FRST Tutorial Comment

184 replies to this topic

#1
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts

Tutorial is now hosted on BleepingComputer: Link
This is the place you can post if you have a question or comment about the FRST Tutorial.

Feedback is also important, so if you have a comment please make it.


#2
Noob_B_Fershur
    New Member
  • Member
  • 8 posts
Thank you for this wonderful tutorial, I am awed by the unselfish efforts of the helpers at forums like G2G & BC, well done.

I will report that the links to the individual sub-topics in the table of contents do not work (screenshot)

#3
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Hmm... Don't know what happened there.

It works for me now.

Please check it and tell me if it works for you. :)

#4
vicky67
    New Member
  • Member
  • 1 post
The tutorial is just wonderful.
Of a great simplicity, in addition to an excellent explanation.
My compliments to Farbar and geekstogo for publication.
Hello from Italy.

#5
Noob_B_Fershur
    New Member
  • Member
  • 8 posts

Hmm... Don't know what happened there.
It works for me now.
Please check it and tell me if it works for you. :)

Works for me now, thanks again! :cheers:

#6
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
:thumbsup:

#7
JBRare
    New Member
  • Member
  • 1 post
A really great tutorial and most useful.
However I have limited knowledge at this level of Windows.
My computer won't boot so I ran FRST from USB and got this report.
I really need some expert help as what to do next. I am not sure exactly what to remove or change.

Log removed.

See next post.

#8
godawgs
    Teacher
  • Retired Staff
  • 8,228 posts
Hello JBRare,
:welcome:
This is a forum for questions about the Farbar Recovery Scan tool. It is not the place to post logs and request help.
It appears that you have a ZeroAccess infection. Please start a new topic in the Virus, Spyware, Malware Removal forum and post the FRST log there.

#9
Parvardigar
    Member
  • Member
  • 27 posts
How are other rootkits shown in the log, such as TDL3 and TDL4 or some others?

#10
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts
Hello Parvardigar,

If you read the tutorial you will find an example under the Fixing section.

Check out under Bamital & volsnap Check.

This one:

Bamital & volsnap Check

Bamital and volsnap malware check.

Modified system files alert you to possible malware infection. Where infection is identified care needs to be taken with remedial action. Expert help should be sought as removal of a system file could render a machine unbootable.

When a malware-made custom entry in the BCD is found you will see the following line in the Bamital section:

TDL4: custom:26000022 <===== ATTENTION!

#11
DanoNH
    Trusted Helper
  • Malware Removal
  • 2,155 posts

Nice to see that EmptyTemp: has made it into FRST! Thanks Farbar!

#12
Durad
    New Member
  • Member
  • 1 post

Is there any open database where we can check if the MD5 for drivers is correct?

#13
emeraldnzl
    GeekU Instructor
  • GeekU Moderator
  • 20,051 posts

There are some tools with databases out there but I find that the ones I have used are not fully reliable.

If you are worried about a file why not try VirSCAN. :)

Go to VirSCAN.org FREE on-line scan service

#14
mrfixiter
    Visiting Staff
  • Visiting Consultant
  • 9 posts

Hi there :)

While looking over a user's log, I found this warning:

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

According to the portion of the tutorial that covers the testsigning directive:

testsigning on:

Applies to Windows Vista and later.

Malware will sometimes add an item to the BCD (Boot Configuration Data) to escape integrity checks at startup. The malware needs to be cleaned from the machine and then the default BCD restored. Manipulating the BCD is delicate work that, if done wrongly, will render a machine unbootable.

When FRST locates evidence of this sort of tampering it will report like this:

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

Where the malware is still present on the machine there will also be a (hidden) unsigned driver showing in the log like this:

0 442564429e863a90; C:\Windows\System32\Drivers\442564429e863a90.sys [75208 2012-06-26] ()

Also the user might say that he has seen this on his desktop:

"I've just noticed something, in the bottom right of my desktop it says Test Mode, Windows 7, Build 7601. I've never noticed that before"

The full removal script will be:

0 442564429e863a90; C:\Windows\System32\Drivers\442564429e863a90.sys [75208 2012-06-26] ()
C:\Windows\System32\Drivers\442564429e863a90.sys
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

Besides removing the malware driver, FRST will remove the value that is added to the BCD. No further action is necessary.

Sometimes, however, other tools will have partially cleaned the machine but not repaired the BCD. In those cases the following may be used:

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

In a situation where, after setting testsigning to its default (turning it off), something goes wrong, then to enable testsigning for further troubleshooting use the following command:

testsigning on:

I can't figure out the connection between the testsigning directive and the presence of the warning in the log:

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

Is the only connection between the two that the word testsigning appears in both? In other words, I think using the testsigning directive has nothing to do with the warning. Is that correct?

mrfixiter

#15
farbar
    Developer
  • Expert
  • 503 posts

Hi mrfixiter,

testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

For 64-bit versions of Windows Vista and above, all kernel-mode drivers should have a digital signature; otherwise they will not be loaded. Testsigning is not set to on by default. Some legit programs might set the option in the testing phase in order to get their driver loaded. Necurs is known to set the option on in order to load its driver. The above warning tells you the testsigning is on.

On an infected 64-bit machine with Necurs, if you (before removing the rootkit driver) turn off the testsigning, the rootkit driver will not load any more but the system becomes unbootable.

When you include the above line in the Fixlist the testsigning will be set to off. The "testsigning on:" does the opposite. It sets the testsigning to on again.
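The two log checks discussed in this thread, the Bamital/volsnap ATTENTION lines from #10 and the testsigning warning plus hidden unsigned driver from #14/#15, pulled out of a log automatically, as an added Python example that is not FRST's own code or anything posted above. The log excerpt is constructed from the lines quoted in the thread, and the "no company string plus hex-only name" rule for flagging a driver is an assumption of this example, not how FRST decides.

```python
import re

# Constructed FRST log excerpt (not a real log): the 442564429e863a90 driver line and
# the two ATTENTION lines follow the thread; the other lines are made-up placeholders.
SAMPLE_LOG = r"""
==================== Drivers (Whitelisted) ====================
R1 gooddrv; C:\Windows\System32\Drivers\gooddrv.sys [35928 2012-03-06] (Example Vendor)
0 442564429e863a90; C:\Windows\System32\Drivers\442564429e863a90.sys [75208 2012-06-26] ()

==================== Bamital & volsnap Check ====================
TDL4: custom:26000022 <===== ATTENTION!
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
"""
TESTSIGNING_LINE = "testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!"
DRIVER_RE = re.compile(
    r"^(?P<start>\S+) (?P<name>[^;]+); (?P<path>.+?\.sys) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>.*)\)$")

def parse_driver_line(line):
    """Split an FRST driver line into start type, name, path, size, date, company."""
    m = DRIVER_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious_driver(drv):
    # Assumed heuristic (not FRST's logic): empty company field and a hex-only name.
    return drv["company"] == "" and re.fullmatch(r"[0-9a-f]{12,}", drv["name"]) is not None

def triage(log_text):
    """Collect every ATTENTION line, note whether testsigning is on, flag drivers."""
    findings = {"attention": [], "testsigning_on": False, "drivers": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("ATTENTION!"):
            findings["attention"].append(line)
            if line == TESTSIGNING_LINE:
                findings["testsigning_on"] = True
        drv = parse_driver_line(line)
        if drv and is_suspicious_driver(drv):
            findings["drivers"].append((line, drv))
    return findings

def build_fixlist(findings):
    """Fixlist in the order post #14 shows: driver line, its file path, then testsigning."""
    lines = []
    for line, drv in findings["drivers"]:
        lines.extend([line, drv["path"]])
    if findings["testsigning_on"]:
        lines.append(TESTSIGNING_LINE)
    return lines
```

Running build_fixlist(triage(SAMPLE_LOG)) reproduces the three-line fix from post #14; the TDL4 line stays a finding only, since the thread defers that case to expert help.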




