FRST Tutorial Comment

FRST farbar tutorial

183 replies to this topic

#181
picasso

    Trusted Helper

  • Malware Removal
  • 113 posts
  • MVP

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\":
WMI:subscription\__EventFilter->BVTFilter:
WMI:subscription\CommandLineEventConsumer->BVTConsumer:
What do these lines mean?

Those are legit entries. More about BVTConsumer / BVTFilter here and here.


  • 0

#182
PeterJ

    Visiting Consultant

  • Visiting Consultant
  • 26 posts

The scan log file FRST.TXT sometimes shows a line like this example:

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

"Path" (%INTEL_DEV_REDIST%redist\intel64\compiler;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\VulkanSDK\1.0.65.0\Bin;c:\programdata\oracle\java\javapath;c:\program files\common files\microsoft shared\windows live;c:\program files (x86)\common files\microsoft shared\windows live;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\program files\microsoft network monitor 3\;c:\program files (x86)\windows live\shared;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common -> %SystemRoot%\System32;%SystemRoot%;%SystemRoot%\System32\Wbem;%INTEL_DEV_REDIST%redist\intel64\compiler;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\VulkanSDK\1.0.65.0\Bin;c:\programdata\oracle\java\javapath;c:\program files\common files\microsoft shared\windows live;c:\program files (x86)\common files\microsoft shared\windows live;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\program files\microsoft network monitor 3\;c:\program files (x86)\windows live\shared;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common) <==== Repaired successfully

It repaired the environment variable "Path", but what was wrong with it?

I couldn't find it in the manual.


Edited by PeterJ, 28 December 2018 - 05:48 PM.

  • 0

#183
farbar

    Developer

  • Expert
  • 402 posts

The reason is the order of the paths in the string. Those paths should be placed at the start of the string:

%SystemRoot%\System32;%SystemRoot%;%SystemRoot%\System32\Wbem;

Instead, they are placed after some other custom paths:

%INTEL_DEV_REDIST%redist\intel64\compiler;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\VulkanSDK\1.0.65.0\Bin;c:\programdata\oracle\java\javapath;c:\program files\common files\microsoft shared\windows live;c:\program files (x86)\common files\microsoft shared\windows live;c:\windows\system32;c:\windows;c:\windows\system32\wbem;

In this case, when Windows starts the autorun entries and encounters a file name instead of a full path, it looks in those paths for the file in the order they are given. So if malware adds its own path to the start of the string and creates its own file with a legitimate system file name, the fake file will run instead of the legitimate one.

However, the automatic repairing will be changed shortly and FRST will only report the deviation from the default value instead of repairing it.


  • 0
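One way to perform the check farbar describes, as an added example that is not FRST's code: it expands %SystemRoot% (assumed here to be C:\Windows), compares entries case-insensitively as Windows does, and reports which entries would be searched before the default system directories. The sample string is the "Path" value quoted from the FRST log earlier in this thread.

```python
import re

# Default leading entries of the Windows PATH, as quoted in the post above.
DEFAULT_PREFIX = [r"%SystemRoot%\System32", r"%SystemRoot%", r"%SystemRoot%\System32\Wbem"]

# The "Path" value from the FRST log quoted earlier in the thread (the part before "->").
OBSERVED_PATH = (
    r"%INTEL_DEV_REDIST%redist\intel64\compiler;"
    r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath;"
    r"C:\VulkanSDK\1.0.65.0\Bin;"
    r"c:\programdata\oracle\java\javapath;"
    r"c:\program files\common files\microsoft shared\windows live;"
    r"c:\program files (x86)\common files\microsoft shared\windows live;"
    r"c:\windows\system32;c:\windows;c:\windows\system32\wbem;"
    r"c:\windows\system32\windowspowershell\v1.0\;"
    r"c:\program files\microsoft network monitor 3\;"
    r"c:\program files (x86)\windows live\shared;"
    r"C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common"
)
# The value FRST wrote back (the part after "->"): defaults prepended, the rest kept as-is.
REPAIRED_PATH = ";".join(DEFAULT_PREFIX) + ";" + OBSERVED_PATH


def _normalize(entry, system_root):
    """Expand %SystemRoot%, fold case and drop trailing backslashes (PATH lookups are case-insensitive)."""
    expanded = re.sub(r"%systemroot%", lambda _m: system_root, entry, flags=re.IGNORECASE)
    return expanded.rstrip("\\").lower()


def check_path_order(path_value, system_root="C:\\Windows"):
    """Report whether the default system directories lead PATH and what is searched before them.

    system_root (assumed to be C:\\Windows) expands %SystemRoot%; pass the machine's real value.
    Returns {"ok": bool, "before": [entries ahead of the first system dir], "missing": [...]}.
    """
    entries = [e for e in path_value.split(";") if e]
    norm = [_normalize(e, system_root) for e in entries]
    expected = [_normalize(e, system_root) for e in DEFAULT_PREFIX]
    positions = [norm.index(x) if x in norm else None for x in expected]
    missing = [DEFAULT_PREFIX[i] for i, p in enumerate(positions) if p is None]
    found = [p for p in positions if p is not None]
    first_system = min(found) if found else len(entries)
    return {"ok": positions == [0, 1, 2], "before": entries[:first_system], "missing": missing}


if __name__ == "__main__":
    for label, value in (("observed", OBSERVED_PATH), ("repaired", REPAIRED_PATH)):
        result = check_path_order(value)
        print(label, "ok" if result["ok"] else "deviates", result["before"], result["missing"])
```

On the observed value the six custom entries ahead of c:\windows\system32 are reported; on the repaired value the check passes even though the lower-case duplicates remain later in the string.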

#184
PeterJ

    Visiting Consultant

  • Visiting Consultant
  • 26 posts

Ok, thanks for the explanation.


  • 0




