10/29/2014
FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials
FRST Tutorial - How to use Farbar Recovery Scan Tool
Started by emeraldnzl, Nov 18 2013 05:41 PM
emeraldnzl
Farbar's Recovery Scan Tool
Farbar Recovery Scan Tool (FRST) is a diagnostic tool incorporating the ability to execute prepared script solutions on malware infected machines. It will work equally well in normal or safe mode, and where a machine has boot up problems it will work efficiently in the Windows Recovery Environment. Its ability to work in the recovery environment makes it particularly useful in dealing with problems associated with machines experiencing difficulty when booting up.
Donation Information

While FRST is free it is the product of hours of work by Farbar. The program contains many thousands of lines of code, and is updated often. In addition to maintaining the tool Farbar spends countless hours supporting forum helpers and their malware victims. If you find his FRST tool helpful and would like to make a donation to support his efforts simply click the Paypal button below:

https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=3636066
Tutorial Information
This tutorial has been created by emeraldnzl (http://www.geekstogo.com/forum/user/229568-emeraldnzl/) in consultation with farbar (http://www.geekstogo.com/forum/user/329828-farbar/) and with the kind co-operation of BC (http://www.bleepingcomputer.com/) (Bleeping Computer) and G2G (http://www.geekstogo.com/forum/index.php?) (Geeks to Go). Permission of both emeraldnzl and Farbar is required prior to using or quoting from the tutorial at other sites. Also note this tutorial was originally authored to offer guidance to helpers offering malware removal assistance at various forums.
Translations
French: http://assiste.forum.free.fr/viewtopic.php?f=162&t=28467
German: http://www.trojaner-board.de/145752-frst-anleitung.html
Polish: http://www.fixitpc.pl/topic/23904-frst-tutorial-obs%C5%82ugi-farbarrecovery-scan-tool/
Table of Contents

1. Introduction (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350712)
2. Canned Speeches/Download link (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350717)
3. Output (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350718)
4. Default Scan Areas (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350718)
5. Fixing (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350719)
   1. Processes
   2. Registry
   3. Internet
   4. Hosts
   5. Services/Drivers
   6. NetSvcs
   7. One Month Created Files and Folders and One Month Modified Files and Folders
   8. AlternateDataStreams
   9. Unicode
   10. Files to move or delete
   11. Some content of TEMP
   12. Known DLLs
   13. Bamital & volsnap Check
   14. EXE ASSOCIATION
   15. Restore Points
   16. Memory info
   17. Drives and MBR & Partition Table
   18. LastRegBack
   19. Addition.txt
6. Directives/Commands (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350720)
7. Examples of use (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350720)
   1. CloseProcesses:
   2. CMD:
   3. DeleteJunctionsInDirectory:
   4. DeleteKey:
   5. DeleteQuarantine:
   6. DisableService:
   7. EmptyTemp:
   8. File: and Folder:
   9. FindFolder:
   10. Hosts:
   11. ListPermissions:
   12. Move:
   13. nointegritychecks on:
   14. Reboot:
   15. Reg:
   16. RemoveDirectory:
   17. Replace:
   18. RestoreQuarantine:
   19. SaveMbr:
   20. SetDefaultFilePermissions:
   21. testsigning on:
   22. Unlock:
   23. VerifySignature:
8. Other features (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350722)
   Optional Scans
   Drivers MD5
   Shortcut.txt
   Search features
Trusted helpers and experts who have the requisite access may keep abreast of the latest tool developments at the FRST Discussion Thread (http://www.bleepingcomputer.com/forums/t/360106/farbar-recovery-scan-tool/).
emeraldnzl
Introduction
One of FRST's strengths is its simplicity. It is designed to be user friendly. Lines containing references to infected items can be identified, copied from the log, pasted into Notepad and saved. Then with a press of a button the tool does the rest. This allows for great flexibility: as new infections appear they can be identified and included in a fix.

What it will work with

Farbar's Recovery Scan Tool is designed to run on Windows XP, Windows Vista, Windows 7 and Windows 8 Operating Systems. There are two versions, a 32-bit and a 64-bit version. Note: FRST64 is not designed to run on XP 64-bit systems.

Diagnosis

FRST creates a log covering specific areas of the Windows Operating System. This can be used for initial problem analysis and to tell you some information about the system. The tool is under constant development, part of which includes the addition of new malware identification labels. Accordingly, it is strongly recommended to update regularly. If the computer is connected to the internet there will be an automatic check for available updates when FRST is opened. A notification will appear and the latest version can then be downloaded. Where a new infection manifests or an update is not possible, e.g. no internet connection for whatever reason, the expert needs to be abreast of the latest developments in the malware infection field to enable early pinpointing of the problem. The lay user should seek expert help when new infections appear or when they find difficulty in identifying the problem on their machine.

By default, like many other scanners, FRST applies whitelisting. This avoids very long logs. If you do want to see a full log, the relevant box in the Whitelist section should be unchecked. Be prepared for a very long log that may have to be uploaded as an attachment for analysis. FRST not only whitelists the default MS entries from the registry section but in some cases (like ShellIconOverlayIdentifiers) also whitelists the safe entries from third party programs too. In the case of Services and Drivers the whitelist covers not only the default MS services but also all other legitimate services and drivers. Any service or driver file without a company name is not whitelisted. No security program (AV or Firewall) is whitelisted. The SPTD service is not whitelisted.

Preparation for use

Make sure FRST is run under administrator privileges. Only when the tool is run by a user that has administrator privileges will it work properly. If a user doesn't have administrator privileges you will see a warning in the header of FRST.txt about it. In some cases a security program will prevent the tool from running fully. Generally there won't be a problem, but be alert to the possibility that when a scan is requested a security program may prevent the running of the tool. When fixing it is preferred to disable programs like Comodo that might prevent the tool from doing its job. A general recommendation to everyone is that when you are dealing with a rootkit, it is better to do one fix at a time and wait for the outcome before running another tool.
It is not necessary to create a registry backup. FRST makes a backup of the registry hives the first time it runs. The backup is located in %SystemDrive%\FRST\Hives (in most cases C:\FRST\Hives) and will not be overwritten by the subsequent runs of the tool.
Running FRST

The user is instructed to download FRST to the Desktop. From there it is a simple matter to double click the FRST icon, accept the disclaimer, and run it. The FRST icon looks like this:
(http://s739.photobucket.com/user/emeraldnzl/media/FRSTicon.jpg.html)
Note: You need to run the version compatible with the user's system. There are 32-bit and 64-bit versions. If you are not sure which version applies, have the user download both of them and try to run them. Only one of them will run on the system; that will be the right version.

Once FRST is opened the user is presented with a console looking like this:
(http://s739.photobucket.com/user/emeraldnzl/media/FRSTconsolelatest.jpg.html)
emeraldnzl
Canned Speeches

Example instruction for the malware helper expert to have the user run FRST in normal mode:

Please download [url=http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]Farbar Recovery Scan Tool[/url] and save it to your Desktop. [color=green][b]Note[/b]: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.[/color]
[LIST]
[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click [b]Yes[/b] to disclaimer.
[*]Press [b]Scan[/b] button.
[*]It will produce a log called [b]FRST.txt[/b] in the same directory the tool is run from.
[*]Please copy and paste log back here.
[*]The first time the tool is run it generates another log ([b]Addition.txt[/b] - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
[/LIST]
Example instruction to run FRST on Vista, Windows 7 and Windows 8 in the Recovery Environment (RE):
[LIST]
[*]On a clean machine, please download [url=http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]Farbar Recovery Scan Tool[/url] and save it to a flash drive. [color=green][b]Note[/b]: You need to run the version compatible with your system.[/color] Plug the flashdrive into the infected PC.
[*]If you are using Windows 8 consult [url=http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/]How to use the Windows 8 System Recovery Environment Command Prompt[/url] to enter System Recovery Command prompt. If you are using Vista or Windows 7 enter [b]System Recovery Options[/b].
[color=#0000FF][b]To enter System Recovery Options from the Advanced Boot Options:[/b][/color]
[LIST]
[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the [b]F8[/b] key until Advanced Boot Options appears.
[*]Use the arrow keys to select the [b]Repair your computer[/b] menu item.
[*]Select [b]US[/b] as the keyboard language settings, and then click [b]Next[/b].
[*]Select the operating system you want to repair, and then click [b]Next[/b].
[*]Select your user account and click [b]Next[/b].
[/LIST]
[color=green][b]Note[/b]: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used. To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html[/color]
[color=#0000FF][b]To enter System Recovery Options by using Windows installation disc:[/b][/color]
[LIST]
[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click [b]Repair your computer[/b].
[*]Select [b]US[/b] as the keyboard language settings, and then click [b]Next[/b].
[*]Select the operating system you want to repair, and then click [b]Next[/b].
[*]Select your user account and click [b]Next[/b].
[/LIST]
[*][color=#008000][b]On the System Recovery Options menu you will get the following options:[/b][/color]
[b]Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/b]
Select [b]Command Prompt[/b]
[*][color=#FF0000][b]Once in the Command Prompt:[/b][/color]
[LIST]
[*]In the command window type in [b]notepad[/b] and press [b]Enter[/b].
[*]The notepad opens. Under File menu select [b]Open[/b].
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type [b][color=#FF0000]e[/color]:\frst[/b] (for x64 bit version type [b][color=#FF0000]e[/color]:\frst64[/b]) and press [b]Enter[/b]
[b]Note:[/b] Replace letter [color=#FF0000]e[/color] with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press [b]Scan[/b] button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
[/LIST]
[/LIST]
Once FRST has completed its scan it will save notepad copies of the scan in the same location that FRST was started from. On the first scan both an FRST.txt log and an Addition.txt log will be produced. On subsequent scans, unless specifically requested (see optional scans in the Console), FRST will only produce a FRST.txt log. Copies of logs are saved at %systemdrive%\FRST\Logs (in most cases this will be C:\FRST\Logs).
Fixes

FRST has a range of commands and switches that can be used both to manipulate the computer's processes and to fix problems you have identified. To fix identified problems, copy and paste the line from the FRST.txt log to a text file named fixlist.txt using Notepad. The fixlist.txt is saved in the same location the tool is saved to. In the case of a normal or safe mode scan this will be the Desktop. In the case of a recovery environment scan it will be a flash drive. Note: It is important that Notepad is used. The fix will not work if Word or some other program is used.

Example instruction for a fix carried out in normal or safe mode, i.e. within Windows:
Download attached [b]fixlist.txt[/b] file and save it to the Desktop.
[u][b]NOTE.[/b][/u] It's important that both files, [b]FRST/FRST64[/b] and [b]fixlist.txt[/b] are in the same location or the fix will not work.
[b][color=red]NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system[/color][/b]
Run [b][color=#0000FF]FRST/FRST64[/color][/b] and press the [b]Fix[/b] button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
Example instructions to run a fix in the Recovery Environment (RE):
Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it on the flash drive as [b]fixlist.txt[/b]
[quote]
Script goes here
[/quote]
[color=red][b]NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system[/b][/color]
On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the PE (Preinstallation Environment) disk.
Run [b]FRST/FRST64[/b] and press the [b]Fix[/b] button just once and wait. The tool will generate a log on the flashdrive ([b]Fixlog.txt[/b]) please post it in your reply.
Items moved by the fix are kept in %systemdrive%\FRST\Quarantine (in most cases this will be C:\FRST\Quarantine) until clean up and deletion of FRST. For detailed information about preparing fixes see the Fixing section in the tutorial.
Download Links

Direct Download Links: The latest version of Farbar's Recovery Scan Tool may be downloaded from http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
emeraldnzl
Output
Header

Here is an example header:
Quote
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-10-2014 01
Ran by Someperson (administrator) on SOMEPERSON-PC on 10-10-2014 11:26:18
Running from C:\Users\Someperson\Desktop
Loaded Profile: Someperson (Available profiles: Someperson & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
Perusal of the header can be very helpful:

First line: tells whether it has been run on a 32 or 64-bit machine. The version of FRST is also shown. The version number is particularly important. An old version may not have the most up to date functionality.
Second line: shows what user ran the tool and under what permissions. This can alert you to whether the user has the appropriate permission rights. The line also shows you the computer name together with what date and time the tool was run. Sometimes a user will inadvertently post an old log.
Third line: tells you where FRST was run from. This may be relevant for fix instructions if it has run from somewhere other than the Desktop.
Fourth line: tells you what account (profile) the user is logged in under, i.e. the loaded user hive. Next, in parentheses, the "Available profiles" records all profiles on the machine including those that are not currently loaded.
Note: When you log into Windows, only the user hive of the logged on user is loaded. If the user logs into another account without restarting (by using "Switch user" or "Log off"), the second user hive gets loaded but the first one doesn't get unloaded. In that situation FRST will list the registry entries of both users but doesn't list the registry entries specific to any other users because those hives are not loaded.
Fifth line: records the version of Windows on the machine including Service Pack number together with the language used. This may alert you to a problem with updates if the Service Pack is not the latest.
Sixth line: gives you the version of Internet Explorer.
Seventh line: tells you what mode the scan was run under.
Following that there is a line showing the tutorial link.
Note 2: The information in a header run in the Recovery Environment is similar although it is necessarily truncated as user profiles are not loaded.

Alerts that can show in the header

When there are boot problems you may see something like "Attention: Could not load system hive". That tells you that the system hive is missing. Restoring the hive using LastRegBack: may be a solution (see below).
"The current controlset is ControlSet001" or "The current controlset is ControlSet002" - The notification tells you which CS on the system is the default CS. Why do you need it? Normally you don't need it, but in a case where you want to look into or manipulate the CS that will be loaded when Windows boots, then you know which CS should be looked into or manipulated. Doing anything to other available CS has no effect on the system.
Default Scan Areas
On the first run outside the recovery environment a FRST.txt log and an Addition.txt log are generated. Thereafter, if an Addition.txt scan is required then the appropriate box needs to be checked/ticked before running the scan. An Addition.txt log is not produced when FRST is run in the recovery environment.
Scans run in normal mode:
Farbar Recovery Scan
Processes
Registry
Internet
Services
Drivers
NetSvcs
One Month Created Files and Folders
One Month Modified Files and Folders
Files to move or delete
Some content of TEMP
Bamital & volsnap Check
LastRegBack:
Additional Scan (available only outside Recovery Environment)
Security Center
Installed Programs
Restore Points
hosts content
Scheduled Tasks
Loaded Modules
Alternate Data Streams
Safe Mode
EXE Association
MSCONFIG/TASK MANAGER disabled items
Accounts
Faulty Device Manager Devices
Event log errors
Memory info
Drives
MBR & Partition Table

Optional Scans
List BCD
Drivers MD5
Shortcut.txt (available only outside Recovery Environment)
Addition.txt (available only outside Recovery Environment)

Scan run in the Recovery Environment:
Farbar Recovery Scan
Registry
Services
Drivers
NetSvcs
One Month Created Files and Folders
One Month Modified Files and Folders
Files to move or delete
Some content of TEMP
Known DLLs
Bamital & volsnap Check
EXE ASSOCIATION
Restore Points
Memory info
Drives
MBR & Partition Table
LastRegBack:
emeraldnzl
Fixing

Care, Very Important: Farbar Recovery Scan Tool is non invasive and in scan mode it cannot harm a machine. It just scans what is there and compiles a report. However FRST is also very effective at carrying out instructions given to it. When applying a fix, if it is asked to remove an item, in 99% of cases it will do so. While there are some safeguards built in they are necessarily broad based and designed not to interfere with removal of infection. The user needs to be aware of that. Used incorrectly (that is, if requested to remove essential files), the tool can render a computer unbootable.

If you are unsure about any items in a FRST report always seek expert help before administering a fix.
Fixlog header

Like the scan header the Fixlog header contains information that is useful. Here is an example header:

Quote

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-10-2014 02
Ran by Owner at 2014-10-12 20:07:49 Run:7
Running from C:\Users\Owner\Downloads
Loaded Profile: Owner (Available profiles: Owner)
Boot Mode: Normal

First line: tells you similar information to the scan header.
Second line: tells you the date and time the fix was run. It also tells you the Run number.
Third line: tells you where the fix was run from.
Fourth line: tells you what account (profile) the user is logged in under.
Fifth line: tells you what mode the fix was run under.
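To show how the header fields described above (for both the scan header and the Fixlog header) map onto the checks a helper makes, here is an added Python example that is not part of the tutorial or of FRST itself. It parses the two example headers into named fields and flags what the text says to look for: a run without administrator rights, an old tool version, an old log, a run location other than the Desktop, a boot mode other than Normal, and any Attention line. The sample headers are constructed from the tutorial's examples; the `(x86)` label for 32-bit runs, the dd-mm-yyyy reading of the version date, the seven-day staleness threshold and the review date are assumptions of this example.

```python
import re
from datetime import date, datetime

# Constructed sample headers, modelled on the two example headers quoted in the tutorial.
SCAN_HEADER = """\
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-10-2014 01
Ran by Someperson (administrator) on SOMEPERSON-PC on 10-10-2014 11:26:18
Running from C:\\Users\\Someperson\\Desktop
Loaded Profile: Someperson (Available profiles: Someperson & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
"""

FIX_HEADER = """\
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-10-2014 02
Ran by Owner at 2014-10-12 20:07:49 Run:7
Running from C:\\Users\\Owner\\Downloads
Loaded Profile: Owner (Available profiles: Owner)
Boot Mode: Normal
"""

TODAY = date(2014, 10, 29)  # assumed review date for the demo

# Line shapes follow the tutorial's examples; the "x86" label for 32-bit runs
# and the dd-mm-yyyy version date are assumptions of this example.
FIRST_LINE = re.compile(
    r"^(?P<kind>Scan|Fix) result of Farbar Recovery (?:Scan )?Tool \([^)]*\) "
    r"\((?P<arch>x86|x64)\) Version: (?P<vdate>\d{2}-\d{2}-\d{4}) (?P<build>\d{2})$")
SCAN_RAN = re.compile(
    r"^Ran by (?P<user>.+?) \((?P<rights>[^)]+)\) on (?P<host>\S+) "
    r"on (?P<when>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})$")
FIX_RAN = re.compile(
    r"^Ran by (?P<user>.+?) at (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Run:(?P<run>\d+)$")
PROFILE = re.compile(r"^Loaded Profile: (?P<loaded>.+?) \(Available profiles: (?P<avail>.+)\)$")
PLATFORM = re.compile(r"^Platform: (?P<platform>.+?) OS Language: (?P<lang>.+)$")


def parse_header(text):
    """Parse the header lines of FRST.txt or Fixlog.txt into a dict of named fields."""
    h = {"attention": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FIRST_LINE.match(line):
            h["kind"] = m["kind"].lower()
            h["arch"] = m["arch"]
            h["version"] = datetime.strptime(m["vdate"], "%d-%m-%Y").date()
            h["build"] = int(m["build"])
        elif m := SCAN_RAN.match(line):
            h.update(user=m["user"], rights=m["rights"], host=m["host"],
                     run_at=datetime.strptime(m["when"], "%d-%m-%Y %H:%M:%S"))
        elif m := FIX_RAN.match(line):
            h.update(user=m["user"], run_number=int(m["run"]),
                     run_at=datetime.strptime(m["when"], "%Y-%m-%d %H:%M:%S"))
        elif line.startswith("Running from "):
            h["running_from"] = line[len("Running from "):]
        elif m := PROFILE.match(line):
            h["loaded_profile"] = m["loaded"]
            h["available_profiles"] = [p.strip() for p in m["avail"].split("&")]
        elif m := PLATFORM.match(line):
            h["platform"], h["os_language"] = m["platform"], m["lang"]
        elif line.startswith("Internet Explorer Version "):
            h["ie_version"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Boot Mode: "):
            h["boot_mode"] = line[len("Boot Mode: "):]
        elif line.startswith("Attention:"):
            h["attention"].append(line)      # e.g. "Attention: Could not load system hive"
        else:
            h["unparsed"].append(line)
    return h


def header_warnings(h, today, max_age_days=7):
    """Flag what the tutorial says to check: rights, stale tool, stale log,
    run location, boot mode and Attention alerts. max_age_days is a local choice."""
    w = []
    if "rights" in h and h["rights"].lower() != "administrator":
        w.append("rights: run as '%s', not administrator; the tool will not work properly" % h["rights"])
    if "version" in h and (today - h["version"]).days > max_age_days:
        w.append("version: FRST build is %d days old, ask for an updated copy" % (today - h["version"]).days)
    if "run_at" in h and (today - h["run_at"].date()).days > max_age_days:
        w.append("date: log is %d days old, it may be an old log" % (today - h["run_at"].date()).days)
    here = h.get("running_from", "")
    if here and not here.lower().endswith("\\desktop"):
        w.append("location: run from %s, so fixlist.txt must be placed there" % here)
    if h.get("boot_mode", "Normal") != "Normal":
        w.append("boot mode: %s" % h["boot_mode"])
    w.extend("alert: " + a for a in h.get("attention", []))
    return w


if __name__ == "__main__":
    for text in (SCAN_HEADER, FIX_HEADER):
        info = parse_header(text)
        print(info["kind"], info["arch"], info["version"], info.get("user"))
        for warning in header_warnings(info, TODAY):
            print("  !", warning)
```

Running the script prints the parsed kind, architecture, version date and user for each header, followed by the warnings; with the assumed review date both sample logs are flagged as old, and the fix log is also flagged for having been run from Downloads rather than the Desktop.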
Processes

There are two reasons why you might want to stop a process. First, you may want to stop a security program that might get in the way of a fix. Secondly, you may want to stop a bad process and then remove the folder or file associated with it. To stop a process include the appropriate lines from the FRST scan. Example:
Quote
(Symantec Corporation) C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
(IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
A Fixlog.txt will be generated with this label: Process name => Process closed successfully

If you have a bad process and wish to remove the associated file or folder you need to include the item separately in your fix like this. Example:

Quote

(Spigot, Inc.) C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
(Spigot Inc) C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings64.exe
C:\Program Files (x86)\Common Files\Spigot
Registry

Registry entries (keys or values) that are taken from the FRST log and included in the fixlist to be deleted, will be deleted. FRST has a powerful deletion routine for keys and values. All the keys and values that resist deletion due to insufficient permissions or null embedded characters will be deleted. The only keys that will not be deleted are those keys that are protected by a kernel driver. Those keys/values should be deleted after the kernel driver that is protecting them is removed or disabled.

Copying and pasting the items from a log into a fix triggers FRST to perform one of two actions on the listed registry key: 1. Restoring the default key or 2. deleting the key. When the entries from the log related to winlogon values (Userinit, Shell, System), LSA, and AppInit_DLLs are copied to the fixlist.txt the tool restores the default Windows values. Note: With AppInit_DLLs where there is one bad path, FRST removes that particular path from the AppInit_DLLs value without removing the rest. No need for any batch or regfix. The same applies to some other important keys that might be hijacked by the malware.

Note: FRST does not touch the files the registry keys are loading or executing. Files to be moved must be listed separately with the full path without any additional information. Except for one case (see below) the Run and Runonce entries if copied to the fixlist.txt will be removed from the registry. The files they are loading or executing will not be removed. If you wish to remove them you must list them separately. For example, to remove the bad run entry along with the file you would list them in the fixlist.txt as follows (the first line being copied directly from the log):
Quote
HKLM\...\Run: [bad] "C:\Windows\bad.exe" [x]
C:\Windows\bad.exe
Example

Quote
HKLM\...\Run: [3ktQnKPKDDuPsCd] C:\Users\Someperson 3\AppData\Roaming\xF9HhFtI.exe [334848 2012-08-03] ()
C:\Users\Someperson 3\AppData\Roaming\xF9HhFtI.exe
There is one case where a Run value is not removed but reset to its default path. In that case you will see this line in the log:
Quote
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x] <===== ATTENTION (File name is altered)
When that line is included in the fixlist the default entry will be restored.

In the case of Notify keys, where they are included in the fixlist.txt, if they are among the default keys the tool restores the value (DllName) data related to that key. If the key is not a default key it will be removed. The Image File Execution Options entries when included in the fixlist.txt will be removed.

When a file or shortcut in the Startup folder is detected, FRST lists the file on the Startup: entries. If the file is a shortcut the next line will list the shortcut target (i.e. the executable that is run by the shortcut). To remove both the shortcut and the target file you need to include both of them. Example:
Quote
Startup: C:\Users\rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
ShortcutTarget: runctf.lnk -> C:\Users\rob\1800947.exe ()
Note: The first line only moves the shortcut. Listing the second line moves the 1800947.exe file. If you only list the second line, the executable file will be removed but the shortcut will remain in the Startup folder. The next time the system is started it will throw an error when the shortcut tries to run the executable and doesn't find it.
Internet

Apart from a few exceptions, items copied to fixlist.txt will be removed. Where folders/files are involved they must be copied separately to the fix. Note: In the case of HKLM DefaultScope (hijacked or missing) however, it will be reset, not deleted. This applies to FF and Chrome as well. Note 2: In the case of StartMenuInternet hijacking for IE, FF and Chrome, the default entries will be whitelisted. When the entry appears on the FRST log, there should be something wrong with the path in the registry. The entry can be included in the fixlist and the default registry entry will be restored.
Internet Explorer
Where the home page is pasted into fixlist.txt the value will be removed, returning the browser setting to the default position. The listing would be entered like this (the line is entered directly from the log):
Quote
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.condui... &ctid=CT3244149 ()
Where internet search providers are involved the item can be pasted into fixlist.txt and the key will be deleted. The items are entered as follows:
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweeti...q={searchTerms} ()
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweeti...q={searchTerms} ()
Toolbars and BHOs (Browser Helper Objects) can be copied into the fix and the key will be deleted. Accompanying files/folders must be entered separately if they need to be moved. Example:
BHO: PriceGongBHO Class - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files\PriceGong\2.1.0\PriceGongIE.dll (PriceGong)
BHO: WhiteSmoke US New Toolbar - {462be121-2b54-4218-bf00-b9bf8135b23f} - C:\Program Files\WhiteSmoke_US_New\prxtbWhit.dll (Conduit Ltd.)
BHO-x32: Yontoo - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll (Yontoo LLC)
C:\Program Files\PriceGong
C:\Program Files\WhiteSmoke_US_New
C:\Program Files (x86)\Yontoo
ActiveX objects can be pasted into the fix and the item will be removed. Just enter the line like so:
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (http://java.sun.com/...indows-i586.cab)
Firefox
FRST lists FF keys (if present) regardless of whether FF is installed or not. Where the home page is pasted into fixlist.txt the value will be removed. The next time Firefox is started it will revert to its default homepage. The listing is entered like this (the line is taken directly from the log):
FF Homepage: hxxp://www.ask.com/
For Add-ons, Extensions and Plugins the entry from the log can be entered in the fixlist and the item will be moved. Where there is a file to be moved for either an Add-on or an Extension, it must be entered separately. For Plugins both the registry entry and the file will be deleted (see below). Example for an Add-on or Extension:
FF HKCU\...\Firefox\Extensions: [{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}] - C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi
FF Extension: No Name - C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi [2013-02-08]
For Firefox Plugins, processing the entry will delete both elements, no need to include a file path. Example for a Plugin:
Content of fixlist:
*****************
FF Plugin-x32: @tools.bdupdater.com/BonanzaDealsLive Update;version=3 - C:\Program Files (x86)\BonanzaDealsLive\Update\1.3.23.0\npGoogleUpdate3.dll (BonanzaDeals)
FF Plugin-x32: @tools.bdupdater.com/BonanzaDealsLive Update;version=9 - C:\Program Files (x86)\BonanzaDealsLive\Update\1.3.23.0\npGoogleUpdate3.dll (BonanzaDeals)
*****************
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.bdupdater.com/BonanzaDealsLive Update;version=3 => Key deleted successfully.
C:\Program Files (x86)\BonanzaDealsLive\Update\1.3.23.0\npGoogleUpdate3.dll => Moved successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@tools.bdupdater.com/BonanzaDealsLive Update;version=9 => Key deleted successfully.
C:\Program Files (x86)\BonanzaDealsLive\Update\1.3.23.0\npGoogleUpdate3.dll not found.
==== End of Fixlog ====
All other items, when the line is entered in fixlist.txt, will be removed. Files/folders must be entered separately (just the path) to be moved.
Chrome
FRST lists Chrome keys (if present) regardless of whether Chrome is installed or not. Google Chrome DefaultSearchProvider is not fixed through FRST; in that case you will need to fix it using Chrome's "Settings" facility. If the DefaultSearchProvider item is for some reason included in a fix, FRST will return a label like this: ==> The Chrome "Settings" can be used to fix the entry. Where you see something like this:
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Farbar\AppData\Local\Google\Chrome\Application\27.0.1453.94\gcswf32.dll No File
This means that the particular file is missing and the plugin is not available. Including the entry in the fixlist will not remove the entry. "No File" entries can be removed by refreshing Google Chrome's plugins cache. To refresh the plugins cache and remove the orphans, do the following:
Open Chrome. Copy and paste the following in the address bar and press Enter:
chrome://plugins
You will get a page with all the plugins listed. There is an option to disable each plugin. Press "Disable" under each plugin involved. Then press "Enable". Close Chrome.
Deleting the extension folder using FRST does effectively remove the extension. It cannot run, and does not do any harm to Chrome's operation, but the extension name remains in the prefs file. For that reason it is better to use Chrome's own tools in this instance. Processing a Registry type of extension will delete both elements at once if found (no need to include a second line pointing to the file). You might see something like this in the FRST log:
CHR HKLM-x32\...\Chrome\Extension: [ejnmnhkgiphcaeefbaooconkceehicfi] - C:\Program Files (x86)\DealPly\DealPly.crx
CHR HKLM-x32\...\Chrome\Extension: [ejpbbhjlbipncjklfjjaedaieimbmdda] C:\Users\Agata\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
Just include the lines in the fixlist and you will get this report after the fix:
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejnmnhkgiphcaeefbaooconkceehicfi => Key deleted successfully.
"C:\Program Files (x86)\DealPly\DealPly.crx" => File/Directory not found.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda => Key deleted successfully.
C:\Users\Agata\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx => Moved successfully.
Where you see this:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
Some adware use Group Policy to block changes to extensions. Include the lines in the fixlist and you will see the following in the Fixlog.txt report:
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
Where you see this:
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
"Preferences" is the core configuration file for Chrome, where all the user's settings are saved. There are cases where malware corrupts the "Preferences" file or just leaves a zero-byte Preferences file. FRST alerts you to the problem. The best action is to remove the "Preferences" file and restart Chrome. Where you wish to remove something other than a registry type of extension, the instructions under FF above apply to Add-ons, extensions, plugins and all other items. For browsers (Opera, Avant, Safari) that are not shown in the log, the best option is a complete uninstall followed by a reboot and reinstall.
Winsock
Items not on the default list will show in the log. If a catalog 5 entry is listed to be fixed, FRST will do one of two things:
1. In the case of hijacked default entries, it will restore the default entry.
2. In the case of custom entries, it will remove the entry and re-number the catalog entries.
Where there are catalog 9 entries to be fixed, it is recommended to use "netsh winsock reset". Where there are still custom catalog 9 entries to be fixed, they can be listed to be fixed. In that case FRST will remove the entries and re-number the catalog entries. Care: a broken chain will prevent a machine connecting to the Internet. Broken internet access due to missing winsock entries will be reported in the log like this:
Winsock: Missing Catalog5 entry, broken internet access. <===== ATTENTION.
To fix the issue, the entry can be included in the fixlist.txt like this:
Winsock: Missing Catalog5 entry, broken internet access. <===== ATTENTION.
In a case of ZeroAccess infection we might get a log like this:
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
When included in the fixlist, FRST will reset the Catalog5 entries but does nothing to problematic Catalog9 entries and tells you to use "netsh winsock reset" to deal with them. A full fix script would look like this:
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset
Note the cmd: netsh winsock reset line included in the fix. The Fixlog generated after the fix would look like this:
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\System32\NLAapi.dll
Winsock: Catalog5 entry 000000000006\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\System32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000006\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
========= netsh winsock reset =========
"Successfully reset the Winsock Catalog. You must restart the computer in order to complete the reset."
========= End of CMD: =========
Note: In certain situations the netsh winsock reset command may not work. When that happens, have the user reboot the machine and run cmd: netsh winsock reset again.
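The Catalog5/Catalog9 rule above, applied to the ZeroAccess log lines quoted in this section: Catalog5 lines (and the "Missing Catalog5 entry" alert) go into the fixlist, while Catalog9 problems only add the cmd: netsh winsock reset line. This is an added Python example, not code from the tutorial or from FRST.

```python
import re
from typing import Dict, List, Optional

# A Winsock catalog line as FRST prints it, e.g.
#   Winsock: Catalog5-x64 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
WINSOCK_RE = re.compile(
    r'^Winsock: (?P<catalog>Catalog[59](?:-x64)?) (?P<index>\d+) (?P<module>\S+) '
    r'(?P<status>.*?)(?: ATTENTION: The LibraryPath should be "(?P<expected>[^"]+)")?$'
)
MISSING_CATALOG5 = "Winsock: Missing Catalog5 entry, broken internet access."
NETSH_RESET = "cmd: netsh winsock reset"


def parse_winsock_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a Catalog5/Catalog9 line, or None for any other line."""
    m = WINSOCK_RE.match(line.strip())
    return m.groupdict() if m else None


def build_winsock_fix(log_lines: List[str]) -> List[str]:
    """Assemble the fixlist.txt content for the Winsock lines of an FRST log.

    Catalog5 lines (including -x64) are copied verbatim: FRST restores hijacked
    defaults and removes custom entries.  Catalog9 problems are left alone by
    FRST, so when any are present the script ends with "cmd: netsh winsock reset".
    The "Missing Catalog5 entry" alert line is copied too, as the tutorial shows.
    """
    fix: List[str] = []
    catalog9_problems = 0
    for raw in log_lines:
        line = raw.strip()
        if line.startswith(MISSING_CATALOG5):
            fix.append(line)
            continue
        fields = parse_winsock_line(line)
        if fields is None:
            continue  # not a Winsock catalog line
        if fields["catalog"].startswith("Catalog9"):
            catalog9_problems += 1
        else:
            fix.append(line)
    if catalog9_problems:
        fix.append(NETSH_RESET)
    return fix


def expected_library_paths(log_lines: List[str]) -> Dict[str, str]:
    """Map 'CatalogN index' -> the LibraryPath FRST says the entry should hold."""
    out: Dict[str, str] = {}
    for raw in log_lines:
        fields = parse_winsock_line(raw)
        if fields and fields["expected"]:
            out[f'{fields["catalog"]} {fields["index"]}'] = fields["expected"]
    return out


# The ZeroAccess log excerpt quoted in the tutorial above.
ZEROACCESS_LOG = [
    r'Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"',
    r'Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"',
    r"Winsock: Catalog9 01 mswsock.dll File Not found ()",
    r"Winsock: Catalog9 02 mswsock.dll File Not found ()",
    r'Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"',
    r'Winsock: Catalog5-x64 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"',
    r"Winsock: Catalog9-x64 01 mswsock.dll File Not found ()",
    r"Winsock: Catalog9-x64 02 mswsock.dll File Not found ()",
]

if __name__ == "__main__":
    print("\n".join(build_winsock_fix(ZEROACCESS_LOG)))
```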
Tcpip
Tcpip and other entries when included in the fixlist.txt will be deleted.
hosts
When there are custom entries in Hosts (http://en.wikipedia.org/wiki/Hosts_(file)), you will get a line in the Internet section of the FRST.txt log saying "There are more than one entries detected in hosts" (see Additional Scan). If the hosts file is not detected, there will be an entry about not being able to detect hosts. To reset the hosts, just copy and paste the line into the fixlist.txt and the hosts will be reset. You will see a line in Fixlog.txt confirming the reset.
Services and Drivers
The Services and Drivers are formatted as follows:
RunningState StartType ServiceName; ImagePath [Size CreationDate] (CompanyName)
RunningState - the letter beside the number represents the running state: R=Running, S=Stopped, U=Undetermined.
StartType - the numbers are: 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled, 5=Assigned by FRST when it is unable to read the start type.
FRST scans for a number of known infections and verifies the digital signature of the files for Services and Drivers. Where a file is not digitally signed it will be reported. Example:
==================== Services (Whitelisted) =================
R2 DcomLaunch; C:\Windows\system32\rpcss.dll [512512 2010-11-20] (Microsoft Corporation) [File not signed]
R2 RpcSs; C:\Windows\system32\rpcss.dll [512512 2010-11-20] (Microsoft Corporation) [File not signed]
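The Services and Drivers line format just described, split into its documented fields and turned into the removal entries the tutorial prescribes below (the service line plus a separate, unquoted file path; a hijacked Winmgmt entry gets only the line). This is an added Python example, not code from the tutorial or from FRST; the sample lines are the tutorial's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Services/Drivers line, in the layout given above:
#   RunningState StartType ServiceName; ImagePath [Size CreationDate] (CompanyName)
# optionally followed by "[File not signed]", "[x]" or "ATTENTION! ====> <Infection>".
# Paths containing spaces are quoted in the log.
SERVICE_RE = re.compile(
    r'^(?P<state>[RSU])(?P<start>[0-5]) (?P<name>[^;]+); '
    r'(?P<path>"[^"]+"|.+?)(?= \[| \(|$)'
    r'(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?'
    r'(?: \((?P<company>[^)]*)\))?(?P<rest>.*)$'
)
ATTENTION_RE = re.compile(r"ATTENTION! ====> (?P<label>\S+)")
RUNNING_STATE = {"R": "Running", "S": "Stopped", "U": "Undetermined"}
START_TYPE = {0: "Boot", 1: "System", 2: "Auto", 3: "Demand", 4: "Disabled",
              5: "Unknown (FRST could not read the start type)"}


@dataclass
class ServiceEntry:
    raw: str                  # the log line exactly as FRST printed it
    state: str                # R / S / U
    start_type: int           # 0-5
    name: str
    image_path: str           # surrounding quotes removed
    size: Optional[int]
    created: Optional[str]
    company: Optional[str]
    unsigned: bool            # "[File not signed]" present
    no_file_info: bool        # "[x]" printed instead of size/date
    attention: Optional[str]  # infection label, e.g. "ZeroAccess"

    @property
    def running(self) -> bool:
        return self.state == "R"


def parse_service_line(line: str) -> ServiceEntry:
    """Split one Services/Drivers log line into its documented fields."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if not m:
        raise ValueError(f"not an FRST service/driver line: {line!r}")
    rest = m.group("rest")
    att = ATTENTION_RE.search(rest)
    return ServiceEntry(
        raw=line, state=m.group("state"), start_type=int(m.group("start")),
        name=m.group("name"), image_path=m.group("path").strip('"'),
        size=int(m.group("size")) if m.group("size") else None,
        created=m.group("date"), company=m.group("company"),
        unsigned="[File not signed]" in rest, no_file_info="[x]" in rest,
        attention=att.group("label") if att else None,
    )


def review(entry: ServiceEntry) -> List[str]:
    """Why a helper would look at this entry, following the tutorial's rules."""
    notes = []
    if entry.attention:
        notes.append(f"flagged by FRST as {entry.attention}")
    if entry.unsigned:
        notes.append("file not digitally signed: replace it with a good copy (Replace:)")
    if entry.no_file_info:
        notes.append("no size/date for the image file ([x])")
    if entry.start_type == 5:
        notes.append(START_TYPE[5])
    return notes


def fixlist_for_removal(entry: ServiceEntry) -> List[str]:
    """fixlist.txt lines that remove the service and its file.

    The service line alone only deletes the service key, so the file path goes on
    its own line (unquoted).  A hijacked Winmgmt entry is the exception: listing
    the line restores the Parameters and no file line is needed.
    """
    if entry.name.lower() == "winmgmt":
        return [entry.raw]
    return [entry.raw, entry.image_path]


if __name__ == "__main__":
    # Sample lines taken from the tutorial's own examples.
    for text in (
        r"R2 DcomLaunch; C:\Windows\system32\rpcss.dll [512512 2010-11-20] (Microsoft Corporation) [File not signed]",
        r"R2 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess",
        r"S2 Winmgmt; C:\PROGRA~2\dfgujiynkowgcsquunu.bfg [x]",
    ):
        e = parse_service_line(text)
        print(f"{e.name}: {RUNNING_STATE[e.state]}, {START_TYPE[e.start_type]}, {review(e)}")
        print("  fixlist:", fixlist_for_removal(e))
```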
To fix a file that is not signed it needs to be replaced with a good copy; use the Replace: command. To remove a bad service or driver service, the line from the scan log is copied to fixlist.txt. The tool closes (stops) any service entry that is included in the fixlist.txt and removes the service key, but it will not remove the file. The file should be included separately. There is one exception (see below). For example, to remove a bad service or driver entry along with its file you would list them in the fixlist.txt as follows:
R2 Bad service; C:\Windows\System32\Bad service.exe
C:\Windows\System32\Bad service.exe
R3 WajamUpdater; "C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe" [109064 2013-01-09] (Wajam)
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe
There is one exception with Windows Management Instrumentation where it has been hijacked by Ransomware. In that case you will see something like:
S2 Winmgmt; C:\PROGRA~2\dfgujiynkowgcsquunu.bfg [x]
When that line is included in the fixlist it will restore the Parameters. Note: FRST will report success or failure of stopping services that are running. Regardless of whether the service is stopped or not, FRST attempts to delete the service. Where a running service is deleted FRST will inform the user about completing the fix and the need to restart, then FRST will restart the system. You will see a line at the end of Fixlog about the needed restart. If a service is not running, FRST will delete it without forcing a restart. Example for drivers:
S0 442564429e863a90; C:\Windows\System32\Drivers\442564429e863a90.sys [75208 2012-06-26] ()
C:\Windows\System32\Drivers\442564429e863a90.sys
NetSvcs
Known legitimate entries are whitelisted. As with other scanned areas that have a whitelist, this does not mean that items appearing in FRST.txt are all bad, just that they should be checked. The NetSvc entries are listed one per line, like this:
NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: pMgt -> C:\Window\System32\dstor.dll (No File)
NETSVC: WUSB54GCSVC -> No ServiceDLL Path.
The first entry is labelled with the infection =====> ZeroAccess and needs to be dealt with. The second entry means there is a ServiceDll in the registry entry associated with the pMgt service but the file is missing. The third entry means WUSB54GCSVC has no ServiceDll entry in the registry. The second and third entries are leftovers. Note that listing a NETSVC entry only removes the associated value from the registry. The associated service should be listed for deletion separately. Looking at the above example, there is a Service listed further back in the FRST log associated with the item showing in NETSVC; it looks like this:
R2 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
To remove the Netsvc value, the associated service in the registry and the associated DLL file, the full script would look like this:
NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
R2 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\System32\smcservice.dll
One Month Created Files and Folders and One Month Modified Files and Folders
The scan reports the file or folder's created date and time. The "Modified" scan reports the file or folder's modified date and time. The size (http://en.wikipedia.org/wiki/File_size) of the file (the number of bytes it contains) is also shown. A folder will show 00000000 as the folder itself has no bytes.
FRST adds notations to certain log entries:
C - Compressed
D - Directory
H - Hidden
L - Symbolic Link
N - Normal (does not have other attributes set)
O - Offline
R - Readonly
S - System
T - Temporary
To remove a file or folder in the one month list just copy and paste the whole line to fixlist.txt like this:
2013-03-20 22:55 - 2013-03-20 22:55 - 00000000 ____D C:\Program Files (x86)\SearchProtect
2010-10-12 01:06 - 2008-11-07 18:18 - 0000406 _____ c:\Windows\Tasks\At12.job
2010-10-12 01:06 - 2008-11-07 18:17 - 0001448 ____S c:\Windows\System32\Drivers\bwmpm.sys
Listing the Symbolic Link attribute is especially helpful in recognizing the folders created by the ZeroAccess infection. Example:
2013-07-14 18:17 - 2013-07-14 18:17 - 00000000 ___DL C:\Windows\system64
Before listing those folders to be moved, the DeleteJunctionsInDirectory: FolderPath directive should be used (it can be used in any mode). Example:
DeleteJunctionsInDirectory: C:\Windows\system64
To fix other files/folders the path could be listed in the fixlist.txt:
c:\Windows\System32\Drivers\badfile.sys
C:\Program Files (x86)\BadFolder
If you have more files with similar file names and want to move them with one script, the wildcard * can be used (note that this will not work for folders). So you can either list those files like:
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At52.job
Or just:
C:\Windows\Tasks\At*.job
To remove files/folders with a space in the path there is no need to put them in quote marks; you can simply put the path in the fixlist:
C:\Program Files (x86)\SearchProtect
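The One Month line format and attribute letters from this section, parsed so that the L attribute can be spotted and the fix entries written the way the text prescribes (a DeleteJunctionsInDirectory: line ahead of a symbolic-link folder, then the whole log line). This is an added Python example, not code from the tutorial or from FRST; the sample lines are the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# A "One Month Created/Modified Files and Folders" line has the layout
#   <timestamp> - <timestamp> - <size> <attributes> <path>
# The tutorial does not say which of the two timestamps is the created one and
# which the modified one, so both are kept exactly as printed.
ENTRY_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) (?P<path>.+)$"
)
# Attribute letters as documented above; anything else is kept as Unknown(x).
ATTRIBUTE_NAMES = {
    "C": "Compressed", "D": "Directory", "H": "Hidden", "L": "Symbolic Link",
    "N": "Normal", "O": "Offline", "R": "Readonly", "S": "System", "T": "Temporary",
}


@dataclass
class FileEntry:
    raw: str                    # the log line as printed, ready to paste
    timestamps: Tuple[str, str]
    size: int                   # folders show 00000000
    attributes: List[str]
    path: str

    @property
    def is_directory(self) -> bool:
        return "Directory" in self.attributes

    @property
    def is_symlink(self) -> bool:
        return "Symbolic Link" in self.attributes


def decode_attributes(field: str) -> List[str]:
    """'___DL' -> ['Directory', 'Symbolic Link']; '_____' -> []."""
    return [ATTRIBUTE_NAMES.get(ch, f"Unknown({ch})") for ch in field if ch != "_"]


def parse_entry(line: str) -> FileEntry:
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"not a One Month file/folder line: {line!r}")
    return FileEntry(
        raw=line,
        timestamps=(m.group("ts1"), m.group("ts2")),
        size=int(m.group("size")),
        attributes=decode_attributes(m.group("attrs")),
        path=m.group("path"),
    )


def symlink_folders(entries: List[FileEntry]) -> List[str]:
    """Folders carrying the L attribute, the pattern the tutorial ties to ZeroAccess."""
    return [e.path for e in entries if e.is_directory and e.is_symlink]


def fixlist_lines(entries: List[FileEntry]) -> List[str]:
    """fixlist.txt lines that move the given entries.

    Each whole log line is copied, as the tutorial instructs.  A symbolic-link
    folder is preceded by the DeleteJunctionsInDirectory: directive so the
    junctions inside it are dealt with before the folder itself is moved.
    """
    out = []
    for e in entries:
        if e.is_directory and e.is_symlink:
            out.append(f"DeleteJunctionsInDirectory: {e.path}")
        out.append(e.raw)
    return out


if __name__ == "__main__":
    # Sample lines quoted in the tutorial.
    sample = [
        r"2013-03-20 22:55 - 2013-03-20 22:55 - 00000000 ____D C:\Program Files (x86)\SearchProtect",
        r"2010-10-12 01:06 - 2008-11-07 18:18 - 0000406 _____ c:\Windows\Tasks\At12.job",
        r"2013-07-14 18:17 - 2013-07-14 18:17 - 00000000 ___DL C:\Windows\system64",
    ]
    entries = [parse_entry(s) for s in sample]
    print("symbolic-link folders:", symlink_folders(entries))
    print("\n".join(fixlist_lines(entries)))
```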
AlternateDataStreams
FRST lists ADS as a part of Addition.txt scans like so:
==================== Alternate Data Streams (whitelisted) ==========
AlternateDataStreams: C:\Windows\system32\Drivers\qhjmiqwlh.sys:changelist
AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe
AlternateDataStreams: C:\test:malware.exe
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51
If the ADS is on a legitimate file/folder the fix is to copy and paste the whole line from the log into the fixlist. Example:
AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe
If it is on a bad file/folder the fix will be:
C:\test
In the first case FRST only removes the ADS from the file/folder. In the latter case the file/folder will be removed.
Unicode
To fix an entry with Unicode characters in it, the fixlist.txt should be saved in Unicode, otherwise the Unicode characters will be lost. The best way to deal with a line with Unicode is to save the fixlist.txt and upload it. Example:
2013-07-07 19:53 - 2013-07-07 19:53 - 00000000 ____D C:\υ λλογή
To move the above folder: copy and paste the entry into the open Notepad, select Save As..., under Encoding: select Unicode, give it the fixlist name and save it. If you save it in Notepad without selecting Unicode, Notepad will give you a warning; if you go on and save it, after closing it and opening it again you will get:
2013-07-07 19:53 - 2013-07-07 19:53 - 00000000 ____D C:\??????
And FRST will not be able to process it.
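The encoding loss described above, reproduced in Python: a line with Greek characters in its path survives a UTF-16 ("Unicode" in Notepad) save and read-back, but forcing it through the 8-bit ANSI code page turns the folder name into question marks, which is what FRST then receives. This is an added example, not part of the tutorial; the folder name C:\Συλλογή is a constructed sample, not the one in the post.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Notepad's "Unicode" encoding choice is UTF-16 LE with a byte-order mark;
# Python's "utf-16" codec writes that BOM and honours it when reading.
UNICODE = "utf-16"


def write_fixlist(path: str, lines: List[str], encoding: str = UNICODE) -> None:
    Path(path).write_text("\n".join(lines) + "\n", encoding=encoding)


def read_fixlist(path: str, encoding: str = UNICODE) -> List[str]:
    return Path(path).read_text(encoding=encoding).splitlines()


def simulate_ansi_save(line: str, codepage: str = "cp1252") -> str:
    """What is left of a line after an ANSI save: characters the code page
    cannot represent are replaced by '?', so the path no longer exists."""
    return line.encode(codepage, errors="replace").decode(codepage)


def needs_unicode(line: str, codepage: str = "cp1252") -> bool:
    """True when the line contains characters an ANSI save would destroy."""
    return simulate_ansi_save(line, codepage) != line


def unicode_roundtrip_ok(line: str) -> bool:
    """Write a one-line fixlist as UTF-16 and confirm it reads back unchanged."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "fixlist.txt")
        write_fixlist(p, [line])
        return read_fixlist(p) == [line]


# Constructed sample line in the One Month folder format (not from a real log).
SAMPLE = "2013-07-07 19:53 - 2013-07-07 19:53 - 00000000 ____D C:\\Συλλογή"

if __name__ == "__main__":
    print("needs Unicode save:", needs_unicode(SAMPLE))
    print("after ANSI save   :", simulate_ansi_save(SAMPLE))
    print("UTF-16 round trip :", unicode_roundtrip_ok(SAMPLE))
```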
Files to move or delete:
Files listed in this section are those that either are bad, or are files in a bad location. Examples of legitimate files are the files that users have downloaded and saved to the User's directory. Another example is when a legitimate third party software keeps one of its files in the User's directory. That is a bad practice by any software vendor and those files should be moved even if they are legitimate. We have seen many infections hiding their fabricated files (seemingly legitimate but malware files) in that directory and running them from there. As with Modified files, the way files/folders are dealt with in a fix is the same as in the One Month Created Files and Folders section above.
Some content of TEMP:
This is a non-recursive scan limited to some particular extensions to get a basic idea of whether a malware file is placed in the Temp root. This section is not visible if no files meet the requirements of the search. That does not mean that Temp is empty or malware free (e.g. malware could be in a subfolder not expanded by FRST), just that nothing met the particular search parameters. For a more comprehensive cleanup of temp files, use of the EmptyTemp: command is an option.
Known DLLs
Some items in this section, if missing, patched or corrupted, could cause boot issues. Accordingly this scan only appears when the tool is run in RE (Recovery Environment) mode. Items are whitelisted unless they need attention. Care is required in dealing with items identified in this section. Either a file is missing or it appears to have been modified in some way. Expert help is recommended to ensure the problematic file is correctly identified and dealt with in the appropriate way. In the majority of cases there is a good replacement on the system that should be found with the Search function of FRST. Please see the Directive section (Examples of use) of this tutorial on how to replace a file and the Other features section for how to carry out a search.
Bamital & volsnap
Check Bamital (http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FBamital) and volsnap (http://home.mcafee.com/virusinfo/virusprofile.aspx?key=457262#none) malware check. Modified system files alert you to possible malware infection. Where infection is identified care needs to be taken with remedial action. Expert help should be sought as removal of a system file could render a machine unbootable. When a file is not digitally signed you will see something like this one, taken from a Zekos infection in a Bamital section:
C:\Windows\System32\rpcss.dll [2011-05-21 16:29] - [2010-11-20 15:27] - 0512512 ____A (Microsoft Corporation) 8529DD0C546A5EC5B51572EEBE8D2D06 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
In that case the file needs to be replaced with a good copy. Use the Replace: command. When a malware-made custom entry in the BCD is found you will see the following line in the Bamital section:
TDL4: custom:26000022 <===== ATTENTION!
The entry in the BCD might render a system unbootable if the bootkit malware was removed and the BCD entry left behind without attention. When the entry is included in the fixlist, the malware custom entry is removed from the BCD and the default value is restored. The safest way to boot to Safe Mode is to use the F8 key at boot. In some cases users use "System Configuration Utility" to boot to Safe Mode. If Safe Mode is corrupted the computer gets locked: the system will not boot to normal mode because it is configured to boot to Safe Mode. In that case you will see:
safeboot: ==> The system is configured to boot to Safe Mode <===== ATTENTION!
To fix the issue include the above line in the fixlist. FRST will set normal mode as the default mode and the system will come out of the loop. Note: This applies to Vista and later Windows versions.
EXE ASSOCIATION
Note: the "EXE ASSOCIATION" section appears in the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside the Recovery Environment the section appears in Addition.txt. It lists the file associations for the shell spawning values of the .exe registry settings, like this:
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
In cases where the exe association is hijacked you will see ATTENTION! instead of OK. You might see other lines, for example when the user's key has been hijacked. As with other registry entries you can just copy and paste the entries with the issue into the fixlist.txt and they will be restored or taken care of. No need to do registry fixes.
Restore Points
The restore points are listed. Note: only in Windows XP can the hives be restored using FRST. The restore points listed on Vista and above should be restored from RE (Recovery Environment) using Windows System Recovery Options.
Note 2: the "Restore Points" section appears in the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside the Recovery Environment the section appears in Addition.txt. To fix, include the line for the one you want to restore in the fixlist.txt script. Example from an XP machine:
RP: -> 2010-10-26 19:51 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP83
RP: -> 2010-10-24 13:57 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP82
RP: -> 2010-10-21 20:02 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP81
To restore the hives from Restore Point 82 (dated 2010-10-24) the line is copied and pasted into the fixlist.txt like so:
RP: -> 2010-10-24 13:57 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP82
For a fix to restore from backup software (FRST saved Hives, ERUNT or CF) on Vista and above, refer to the Directive section of this tutorial.
Memory info
Tells you the amount of RAM (Random Access Memory) installed on the machine together with the available physical memory and percentage of free memory. Sometimes this can help explain a machine's symptoms. For example the number shown may not reflect the hardware position the user believes is present. RAM reported may appear lower than what is actually on the machine. This can happen when the machine cannot actually access all the RAM it has. Possibilities include faulty RAM, a motherboard slot problem or something preventing the BIOS recognising it (e.g. the BIOS may need to be upgraded). Also, for 32-bit systems with more than 4GB of RAM installed, the maximum amount reported will only be 4GB. This is a limitation of 32-bit applications. Processor information, page file size, page file space available, virtual memory and virtual memory available are also listed. Note: the "Memory info" section appears in the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside the Recovery Environment the section appears in Addition.txt.
Drives and MBR & Partition Table
Enumerates what primary (http://windows.microsoft.com/en-nz/windows-vista/what-are-partitions-and-logical-drives) and extended partitions are on the machine, their size, and how much free space there is. Removable drives attached to the machine at the time of the scan are included. Note: the "MBR & Partition Table" section appears in the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside the Recovery Environment the section appears in Addition.txt. The MBR (http://en.wikipedia.org/wiki/Master_boot_record) (Master Boot Record) code is listed. You may see:
ATTENTION: Malware custom entry on BCD on drive "Somedrive": detected. Check for MBR/Partition infection.
As with other complex infections, expert help is recommended to find the correct solution. A wrong move here will render the user's computer unbootable. In some cases there will be other malware infection labels earlier in the FRST log which point to a solution. In other cases a fix may be necessary with a command run from the RE (Recovery Environment); see the Directives section in this tutorial. Where there is an indication of something wrong with the MBR, an MBR check may be appropriate. To do this an MBR dump needs to be obtained. This is how: run the following fix with FRST in any mode:
SaveMbr: drive=0 (or appropriate drive number)
By doing this an MBRDUMP.txt will be saved where FRST/FRST64 has been downloaded to. Note: while an MBR dump can be obtained either in Normal mode or in RE, some MBR infections are able to forge the MBR while Windows is being loaded. Accordingly it is recommended to do it in RE.
LastRegBack
FRST looks into the system and lists the last registry backup made by the system. The registry backup contains a backup of all the hives. It is different from the LKGC (Last Known Good Configuration) backup of the control set. There are a number of reasons why you might want to use this backup as a solution to a problem, but a common one is where loss or corruption has occurred. You might see this in the FRST header:
"Attention: Could not load system hive"
To fix, just include the line in the fixlist like this:
LastRegBack: >>date<< >>time<<
Example:
LastRegBack: 2013-07-02 15:09
Addition.txt
The Additions scan is generated the first time FRST is run. On subsequent scans it is not carried out unless it is specifically requested in an optional scan (see box in Console). It lists the following:
Security Center - You might find that the list contains leftovers of a previously uninstalled security program. In that case the line can be included in the fixlist.txt to be removed. There are some security programs (like Spybot S&D) that prevent removal of the entry if they are not fully uninstalled. In that case, instead of a confirmation of removal in the Fixlog you will see:
Security Center Entry => The item is protected. Make sure the software is uninstalled and its services is removed.
Installed Programs
- Lists all installed programs.
- FRST has a built-in database for flagging a number of adware/PUP programs. Example:
DictionaryBoss Firefox Toolbar (HKLM\...\DictionaryBossbar Uninstall Firefox) (Version: - Mindspark Interactive Network) <==== ATTENTION
Zip Opener Packages (HKCU\...\Zip Opener Packages) (Version: - ) <==== ATTENTION
It is strongly recommended to uninstall the flagged program before running an automated tool to remove adware programs. The uninstaller of the adware program removes the majority of its entries and reverses the configuration changes.
- In cases where programs are not shown in the user's installed programs list, but are there, FRST will list them and append a label like this:
Quote
Google Update Helper (x32 Version: 1.3.22.3 - Google Inc.) Hidden
These programs are not necessarily bad... just hidden. They have a value in the registry called "SystemComponent" with a REG_DWORD set to 1. Those programs are not visible in Add/Remove Programs (XP) or Programs and Features (Vista and above) and the user can't uninstall them from there. FRST can remove "SystemComponent" and make the program visible to the user. If the entry from the Addition.txt log is included in the fixlist.txt you will get:
Quote
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adwarestuff\\SystemComponent => Value deleted successfully.
Note: This fix only makes the program visible, it doesn't uninstall the program. The program should be uninstalled by the user. As stated above, not every hidden program is bad. There are a lot of legitimate programs (including MS programs) that are hidden for good reasons.
Custom CLSID - lists custom CLSID entries created in the user hive. Example:
Quote
CustomCLSID: HKU\S-1-5-21-1659004503-1801674531-839522115-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
To fix malicious entries just add them to the fixlist.txt and FRST will remove them. Note: legitimate third party software can create a custom CLSID, so care should be exercised, as legitimate ones should not be removed.
Restore Points - Refer to Restore Points earlier in the tutorial.
Hosts content - Refer to Hosts earlier in the tutorial.
Scheduled Tasks - Scheduled Tasks not whitelisted are shown. When an entry is included in a fixlist.txt the task itself is fixed. Please note that FRST only removes the registry entries and moves the task file but does not move the executable. If the executable is bad it should be added on a separate line of the fixlist.txt to be moved. Note that malware can use a legitimate executable (e.g. using sc.exe to run its own services) to run its own file. In other words you need to check the executable to ascertain whether it is legitimate before taking action.
Loaded Modules - Loaded Modules are whitelisted based on the presence of a company name. That is, items without a company name are shown. Keep this in mind because there could be a case of a bad module with a company name not showing in this scan.
Alternate Data Streams - Refer to Alternate Data Streams earlier in the tutorial.
Safe Mode - The default entries are whitelisted. So if the section is empty, there is no custom entry on the system. If any of the main keys (SafeBoot, SafeBoot\Minimal and SafeBoot\Network) are missing, it will be reported. In that case it should be repaired manually. If there is a malware-made entry, it could be included in the fixlist.txt for removal.
EXE Association - The default entries are whitelisted, so unless there are modified or additional entries nothing will show in the report. When a modified default entry is included in the fixlist.txt, the default entry will be restored. Any user key, if included in the fixlist.txt, will be deleted.
MSCONFIG/TASK MANAGER disabled items - The log is useful where a user has used MSCONFIG to disable malware entries instead of removing them. Or, they have disabled too much and can't get some needed services or applications to run properly. Example:
Quote
==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\startupfolder: C:^Users^baman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HijackThis.exe => C:\Windows\pss\HijackThis.exe.Startup
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
They read as follows:
MSCONFIG\Services: ServiceName => Original start type
Disabled items in startup folder:
MSCONFIG\startupfolder: Original Path (replaced "\" with "^" by Windows) => Path to backup made by Windows.
Disabled Run entries:
MSCONFIG\startupreg: ValueName => Path to the file.
Currently FRST only lists those entries. There is no fix at the moment. The legitimate entries could be enabled again by the user. In case of malware entries, the file could be removed first. Then the user can be instructed to enable the item so that it appears on the main log to be removed.
Accounts - Lists all accounts on the system, in the format:
Account Name (account SID -> Privileges - Enabled/Disabled) => Profile path
Example:
Quote
Administrator (S-1-5-21-12236832-921050215-1751123909-500 - Administrator - Enabled) => C:\Users\Administrator
Someperson (S-1-5-21-12236832-921050215-1751123909-1001 - Administrator - Enabled) => C:\Users\Someperson
Guest (S-1-5-21-12236832-921050215-1751123909-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-12236832-921050215-1751123909-1003 - Limited - Enabled)
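A parser for the two Addition.txt formats just described (the MSCONFIG lines, including undoing Windows' "^" substitution in startup-folder paths, and the Accounts lines), as an added Python example that is not part of the tutorial or of FRST; the log excerpt is constructed and the helper names are my own:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Addition.txt excerpt in the two formats the tutorial describes.
# Names, paths and SIDs are made up; this is not a real log.
SAMPLE = r"""
==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gusvc => 3
MSCONFIG\startupfolder: C:^Users^baman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HijackThis.exe => C:\Windows\pss\HijackThis.exe.Startup
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
==================== Accounts =============================
Administrator (S-1-5-21-1000000001-2000000002-3000000003-500 - Administrator - Enabled) => C:\Users\Administrator
Someperson (S-1-5-21-1000000001-2000000002-3000000003-1001 - Administrator - Enabled) => C:\Users\Someperson
Guest (S-1-5-21-1000000001-2000000002-3000000003-501 - Limited - Disabled)
"""

# Windows service start types; the number after "=>" on a Services line is
# the original start type that the MSCONFIG change overrode.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

MSCONFIG_RE = re.compile(r"^MSCONFIG\\(Services|startupfolder|startupreg): (.*?) => (.*)$")
ACCOUNT_RE = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+) - (?P<priv>\w+) - (?P<state>Enabled|Disabled)\)"
    r"(?: => (?P<profile>.+))?$"
)


@dataclass
class DisabledItem:
    kind: str    # "Services", "startupfolder" or "startupreg"
    name: str    # service name, original startup-folder path, or Run value name
    detail: str  # original start type, Windows' backup path, or the command line


@dataclass
class Account:
    name: str
    sid: str
    privileges: str
    enabled: bool
    profile: Optional[str]  # None when FRST prints no "=> profile path"


def parse_msconfig(text: str) -> List[DisabledItem]:
    """Parse the MSCONFIG/TASK MANAGER disabled items lines of an Addition.txt."""
    items = []
    for line in text.splitlines():
        m = MSCONFIG_RE.match(line.strip())
        if not m:
            continue
        kind, left, right = m.groups()
        if kind == "Services":
            # "=> 2" means the service was Automatic before it was disabled
            try:
                right = START_TYPES.get(int(right), right)
            except ValueError:
                pass
        elif kind == "startupfolder":
            # Windows stores the original path with "\" replaced by "^"; undo that
            left = left.replace("^", "\\")
        items.append(DisabledItem(kind, left, right))
    return items


def parse_accounts(text: str) -> List[Account]:
    """Parse the Accounts lines: Name (SID - Privileges - Enabled/Disabled) => Profile."""
    accounts = []
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line.strip())
        if m:
            accounts.append(Account(m["name"], m["sid"], m["priv"],
                                    m["state"] == "Enabled", m["profile"]))
    return accounts


def enabled_admins(accounts: List[Account]) -> List[str]:
    """Names of enabled accounts with Administrator privileges, the ones worth a second look."""
    return [a.name for a in accounts if a.enabled and a.privileges == "Administrator"]


if __name__ == "__main__":
    for item in parse_msconfig(SAMPLE):
        print(f"{item.kind:14} {item.name} -> {item.detail}")
    print("enabled admins:", enabled_admins(parse_accounts(SAMPLE)))
```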
Faulty Device Manager Devices
Event log errors:
- Application errors
- System errors
- Microsoft Office Sessions
- CodeIntegrity Errors
Memory info - Refer to Memory info earlier in the tutorial
Drives, MBR & Partition Table
- Refer to Drives and MBR & Partition Table earlier in the tutorial
emeraldnzl
Directives/Commands
All the commands/directives in FRST should be on one line, as FRST processes the script line by line.
Quick reference of Directives/Commands
Note: Directives/Commands are not case sensitive.
For use only in Normal Mode, Safe Mode:
CloseProcesses:
DeleteKey:
EmptyTemp:
Reboot:
VerifySignature:
For use in Normal Mode, Safe Mode and in the Recovery Environment (RE):
cmd:
DeleteJunctionsInDirectory:
DeleteQuarantine:
DisableService:
File: and Folder:
FindFolder:
Hosts:
ListPermissions:
Move:
nointegritychecks on:
Reg:
RemoveDirectory:
Replace:
RestoreQuarantine:
SaveMbr:
SetDefaultFilePermissions:
testsigning on:
Unlock:
For use only in the Recovery Environment (RE):
LastRegBack:
RestoreErunt:
Restore From Backup:
RestoreMbr:
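An added example, not part of the tutorial or of FRST: a small Python check that reads a prepared fixlist and warns about directives the quick reference above says cannot run in the chosen mode, and about a Reboot: made redundant by CloseProcesses: or EmptyTemp:. The sample fixlist and the function names are constructed for illustration:

```python
from typing import List, Optional, Tuple

# Where each directive works, transcribed from the tutorial's quick reference.
NORMAL_SAFE_ONLY = {"closeprocesses:", "deletekey:", "emptytemp:", "reboot:", "verifysignature:"}
RE_ONLY = {"lastregback:", "restoreerunt:", "restore from backup:", "restorembr:"}
ANY_MODE = {
    "cmd:", "deletejunctionsindirectory:", "deletequarantine:", "disableservice:",
    "file:", "folder:", "findfolder:", "hosts:", "listpermissions:", "move:",
    "nointegritychecks on:", "reg:", "removedirectory:", "replace:",
    "restorequarantine:", "savembr:", "setdefaultfilepermissions:",
    "testsigning on:", "unlock:",
}
# Longest names first, so "restore from backup:" is never matched as something shorter.
ALL_DIRECTIVES = sorted(NORMAL_SAFE_ONLY | RE_ONLY | ANY_MODE, key=len, reverse=True)
# These two reboot on their own, so an extra Reboot: line is redundant.
IMPLIES_REBOOT = {"closeprocesses:", "emptytemp:"}

# Constructed fixlist mixing directives with log lines copied from a scan.
SAMPLE_FIXLIST = r"""CloseProcesses:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adwarestuff\\SystemComponent
Unlock: C:\Windows\System32\bad.exe
C:\Windows\System32\bad.exe
LastRegBack: 2013-07-02 15:09
EmptyTemp:
Reboot:
"""


def directive_of(line: str) -> Optional[str]:
    """The directive a fixlist line starts with (lower-cased, since directives are not
    case sensitive), or None for plain log entries such as paths or registry keys."""
    lower = line.strip().lower()
    for d in ALL_DIRECTIVES:
        if lower.startswith(d):
            return d
    return None


def check_fixlist(text: str, mode: str) -> List[Tuple[int, str]]:
    """Warn about directives that cannot run in the given mode ('normal', 'safe' or 're')
    and about a redundant Reboot:. Returns (1-based line number, warning) pairs."""
    if mode not in ("normal", "safe", "re"):
        raise ValueError("mode must be 'normal', 'safe' or 're'")
    lines = text.splitlines()
    present = {directive_of(l) for l in lines} - {None}
    warnings = []
    for n, raw in enumerate(lines, 1):
        d = directive_of(raw)
        if d is None:
            continue
        if mode == "re" and d in NORMAL_SAFE_ONLY:
            warnings.append((n, f"{d} is not available in the Recovery Environment"))
        elif mode != "re" and d in RE_ONLY:
            warnings.append((n, f"{d} only works in the Recovery Environment"))
        elif d == "reboot:" and present & IMPLIES_REBOOT:
            warnings.append((n, "Reboot: is redundant, CloseProcesses:/EmptyTemp: already reboot"))
    return warnings


if __name__ == "__main__":
    for mode in ("normal", "re"):
        print(mode, check_fixlist(SAMPLE_FIXLIST, mode))
```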
Examples of use
CloseProcesses: Closes all the non-essential processes. Helps to make fixing more effective and faster. Example:
CloseProcesses:
When this directive is included in a fix it will automatically apply a reboot. There is no need to use the Reboot: directive. The CloseProcesses: directive is not needed and not available in the Recovery Environment.
CMD: Occasionally you need to run a CMD command. In that case you must use the "CMD:" directive. The script will be:
Quote
CMD: >Command<
If there is more than one command, start each line with CMD: to get an output log for each command. Example:
CMD: copy /y c:\windows\minidump\*.dmp e:\
CMD: bootrec /FixMbr
The first command will copy the minidump files to the flash drive (if the drive letter for the flash drive is E). The second command is used to fix the MBR in Windows Vista and Windows 7. Note: Unlike the native or other FRST directives, the cmd commands should have the proper cmd.exe syntax, like use of " quotes in case of a space in the file/directory path.
DeleteJunctionsInDirectory: To remove junctions use the following syntax:
Quote
DeleteJunctionsInDirectory: Path
Example:
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteKey: To delete keys that are locked due to insufficient permissions, and keys that contain embedded null characters. The syntax is:
Quote
DeleteKey: Key
Example:
DeleteKey: HKLM\Software\something\something
DeleteKey: HKEY_USERS\S-1-5-21-946498238-3666816333-1564132055-1000\Software\aname
DeleteKey: hkcu\Software\Dit\searchbar
Note: Because the deletion is meant to cover all kinds of keys (even classes keys, which are often targeted) the feature is only available outside RE. For keys that are protected by running software (those keys have access denied) you need to use Safe Mode (to circumvent the running software) or delete the main components before using the command. DeleteKey: has the ability to delete registry symbolic links. Note: If the listed key for deletion is a registry link to another key, the (source) key which is the registry symbolic link will be deleted. The target key will not be deleted. This is done to avoid removing both a bad registry symbolic link that might point at a legitimate key and the legitimate key itself. In a situation where both the source key and the target key are bad, they both should be listed for deletion.
DeleteQuarantine: After finishing with cleaning, the %SystemDrive%\FRST (usually C:\FRST) folder made by the FRST tool should be removed from the computer. In some cases the folder can't be removed manually because the %SystemDrive%\FRST\Quarantine folder contains locked or unusual malware files or directories. The DeleteQuarantine: command will remove the Quarantine folder. Tools that move files as opposed to deleting files should not be used to delete C:\FRST, as those tools just move the files to their own directory and they remain on the system anyway. The command just needs to be included in a fixlist.txt like so:
Quote
DeleteQuarantine:
DisableService: To disable a service or driver service you can use the following script:
Quote
DisableService: ServiceName
Example:
DisableService: sptd
DisableService: Schedule
DisableService: Wmware Nat Service
FRST will set the service to Disabled and the service will not run at the next boot. Note: The service name should be listed as it appears in the registry or FRST log, without adding anything. For example, quotation marks are not required.
EmptyTemp: The following directories are emptied:
- Windows Temp.
- Users Temp folders
- IE, FF and Chrome cache, Cookies and History.
- Recently opened files cache.
- Flash Player cache.
- Java cache.
- Explorer thumbnail cache and network qmgr?.dat files.
- Recycle Bin.
When the EmptyTemp: directive is used the system will be rebooted after the fix. No need to use the Reboot: directive. Also, no matter whether EmptyTemp: is added at the start, middle, or end of the fixlist, it will be executed after all other fixlist lines are processed. Important: When the EmptyTemp: directive is used items are permanently deleted. They are not moved to quarantine. Note: The directive is turned off in the Recovery Environment to prevent harm.
File: and Folder: Are used to see a file's specifications or the content of a folder.
Quote
File: path
Folder: path
Example
File: C:\Windows\System32\Drivers\afd.sys
Folder: C:\Windows\Boot
Quote
========================= File: C:\Windows\System32\Drivers\afd.sys ========================
MD5: 1C7857B62DE5994A75B054A9FD4C3825
Creation and modification date: 2012-09-27 01:44 - 2011-12-28 05:59
Size: 0498688
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: afd.sys
Original Name: afd.sys.mui
Product Name: Microsoft® Windows® Operating System
Description: Ancillary Function Driver for WinSock
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Version: 6.1.7600.16385
Copyright: © Microsoft Corporation. All rights reserved.
====== End Of File: ======
========================= Folder: C:\Windows\Boot ========================
2012-09-27 08:49 - 2010-11-20 14:40 - 0383786 ____A () C:\Windows\Boot\PCAT\bootmgr
2012-09-27 08:47 - 2010-11-20 14:30 - 0485760 ____A (Microsoft Corporation) C:\Windows\Boot\PCAT\memtest.exe
2009-07-14 02:55 - 2009-07-14 03:17 - 0085056 ____A (Microsoft Corporation) C:\Windows\Boot\PCAT\enUS\bootmgr.exe.mui
2009-07-14 07:35 - 2009-07-14 04:11 - 0043600 ____A (Microsoft Corporation) C:\Windows\Boot\PCAT\enUS\memtest.exe.mui
2009-06-10 22:31 - 2009-06-10 22:31 - 3694080 ____A () C:\Windows\Boot\Fonts\chs_boot.ttf
2009-07-13 22:17 - 2009-06-10 22:31 - 3876772 ____A () C:\Windows\Boot\Fonts\cht_boot.ttf
2009-07-13 22:17 - 2009-06-10 22:31 - 1984228 ____A () C:\Windows\Boot\Fonts\jpn_boot.ttf
2009-07-13 22:17 - 2009-06-10 22:31 - 2371360 ____A () C:\Windows\Boot\Fonts\kor_boot.ttf
2009-07-13 22:17 - 2009-06-10 22:31 - 0047452 ____A () C:\Windows\Boot\Fonts\wgl4_boot.ttf
2012-09-27 08:48 - 2010-11-20 15:32 - 0672640 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\bootmgfw.efi
2012-09-27 08:48 - 2010-11-20 15:32 - 0669568 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\bootmgr.efi
2012-09-27 08:48 - 2010-11-20 15:33 - 0611200 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\memtest.efi
2009-06-10 22:31 - 2009-06-10 22:31 - 0262144 ____A () C:\Windows\Boot\DVD\PCAT\BCD
2009-07-13 23:12 - 2009-06-10 23:06 - 3170304 ____A () C:\Windows\Boot\DVD\PCAT\boot.sdi
2009-06-10 23:14 - 2009-06-10 23:14 - 0004096 ____A () C:\Windows\Boot\DVD\PCAT\etfsboot.com
2013-03-03 18:19 - 2009-06-10 15:14 - 0001024 ____A () C:\Windows\Boot\DVD\PCAT\nl-NL\bootfix.bin
2009-07-14 07:35 - 2009-06-11 00:14 - 0001024 ____A () C:\Windows\Boot\DVD\PCAT\en-US\bootfix.bin
2009-06-10 22:31 - 2009-06-10 22:31 - 0262144 ____A () C:\Windows\Boot\DVD\EFI\BCD
2009-07-13 23:12 - 2009-06-10 23:06 - 3170304 ____A () C:\Windows\Boot\DVD\EFI\boot.sdi
2012-09-27 08:48 - 2010-11-20 11:19 - 1474560 ____A () C:\Windows\Boot\DVD\EFI\en-US\efisys.bin
====== End of Folder: ======
FindFolder: To search for a folder. Wild cards are allowed. If you need to search for more than one folder the search terms should be separated by a semicolon ;. Example:
Quote
FindFolder: google
FindFolder: *google*;adobe
Both of the foregoing would work.
Hosts: To reset the hosts. Also, see hosts in the Fixing section.
ListPermissions: Used to list permissions on the files/directories/keys included in the script.
Quote
ListPermissions: path/key
Example:
ListPermissions: C:\Windows\Explorer.exe
ListPermissions: C:\users\farbar\appdata
ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip
ListPermissions: HKLM\SYSTEM\CurrentControlSet\services\afd
Move: At times renaming or moving a file, especially when it is done across drives, is troublesome and the MS Rename command might fail. To move or rename a file use the following script:
Quote
Move: source destination
Example
Move: c:\WINDOWS\system32\drivers\afd.sys c:\WINDOWS\system32\drivers\afd.sys.old
Move: c:\WINDOWS\system32\drivers\atapi.bak c:\WINDOWS\system32\drivers\atapi.sys
The tool moves the destination file to the Quarantine (if present) then moves the source file to the destination location. Note: Renaming can be carried out when using the Move: directive. Note 2: The destination path should contain the file name even if the file is currently missing in the destination directory.
nointegritychecks on: This applies to Vista and later Windows versions. When the integrity checks function is disabled you will see the following line in the FRST log:
Quote
nointegritychecks: ==> Integrity Checks is disabled <===== ATTENTION!
It means the BCD is changed to skip integrity checks at boot. To enable the integrity checks copy and paste the above line into the fixlist. In some unbootable computers, disabling the integrity checks resolves the boot issue until we enable the function again. To disable the function for troubleshooting purposes, or for making a backup in normal mode before reinstalling Windows, use the following syntax:
nointegritychecks on:
Reboot: To force a restart. It doesn't matter where in the fixlist you put it. Even if you put it at the start, the reboot will be carried out after all the other fixes are completed.
Note: This command will not work and is not needed in the Recovery Environment.
Reg: To manipulate Windows Registry use the following script:
Quote
Reg: reg command
Example:
Reg: reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
Reg: reg add hklm\system\controlset001\services\sptd /v Start /t REG_DWORD /d 0x4 /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SweetIM"
Note: Unlike the native FRST directives, the Reg command should have the proper reg.exe syntax, like use of " quotes in case of a space in the key name.
RemoveDirectory: To remove (not move) directories with limited perms and invalid paths or names. This directive should be used for directories that resist the usual move operation. If it is used in Safe Mode it should be very powerful and in RE it should be most powerful. The script will be:
Quote
RemoveDirectory: path
Replace: To replace a file use the following script:
Quote
Replace: source destination
Example
Replace: c:\WINDOWS\ServicePackFiles\i386\afd.sys c:\WINDOWS\system32\drivers\afd.sys
Replace: c:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\WINDOWS\system32\drivers\atapi.sys
The tool moves the destination file (if present) to Quarantine then copies the source file to the destination location. It will not move the source file; the source file stays in its original location. So in the above example afd.sys in the i386 directory will be there for the future. Note: The destination path should contain the file name even if the file is currently missing in the destination directory.
RestoreQuarantine: You can restore the whole content of Quarantine or restore single or multiple file(s) or folder(s) from Quarantine. To restore the whole content of Quarantine the syntax is either:
RestoreQuarantine:
Or:
RestoreQuarantine: C:\FRST\Quarantine
To restore a file or folder the syntax is:
Quote
RestoreQuarantine: PathInQuarantine
Example:
Quote
RestoreQuarantine: C:\FRST\Quarantine\C\Program Files\Microsoft Office
RestoreQuarantine: C:\FRST\Quarantine\C\Users\Someperson\Desktop\ANOTB.exe.xBAD
To find the path in the Quarantine you can use:
Folder: C:\FRST\Quarantine
Or:
CMD: dir /a/b/s C:\FRST\Quarantine
Note: If a file already exists (outside Quarantine) in the destination path, FRST will not overwrite it. The original file will not be moved and will remain in Quarantine. If, however, you still need to restore the file from Quarantine then the file in the destination path should be renamed/removed.
Restore From Backup: The first time the tool is run it copies the hives to the %SystemDrive%\FRST\Hives (usually C:\FRST\Hives) directory as a backup. It will not be overwritten by subsequent runs of the tool. If something went wrong, either one of the hives could be restored. The syntax will be:
Quote
Restore From Backup: HiveName
Examples:
Restore From Backup: software
Restore From Backup: system
RestoreErunt: To restore hives from Erunt: the script would be:
Quote
RestoreErunt: path
Restoring from backups made by CF (ComboFix), the script would be:
RestoreErunt: cf
RestoreMBR: To restore the MBR, FRST will use MbrFix, saved on the flash drive, to write an MBR.bin file to a drive. What is needed is the MbrFix/MbrFix64 utility, the MBR.bin to be restored and the script showing the drive:
Quote
RestoreMbr: Drive=#
Example:
RestoreMbr: Drive=0
(Note: The MBR to be restored should be named MBR.bin and should be zipped and attached.)
SaveMbr: Refer to the Drives and MBR & Partition Table section in the tutorial. To make a copy of the MBR the following syntax is used:
Quote
SaveMbr: Drive=#
Example:
SaveMbr: Drive=0
Note: By doing this an MBRDUMP.txt will be made on the flash drive that should be attached to the post by the user.
SetDefaultFilePermissions: Created for locked system files. It sets group "Administrator" as owner and, depending on the system, gives/grants access rights to the groups. Note that it will not set TrustedInstaller as the owner, but it could still be used for system files that are locked by the malware. The script will be:
Quote
SetDefaultFilePermissions: path
testsigning on: Applies to Windows Vista and later. Malware will sometimes add an item to the BCD (Boot Configuration Data, http://en.wikipedia.org/wiki/Boot_Configuration_Data#Boot_Configuration_Data) to escape integrity checks at startup. The malware needs to be cleaned from the machine and then the default BCD restored. Take care: manipulating the BCD is delicate work that, if done wrongly, will render a machine unbootable. When FRST locates evidence of this sort of tampering it will report like this:
Quote
testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!
Where the malware is still present on the machine there will also be a (hidden) unsigned driver showing in the log like this:
Quote
0 442564429e863a90; C:\Windows\System32\Drivers\442564429e863a90.sys [75208 2012-06-26] ()
Also the user might say that they have seen this on their desktop: "I've just noticed something, in the bottom right of my desktop it says Test Mode, Windows 7, Build 7601. I've never noticed that before" The full removal script will be:
0 442564429e863a90; C:\Windows\System32\Drivers\442564429e863a90.sys [75208 2012-06-26] ()
C:\Windows\System32\Drivers\442564429e863a90.sys
testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!
Besides removing the malware driver, FRST will remove the value that was added to the BCD. No further action is necessary. Sometimes, however, other tools will have partially cleaned the machine but not repaired the BCD. In those cases the following may be used:
testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!
In a situation where, after setting testsigning to its default (turning it off), something goes wrong, then to enable testsigning for further troubleshooting use the following command:
Quote
testsigning on:
Unlock: This directive, in the case of files/directories, sets group "Administrator" as owner, grants access to everyone and works recursively when applied to directories. It should be used for bad files/directories. In the case of registry items it sets group "Administrators" as owner, grants the groups the usual access and works only on the key applied. It can be used for both bad and legitimate keys. The script will be:
Quote
Unlock: path
Sometimes the usual move operation doesn't work due to permissions. You will notice it when you get "Could not move File/Directory" in the Fixlog.txt. In that case you can use the "Unlock:" directive on those files or folders. Example:
Unlock: C:\Windows\badfile.exe
Unlock: C:\Windows\System32\badfile.exe
To remove the file/folder altogether just add the path separately to the fix:
Unlock: C:\Windows\System32\bad.exe
C:\Windows\System32\bad.exe
You can use the command to unlock the registry items where a registry item is locked. For example if you are running the fix in the recovery mode and the current control set is ControlSet001 the following would apply:
Unlock: hklm\system\controlset001\badservice\subkeyname
To remove the entry use Reg: directive. The full syntax would be:
Unlock: hklm\system\controlset001\badservice\subkeyname
Reg: reg delete hklm\system\controlset001\badservice /f
VerifySignature: To check the digital signature of a file.
Quote
VerifySignature: path
Example
VerifySignature: C:\Windows\notepad.exe
emeraldnzl
Other features
Optional Scans
By checking a box under Optional Scan FRST will scan the requested items.
Drivers MD5 Will produce a list of drivers and their MD5sums that will look like this:
Quote
========================== Drivers MD5 =======================
C:\Windows\System32\drivers\ACPI.sys 3D30878A269D934100FA5F972E53AF39
C:\Windows\System32\Drivers\acpiex.sys AC8279D229398BCF05C3154ADCA86813
C:\Windows\System32\drivers\acpipagr.sys A8970D9BF23CD309E0403978A1B58F3F
C:\Windows\System32\drivers\acpitime.sys 5758387D68A20AE7D3245011B07E36E7
C:\Windows\system32\drivers\afd.sys 239268BAB58EAE9A3FF4E08334C00451
These can then be checked for validity.
Shortcut.txt Will produce a list of shortcuts that will look like this:
Quote
==================== Shortcuts =============================
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\µTorrent.lnk -> C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk -> C:\Windows\ehome\ehshell.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk -> C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
Shortcut: C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner\CCleaner.lnk -> C:\Program Files\CCleaner\CCleaner.exe (Piriform Ltd)
Shortcut: C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner\Uninstall CCleaner.lnk -> C:\Program Files\CCleaner\uninst.exe (Piriform Ltd)
Shortcut: C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
ShortcutWithArgument: C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
The hijacked entries can be included in a fixlist.txt to be fixed. Example:
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
ShortcutWithArgument: C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
Note: FRST removes the argument from shortcuts except for the Internet Explorer (No Add-ons).lnk shortcut. That shortcut's argument by default is not empty (the argument is -extoff) and is used to run Internet Explorer without add-ons. It is vital for troubleshooting IE issues, so this shortcut argument will be restored. Also note that if you run another removal tool to remove the argument from Internet Explorer (No Add-ons).lnk, FRST will not list it under ShortcutWithArgument: and so the argument can't be restored with FRST any more. In that case the user can restore the argument manually. To restore the argument manually the user should navigate to Internet Explorer (No Add-ons).lnk: Right-click and select Properties. In the Target box add two spaces and then -extoff to the listed path. Click Apply and OK.
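An added Python example (not from the tutorial or from FRST) that picks the hijacked entries out of Shortcut.txt the way the text describes: it flags ShortcutWithArgument: lines whose argument is a URL and marks the Internet Explorer (No Add-ons).lnk case where FRST puts -extoff back. The log excerpt, the placeholder domain and the function names are constructed:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed Shortcut.txt excerpt in the format shown above. Paths are made up and the
# hijacker URL is replaced by a placeholder domain; this is not a real log.
SAMPLE = r"""
==================== Shortcuts =============================
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk -> C:\Windows\ehome\ehshell.exe (Microsoft Corporation)
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.hijacker.invalid/?type=sc&uid=0000
ShortcutWithArgument: C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.hijacker.invalid/?type=sc&uid=0000
ShortcutWithArgument: C:\Users\Someperson\Desktop\Notes.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation) -> C:\Users\Someperson\notes.txt
"""

SHORTCUT_RE = re.compile(
    r"^ShortcutWithArgument: (?P<lnk>.+?\.lnk) -> (?P<target>.+?) \((?P<company>[^)]*)\) -> (?P<arg>.+)$"
)
# FRST defangs URLs in its logs as hxxp://, so accept both spellings.
URL_RE = re.compile(r"^(?:hxxps?|https?)://", re.IGNORECASE)
IE_NO_ADDONS = "internet explorer (no add-ons).lnk"


@dataclass
class HijackedShortcut:
    line: str            # the log line as-is, ready to paste into fixlist.txt
    lnk: str
    target: str
    argument: str
    keeps_extoff: bool   # IE (No Add-ons): FRST restores "-extoff" instead of blanking the argument


def find_hijacked_shortcuts(text: str) -> List[HijackedShortcut]:
    """Return ShortcutWithArgument entries whose argument is a URL, i.e. a shortcut
    that was changed to open a site the user never chose."""
    hits = []
    for line in text.splitlines():
        m = SHORTCUT_RE.match(line.strip())
        if not m or not URL_RE.match(m["arg"].strip()):
            continue   # "Shortcut:" lines and local-path arguments are left alone
        hits.append(HijackedShortcut(
            line.strip(), m["lnk"], m["target"], m["arg"],
            m["lnk"].lower().endswith(IE_NO_ADDONS)))
    return hits


def fixlist_lines(hits: List[HijackedShortcut]) -> List[str]:
    """The lines to paste into fixlist.txt so FRST strips the argument (one per entry)."""
    return [h.line for h in hits]


if __name__ == "__main__":
    for h in find_hijacked_shortcuts(SAMPLE):
        note = " (FRST will restore -extoff)" if h.keeps_extoff else ""
        print(f"{h.lnk} -> {h.argument}{note}")
```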
Search features
Search Files There is a Search Files button on the FRST Console. To search for files you can type or copy and paste the names you wish to search for into the Search box. Wild cards are allowed, like afd.sys*. If you need to search for more than one file the file names should be separated by a semicolon ;. So each of the following options would work:
afd.sys
afd.sys*
afd.sys;ndis.sys
afd.sys*;ndis.sys*
When the Search Files button is pressed the user is informed that the search has started, a progress bar appears, then a message pops up indicating that the search is completed. A Search.txt log is saved at the same location that FRST.exe is located. The found files are listed along with creation date, modification date, size, attributes, company name and MD5 in the following format:
================== Search: ndis.sys ===================
[2004-08-04 11:00] - [2008-04-13 20:20] - 0182656 ____N (Microsoft Corporation) c:\WINDOWS\system32\drivers\ndis.sys 1DF7F42665C94B825322FAE71721130D
[2004-08-04 11:00] - [2008-04-13 20:20] - 0182656 ___AC (Microsoft Corporation) c:\WINDOWS\system32\dllcache\ndis.sys 1DF7F42665C94B825322FAE71721130D
[2008-04-13 20:20] - [2008-04-13 20:20] - 0182656 ____N (Microsoft Corporation) c:\WINDOWS\ServicePackFiles\i386\ndis.sys 1DF7F42665C94B825322FAE71721130D
[2008-11-07 17:47] - [2004-08-04 11:00] - 0182912 ____C (Microsoft Corporation) c:\WINDOWS\$NtServicePackUninstall$\ndis.sys 558635D3AF1C7546D26067D5D9B6959E
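An added Python example (not from the tutorial or from FRST) that parses Search.txt result lines in the format shown above and compares the MD5 of the live copy with the copies Windows keeps in dllcache and ServicePackFiles, so a helper can see whether the in-use file agrees with a cached copy or a replacement is needed. The field names, the cache directory list and the consistent/missing/mismatch labels are my own.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# The four result lines quoted in the tutorial's Search.txt example for ndis.sys.
SAMPLE_SEARCH_TXT = r"""
================== Search: ndis.sys ===================
[2004-08-04 11:00] - [2008-04-13 20:20] - 0182656 ____N (Microsoft Corporation) c:\WINDOWS\system32\drivers\ndis.sys 1DF7F42665C94B825322FAE71721130D
[2004-08-04 11:00] - [2008-04-13 20:20] - 0182656 ___AC (Microsoft Corporation) c:\WINDOWS\system32\dllcache\ndis.sys 1DF7F42665C94B825322FAE71721130D
[2008-04-13 20:20] - [2008-04-13 20:20] - 0182656 ____N (Microsoft Corporation) c:\WINDOWS\ServicePackFiles\i386\ndis.sys 1DF7F42665C94B825322FAE71721130D
[2008-11-07 17:47] - [2004-08-04 11:00] - 0182912 ____C (Microsoft Corporation) c:\WINDOWS\$NtServicePackUninstall$\ndis.sys 558635D3AF1C7546D26067D5D9B6959E
"""

# One result line: "[created] - [modified] - size attributes (company) path MD5"
LINE_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^()]*)\) (?P<path>.+) (?P<md5>[0-9A-Fa-f]{32})$"
)
FoundFile = namedtuple("FoundFile", "created modified size attrs company path md5")
# Directory names where Windows keeps its own pristine copies of system files.
CACHE_DIRS = {"dllcache", "servicepackfiles"}

def parse_search_txt(text):
    """Return one FoundFile per result line; the header and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(FoundFile(m["created"], m["modified"], int(m["size"]),
                                   m["attrs"], m["company"], m["path"], m["md5"].upper()))
    return found

def assess(files, live_path):
    """Compare the live copy of a file with Windows' cached copies of it.
    'consistent': a cached copy has the same MD5; 'missing': no live copy found,
    candidates are the cached copies to restore from; 'mismatch': the live hash
    matches no cached copy, so verify its signature before trusting or replacing it."""
    name = PureWindowsPath(live_path).name.lower()
    cached = [f for f in files if PureWindowsPath(f.path).name.lower() == name
              and CACHE_DIRS & {part.lower() for part in PureWindowsPath(f.path).parts}]
    live = next((f for f in files if f.path.lower() == live_path.lower()), None)
    if live is None:
        return {"status": "missing", "candidates": [f.path for f in cached]}
    same = [f.path for f in cached if f.md5 == live.md5]
    if same:
        return {"status": "consistent", "candidates": same}
    return {"status": "mismatch", "candidates": [f.path for f in cached]}
```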
There are cases where a legitimate system file is missing or corrupted, causing boot issues, and there is no replacement on the system. When the Search Files option is used in Recovery Mode (Vista and above) the search also includes the files in X: (the virtual boot drive). In some cases it can be a life saver. An example is a missing services.exe that could be copied from X:\Windows\System32 to C:\Windows\System32.
Note: The X: partition will only contain 64-bit executables for 64-bit systems.
Search Registry
There is a Search Registry button on the FRST Console. You can type or copy and paste the name(s) of the item(s) you wish to search for into the Search box. If you wish to search for more than one item, separate the names with a semicolon (;). An individual search would look like this:
websearch
A search for multiple items would look like this:
websearch;dealply;searchprotect
Note: The Registry search function will only work outside RE. Contrary to a file search, when carrying out a registry search, wildcards should be avoided in the search terms because the wildcard characters will be interpreted literally. Where an asterisk ("*", also called "star") is added to the start or end of a registry search term, FRST will ignore it and search for the term without the asterisk.
emeraldnzl Comment to the tutorial may be made here (http://www.geekstogo.com/forum/topic/335083-frst-tutorialcomment/).
Tutorial revisions:
08/30/2013 Added ADS (Alternate Data Streams) under the "Fixing" section
08/31/2013 Loaded Modules - added to Additional Scan list in the "Output" section
08/31/2013 Loaded Modules - added to Addition.txt in the "Fixing" section
08/31/2013 5=Assigned by FRST when it is unable to read the start type - added to The "StartType" numbers are: under the "Fixing" section
09/11/2013 Addition of clarifications: Run values, StartMenuInternet hijacking, Chrome explanations, Services
09/11/2013 Attribute N added
09/11/2013 Paragraph added covering Unicode
09/11/2013 Explanatory note added to DeleteJunctionsInDirectory:
09/24/2013 Security Center and Safe Mode scan explanations added to Addition.txt
11/01/2013 Winsock: Catalog5 section amended to carry out the netsh winsock reset after reboot where it doesn't work the first time
11/19/2013 Fixing - information about Fixlog header added
12/15/2013 DeleteJunctionsInDirectory: now able to be used in any mode
12/15/2013 Winsock: Catalog5 section amended for inclusion of broken internet access fix example
12/30/2013 RemoveDirectory: and SetDefaultFilePermissions: added to Commands/Directives
12/30/2013 Explanation of what the Unlock: directive sets, added
12/30/2013 Further explanation added to the Search Feature.
01/19/2014 Statement added that FRST will not work with XP 64-bit machines
01/19/2014 Whitelisting explanation added
01/19/2014 Header example amended and updated
01/22/2014 Explanation note added for AppInit_Dlls fixing under Registry
01/29/2014 Search explanation amended to record that X: search happens in Recovery Mode
02/12/2014 Installed programs list explanation under Addition.txt amended to cover hidden programs
02/12/2014 Disabled items from MSCONFIG report added under Addition.txt
03/04/2014 Console image and Optional Scan list updated
03/06/2014 Reboot: command added
03/14/2014 RestoreQuarantine: command added
03/14/2014 Optional Scans, Drivers MD5 and Shortcut.txt added
03/15/2014 Example fix added for when Group Policy is used to block changes to Google Chrome extensions
03/18/2014 Winsock entries section explanation expanded for more clarity
04/24/2014 ListPermissions: command added
04/24/2014 Explanation of how FRST deals with Services fixes added under the Fixing section
04/24/2014 SaveMbr: added to listing at the head of Directives/Commands section
05/02/2014 DeleteKey: added to Directives/Commands
05/08/2014 Exe Association explanation added under the Addition.txt heading in the Fixing section
05/16/2014 The Search Features section updated with the Search Files section amended for clarification and the Search Registry feature added
06/02/2014 The Chrome section in Fixing amended to cover "Preferences" file error
06/10/2014 VerifySignature: command added.
06/10/2014 Registry explanation expanded under the Fixes section
06/24/2014 Default Scan Areas explanation and listing amended for clarity
07/22/2014 Firefox explanation expanded to record that FF keys are listed whether or not FF is installed
07/22/2014 The DeleteKey: command has the ability to delete registry symbolic links
07/29/2014 Custom CLSID list added to the Additions scan
08/11/2014 EmptyTemp: directive added
08/14/2014 Java cache added to EmptyTemp: list and Processor information added under Memory info
08/19/2014 Chrome section amended. All items except DefaultSearchProvider can now be fixed through FRST
08/24/2014 DeleteJunctionsInDirectory: paragraph amended
08/27/2014 Explanation of "Some content of TEMP:" added
08/27/2014 Hosts: command added
08/27/2014 Some names updated and Platform: added to example header
08/28/2014 In the One Month Created Files and Folders and One Month Modified Files and Folders section, a note added that a wildcard will not work for Folders.
08/28/2014 Explanation of where a section will be found in and outside RE for scan areas EXE ASSOCIATION, Restore Points and Memory info added.
08/31/2014 Polish translation link added
09/02/2014 Under LastRegBack an explanation of the LKGC acronym added in parentheses
09/02/2014 Under Installed Programs an explanation of flagging of adware/PUP programs added
09/02/2014 An explanation added under Loaded Modules
09/02/2014 An explanation of fixing plugins in Firefox added
09/07/2014 Explanation of Firefox Add-ons, Extensions and Plugins simplified