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{41724A9A-4D5B-4BA0-BB3B-5E8527B95BDF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{41724A9A-4D5B-4BA0-BB3B-5E8527B95BDF}" => key removed successfully
C:\Windows\System32\Tasks\FocusPick => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FocusPick" => key removed successfully
C:\windows\Tasks\FocusPick.job => moved successfully.

 
Please note that FRST only removes the registry entries and moves the task file; it does not move the executable. If the executable is bad it should be added in a separate line to the fixlist.txt to be moved.

 

Note that malware can use a legitimate executable (e.g. using sc.exe to run its own services) to run its own file. In other words you need to check the executable to ascertain if it is legitimate or not before taking action.
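As an added example (my own code, not part of the tutorial or of FRST), the following Python parses the Task: lines shown above, collects the distinct executables behind the flagged tasks so they can be checked for legitimacy as the note just above asks, and then builds a fixlist from the task lines plus one separate line per executable the helper has confirmed as bad, which is the step the tutorial says the Task: fix alone does not perform. The sample lines are copied from this section's example; the function names are my choice.

```python
import re

# Task: {GUID} - System32\Tasks\Name => target [date] (Company) <==== ATTENTION
# Task: C:\windows\Tasks\Name.job => target <==== ATTENTION
TASK_RE = re.compile(
    r"^Task: (?P<task>.+?) => (?P<target>.+?)"
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?P<attention> <==== ATTENTION)?$"
)

def parse_task_line(line):
    """Split one Task: line into task, target executable and flags, or return None."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    return {
        "raw": line.strip(),
        "task": m.group("task"),
        "target": m.group("target"),
        "date": m.group("date"),
        "company": m.group("company"),   # "" for the empty "()" FRST prints
        "flagged": m.group("attention") is not None,
    }

def flagged_targets(lines):
    """Distinct executables behind the flagged tasks, for the analyst to check:
    a task may launch a legitimate program (the tutorial's sc.exe example), so
    the target is not moved blindly. Paths are de-duplicated case-insensitively."""
    seen = {}
    for line in lines:
        t = parse_task_line(line)
        if t and t["flagged"]:
            seen.setdefault(t["target"].lower(), t["target"])
    return list(seen.values())

def build_task_fix(lines, targets_to_move):
    """Flagged Task: lines as pasted from Addition.txt, followed by each
    confirmed-bad executable on its own line."""
    fix = [t["raw"] for t in map(parse_task_line, lines) if t and t["flagged"]]
    fix.extend(targets_to_move)
    return fix

if __name__ == "__main__":
    # Constructed sample copied from the tutorial's example.
    target = r"c:\programdata\{21428fd3-d588-925d-2142-28fd3d583f4f}\708853146668916958b.exe"
    sample = [
        r"Task: {41724A9A-4D5B-4BA0-BB3B-5E8527B95BDF} - System32\Tasks\FocusPick => " + target + " [2014-07-05] () <==== ATTENTION",
        r"Task: C:\windows\Tasks\FocusPick.job => " + target + " <==== ATTENTION",
    ]
    to_check = flagged_targets(sample)
    print("check these executables first:", to_check)
    # After the check, the confirmed-bad targets become the extra fixlist lines.
    print("\n".join(build_task_fix(sample, to_check)))
```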


Shortcuts

Lists hijacked or suspicious shortcuts in the logged in user's path and in the root directories of C:\ProgramData\Microsoft\Windows\Start Menu\Programs and C:\Users\Public\Desktop.

Entries can be included in fixlist.txt for fixing - see Shortcut.txt in Other optional scans below.

Note: A Shortcut.txt scan contains all the shortcuts from all the users but the report in Addition.txt contains only hijacked/suspect shortcuts in the logged in user profile.

 

In case of WMI malware that hijacks shortcuts, you will see a warning like this:

 

WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION

 

To remove the malicious script include the above line in the fixlist.txt.

 
Loaded Modules

Loaded Modules are whitelisted based on the presence of a company name; that is, items without a company name are shown. Keep this in mind because there could be a case of a bad module with a company name not showing in this scan.


Alternate Data Streams

FRST lists ADS like so:
 

==================== Alternate Data Streams (whitelisted) ==========

AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe [134]
AlternateDataStreams: C:\malware:malware.exe [134]

 
The size of the ADS (number of bytes contained) is shown in brackets at the end of the path.

If the ADS is on a legitimate file/folder, the fix is to copy and paste the whole line from the log into the fixlist.

Example:
 

AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe [134]

 
If it is on a bad file/folder, the fix is:
 

C:\malware

 
In the first case FRST only removes the ADS from the file/folder.

In the latter case the file/folder will be removed.


Safe Mode

The default entries are whitelisted. So if the section is empty, there is no custom entry on the system.
If any of the main keys (SafeBoot, SafeBoot\Minimal and SafeBoot\Network) are missing, it will be reported. In that case it should be repaired manually.
If there is a malware made entry, it could be included in the fixlist.txt for removal.


Association - Refer to Association earlier in the tutorial

Lists .bat, .cmd, .com, .exe, .reg and .scr file associations. The default entries are whitelisted so unless there are modified or additional entries nothing will show in the report.
When any default modified entry is included in the fixlist.txt, the default entry will be restored. Any user key, if included in the fixlist.txt, will be deleted.


Internet Explorer trusted/restricted

Lists Internet Explorer trusted and restricted sites. See Security zones: adding or removing websites
If an entry is included in the fixlist, the associated entry will be removed from the registry.


Hosts content - Refer to Hosts earlier in the tutorial

Supplies more details related to the Hosts file: the Hosts file properties and the first 30 active entries. Inactive entries (commented out) are hidden.

Example:
 

2009-07-14 04:34 - 2016-04-13 15:39 - 00001626 ____A C:\Windows\system32\Drivers\etc\hosts

107.178.255.88 www.google-analytics.com
107.178.255.88 www.statcounter.com
107.178.255.88 statcounter.com
107.178.255.88 ssl.google-analytics.com
107.178.255.88 partner.googleadservices.com
107.178.255.88 google-analytics.com
107.178.248.130 static.doubleclick.net
107.178.247.130 connect.facebook.net
107.178.255.88 www.google-analytics.com
107.178.255.88 www.statcounter.com
107.178.255.88 statcounter.com
107.178.255.88 ssl.google-analytics.com
107.178.255.88 partner.googleadservices.com
107.178.255.88 google-analytics.com
107.178.248.130 static.doubleclick.net
107.178.247.130 connect.facebook.net


The lines can't be processed individually. To reset the file, use the Hosts: directive or include the Hosts warning line from main FRST.txt.
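As an added example (my own code, not part of the tutorial or of FRST), the following Python reads Hosts file content the way this section describes, keeping only active entries and skipping commented-out lines, then separates entries that merely block a name (loopback or unspecified address) from entries that redirect a name to a routable address, which is the pattern the listing above shows. It also groups hostnames by target address, since a long list of well-known domains pointed at one address stands out. The sample is constructed, using two of the addresses from the listing above; the function names are my choice.

```python
import ipaddress

def parse_hosts(text):
    """Return (ip, hostname) pairs for the active lines of a Hosts file.
    Comments (#) and blank lines are inactive, as in FRST's report."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name) for name in names)
    return entries

def is_local_target(ip):
    """Loopback or unspecified addresses merely block a name; anything else redirects it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def redirected(entries):
    """Entries that send a hostname to a routable address: the pattern of a hijacked Hosts file."""
    return [(ip, name) for ip, name in entries if not is_local_target(ip)]

def by_target(entries):
    """Group hostnames by target address; many names under one address stands out."""
    groups = {}
    for ip, name in entries:
        groups.setdefault(ip, []).append(name)
    return groups

# Constructed sample: the comment line is inactive and would not appear in the report.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.test
107.178.255.88 www.google-analytics.com
107.178.255.88 statcounter.com
107.178.248.130 static.doubleclick.net
"""

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(len(entries), "active entries")
    for ip, name in redirected(entries):
        print("redirected:", name, "->", ip)
    for ip, names in by_target(entries).items():
        print(ip, len(names), "name(s)")
```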


Other Areas

There are some items FRST scans that are not covered under other headings. Currently under this heading FRST reports Wallpaper paths, DNS servers, UAC (User Account Control) settings and Windows Firewall state. FRST only lists the entries. There is no automatic fix at the moment.

Wallpaper - Various crypto-malware variants use the setting to display a ransom screen.

Example:
 

Normal path might look like this:
HKU\S-1-5-21-2507207478-166344414-3466567977-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

Bad path and file might look like this:
HKU\S-1-5-21-746137067-261478967-682003330-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Someperson\My Documents\!Decrypt-All-Files-scqwxua.bmp

 
In case of malware entries, the file path can be included in the fix together with any related files found in FRST.txt.

Note: Removing the malware wallpaper file will remove the Desktop background.

The user should set the Desktop background.

In Windows XP:
To set the Desktop background, right-click on any place on the Desktop and select Properties, select Desktop tab, select a picture, click "Apply" and "OK".

In Windows Vista and above:
To set the Desktop background, right-click on any place on the Desktop and select Personalize, select Desktop Background, select one of the pictures and click "Save Changes".

DNS servers - This is useful to detect DNS/Router hijacking.

Example:
 

DNS Servers: 213.46.228.196 - 62.179.104.196

 
Note: The server list is not read from the registry, so the system should be connected to the internet.

Where FRST is run in Safe Mode or the system is not connected to the internet you will get:
 

DNS Servers: "Media is not connected to internet."

 
Search the address on WhoisLookup for information about whether the server is legitimate or not.

UAC settings

Example:
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

 
The above example shows the default settings.
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)

 
The above example shows the settings disabled. This can be because the user set them that way or as a side effect of malware activity. Unless it is clear that there is a malware cause, reference to the user should be made before a fix is attempted.
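As an added example (my own code, not part of the tutorial or of FRST), the following Python parses the UAC settings line and reports each value that differs from the defaults the tutorial shows (ConsentPromptBehaviorAdmin 5, ConsentPromptBehaviorUser 3, EnableLUA 1), so that the "user set it this way or malware side effect" question can be put to the user with the exact deviations in hand. The two sample lines are copied from the examples above; the function names are my choice.

```python
import re

# Default values as the tutorial's first example shows them.
UAC_DEFAULTS = {"ConsentPromptBehaviorAdmin": 5, "ConsentPromptBehaviorUser": 3, "EnableLUA": 1}

def parse_uac_line(line):
    """Turn the UAC settings line from Other Areas into {name: value}, or None."""
    if "Policies\\System =>" not in line:
        return None
    return {k: int(v) for k, v in re.findall(r"\((\w+): (\d+)\)", line)}

def uac_deviations(settings):
    """Values that differ from the defaults, as {name: (found, default)}."""
    return {k: (v, UAC_DEFAULTS[k]) for k, v in settings.items()
            if k in UAC_DEFAULTS and v != UAC_DEFAULTS[k]}

def uac_disabled(settings):
    """EnableLUA 0 means User Account Control is switched off entirely."""
    return settings.get("EnableLUA") == 0

if __name__ == "__main__":
    # Constructed sample lines copied from the tutorial's two examples.
    for line in [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)",
    ]:
        s = parse_uac_line(line)
        print("UAC disabled:", uac_disabled(s), "| deviations:", uac_deviations(s))
```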

Windows Firewall

Example:
 

Windows Firewall is enabled.

 
Whether Windows Firewall is enabled or disabled is also reported. When FRST is run in Safe Mode, or where there is something wrong with the system, there will be no entry about the Firewall.


MSCONFIG/TASK MANAGER disabled items

The log is useful where a user has used MSCONFIG or TASK MANAGER to disable malware entries instead of removing them, or has disabled too much and can't get some needed services or applications to run properly.

Example:

MSCONFIG in Windows 7 and older systems:

MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\startupfolder: C:^Users^baman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HijackThis.exe => C:\Windows\pss\HijackThis.exe.Startup
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"


They read as follows:

Disabled Services:

MSCONFIG\Services: ServiceName => Original start type

Disabled items in Startup folder:

MSCONFIG\startupfolder: Original Path (Windows replaces "\" with "^") => Path to backup made by Windows.

Disabled Run entries:

MSCONFIG\startupreg: ValueName => Path to the file.

TASK MANAGER in Windows 8 and Windows 10:

HKLM\...\StartupApproved\StartupFolder: => "MobileGo Service.lnk"
HKLM\...\StartupApproved\Run: => "ShadowPlay"
HKLM\...\StartupApproved\Run32: => "Aeria Ignite"
HKU\S-1-5-21-3907122352-1245817153-3586606959-1001\...\StartupApproved\Run: => "join.me.launcher"

Note: Windows 8 and newer use msconfig only for Services. Startup items are moved to the Task Manager, which stores disabled items in different keys. A disabled item whose file is still present is listed twice: in FRST.txt (Registry section) and in Addition.txt.

Currently FRST only lists those entries. There is no fix at the moment. The legitimate entries can be enabled again by the user. In the case of malware entries disabled via msconfig, the file(s) can be removed first. Then the user can be instructed to enable the items so that they appear in the main log to be removed.
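As an added example (not part of the tutorial and not code from FRST), the following Python parses both line styles shown above into structured records: it undoes the "^" substitution in startupfolder paths, maps the "Original start type" number to its service start-type name, and splits the Windows 8/10 StartupApproved lines into hive, location and item name. The sample lines are constructed from the example above.

```python
import re

# Constructed sample in the formats FRST uses for disabled items: the Windows 7
# MSCONFIG style first, then the Windows 8/10 Task Manager (StartupApproved) style.
SAMPLE_DISABLED = r"""
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gusvc => 3
MSCONFIG\startupfolder: C:^Users^baman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HijackThis.exe => C:\Windows\pss\HijackThis.exe.Startup
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
HKLM\...\StartupApproved\Run: => "ShadowPlay"
HKU\S-1-5-21-3907122352-1245817153-3586606959-1001\...\StartupApproved\Run: => "join.me.launcher"
"""

# Service start types as stored in the registry (the "Original start type" number).
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

STARTUP_APPROVED_RE = re.compile(
    r'^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\StartupApproved\\(?P<location>\w+): => "(?P<name>.+)"$')


def parse_disabled_line(line):
    """Parse one disabled-item line into a dict; return None for any other line."""
    if line.startswith("MSCONFIG\\Services: "):
        name, start = line[len("MSCONFIG\\Services: "):].split(" => ")
        return {"kind": "service", "name": name,
                "original_start": START_TYPES.get(int(start), start)}
    if line.startswith("MSCONFIG\\startupfolder: "):
        original, backup = line[len("MSCONFIG\\startupfolder: "):].split(" => ")
        # Windows writes the original path with every "\" replaced by "^"; undo that.
        return {"kind": "startupfolder", "original_path": original.replace("^", "\\"),
                "backup_path": backup}
    if line.startswith("MSCONFIG\\startupreg: "):
        value_name, command = line[len("MSCONFIG\\startupreg: "):].split(" => ", 1)
        return {"kind": "startupreg", "name": value_name, "command": command}
    match = STARTUP_APPROVED_RE.match(line)
    if match:
        item = match.groupdict()
        item["kind"] = "startupapproved"
        return item
    return None


def parse_disabled_items(text):
    """Return a list of parsed items for every recognised line in the text."""
    items = []
    for raw in text.splitlines():
        item = parse_disabled_line(raw.strip())
        if item:
            items.append(item)
    return items


def summarize(items):
    """Count the disabled items per kind, which is what a helper wants at a glance."""
    counts = {}
    for item in items:
        counts[item["kind"]] = counts.get(item["kind"], 0) + 1
    return counts
```

Decoding the original path is what lets a helper see which Startup folder the disabled file came from, and the start-type name says what the service would do again once the user re-enables it.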


FirewallRules

Lists FirewallRules, AuthorizedApplications and GloballyOpenPorts.

Example log (Win 7):

FirewallRules: [TCP Query User{7A1425F8-1CBB-4EC5-82B7-EB6A3F8DF412}C:\program files (x86)\filezilla ftp client\filezilla.exe] => (Block) C:\program files (x86)\filezilla ftp client\filezilla.exe
FirewallRules: [UDP Query User{8F78B075-D269-4D1A-A66B-36B59452534F}C:\program files (x86)\filezilla ftp client\filezilla.exe] => (Block) C:\program files (x86)\filezilla ftp client\filezilla.exe
FirewallRules: [{774ED1BC-0943-4C22-9944-17DDD44BF63F}] => (Allow) C:\Program Files (x86)\IDA 6.5\idaq.exe
FirewallRules: [{BDAB5E99-C0A4-429D-A82E-BBB44AEEBDC8}] => (Allow) C:\Program Files (x86)\IDA 6.5\idaq.exe
FirewallRules: [{4911A41A-D828-46D0-BF3E-6911F35726FA}] => (Allow) C:\Program Files (x86)\IDA 6.5\idaq64.exe
FirewallRules: [{7D5257BD-77C2-4796-B6D6-06990F618D7F}] => (Allow) C:\Program Files (x86)\IDA 6.5\idaq64.exe
FirewallRules: [{F274BD97-4899-44A9-82A6-90DC9A6E88D6}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{A3A02655-8020-47B6-9781-7175D035BFD6}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Example log (XP):

StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Farbar\Application Data\Dropbox\bin\Dropbox.exe] => Enabled:Dropbox
StandardProfile\GloballyOpenPorts: [2900:TCP] => Enabled:ztdtqhnh

If an entry is included in the fixlist, it will be removed from the registry. The file it refers to will not be moved.
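As an added example (not part of the tutorial and not code from FRST), the following Python parses both the Windows 7 FirewallRules lines and the XP AuthorizedApplications / GloballyOpenPorts lines and lists the entries a helper would want to look at: allow rules for programs outside Program Files and Windows, and globally opened ports. The sample reuses lines from the logs above plus one constructed allow rule for a file under a user's Temp folder; the GUID in that line is a placeholder.

```python
import re

# Constructed sample: lines from the Win 7 / XP logs above plus one invented
# "Allow" rule for a file under a user Temp folder (placeholder GUID).
SAMPLE_FIREWALL = r"""
FirewallRules: [TCP Query User{7A1425F8-1CBB-4EC5-82B7-EB6A3F8DF412}C:\program files (x86)\filezilla ftp client\filezilla.exe] => (Block) C:\program files (x86)\filezilla ftp client\filezilla.exe
FirewallRules: [{774ED1BC-0943-4C22-9944-17DDD44BF63F}] => (Allow) C:\Program Files (x86)\IDA 6.5\idaq.exe
FirewallRules: [{F274BD97-4899-44A9-82A6-90DC9A6E88D6}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{00000000-0000-0000-0000-000000000001}] => (Allow) C:\Users\User\AppData\Local\Temp\updater.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Farbar\Application Data\Dropbox\bin\Dropbox.exe] => Enabled:Dropbox
StandardProfile\GloballyOpenPorts: [2900:TCP] => Enabled:ztdtqhnh
"""

RULE_RE = re.compile(r"^FirewallRules: \[(?P<name>.+)\] => \((?P<action>Allow|Block)\) (?P<path>.+)$")
XP_APP_RE = re.compile(r"^(?P<profile>\w+)\\AuthorizedApplications: \[(?P<path>.+)\] => (?P<state>\w+):(?P<name>.*)$")
XP_PORT_RE = re.compile(r"^(?P<profile>\w+)\\GloballyOpenPorts: \[(?P<port>\d+):(?P<proto>TCP|UDP)\] => (?P<state>\w+):(?P<name>.*)$")

# Locations where an allowed program is normally expected to live; anything
# else (user profile, Temp, ProgramData, removable media) deserves a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_firewall_line(line):
    """Return a dict describing one FirewallRules / XP firewall line, or None."""
    for kind, pattern in (("rule", RULE_RE), ("xp_app", XP_APP_RE), ("xp_port", XP_PORT_RE)):
        match = pattern.match(line)
        if match:
            entry = match.groupdict()
            entry["kind"] = kind
            return entry
    return None


def review_firewall(text):
    """Return (line, reason) pairs for entries a helper should look at more closely.

    Nothing here is a verdict: a Dropbox rule under the user's profile is
    legitimate, but it sits where malware also puts itself, so it is listed.
    """
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        entry = parse_firewall_line(line)
        if entry is None:
            continue
        if entry["kind"] == "xp_port":
            flagged.append((line, f"globally open port {entry['port']}/{entry['proto']} ({entry['name']})"))
            continue
        allowed = entry["kind"] == "xp_app" or entry["action"] == "Allow"
        if allowed and not entry["path"].lower().startswith(TRUSTED_ROOTS):
            flagged.append((line, "allow rule for a program outside Program Files / Windows"))
    return flagged
```

Because an entry copied into the fixlist is removed from the registry as-is, the flagged lines can be pasted unchanged once the helper has decided which ones are unwanted.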


Restore Points - Refer to Restore Points earlier in the tutorial

Lists available Restore Points in the following format:

18-04-2016 14:39:58 Windows Update
18-04-2016 22:04:49 Restore Point Created by FRST

If System Restore is disabled, it is reported as:

ATTENTION: System Restore is disabled



Faulty Device Manager Devices


Event log errors:

- Application errors:
- System errors:
- CodeIntegrity:


Memory info - Refer to Memory info earlier in the tutorial


Drives


MBR & Partition Table - Refer to Drives and MBR & Partition Table earlier in the tutorial


  • 2

#6 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,667 posts)

Other optional scans



Optional Scans

By checking a box under Optional Scan FRST will scan the requested items.


List BCD

Boot Configuration Data is listed.


Drivers MD5

Will produce a list of drivers and their MD5 sums that will look like this:

C:\Windows\System32\drivers\ACPI.sys 3D30878A269D934100FA5F972E53AF39
C:\Windows\System32\Drivers\acpiex.sys AC8279D229398BCF05C3154ADCA86813
C:\Windows\System32\drivers\acpipagr.sys A8970D9BF23CD309E0403978A1B58F3F
C:\Windows\System32\drivers\acpitime.sys 5758387D68A20AE7D3245011B07E36E7
C:\Windows\system32\drivers\afd.sys 239268BAB58EAE9A3FF4E08334C00451

These can then be checked for validity.
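As an added example (not part of the tutorial and not code from FRST), the following Python parses a Drivers MD5 listing and compares each hash with a known-good baseline kept by the helper, so that only the drivers whose hash differs need a further look. The baseline is constructed: two hashes are copied from the listing above, and the afd.sys value is a deliberate placeholder to show a mismatch.

```python
# Constructed "known-good" baseline keyed by file name. The first two hashes are
# copied from the sample listing above; the afd.sys value is a placeholder so
# the example shows a mismatch.
BASELINE_MD5 = {
    "acpi.sys": "3D30878A269D934100FA5F972E53AF39",
    "acpiex.sys": "AC8279D229398BCF05C3154ADCA86813",
    "afd.sys": "0" * 32,  # placeholder, not a real hash
}

# Constructed sample of a "Drivers MD5" listing (paths as FRST writes them).
SAMPLE_DRIVERS = r"""
C:\Windows\System32\drivers\ACPI.sys 3D30878A269D934100FA5F972E53AF39
C:\Windows\System32\Drivers\acpiex.sys AC8279D229398BCF05C3154ADCA86813
C:\Windows\System32\drivers\acpipagr.sys A8970D9BF23CD309E0403978A1B58F3F
C:\Windows\system32\drivers\afd.sys 239268BAB58EAE9A3FF4E08334C00451
"""

HEX_DIGITS = set("0123456789ABCDEFabcdef")


def parse_drivers_md5(text):
    """Return {path: MD5} from the listing; the hash is the last space-separated token."""
    drivers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        path, _, md5 = line.rpartition(" ")
        if path and len(md5) == 32 and set(md5) <= HEX_DIGITS:
            drivers[path] = md5.upper()
    return drivers


def compare_to_baseline(drivers, baseline):
    """Classify each listed driver as 'match', 'mismatch' or 'unknown' by file name.

    'unknown' only means the baseline has no entry for that file; 'mismatch'
    is the case to look up the hash and examine the file further.
    """
    report = {}
    for path, md5 in drivers.items():
        file_name = path.rsplit("\\", 1)[-1].lower()
        expected = baseline.get(file_name)
        if expected is None:
            report[path] = "unknown"
        elif expected.upper() == md5:
            report[path] = "match"
        else:
            report[path] = "mismatch"
    return report


def mismatches(report):
    """Paths whose hash differs from the baseline: the short list worth attention."""
    return sorted(path for path, status in report.items() if status == "mismatch")
```

A baseline is only meaningful per Windows build and patch level, so keep one per build; a hash that is merely unknown is a reason to look the file up, not a sign that it is bad.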


Shortcut.txt

Lists all types of shortcuts from all standard accounts. Hijacked entries can be included in the fixlist.txt to be restored or removed.

Example:

Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\jIxmRfR\jIxmRfR\chrome.exe (The jIxmRfR Authors)
Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\jIxmRfR\jIxmRfR\chrome.exe (The jIxmRfR Authors)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\jIxmRfR\jIxmRfR\chrome.exe (The jIxmRfR Authors)

ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1461248741&a=1003478&src=sh&uuid=56568057-03d0-4fdb-a271-15ae6cc4d336"
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%

To fix the ShortcutWithArgument: lines, just copy and paste the lines into the fixlist.txt. But to remove the Shortcut: objects add the paths separately to the fix.

A full script would look like this:

ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1461248741&a=1003478&src=sh&uuid=56568057-03d0-4fdb-a271-15ae6cc4d336"
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
C:\Program Files (x86)\jIxmRfR
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

Note: FRST removes the argument from shortcuts, except for the Internet Explorer (No Add-ons).lnk shortcut. That shortcut's argument is not empty by default (the argument is -extoff) and is used to run Internet Explorer without add-ons. It is vital for troubleshooting IE issues, so this shortcut argument will be restored.

Also note that if you run another removal tool that removes the argument from Internet Explorer (No Add-ons).lnk, FRST will not list it under ShortcutWithArgument: and so the argument can't be restored with FRST any more. In that case the user can restore the argument manually.
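As an added example (not part of the tutorial and not code from FRST), the following Python builds the fix script described above from Shortcut.txt lines: every ShortcutWithArgument: line is copied verbatim, then the folder(s) the helper has judged malicious are listed, then the .lnk path of every Shortcut: whose target lives under one of those folders. The sample lines are constructed from the example above plus one legitimate Notepad shortcut to show that untouched shortcuts are left alone; which folders are bad remains the helper's decision and is passed in.

```python
import re

# Constructed sample Shortcut.txt lines, taken from the example above with one
# legitimate shortcut added so the filtering is visible.
SAMPLE_SHORTCUTS = r"""
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\jIxmRfR\jIxmRfR\chrome.exe (The jIxmRfR Authors)
Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\jIxmRfR\jIxmRfR\chrome.exe (The jIxmRfR Authors)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation)
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
"""

# The target may itself contain parentheses such as "(x86)"; the greedy target
# group backtracks to the final "(Company)" at the end of the line.
SHORTCUT_RE = re.compile(r"^Shortcut: (?P<lnk>.+?\.lnk) -> (?P<target>.+) \((?P<company>[^()]*)\)$")
SWA_RE = re.compile(r"^ShortcutWithArgument: (?P<lnk>.+?\.lnk) -> (?P<target>.+) \((?P<company>[^()]*)\) -> (?P<argument>.+)$")


def parse_shortcuts(text):
    """Return (plain, with_argument) lists of dicts from Shortcut.txt lines."""
    plain, with_argument = [], []
    for raw in text.splitlines():
        line = raw.strip()
        match = SWA_RE.match(line)
        if match:
            entry = match.groupdict()
            entry["line"] = line
            with_argument.append(entry)
            continue
        match = SHORTCUT_RE.match(line)
        if match:
            entry = match.groupdict()
            entry["line"] = line
            plain.append(entry)
    return plain, with_argument


def hijacked_targets(plain):
    """Distinct targets of plain shortcuts, for the helper to judge which are bad."""
    return sorted({entry["target"] for entry in plain})


def build_shortcut_fix(text, bad_roots):
    """Build fixlist.txt lines following the recipe above.

    bad_roots: folders the helper has judged malicious (here the jIxmRfR folder
    under Program Files (x86)). Nothing is decided automatically.
    """
    plain, with_argument = parse_shortcuts(text)
    roots = [root.rstrip("\\") for root in bad_roots]
    fix = [entry["line"] for entry in with_argument]  # restored or cleared by FRST
    fix.extend(roots)                                   # the hijacking folder itself
    for entry in plain:
        target = entry["target"].lower()
        if any(target.startswith(root.lower() + "\\") for root in roots):
            if entry["lnk"] not in fix:
                fix.append(entry["lnk"])                # the hijacked .lnk files
    return fix
```

hijacked_targets() is the step before the fix: it shows the distinct targets so the helper can pick the bad folder; build_shortcut_fix() then emits lines ready to paste into fixlist.txt.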


To restore the argument manually the user should navigate to Internet Explorer (No Add-ons).lnk:

Right-click and select Properties.
In the Target box add two spaces and then -extoff to the listed path.
Click Apply and OK.


90 Days Files

When the "90 Days Files" option is checked, FRST will list "Three Months Created/Modified Files and Folders" instead of "One Month Created/Modified Files and Folders".


Search features


Search Files

There is a Search Files button on the FRST Console. To search for files you can type or copy and paste the names you wish to search for into the Search box. Wildcards are allowed. If you need to search for more than one file the file names should be separated by a semicolon ;

So each of the following options would work:

afd.sys
afd.sys*
afd.sys;ndis.sys
afd.sys*;ndis.sys*

When the Search Files button is pressed the user is informed that the search has started, a progress bar appears, then a message pops up indicating that the search is completed. A Search.txt log is saved in the same location as FRST.

The found files are listed along with creation date, modification date, size, attributes, company name, MD5 and digital signature in the following format:

C:\Windows\WinSxS\x86_microsoft-windows-ndis-minwin_31bf3856ad364e35_10.0.10586.212_none_6a600c6ece9d9f09\ndis.sys
[2016-04-13 06:24][2016-03-29 11:21] 0922456 ____A (Microsoft Corporation) 37256414284A0A85A3DDD3FB2A39874B [File is digitally signed]

C:\Windows\WinSxS\x86_microsoft-windows-ndis-minwin_31bf3856ad364e35_10.0.10586.0_none_89bc7b0a1a05cdb8\ndis.sys
[2015-10-30 07:44][2015-10-30 07:44] 0922464 ____A (Microsoft Corporation) 471CF5F6D7C5FDC912F52DF52C8C1E71 [File is digitally signed]

C:\Windows\System32\drivers\ndis.sys
[2016-04-13 06:24][2016-03-29 11:21] 0922456 ____A (Microsoft Corporation) 37256414284A0A85A3DDD3FB2A39874B [File is digitally signed]

Note: The digital signature check is not available in the Recovery Environment.

The Search Files option is limited to the system drive. There are cases where a legitimate system file is missing or corrupted, causing boot issues, and there is no replacement on the system. When the Search Files option is used in Recovery Mode (Vista and above) the search includes the files in X: too (the virtual boot drive). In some cases it can be a life saver. An example is a missing services.exe that could be copied from X:\Windows\System32 to C:\Windows\System32.

Note: The X: partition will only contain 64-bit executables for 64-bit systems.
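As an added example (not part of the tutorial and not code from FRST), the following Python parses the two-line Search.txt entries shown above and answers the question a helper asks when a system file is suspect: is the live copy signed, and is there another copy on the system (typically in WinSxS) with the same hash that could serve as a replacement? The sample is the ndis.sys listing above.

```python
import re

# Constructed Search.txt sample: the three ndis.sys entries from the example
# above (an up-to-date WinSxS copy, an older one, and the live driver).
SAMPLE_SEARCH = r"""
C:\Windows\WinSxS\x86_microsoft-windows-ndis-minwin_31bf3856ad364e35_10.0.10586.212_none_6a600c6ece9d9f09\ndis.sys
[2016-04-13 06:24][2016-03-29 11:21] 0922456 ____A (Microsoft Corporation) 37256414284A0A85A3DDD3FB2A39874B [File is digitally signed]

C:\Windows\WinSxS\x86_microsoft-windows-ndis-minwin_31bf3856ad364e35_10.0.10586.0_none_89bc7b0a1a05cdb8\ndis.sys
[2015-10-30 07:44][2015-10-30 07:44] 0922464 ____A (Microsoft Corporation) 471CF5F6D7C5FDC912F52DF52C8C1E71 [File is digitally signed]

C:\Windows\System32\drivers\ndis.sys
[2016-04-13 06:24][2016-03-29 11:21] 0922456 ____A (Microsoft Corporation) 37256414284A0A85A3DDD3FB2A39874B [File is digitally signed]
"""

# [created][modified] size attributes (company) MD5 [signature]
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) (?P<attr>\S+) "
    r"\((?P<company>[^()]*)\) (?P<md5>[0-9A-Fa-f]{32}) \[(?P<signature>[^\]]+)\]$")

SIGNED_TEXT = "File is digitally signed"


def parse_search_txt(text):
    """Pair each path line with the detail line that follows it."""
    entries = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = DETAIL_RE.match(line)
        if match and pending_path:
            entry = match.groupdict()
            entry["path"] = pending_path
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
            pending_path = None
        else:
            pending_path = line
    return entries


def check_live_copy(entries, live_path):
    """Compare the live file with the other copies found.

    Returns whether the live file is present and signed, and the paths of
    copies whose MD5 equals the live one, so a helper can see at once whether
    a same-hash replacement exists on the system.
    """
    live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
    if live is None:
        return {"present": False, "signed": False, "same_hash_copies": []}
    same = [e["path"] for e in entries if e is not live and e["md5"] == live["md5"]]
    return {"present": True,
            "signed": live["signature"] == SIGNED_TEXT,
            "same_hash_copies": same}
```

In the Recovery Environment the signature field cannot be relied on, as the note above says, so the "signed" flag is only meaningful for a Search.txt produced in Normal or Safe Mode.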


Search Registry

There is a Search Registry button on the FRST Console. You can type or copy and paste the name(s) of the item(s) you wish to search for into the Search box. If you wish to search for more than one item, the names should be separated by a semicolon ;

An individual search would look like this:

websearch

A search for multiple items would look like this:

websearch;dealply;searchprotect

Contrary to a file search, when carrying out a registry search, adding wildcards to the search terms should be avoided because the wildcard characters would be interpreted literally. Where a wildcard ("*" or "?") is added to the start or end of a registry search term, FRST will ignore it and search for the term without the character.

A SearchReg.txt log is saved in the same location as FRST.

Note: The Registry search function will only work outside RE.


  • 3

#7 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,667 posts)

Directives/Commands


Each command/directive in FRST must be on a single line, because FRST processes the script line by line.



Quick reference of Directives/Commands

Note: Directives/Commands are not case sensitive.


For use only in Normal Mode:

CreateRestorePoint:

For use only in Normal Mode and Safe Mode:

CloseProcesses:
DeleteKey:
EmptyTemp:
Powershell:
Reboot:
RemoveProxy:
StartPowershell: — EndPowershell:
VerifySignature:
Zip:

For use in Normal Mode, Safe Mode and in the Recovery Environment (RE):

cmd:
DeleteJunctionsInDirectory:
DeleteQuarantine:
DisableService:
File: and Folder:
FindFolder:
Hosts:
ListPermissions:
Move:
nointegritychecks on:
Reg:
RemoveDirectory:
Replace:
RestoreQuarantine:
SaveMbr:
SetDefaultFilePermissions:
StartBatch: — EndBatch:
StartRegedit: — EndRegedit:
testsigning on:
Unlock:


For use only in the Recovery Environment (RE):

LastRegBack:
RestoreErunt:
Restore From Backup:
RestoreMbr:
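As an added example (not part of the tutorial and not code from FRST), the following Python checks a fixlist.txt against the quick reference above before it is given to a user: it reports directives that are not available in the mode the fix will be run in (Normal, Safe or RE), treats the regedit-style "[-Key]" line as the DeleteKey: it is, and checks that Start...:/End...: blocks are balanced. The availability table is transcribed from the list above; the sample fixlist is constructed.

```python
# Availability table transcribed from the quick reference above (keywords
# lower-cased, because FRST directives are not case sensitive).
NORMAL_ONLY = {"createrestorepoint:"}
NORMAL_AND_SAFE = {
    "closeprocesses:", "deletekey:", "emptytemp:", "powershell:", "reboot:",
    "removeproxy:", "startpowershell:", "endpowershell:", "verifysignature:", "zip:",
}
ALL_MODES = {
    "cmd:", "deletejunctionsindirectory:", "deletequarantine:", "disableservice:",
    "file:", "folder:", "findfolder:", "hosts:", "listpermissions:", "move:",
    "nointegritychecks on:", "reg:", "removedirectory:", "replace:",
    "restorequarantine:", "savembr:", "setdefaultfilepermissions:",
    "startbatch:", "endbatch:", "startregedit:", "endregedit:",
    "testsigning on:", "unlock:",
}
RE_ONLY = {"lastregback:", "restoreerunt:", "restore from backup:", "restorembr:"}

MODES = {
    "normal": NORMAL_ONLY | NORMAL_AND_SAFE | ALL_MODES,
    "safe": NORMAL_AND_SAFE | ALL_MODES,
    "re": ALL_MODES | RE_ONLY,
}
# Longest keyword first so a shorter keyword never shadows a longer one.
ALL_DIRECTIVES = sorted(NORMAL_ONLY | NORMAL_AND_SAFE | ALL_MODES | RE_ONLY, key=len, reverse=True)

BLOCK_PAIRS = (("startbatch:", "endbatch:"),
               ("startpowershell:", "endpowershell:"),
               ("startregedit:", "endregedit:"))


def directive_of(line):
    """Return the directive keyword a fixlist line starts with, or None.

    Lines that are not directives (paths, registry lines copied from the log,
    the body of a Start...:/End...: block) return None. The regedit-style
    "[-Key]" line is a DeleteKey: in disguise and is reported as such.
    """
    low = line.strip().lower()
    if low.startswith("[-"):
        return "deletekey:"
    for keyword in ALL_DIRECTIVES:
        if low == keyword or low.startswith(keyword + " "):
            return keyword
    return None


def lint_fixlist(text, mode):
    """Return (line_number, message) warnings for running this fixlist in `mode`.

    mode is one of "normal", "safe" or "re". Line number 0 marks a warning
    about the script as a whole.
    """
    allowed = MODES[mode]
    lines = text.splitlines()
    warnings = []
    for number, line in enumerate(lines, 1):
        keyword = directive_of(line)
        if keyword is not None and keyword not in allowed:
            warnings.append((number, f"{keyword} is not available in {mode} mode"))
    for start, end in BLOCK_PAIRS:
        opened = sum(1 for l in lines if directive_of(l) == start)
        closed = sum(1 for l in lines if directive_of(l) == end)
        if opened != closed:
            warnings.append((0, f"{start} and {end} are not balanced ({opened} vs {closed})"))
    return warnings


# Constructed sample fixlist that mixes directives from several groups.
SAMPLE_FIXLIST = "\n".join([
    "CreateRestorePoint:",
    "CloseProcesses:",
    r"DeleteKey: HKLM\Software\Google",
    r"C:\Users\Public\Desktop\Google Chrome.lnk",
    "StartRegedit:",
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]",
    '"Start"=dword:00000002',
    "EndRegedit:",
    "EmptyTemp:",
    "Reboot:",
])
```

Run against the sample, the linter passes the fix for Normal Mode, objects only to CreateRestorePoint: for Safe Mode, and for the Recovery Environment also rejects CloseProcesses:, DeleteKey:, EmptyTemp: and Reboot:, matching the groups above.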



Examples of use


CloseProcesses:

Closes all the non-essential processes. Helps to make fixing more effective and faster.

Example:

CloseProcesses:

When this directive is included in a fix it will automatically apply a reboot. There is no need to use the Reboot: directive. The CloseProcesses: directive is not needed and not available in the Recovery Environment.


CMD:

Occasionally you need to run a CMD command. In that case you must use the "CMD:" directive.

The script will be:

CMD: command

If there is more than one command, start each line with CMD: to get an output log for each command.

Example:

CMD: copy /y c:\windows\minidump\*.dmp e:\
CMD: bootrec /FixMbr

The first command will copy the minidump files to the flash drive (if the drive letter for the flash drive is E).
The second command is used to fix the MBR in Windows Vista and higher.

Alternatively, the StartBatch:EndBatch: directives could be used (see below).

Note: Unlike the native or other FRST directives, cmd commands must use proper cmd.exe syntax, for example " quotes around a file/directory path that contains a space.


CreateRestorePoint:

To create a restore point.

Example:

CreateRestorePoint:

Note:
This directive works only in Normal Mode. It also fails when System Restore has been disabled.



DeleteJunctionsInDirectory:

To remove junctions use the following syntax:

DeleteJunctionsInDirectory: Path

Example:

DeleteJunctionsInDirectory: C:\Program Files\Windows Defender

DeleteKey:


To delete keys you may use the DeleteKey: command like:

DeleteKey: HKLM\Software\Google

Or a regedit format like:

[-HKEY_LOCAL_MACHINE\Software\Google]

Or:

[-HKLM\Software\Google]

Note: This does not work for registry values.

Note: Because the deletion is meant to cover all kinds of keys (even classes keys that are often targeted) the feature is only available outside RE.

FRST key deletion has the ability to delete registry symbolic links, keys that are locked due to insufficient permissions, and keys that contain embedded null characters.

For keys that are protected by running software (access to those keys is denied) you need to use Safe Mode (to circumvent the running software) or delete the main components before using the command.

Note: If the key listed for deletion is a registry link to another key, the (source) key, which is the registry symbolic link, will be deleted. The target key will not be deleted. This is done to avoid removing both a bad registry symbolic link that might point at a legitimate key and the legitimate key itself. In a situation where both the source key and the target key are bad, they both should be listed for deletion.


DeleteQuarantine:

After cleaning is finished, the %SystemDrive%\FRST (usually C:\FRST) folder made by FRST should be removed from the computer. In some cases the folder can't be removed manually because the %SystemDrive%\FRST\Quarantine folder contains locked or unusual malware files or directories. The DeleteQuarantine: command will remove the Quarantine folder.

Tools that move files, as opposed to deleting them, should not be used to delete C:\FRST, because those tools just move the files to their own directory and the content remains on the system anyway.

The command just needs to be included in a fixlist.txt like so:

DeleteQuarantine:



DisableService:

To disable a service or driver service you can use the following script:

DisableService: ServiceName

Example:

DisableService: sptd
DisableService: Schedule
DisableService: Wmware Nat Service

FRST will set the service to Disabled and the service will not run at the next boot.

Note: The service name should be listed as it appears in the registry or FRST log, without adding anything. For example, quotation marks are not required.


EmptyTemp:

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera cache, HTML5 storages, Cookies and History (Note: FF history is not removed)
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

When the EmptyTemp: directive is used the system will be rebooted after the fix; there is no need to use the Reboot: directive.
No matter whether EmptyTemp: is added at the start, middle, or end of the fixlist, it will be executed after all other fixlist lines are processed.

Important: When the EmptyTemp: directive is used items are permanently deleted. They are not moved to quarantine.

Note: The directive is turned off in the Recovery Environment to prevent harm.


File: and Folder:

Used to see a file's specifications or the contents of a folder.

File: path
Folder: path

Example:

File: C:\Windows\System32\Drivers\afd.sys
Folder: C:\Windows\Boot

========================= File: C:\Windows\System32\Drivers\afd.sys ========================

File is digitally signed
MD5: 9A4A1EEE802BF2F878EE8EAB407B21B7
Creation and modification date: 2015-11-27 14:19 - 2015-10-13 18:41
Size: 0497664
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: afd.sys
Original Name: afd.sys
Product: Microsoft® Windows® Operating System
Description: Ancillary Function Driver for WinSock
File Version: 6.1.7601.19031 (win7sp1_gdr.151013-0600)
Product Version: 6.1.7601.19031
Copyright: © Microsoft Corporation. All rights reserved.

====== End of File: ======

========================= Folder: C:\Windows\Boot ========================

2012-09-27 08:49 - 2010-11-20 14:40 - 0383786 ____A () C:\Windows\Boot\PCAT\bootmgr
2012-09-27 08:47 - 2010-11-20 14:30 - 0485760 ____A (Microsoft Corporation) C:\Windows\Boot\PCAT\memtest.exe
2009-07-14 02:55 - 2009-07-14 03:17 - 0085056 ____A (Microsoft Corporation) C:\Windows\Boot\PCAT\en-US\bootmgr.exe.mui
2009-07-14 07:35 - 2009-07-14 04:11 - 0043600 ____A (Microsoft Corporation) C:\Windows\Boot\PCAT\en-US\memtest.exe.mui
2009-06-10 22:31 - 2009-06-10 22:31 - 3694080 ____A () C:\Windows\Boot\Fonts\chs_boot.ttf
2009-07-13 22:17 - 2009-06-10 22:31 - 3876772 ____A () C:\Windows\Boot\Fonts\cht_boot.ttf
2009-07-13 22:17 - 2009-06-10 22:31 - 1984228 ____A () C:\Windows\Boot\Fonts\jpn_boot.ttf
2009-07-13 22:17 - 2009-06-10 22:31 - 2371360 ____A () C:\Windows\Boot\Fonts\kor_boot.ttf
2009-07-13 22:17 - 2009-06-10 22:31 - 0047452 ____A () C:\Windows\Boot\Fonts\wgl4_boot.ttf
2012-09-27 08:48 - 2010-11-20 15:32 - 0672640 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\bootmgfw.efi
2012-09-27 08:48 - 2010-11-20 15:32 - 0669568 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\bootmgr.efi
2012-09-27 08:48 - 2010-11-20 15:33 - 0611200 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\memtest.efi
2009-06-10 22:31 - 2009-06-10 22:31 - 0262144 ____A () C:\Windows\Boot\DVD\PCAT\BCD
2009-07-13 23:12 - 2009-06-10 23:06 - 3170304 ____A () C:\Windows\Boot\DVD\PCAT\boot.sdi
2009-06-10 23:14 - 2009-06-10 23:14 - 0004096 ____A () C:\Windows\Boot\DVD\PCAT\etfsboot.com
2013-03-03 18:19 - 2009-06-10 15:14 - 0001024 ____A () C:\Windows\Boot\DVD\PCAT\nl-NL\bootfix.bin
2009-07-14 07:35 - 2009-06-11 00:14 - 0001024 ____A () C:\Windows\Boot\DVD\PCAT\en-US\bootfix.bin
2009-06-10 22:31 - 2009-06-10 22:31 - 0262144 ____A () C:\Windows\Boot\DVD\EFI\BCD
2009-07-13 23:12 - 2009-06-10 23:06 - 3170304 ____A () C:\Windows\Boot\DVD\EFI\boot.sdi
2012-09-27 08:48 - 2010-11-20 11:19 - 1474560 ____A () C:\Windows\Boot\DVD\EFI\en-US\efisys.bin

====== End of Folder: ======



FindFolder:

To search for a folder on the system drive.

Wildcards are allowed. If you need to search for more than one folder the search terms should be separated by a semicolon ;

Example:

FindFolder: google
FindFolder: *google*;adobe

Both of the foregoing would work.


Hosts:

To reset the hosts. Also, see hosts in the Main scan (FRST.txt) section.


ListPermissions:

Used to list permissions on the files/directories/keys included in the script.

ListPermissions: path/key

Example:

Listpermissions: C:\Windows\Explorer.exe
Listpermissions: C:\users\farbar\appdata
ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip
ListPermissions: HKLM\SYSTEM\CurrentControlSet\services\afd

Move:


At times renaming or moving a file, especially across drives, is troublesome and the Windows rename command might fail. To move or rename a file use the following script:

Move: source destination

Example:

Move: c:\WINDOWS\system32\drivers\afd.sys c:\WINDOWS\system32\drivers\afd.sys.old
Move: c:\WINDOWS\system32\drivers\atapi.bak c:\WINDOWS\system32\drivers\atapi.sys

The tool moves the destination file (if present) to the Quarantine, then moves the source file to the destination location.

Note: Renaming can be carried out using the Move: directive.

Note: The destination path should contain the file name even if the file is currently missing from the destination directory.


nointegritychecks on:

This applies to Vista and later Windows versions.

When the integrity checks function is disabled you will see the following line in the FRST log:

nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION!

It means the BCD has been changed to skip integrity checks at boot. To enable the integrity checks, copy and paste the above line into the fixlist.

On some unbootable computers, disabling the integrity checks resolves the boot issue until we enable the function again. To disable the function for troubleshooting purposes, or to make a backup in Normal Mode before reinstalling Windows, use the following syntax:

nointegritychecks on:


Powershell:

To run PowerShell commands or script files.

1. To run a single independent PowerShell command and get the output in the Fixlog.txt the syntax is:

Powershell: command

Example:

Powershell: Get-Service

2. To run an independent PowerShell command and get the output in a text file (not in the Fixlog.txt) use redirection operators or the Out-File cmdlet:

Powershell: command > "Path to a text file"

Powershell: command | Out-File "Path to a text file"

Example:

Powershell: Get-Service > C:\log.txt
Powershell: Get-Process >> C:\log.txt

3. To run a ready script file (.ps1) containing one or more PowerShell commands/lines the syntax is:

Powershell: "Path to a script file"

Examples:

Powershell: C:\Users\UserName\Desktop\script.ps1
Powershell: "C:\Users\User Name\Desktop\script.ps1"

4. To run several PowerShell commands/lines as if they were in a script file (.ps1), but without creating the .ps1 file, separate them with a semicolon ; instead of line breaks:

Powershell: line 1; line 2; (and so on)

Example:

Powershell: $WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("http://server/file.exe", "C:\Users\User\Desktop\file.exe")

Alternatively, the StartPowershell:EndPowershell: directives could be used (see below).


Reboot:

To force a restart.

It doesn't matter where in the fixlist you put it. Even if you put it at the start, the reboot will be carried out after all the other fixes are completed.

Note: This command will not work and is not needed in the Recovery Environment.


Reg:

To manipulate the Windows Registry using the reg.exe command line tool.

The syntax is:

Reg: reg command

Example:

Reg: reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
Reg: reg add hklm\system\controlset001\services\sptd /v Start /t REG_DWORD /d 0x4 /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SweetIM" /f

Note: Unlike the native FRST directives, the Reg command must use proper reg.exe syntax, for example " quotes around a key/value name that contains a space.

Note: The directive won't handle locked or invalid keys. The most efficient way to delete keys is to use the DeleteKey: directive or the [-Key] format described earlier in the tutorial.


RemoveDirectory:

To remove (not move) directories with limited permissions and invalid paths or names. This directive should be used for directories that resist the usual move operation. It is more powerful in Safe Mode and most powerful in RE.

The script will be:

RemoveDirectory: path



RemoveProxy:

Removes some Internet Explorer policy restriction settings like "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" or ProxySettingsPerUser in HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. It removes "ProxyEnable" (if it is set to 1), "ProxyServer", "AutoConfigURL", "DefaultConnectionSettings" and "SavedLegacySettings" values from the machine and users keys. It also applies the BITSAdmin command with NO_PROXY.

In addition, it removes the default value of the "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies" key if it is altered.

Note: Where there is running software or a service that restores those settings, the software should be uninstalled and the service removed before using the directive. This is to ensure the proxy settings don't return.


Replace:

To replace a file use the following script:

Replace: source destination

Example:

Replace: c:\WINDOWS\ServicePackFiles\i386\afd.sys c:\WINDOWS\system32\drivers\afd.sys
Replace: c:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\WINDOWS\system32\drivers\atapi.sys

The tool moves the destination file (if present) to Quarantine, then copies the source file to the destination location.

The source file is not moved and remains in its original location, so in the above example afd.sys in the i386 directory will still be there for the future.

Note: The destination path should contain the file name even if the file is currently missing from the destination directory.

Note: If the destination directory is missing, the command will fail. FRST doesn't rebuild a complete directory structure.


Restore From Backup:

The first time the tool is run it copies the hives to the %SystemDrive%\FRST\Hives (usually C:\FRST\Hives) directory as a backup. It will not be overwritten by subsequent runs of the tool. If something goes wrong, either of the hives can be restored. The syntax will be:

Restore From Backup: HiveName

Examples:

Restore From Backup: software
Restore From Backup: system


RestoreErunt:


To restore hives from an Erunt backup the script would be:

RestoreErunt: path

To restore from backups made by CF (ComboFix) the script would be:

RestoreErunt: cf


RestoreMbr:


To restore the MBR, FRST will use MbrFix, saved on the flash drive, to write an MBR.bin file to a drive. What is needed is the MbrFix/MbrFix64 utility, the MBR.bin to be restored and the script showing the drive:

RestoreMbr: Drive=#

Example:

RestoreMbr: Drive=0

(Note: The MBR to be restored should be named MBR.bin and should be zipped and attached.)


RestoreQuarantine:

You can restore the whole content of Quarantine, or restore single or multiple file(s) or folder(s) from Quarantine.

To restore the whole content of Quarantine the syntax is either:

RestoreQuarantine:

Or:

RestoreQuarantine: C:\FRST\Quarantine

To restore a file or folder the syntax is:

RestoreQuarantine: PathInQuarantine

Example:

RestoreQuarantine: C:\FRST\Quarantine\C\Program Files\Microsoft Office
RestoreQuarantine: C:\FRST\Quarantine\C\Users\Someperson\Desktop\ANOTB.exe.xBAD

To find the path in the Quarantine you can use:

Folder: C:\FRST\Quarantine

Or:

CMD: dir /a/b/s C:\FRST\Quarantine

Note: If a file already exists (outside Quarantine) in the destination path, FRST will not overwrite it. The original file will not be moved and will remain in Quarantine. If, however, you still need to restore the file from Quarantine then the file in the destination path should be renamed/removed.


SaveMbr:

Refer to the Drives and MBR & Partition Table section in the tutorial.

To make a copy of the MBR the following syntax is used:

SaveMbr: Drive=#

Example:

SaveMbr: Drive=0

Note: By doing this an MBRDUMP.txt file is made on the flash drive that should be attached to the post by the user.


SetDefaultFilePermissions:

Created for locked system files. It sets the group "Administrators" as owner and, depending on the system, grants access rights to the standard groups.

Note: The directive will not set TrustedInstaller as the owner, but it can still be used for system files that have been locked by malware.

The script will be:

SetDefaultFilePermissions: path


StartBatch:EndBatch:

To create and run a batch file.

The syntax is:

StartBatch:
Line 1
Line 2
Etc.
EndBatch:

The output will be redirected to the Fixlog.txt.


StartPowershell:EndPowershell:

A better alternative to create and run a PowerShell file containing multiple lines (see the Powershell: directive earlier in the tutorial).

The syntax is:

StartPowershell:
Line 1
Line 2
Etc.
EndPowershell:

The output will be redirected to the Fixlog.txt.


StartRegedit: — EndRegedit:

To create and import a registry file (.reg).

The syntax is:

StartRegedit:
.reg file format
EndRegedit:

Including the Windows Registry Editor Version 5.00 header is optional, but the REGEDIT4 header is required.

Example:

StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"Start"=dword:00000002
EndRegedit:

You will get a confirmation in the Fixlog.txt:

====> Registry

Note: The confirmation line appears regardless of any errors in your .reg file.

Note: The directives won't handle locked or invalid keys. The most efficient way to delete keys is to use the DeleteKey: directive or the [-Key] format described earlier in the tutorial.


testsigning on:

Applies to Windows Vista and later.

Malware will sometimes add an item to the BCD (Boot Configuration Data) to escape integrity checks at startup. The malware needs to be cleaned from the machine and then the default BCD restored. Manipulating the BCD is delicate work that, if done wrongly, will render a machine unbootable.

When FRST locates evidence of this sort of tampering it will report it like this:

testsigning: ==> 'testsigning' is set. Check for possible unsigned driver <===== ATTENTION

Where the malware is still present on the machine there will also be a (hidden) unsigned driver showing in the log like this:

S0 442564429e863a90; C:\Windows\System32\Drivers\442564429e863a90.sys [75208 2012-06-26] ()

Also the user might say that he has seen this on his desktop:

"I've just noticed something, in the bottom right of my desktop it says Test Mode, Windows 7, Build 7601. I've never noticed that before"

The full removal script will be:

S0 442564429e863a90; C:\Windows\System32\Drivers\442564429e863a90.sys [75208 2012-06-26] ()
C:\Windows\System32\Drivers\442564429e863a90.sys
testsigning: ==> 'testsigning' is set. Check for possible unsigned driver <===== ATTENTION

Besides removing the malware driver, FRST will remove the value that was added to the BCD. No further action is necessary.

Sometimes, however, other tools will have partially cleaned the machine but not repaired the BCD. In those cases the following may be used:

testsigning: ==> 'testsigning' is set. Check for possible unsigned driver <===== ATTENTION

If something goes wrong after testsigning has been set back to its default (turned off), use the following command to enable testsigning again for further troubleshooting:

testsigning on:



Unlock:

This directive, in the case of files/directories, sets group "Everyone" as owner, grants access to everyone and works recursively when applied on directories. It should be used for bad files/directories.

In the case of registry items it sets group "Administrators" as owner and grants the groups the usual access and works only on the key applied. It can be used for both bad and legitimate keys.

The script will be:

Unlock: path


Sometimes the usual move operation doesn't work due to permissions. You will notice it when you get "Could not move File/Directory" on the Fixlog.txt. In that case you can use the "Unlock:" directive on those files or folders.

Example:

Unlock: C:\Windows\badfile.exe
Unlock: C:\Windows\System32\badfile.exe

To remove the file/folder altogether just add the path separately to the fix:

Unlock: C:\Windows\System32\bad.exe
C:\Windows\System32\bad.exe

You can use the directive to unlock a registry item that is locked. For example, if you are running the fix in the Recovery Environment and the current control set is ControlSet001, the following would apply:


Unlock: hklm\system\controlset001\badservice\subkeyname

To remove the entry use the Reg: directive. The full syntax would be:


Unlock: hklm\system\controlset001\badservice\subkeyname
Reg: reg delete hklm\system\controlset001\badservice /f

VerifySignature:


To check the digital signature of a file.

VerifySignature: path


Example:


VerifySignature: C:\Windows\notepad.exe

Zip:


To zip files/folders and save them as Upload.zip on the user's desktop for subsequent manual uploading by the user.


Zip: path;path


As many files/folders as needed can be listed separated by semicolons.

Example:


Zip: C:\malware.exe;C:\Windows\Minidump;C:\Windows\Logs\CBS\CBS.log

  • 3

#8
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,667 posts

Canned Speeches


Scans

Example instruction for the malware removal helper to have the user run FRST in normal mode:


Please download [url=http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]Farbar Recovery Scan Tool[/url] and save it to your Desktop.

[color=green][b]Note[/b]: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.[/color]

[LIST]
[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click [b]Yes[/b] to disclaimer.
[*]Press [b]Scan[/b] button.
[*]It will produce a log called [b]FRST.txt[/b] in the same directory the tool is run from.
[*]Please copy and paste log back here.
[*]The first time the tool is run it generates another log ([b]Addition.txt[/b] - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
[/LIST]

Example instruction to run FRST on Vista, Windows 7 and Windows 8 in the Recovery Environment (RE):


[LIST]
[*]On a clean machine, please download [url=http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]Farbar Recovery Scan Tool[/url] and save it to a flash drive.

[color=green][b]Note[/b]: You need to run the version compatible with your system.[/color]

Plug the flash drive into the infected PC.

[*]If you are using Windows 8 consult [url=http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/]How to use the Windows 8 System Recovery Environment Command Prompt[/url] to enter System Recovery Command prompt.

If you are using Vista or Windows 7 enter [b]System Recovery Options[/b].

[color=#0000FF][b]To enter System Recovery Options from the Advanced Boot Options:[/b][/color]
[LIST]
[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the[b] F8[/b] key until Advanced Boot Options appears.
[*]Use the arrow keys to select the [b]Repair your computer[/b] menu item.
[*]Select [b]US[/b] as the keyboard language settings, and then click [b]Next[/b].
[*]Select the operating system you want to repair, and then click [b]Next[/b].
[*]Select your user account and click [b]Next[/b].
[/LIST]
[color=green][b]Note[/b]: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html[/color]

[color=#0000FF][b]To enter System Recovery Options by using Windows installation disc:[/b][/color]
[LIST]
[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click [b]Repair your computer[/b].
[*]Select [b]US[/b] as the keyboard language settings, and then click [b]Next[/b].
[*]Select the operating system you want to repair, and then click [b]Next[/b].
[*]Select your user account and click [b]Next[/b].
[/LIST]

[*][color=#008000][b]On the System Recovery Options menu you will get the following options:[/b][/color]

[b]Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/b]

Select [b]Command Prompt[/b]

[*][color=#FF0000][b]Once in the Command Prompt:[/b][/color]
[LIST]
[*]In the command window type in [b]notepad[/b] and press [b]Enter[/b].
[*]The notepad opens. Under File menu select [b]Open[/b].
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type [b][color=#FF0000]e[/color]:\frst[/b] (for x64 bit version type [b][color=#FF0000]e[/color]:\frst64[/b]) and press [b]Enter[/b]
[b]Note:[/b] Replace letter [color=#FF0000]e[/color] with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press [b]Scan[/b] button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
[/LIST]
[/LIST]

Fixes

Example instruction for a fix carried out in normal or safe mode, i.e. within Windows:


Download attached [b]fixlist.txt[/b] file and save it to the Desktop.

[u][b]NOTE.[/b][/u] It's important that both files, [b]FRST/FRST64[/b] and [b]fixlist.txt[/b], are in the same location or the fix will not work.

[b][color=red]NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.[/color][/b]

Run [b][color=#0000FF]FRST/FRST64[/color][/b] and press the [b]Fix[/b] button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

Example instructions to run a fix in the Recovery Environment (RE):


Open notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select copy. Paste this into the open notepad. Save it on the flash drive as [b]fixlist.txt[/b].

[quote]
Script goes here
[/quote]

[color=red][b]NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.[/b][/color]

On Vista or Windows 7: Now please enter System Recovery Options.

On Windows XP: Now please boot into the PE (Preinstallation Environment) disk.

Run [b]FRST/FRST64[/b] and press the [b]Fix[/b] button just once and wait.
The tool will generate a log on the flash drive ([b]Fixlog.txt[/b]). Please post it in your reply.

  • 2

#9
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 19,667 posts

Comments on the tutorial may be made here.

Tutorial revisions:

Press "Show" to see previous years' amendments.


01/04/2016 Attention flag removed from Shortcuts explanation
01/04/2016 GloballyOpenPorts added to FirewallRules
03/05/2016 Alternate Data Streams section amended to include size information
03/05/2016 Zip: directive added
04/20/2016 Opera description updated
04/20/2016 Services and Drivers section amended for more clarity
04/20/2016 X attribute added under One month... scans
04/20/2016 Alternate Data Streams reference removed from Fixing
04/20/2016 Bamital & volsnap section updated
04/20/2016 Internet Explorer zones reference link replaced
04/20/2016 Hosts content and Restore Points descriptions added to Addition.txt section
04/20/2016 Steam HTML cache added and BITS cleanup clarified in EmptyTemp: listing
04/20/2016 Search Files description updated to include the digital signatures check
04/20/2016 Added notes that the digital signatures check is not available in the Recovery Environment
04/20/2016 Various smaller and cosmetic changes
04/28/2016 Note related to One Month... scan limitations added
04/28/2016 WMI malware detection added to Shortcuts scan in Addition.txt
04/28/2016 Shortcut.txt explanation updated
05/10/2016 "EXE Association" renamed to "Association" (in all scans) and extended (only in Addition.txt scan)
05/10/2016 File: directive output corrected
05/12/2016 Table of Contents reorganisations and simplifications
06/11/2016 Russian translation link added
06/16/2016 Default Scan Areas listing updated
06/16/2016 Explanation of "?" characters usage added to One Month... and Search Registry descriptions
06/16/2016 Powershell: directive added
06/16/2016 Zip: directive description amended
06/16/2016 Scan area limitations specified in the FindFolder: and Search Files descriptions
06/16/2016 "90 Days Files" description amended to include the "Modified Files and Folders"
06/18/2016 Icon cache added to EmptyTemp: listing
07/05/2016 Powershell: directive description updated
07/22/2016 StartBatch: — EndBatch: and StartPowershell: — EndPowershell: directives added
07/22/2016 SetDefaultFilePermissions: and Unlock: descriptions corrected
07/22/2016 "Search Registry" log renamed to SearchReg.txt
07/25/2016 StartRegedit: — EndRegedit: directives added
07/25/2016 Reg: directive description updated
08/15/2016 Edge section amended to cover extensions


  • 0
