184 replies to this topic

[Herman_Salim]

The difference is already stated in the tutorial description. The second command requires an external third-party tool and MBR dump made earlier by the tool.

 

 

I mean, if we can reset MBR with CMD: bootrec /FixMbr, why we must be bothered with RestoreMbr:? As RestoreMbr: also need Third Party and MBR.bin.

 

Thank You..

[picasso]

RestoreMbr: can be used to restore a copy made before altering MBR (eg. with the Microsoft tool) in case of a failure with the fixing or to load a manually edited MBR dump (prepared by an expert). There are no such possibilities with the Microsoft tool, no backup is made, the operation cannot be undone by the tool itself.

[Herman_Salim]

RestoreMbr: can be used to restore a copy made before altering MBR (eg. with the Microsoft tool) in case of a failure with the fixing or to load a manually edited MBR dump (prepared by an expert). There are no such possibilities with the Microsoft tool, no backup is made, the operation cannot be undone by the tool itself.

 

Thank you for your patience in explaining.

 

 

in case of a failure with the fixing or to load a manually edited MBR dump (prepared by an expert)

 

Do you mean that CMD: bootrec/fixmbr can't fix/reset/undone this failure?

[picasso]

I mean that the bootrec command overwrites MBR, but doesn't create any backup allowing to reverse the action in case of side effects. Also, keep in mind that the command writes a standard MBR code, special customizations done by an OEM manufacturer (eg. a pointer to a Recovery program) could be lost. So it is always a good option to create an MBR backup before trying to fix MBR.

[Herman_Salim]

I mean that the bootrec command overwrites MBR, but doesn't create any backup allowing to reverse the action in case of side effects. Also, keep in mind that the command writes a standard MBR code, special customizations done by an OEM manufacturer (eg. a pointer to a Recovery program) could be lost. So it is always a good option to create an MBR backup before trying to fix MBR.

 

Very clearly. I have understood now. Thank you.

[Herman_Salim]

Hello Malware Fighter and Instructor..

 

What is the different Between delete Folder with usual way and RemoveDirectory: ?

[picasso]

In the first case a folder is moved to the Quarantine and can be restored. RemoveDirectory: permanently removes a folder (no copy in the Quarantine).

[Herman_Salim]

In the first case a folder is moved to the Quarantine and can be restored. RemoveDirectory: permanently removes a folder (no copy in the Quarantine).

 

Thank you for your fast Response.

[mrfixiter]

Hi

 

There is a typo here:

Association

Note: The "Association" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the section will appear on the Addition.txt. The scan in the Recovery Environment is limited to .exe file association.

Lists machine-wide .exe file association like this:
 

Quote

    HKLM\...\exefile\open\command: C:\Windows\svchost.com "%1" %* <===== ATTENTION


As with other registry entries you can just copy and past the entries with the issue in the fixlist.txt and they will be restored. No need to do registry fixes.

 

Thanks for your help.

 

mrfixiter

[PeterJ]

Hi,

 

What is meant by "task is ontgrendeld." in a Addition log like below:

(Logfile created on a Windows 10 x64 machine)

==================== Geplande Taken (gefilterd) =============
...
"{01C7C80F-DA6A-4698-BA70-4DA27991C5A9}" task is ontgrendeld. <===== AANDACHT
"{08629A58-75ED-46AA-8646-8C7015698215}" task is ontgrendeld. <===== AANDACHT
"{094CD275-5C71-4753-B57E-5566CA859498}" task is ontgrendeld. <===== AANDACHT

[emeraldnzl]

When I translate that it appears to say "task is unlocked" Without looking at the whole path I don't know what it refers to but it is being signaled by FRST to be checked.

 

This is not the place to post logs for analysis.
 
You might like to open topic in the Malware forum here and post a FRST log so that an expert can have a look.

[emeraldnzl]

@ mrfixiter

 

Thank you for the heads up. It has been noted for correcting at next update.

[mrfixiter]

Hi
 
Regarding this entry in the tutorial:

FRST adds notations to certain log entries:

C - Compressed
D - Directory
H - Hidden
L - Symbolic Link
N - Normal (does not have other attributes set)
O - Offline
R - Readonly
S - System
T - Temporary
X - No scrub (Windows 8+)

There seems to be an overlap between the standard file attributes and other categories not documented in the Wikipedia article. One notable omission in the above list is the Archive bit. Was that just an oversight?

 

Thanks for your assistance.

 

mrfixiter

[Dragokas]

Hi, mrfixiter !

 

You can read official documentation:

File Attribute Constants

[picasso]

Hi
 
Regarding this entry in the tutorial:

FRST adds notations to certain log entries:

C - Compressed
D - Directory
H - Hidden
L - Symbolic Link
N - Normal (does not have other attributes set)
O - Offline
R - Readonly
S - System
T - Temporary
X - No scrub (Windows 8+)

There seems to be an overlap between the standard file attributes and other categories not documented in the Wikipedia article. One notable omission in the above list is the Archive bit. Was that just an oversight?

 

Thanks for your assistance.

 

mrfixiter

 

Hi,

 

The information in the tutorial is correct. "A" attribute is not shown in FRST log. It is filtered by purpose to prevent cluttering FRST log (most items would have this attribute). "A" was shown in FRST log in the past, but due to my request it was removed from the output.

 

EDIT: To be clear, FRST has a capability to list so called extended attributes, so the list in the tutorial is wider than on Wikipedia, except of those filtered by purpose.