FRST Tutorial Comment
#91 Herman_Salim (Member)
Hello Farbar and all experts here..

Installed Programs

Lists all installed programs.

- FRST has a built-in database for flagging a number of adware/PUP programs.

I have some PUP programs to add to the FRST built-in database, so Farbar can add the "<==== ATTENTION" warning behind these:

Internet Quick Access

I found this entry today in the Installed Programs list of an adware-infected system:

Internet Quick Access (HKU\S-1-5-21-434397099-2995631148-4127755246-1000\...\InternetQuickAccess) (Version: 45.0.2433.0 - Internet Quick Access)

Results on Google: https://www.google.c...=UTF-8&oe=UTF-8

I found some entries related to this program:

Task: {C8BF4100-5059-4EC5-85E2-C5047BC2DECF} - System32\Tasks\Internet Quick Access Updater => C:\Users\Mahdari\AppData\Local\Chromium\Application\45.0.2433.0\Installer\updater\updater.exe

Chromium

Installed Programs list:

Chromium (HKU\S-1-5-21-2150650010-2770811924-2347199686-1001\...\Chromium) (Version: 46.0.2480.0 - Chromium)

Startup entry:

HKU\S-1-5-21-2150650010-2770811924-2347199686-1001\...\Run: [GoogleChromeAutoLaunch_F65FB1B21A9336DA19D1174CC4FEC482] => C:\Users\Sinar Cempaka\AppData\Local\Chromium\Application\chrome.exe [667136 2015-08-11] (The Chromium Authors)

Bing Bar

Installed Programs list:

Bing Bar (HKLM-x32\...\{16793295-2366-40F7-A045-A3E42A81365E}) (Version: 7.1.362.0 - Microsoft Corporation)

This PUP adds the Bing Toolbar to IE and doesn't allow the user to remove it unless Bing Bar is uninstalled. Malwarebytes detects Bing Bar as a PUP, but there is no detection of Bing Bar so far.. Much better if Farbar can add the Attention warning to Bing Bar.

Sorry for my bad English..

Sorry if I am too concerned about improving Farbar. I am just impressed with the Malware Removal Experts here.. I enjoy helping people fight malware too..


#92 picasso (Trusted Helper)

Is there any way to restore a specific service, driver or startup entry from Quarantine?

FRST creates a full registry backup in the C:\FRST\Hives folder. To restore a registry entry you have to manually mount a hive using the Windows reg command > export the entry to a REG file > correct the paths in the REG file > import the REG file. Run cmd on your system and type the reg load /? and reg unload /? commands.

All these cases for the * wildcard have already been described in your tutorial, but there should be an official confirmation that all this works for the '?' wildcard also, especially a qualification of FRST behavior in specific cases like:

Where an asterisk ("*", also called "star") is added to the start or end of a registry search term, FRST will ignore it and will search for the search term without the asterisk.

The "?" wildcard works in file removal and search. The "?" is not ignored in Search Registry, but I'm not sure if that is intentional.

I would rather remove "?" wildcard support from FRST completely to avoid confusion and problems with Fixes saved in ANSI instead of UTF-8 (in the case of processing files with Unicode characters replaced with "?").

EDIT: As per my suggestion, the "?" no longer works in file removal and Search Registry.

Edited by picasso, 15 June 2016 - 06:32 PM.

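The restore sequence picasso describes (mount the backup hive, export the entry, correct the paths in the REG file, import it), as an added Python example that is not code from the thread or from FRST. The mount name HKLM\FRSTBackup, the hive file name under C:\FRST\Hives and the HKLM\SOFTWARE mapping are assumptions; the path-correction step is the pure-text part and runs anywhere, the reg.exe calls need Windows.

```python
import subprocess
import sys

# Assumed for this example: the backup hive is mounted as HKLM\FRSTBackup and stands
# in for the live HKLM\SOFTWARE key; the hive file name under C:\FRST\Hives is a
# placeholder, use the one FRST actually saved.
MOUNT_KEY = r"HKLM\FRSTBackup"
LIVE_KEY = r"HKLM\SOFTWARE"
HIVE_FILE = r"C:\FRST\Hives\SOFTWARE"
_LONG = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS", "HKCU": "HKEY_CURRENT_USER"}

def _long_name(key):
    """reg.exe accepts HKLM\\..., but .reg headers spell it HKEY_LOCAL_MACHINE\\..."""
    root, _, rest = key.partition("\\")
    return _LONG.get(root.upper(), root) + ("\\" + rest if rest else "")

def rebase_reg(text, mount_key=MOUNT_KEY, live_key=LIVE_KEY):
    """Rewrite the [key] header lines of a .reg export taken under the mounted backup
    hive so they point at the live key. Only headers are touched, so a value that
    merely contains the mount name is left alone."""
    src = _long_name(mount_key).lower()
    dst = _long_name(live_key)
    out = []
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            # "[-KEY]" deletes a key in .reg syntax; keep that sign intact
            sign, body = ("-", line[2:-1]) if line.startswith("[-") else ("", line[1:-1])
            if body.lower() == src or body.lower().startswith(src + "\\"):
                body = dst + body[len(src):]
            line = "[" + sign + body + "]"
        out.append(line)
    return "\n".join(out) + "\n"

def restore_entry(subkey, reg_path="entry.reg"):
    """Windows-only: the load > export > correct > import > unload sequence from the post."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("reg.exe is only available on Windows")
    subprocess.run(["reg", "load", MOUNT_KEY, HIVE_FILE], check=True)
    try:
        subprocess.run(["reg", "export", MOUNT_KEY + "\\" + subkey, reg_path, "/y"], check=True)
        with open(reg_path, encoding="utf-16") as f:  # reg.exe writes UTF-16 with a BOM
            fixed = rebase_reg(f.read())
        with open(reg_path, "w", encoding="utf-16") as f:
            f.write(fixed)
        subprocess.run(["reg", "import", reg_path], check=True)
    finally:
        subprocess.run(["reg", "unload", MOUNT_KEY], check=True)
```

Review the corrected REG file before importing it; an entry that still points at a removed malicious file should be fixed by hand rather than restored as-is.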
#93 mrfixiter (Visiting Staff)

Hi :)

Regarding the instructions for the Zip directive:

To zip files/folders and save them to the user's desktop for subsequent manual uploading by the user.

Zip: file/folderpath;file/folderpath

At first glance, it appears the correct syntax would be:

Zip: file_to_zip/folder_that_contains_the_file_to_zip

But the example shows otherwise:

zip: c:\test1.txt;c:\test2.txt;c:\test;C:\Users\win64\AppData\Roaming\Mozilla\Firefox\Profiles;c:\test.txt

I would suggest changing the instruction to:

Zip: folderpath\file;[folderpath2\file2]

The use of the forward slash to mean and/or in the instructions could be confused with a forward slash as an additional argument in the Zip: directive.

Thanks for your help.


#94 picasso (Trusted Helper)

mrfixiter, thanks for the suggestion. I replaced the "file/folderpath" with "path" (used in other directives' syntax).

To zip files/folders and save them to the user's desktop for subsequent manual uploading by the user.
Zip: file/folderpath;file/folderpath

At first glance, it appears the correct syntax would be:
Zip: file_to_zip/folder_that_contains_the_file_to_zip
But the example shows otherwise:

Why would you expect "/" to work as a directory path separator in a Windows program? "/" is the Unix/Linux directory separator.

I would suggest changing the instruction to:
Zip: folderpath\file;[folderpath2\file2]

This suggests that only files are allowed to be entered.


#95 mrfixiter (Visiting Staff)

Hi picasso :)

Why would you expect "/" to work as a directory path separator in a Windows program? "/" is the Unix/Linux directory separator.

I am not very familiar with Unix/Linux, so that thought didn't pop into my head. I thought it was either a typo or the forward slash had to be interpreted as something else. That's when I realized it meant and/or.

I would suggest changing the instruction to:
Zip: folderpath\file;[folderpath2\file2]

This suggests that only files are allowed to be entered.

Fair point.

How about this?
Zip: folderpath[\file];folderpath2[\file2] (where items in brackets are optional)


#96 picasso (Trusted Helper)

How about this?
Zip: folderpath[\file];folderpath2[\file2] (where items in brackets are optional)

vs.

I replaced the "file/folderpath" with "path" (used in other directives' syntax).

Zip: path;path

The simplest version. No need to specify more details, because those are in the attached example. The example is self-explanatory.

#97 Dragokas (Malware Expert)

Except for "?" and "*", are there any other wildcards supported (like in regexp)?


#98 picasso (Trusted Helper)

As far as I'm aware, no support for regular expressions.


#99 Herman_Salim (Member)

Why must we always include these entries in fixlist.txt:

  • No file
  • [x]
  • No image path (Driver)

Thank you..

Regards,

Herman Salim


#100 picasso (Trusted Helper)

Why must we always include these entries in fixlist.txt:

"Must" is overkill. That is a choice of a specific helper based on the whole analysis. Those entries mean "a file not found on disk" or "no reference to a file". In most cases those entries are really empty, just leftovers after an uninstallation / removal, and they can generate some startup errors. But there are cases when the "not found" might be a false positive. For example:

- An entry uses a relative path, but the Path environment variable is broken. FRST will falsely show "not found" and nothing can be done about it. The Path variable is required to search for files specified in a relative manner. In this case you have to correct the Path variable and rescan with FRST. No longer valid (Path corruption detection introduced)

- A legit registry entry was modified in a malicious way and the malicious file was already removed. In this case you have to be aware of how a normal entry looks and manually correct the registry path instead of removing the entry.

That's why a careful log analysis is required. You can't blindly process those lines, you have to think.


#101 Herman_Salim (Member)

 

 

An entry uses a relative path

What do you mean by Relative Path?

In this case you have to correct Path variable and rescan with FRST

How can we correct the Path variable?

Sorry if I ask too deep about troubleshooting.

Thank you, Picasso..


#103 picasso (Trusted Helper)
What do you mean by Relative Path?

Absolute and relative paths

Absolute: C:\Folder\file.exe

Relative: file.exe

A good example of a broken Path variable is in this topic on my forum.

Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll Brak pliku
Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll Brak pliku
Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll Brak pliku
CustomCLSID: HKU\S-1-5-21-2807787745-202846158-3995719364-1000_Classes\CLSID\{1796F774-EE54-A145-E57A-7EE1D0B1E6BE}\InprocServer32 -> ole32.dll => Brak pliku
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - System32\Tasks\Microsoft\Windows\Application Experience\AitAgent => aitagent.exe
Task: {E3163C33-301D-4730-A266-5518C5ED3967} - System32\Tasks\Microsoft\Windows\Bluetooth\UninstallDeviceTask => BthUdTask.exe
S3 WinHttpAutoProxySvc; winhttp.dll [X]

["Brak pliku" = "No file"]

=========  SET =========

ALLUSERSPROFILE=C:\ProgramData
(...)
Path=C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Skype\Phone\;C:\Program Files\Common Files\Microsoft Shared\Windows Live
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
(...)

========= Koniec  CMD: =========

[Default string missing]

How can we correct the Path variable?

In Windows options or by importing a REG file. The Path variable is defined in the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

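A small diagnostic for the false-positive case picasso describes (a relative file name reported as "No file" only because the Path variable lost its system directories), added here as Python example code that is not from the thread or from FRST. The list of required directories and the sample disk contents are assumptions; the Path value is the one quoted in the log above.

```python
import ntpath

# Directories a relative file name is normally resolved through; a Path value that
# lacks them is the "broken Path" case from the log above (list is an assumption).
REQUIRED_PATH_DIRS = (r"%SystemRoot%\system32", r"%SystemRoot%", r"%SystemRoot%\System32\Wbem")

def _norm(entry, system_root):
    """Expand %SystemRoot%, drop case and trailing backslash so entries compare equal."""
    return entry.strip().lower().replace("%systemroot%", system_root.lower()).rstrip("\\")

def missing_system_dirs(path_value, system_root=r"C:\Windows"):
    """Return the required directories that a Path variable value does not contain."""
    present = {_norm(d, system_root) for d in path_value.split(";") if d.strip()}
    return [d for d in REQUIRED_PATH_DIRS if _norm(d, system_root) not in present]

def classify_no_file(name, path_value, existing_files, system_root=r"C:\Windows"):
    """Second-guess an FRST 'No file' verdict for a relative name such as mscoree.dll.
    existing_files is a constructed set of absolute paths standing in for the disk.
    Returns ('found', path) if Path resolves it, ('path-broken', path) if the file
    exists in a required system directory that Path omits, else ('missing', None)."""
    have = {f.lower() for f in existing_files}
    for d in [d for d in path_value.split(";") if d.strip()]:
        cand = ntpath.join(_norm(d, system_root), name.lower())
        if cand in have:
            return "found", cand
    for d in REQUIRED_PATH_DIRS:
        cand = ntpath.join(_norm(d, system_root), name.lower())
        if cand in have:
            return "path-broken", cand
    return "missing", None

# Path value quoted in the post above (system directories absent) and a constructed disk.
BROKEN_PATH = (r"C:\ProgramData\Oracle\Java\javapath;C:\Program Files (x86)\Skype\Phone\;"
               r"C:\Program Files\Common Files\Microsoft Shared\Windows Live")
FIXED_PATH = ";".join(REQUIRED_PATH_DIRS) + ";" + BROKEN_PATH
DISK = {r"C:\Windows\System32\mscoree.dll", r"C:\Windows\System32\aitagent.exe"}

if __name__ == "__main__":
    print("missing from Path:", missing_system_dirs(BROKEN_PATH))
    for f in ("mscoree.dll", "aitagent.exe", "gone.dll"):
        print(f, classify_no_file(f, BROKEN_PATH, DISK), classify_no_file(f, FIXED_PATH, DISK))
```

A "path-broken" result is the case where the Path variable should be repaired and the system rescanned rather than the entry removed; "missing" is the genuine leftover.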

#104 Herman_Salim (Member)

Hello..

What is the difference between SetDefaultFilePermissions: and Unlock: ?

Thank you.. :laughing:


#105 emeraldnzl (GeekU Instructor)

I am not an expert in the various Microsoft OSs, but here are my thoughts.

SetDefaultFilePermissions: in general, sets permissions that might have been changed by malware back to their default position. FRST sets ownership to the Administrators group.
However, system files controlled by TrustedInstaller will not be set back to their default position, although the command can still be used for system files.

Unlock: where malware has blocked access, this command sets ownership of the item to Administrator and grants access to all groups.

Someone with a better understanding may like to add to or expand on what I have said. :)
 

