**********************************************************
Donation Information
While FRST is free it is the product of hours of work by Farbar. The program contains many thousands of lines of code,
and is updated often. In addition to maintaining the tool Farbar spends countless hours supporting forum helpers and
their malware victims. If you find his FRST tool helpful and would like to make a donation to support his efforts simply
click the Paypal button below:
(https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=3636066)
Tutorial Information
http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ 1/48
10/29/2014 FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials
Translations
Table of Contents
1. Introduction (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350712)
2. Canned Speeches/Download link (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350717)
3. Output (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350718)
4. Default Scan Areas (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350718)
5. Fixing (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350719)
1.Processes
2.Registry
3.Internet
4.Hosts
5.Services/Drivers
6.NetSvcs
7.One Month Created Files and Folders and One Month Modified Files and Folders
8.AlternateDataStreams
9.Unicode
10.Files to move or delete
11.Some content of TEMP
12.Known DLLs
13.Bamital & volsnap Check
14.EXE ASSOCIATION
15.Restore Points
16.Memory info
17.Drives and MBR & Partition Table
18.LastRegBack
19.Addition.txt
6. Directives/Commands (http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/page__view__findpost__p__2350720)
1.CloseProcesses:
2.CMD:
3.DeleteJunctionsInDirectory:
4.DeleteKey:
5.DeleteQuarantine:
6.DisableService:
7.EmptyTemp:
8.File: and Folder:
9.FindFolder:
10.Hosts:
11.ListPermissions:
12.Move:
13.nointegritychecks on:
14.Reboot:
15.Reg:
16.RemoveDirectory:
17.Replace:
18.RestoreQuarantine:
19.SaveMbr:
20.SetDefaultFilePermissions:
21.testsigning on:
22.Unlock:
23.VerifySignature:
Optional Scans
Drivers MD5
Shortcut.txt
Search features
Trusted helpers and experts who have the requisite access may keep abreast of the latest tool developments at the FRST Discussion Thread (http://www.bleepingcomputer.com/forums/t/360106/farbar-recovery-scan-tool/).
Introduction
One of FRST's strengths is its simplicity. It is designed to be user friendly. Lines containing references to infected items can be identified, copied from the log, pasted into Notepad and saved. Then, with the press of a button, the tool does the rest. This allows great flexibility: as new infections appear they can be identified and included in a fix.
Farbar's Recovery Scan Tool is designed to run on Windows XP, Windows Vista, Windows 7 and Windows 8 Operating
Systems. There are two versions, a 32-bit and a 64-bit version.
Note: FRST64 is not designed to run on XP 64-bit systems.
Diagnosis
FRST creates a log covering specific areas of the Windows Operating System. This can be used for initial problem analysis
and to tell you some information about the system.
The tool is under constant development, part of which includes the addition of new malware identification labels.
Accordingly, it is strongly recommended to regularly update. If the computer is connected to the internet there will be an
automatic check for available updates when FRST is opened. A notification will appear and the latest version can then be
downloaded.
Where a new infection appears, or an update is not possible (for example because there is no internet connection), the helper needs to stay abreast of current malware developments so that the problem can be pinpointed early without relying on FRST's labels. The lay user should seek expert help when new infections appear or when they have difficulty identifying the problem on their machine.
By default, like many other scanners, FRST applies whitelisting, so known-good entries are omitted and the log stays readable. If you do want to see a full log, uncheck the relevant box in the Whitelist section of the console. Be prepared for a very long log that may have to be uploaded as an attachment for analysis.
FRST not only whitelists the default MS entries from the registry section but in some cases (like
ShellIconOverlayIdentifiers) also whitelists the safe entries from third party programs too.
In the case of Services and Drivers the whitelist covers not only the default MS services but also all other legitimate
services and drivers.
Any service or driver file without a company name is not whitelisted.
No security program (AV or Firewall) is whitelisted.
The SPTD service is not whitelisted.
Make sure FRST is run under administrator privileges. Only when the tool is run by a user that has administrator
privileges will it work properly. If a user doesn't have administrator privileges you will see a warning in the header of
FRST.txt about it.
In some cases a security program will prevent the tool from running fully. Generally there won't be a problem, but be alert to the possibility that when a scan is requested a security program may stop the tool from running. When fixing, it is preferable to disable programs like Comodo that might prevent the tool from doing its job.
A general recommendation to everyone is that when you are dealing with a rootkit, it is better to do one fix at a time and wait for the outcome before running another tool.
It is not necessary to create a registry backup. FRST makes a backup of the registry hives the first time it runs. The backup is located in %SystemDrive%\FRST\Hives (in most cases C:\FRST\Hives) and will not be overwritten by subsequent runs of the tool.
Running FRST
The user is instructed to download FRST to the Desktop. From there it is a simple matter to double click the FRST icon,
accept the disclaimer, and run it. The FRST icon looks like this:
(http://s739.photobucket.com/user/emeraldnzl/media/FRSTicon.jpg.html)
Note: You need to run the version compatible with the user's system. There are 32-bit and 64-bit versions. If you are
not sure which version applies, have the user download both of them and try to run them. Only one of them will run on
the system, that will be the right version.
Once FRST is opened the user is presented with a console looking like this:
(http://s739.photobucket.com/user/emeraldnzl/media/FRSTconsolelatest.jpg.html)
Canned Speeches
Example instruction for the malware helper expert to have the user run FRST in normal mode:
[color=green][b]Note[/b]: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.[/color]
[LIST]
[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click [b]Yes[/b] to disclaimer.
[*]Press [b]Scan[/b] button.
[*]It will produce a log called [b]FRST.txt[/b] in the same directory the tool is run from.
[*]Please copy and paste log back here.
[*]The first time the tool is run it generates another log ([b]Addition.txt[/b] - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
[/LIST]
Example instruction to run FRST on Vista, Windows 7 and Windows 8 in the Recovery Environment (RE):
[LIST]
[*]On a clean machine, please download [url=http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/]Farbar Recovery Scan Tool[/url] and save it to a flash drive.
[color=green][b]Note[/b]: You need to run the version compatible with your system.[/color]
[color=#0000FF][b]To enter System Recovery Options from the Advanced Boot Options:[/b][/color]
[LIST]
[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the [b]F8[/b] key until Advanced Boot Options appears.
[*]Use the arrow keys to select the [b]Repair your computer[/b] menu item.
[*]Select [b]US[/b] as the keyboard language settings, and then click [b]Next[/b].
[*]Select the operating system you want to repair, and then click [b]Next[/b].
[*]Select your user account and click [b]Next[/b].
[/LIST]
[color=green][b]Note[/b]: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html[/color]
[*][color=#008000][b]On the System Recovery Options menu you will get the following options:[/b][/color]
[b]Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/b]
[b]Note:[/b] Replace letter [color=#FF0000]e[/color] with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press [b]Scan[/b] button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
[/LIST]
[/LIST]
Once FRST has completed its scan it saves plain-text copies of the results in the same location FRST was started from. On the first scan both an FRST.txt log and an Addition.txt log are produced. On subsequent scans, unless specifically requested (see optional scans in the console), FRST will only produce an FRST.txt log.
Copies of logs are also saved at %SystemDrive%\FRST\Logs (in most cases this will be C:\FRST\Logs).
Fixes
FRST has a range of commands and switches that can be used both to manipulate the computer's processes and to fix
problems you have identified.
To fix identified problems, copy and paste the relevant lines from the FRST.txt log into a text file named fixlist.txt using Notepad.
fixlist.txt is saved in the same location as the tool. In the case of a normal or safe mode scan this will be the Desktop. In the case of a recovery environment scan it will be the flash drive.
Note: It is important that Notepad is used. The fix will not work if Word or some other word processor is used, because those programs save their own document format rather than the plain text FRST reads.
Example instruction for a fix carried out in normal or safe mode i.e. within Windows
[u][b]NOTE.[/b][/u] It's important that both files, [b]FRST/FRST64[/b] and [b]fixlist.txt [/b]are in the same location or the fix will not work.
[b][color=red]NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system[/color][/b]
Run [b][color=#0000FF]FRST/FRST64[/color][/b] and press the [b]Fix[/b] button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it on the flash drive as [b]fixlist.txt[/b]
[quote]
Script goes here
[/quote]
[color=red][b]NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system[/b][/color]
On Windows XP: Now please boot into the PE (Preinstallation Environment) disk.
Run [b]FRST/FRST64[/b] and press the [b]Fix[/b] button just once and wait.
The tool will generate a log on the flashdrive ([b]Fixlog.txt[/b]) please post it in your reply.
Items moved by the fix are kept in %SystemDrive%\FRST\Quarantine (in most cases C:\FRST\Quarantine) until clean up and deletion of FRST.
For detailed information about preparing fixes see the Fixing section in the tutorial.
Download Links
The latest version of Farbar's Recovery Scan Tool may be downloaded from http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Output
Header
Quote
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-10-2014 01
Ran by Someperson (administrator) on SOMEPERSON-PC on 10-10-2014 11:26:18
Running from C:\Users\Someperson\Desktop
Loaded Profile: Someperson (Available profiles: Someperson & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
First line: tells you whether it has been run on a 32- or 64-bit machine. The version of FRST is also shown. The version number is particularly important: an old version may not have the most up-to-date functionality or malware identification labels.
Second line: shows what user ran the tool and under what permissions. This can alert you to whether the user has the
appropriate permission rights. The line also shows you the computer name together with what date and time the tool was
run. Sometimes a user will inadvertently post an old log.
Third line: tells you where FRST was run from. This may be relevant for fix instruction if it has run from somewhere
other than the Desktop.
Fourth line: tells you what account (profile) the user is logged in under, i.e. the loaded user hive. Next, in parentheses, "Available profiles" records all profiles on the machine including those that are not currently loaded.
Note: When you log into Windows, only the user hive of the logged on user is loaded. If the user logs into another
account without restarting (by using "Switch user" or "Log off"), the second user hive gets loaded but the first one
doesn't get unloaded. In that situation FRST will list the registry entries of both the users but doesn't list the registry
entries specific to any other users because those hives are not loaded.
Fifth line: records the version of Windows on the machine including Service Pack number together with the language
used. This may alert you to a problem with updates if the Service Pack is not the latest.
Seventh line: tells you what mode the scan was run under.
Note 2: The information in a header run in the Recovery Environment is similar although it is necessarily truncated as
user profiles are not loaded.
When there are boot problems you may see something like "Attention: Could not load system hive". That tells you the SYSTEM registry hive is missing or unreadable. Restoring the hive using LastRegBack: may be a solution (see below).
"The current controlset is ControlSet001" or "The current controlset is ControlSet002" tells you which ControlSet on the system is the default one. Normally you don't need this, but if you want to inspect or manipulate the ControlSet that will be loaded when Windows boots, it tells you which one to work on. Changes to any other ControlSet have no effect on the system.
On the first run outside the recovery environment a FRST.txt log and an Addition.txt log are generated. Thereafter, if an
Addition.txt scan is required then the appropriate box needs to be checked/ticked before running the scan. An
Addition.txt log is not produced when FRST is run in the recovery environment.
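The header checks described above can be automated. The following Python script is an added example, not FRST's code and not part of the original tutorial: it parses the header quoted above (reproduced here as the sample input) and raises the warnings a helper looks for before reading further: a run without administrator privileges, a stale log, an out-of-date build, a tool run from somewhere other than the Desktop, and the "Could not load system hive" notice. The regular expressions, the day-month-year reading of FRST's dates and the age thresholds are this example's assumptions, not FRST specifications.

```python
"""Parse an FRST.txt header and run the sanity checks a helper does by eye.
Added example; not part of FRST or of the tutorial."""
import re
from datetime import datetime, timedelta

# Constructed sample: the FRST.txt header quoted in the tutorial.
SAMPLE_HEADER = """\
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-10-2014 01
Ran by Someperson (administrator) on SOMEPERSON-PC on 10-10-2014 11:26:18
Running from C:\\Users\\Someperson\\Desktop
Loaded Profile: Someperson (Available profiles: Someperson & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
"""

# Assumption: FRST prints dates as day-month-year (consistent with the sample).
DATE_FMT = "%d-%m-%Y"
STAMP_FMT = "%d-%m-%Y %H:%M:%S"

# Line patterns are this example's own; only the first two lines are required
# so that a truncated Recovery Environment header still parses.
_FIRST = re.compile(r"^Scan result of Farbar Recovery Scan Tool \(FRST\.txt\) \((x86|x64)\) "
                    r"Version: (\d{2}-\d{2}-\d{4}) (\d+)", re.M)
_RAN_BY = re.compile(r"^Ran by (\S+) \((\w+)\) on (\S+) on (\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})", re.M)
_RUN_FROM = re.compile(r"^Running from (.+)$", re.M)
_PROFILE = re.compile(r"^Loaded Profile: (\S+) \(Available profiles: (.+)\)$", re.M)
_PLATFORM = re.compile(r"^Platform: (.+?) OS Language: (.+)$", re.M)
_BOOT = re.compile(r"^Boot Mode: (\w+)", re.M)


def parse_header(text):
    """Return the header fields as a dict; raises ValueError if not an FRST.txt header."""
    first, ran = _FIRST.search(text), _RAN_BY.search(text)
    if first is None or ran is None:
        raise ValueError("not an FRST.txt header")
    run_from, prof, plat, boot = (rx.search(text) for rx in (_RUN_FROM, _PROFILE, _PLATFORM, _BOOT))
    return {
        "arch": first.group(1),
        "version": datetime.strptime(first.group(2), DATE_FMT),
        "build": int(first.group(3)),
        "user": ran.group(1),
        "privilege": ran.group(2).lower(),
        "computer": ran.group(3),
        "run_at": datetime.strptime(ran.group(4), STAMP_FMT),
        "run_from": run_from.group(1).strip() if run_from else None,
        "profile": prof.group(1) if prof else None,
        "available_profiles": [p.strip() for p in prof.group(2).split("&")] if prof else [],
        "platform": plat.group(1).strip() if plat else None,
        "boot_mode": boot.group(1) if boot else None,
        "system_hive_missing": "Could not load system hive" in text,
    }


def check_header(info, now, max_log_age_days=7, max_tool_age_days=14):
    """Return the warnings a helper would raise from the header alone.

    `now` is a datetime or a string in FRST's own stamp format; the age
    thresholds are illustrative defaults, not FRST rules."""
    if isinstance(now, str):
        now = datetime.strptime(now, STAMP_FMT)
    warnings = []
    if info["privilege"] != "administrator":
        warnings.append("not run with administrator privileges; scan is incomplete and a fix will not work properly")
    log_age = now - info["run_at"]
    if log_age > timedelta(days=max_log_age_days):
        warnings.append("log is %d days old; the user may have posted an old log, ask for a fresh scan" % log_age.days)
    tool_age = info["run_at"] - info["version"]
    if tool_age > timedelta(days=max_tool_age_days):
        warnings.append("FRST build %s was %d days old when run; have the user update"
                        % (info["version"].strftime(DATE_FMT), tool_age.days))
    if info["run_from"] and not info["run_from"].rstrip("\\").lower().endswith("\\desktop"):
        warnings.append("run from %s, not the Desktop; fixlist.txt must be saved next to the tool there" % info["run_from"])
    if info["system_hive_missing"]:
        warnings.append("SYSTEM hive could not be loaded; consider the LastRegBack: directive")
    return warnings


if __name__ == "__main__":
    header = parse_header(SAMPLE_HEADER)
    for warning in check_header(header, "29-10-2014 12:00:00") or ["header looks fine"]:
        print(warning)
```

Run against a log pasted by a user, the log-age check is the one that most often fires: a scan older than a week is usually a re-post of an earlier log rather than the current state of the machine.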
Default Scan Areas
Processes
Registry
Internet
Services
Drivers
NetSvcs
One Month Created Files and Folders
One Month Modified Files and Folders
Files to move or delete
Some content of TEMP
Bamital & volsnap Check
LastRegBack:
Security Center
Installed Programs
Restore Points
hosts content
Scheduled Tasks
Loaded Modules
Alternate Data Streams
Safe Mode
EXE Association
MSCONFIG/TASK MANAGER disabled items
Accounts
Faulty Device Manager Devices
Event log errors
Memory info
Drives
MBR & Partition Table
Optional Scans
List BCD
Drivers MD5
Shortcut.txt (available only outside Recovery Environment)
Addition.txt (available only outside Recovery Environment)
Registry
Services
Drivers
NetSvcs
One Month Created Files and Folders
One Month Modified Files and Folders
Files to move or delete
Some content of TEMP
Known DLLs
Bamital & volsnap Check
EXE ASSOCIATION
Restore Points
Memory info
Drives
MBR & Partition Table
LastRegBack:
Fixing
Care, very important: Farbar Recovery Scan Tool is non-invasive, and in scan mode it cannot harm a machine. It only inspects what is there and compiles a report.
FRST is, however, equally effective at carrying out the instructions given to it. When applying a fix, if it is asked to remove an item, in 99% of cases it will do so. The built-in safeguards are necessarily broad, because they are designed not to interfere with the removal of infections. The user needs to be aware of that: used incorrectly (that is, if asked to remove essential files), the tool can render a computer unbootable.
If you are unsure about any items in a FRST report always seek expert help before administering a fix.
Fixlog header
Like the scan header the Fixlog header contains information that is useful.
Quote
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-10-2014 02
Ran by Owner at 2014-10-12 20:07:49 Run:7
Running from C:\Users\Owner\Downloads
Loaded Profile: Owner (Available profiles: Owner)
Boot Mode: Normal
Second line: tells you date and time the fix was run. It also tells you the Run number.
Third line: tells you where the fix was run from.
Fourth line: tells you what account (profile) the user is logged in under.
Fifth line: tells you what mode the fix was run under.
Processes
There are two reasons why you might want to stop a process. First, you may want to stop a security program that might
get in the way of a fix. Secondly, you may want to stop a bad process and then remove the folder or file associated with it.
To stop a process include the appropriate lines from the FRST scan.
Example:
Quote
(IObit) C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
Fixlog.txt will then contain a line of the form "Process name => Process closed successfully".
If you have a bad process and wish to remove the associated file or folder you need to include the item separately in your
fix like this:
Example:
Quote
(Spigot, Inc.) C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
(Spigot Inc) C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings64.exe
C:\Program Files (x86)\Common Files\Spigot
Registry
Registry entries (keys or values) that are taken from the FRST log and included in the fixlist to be deleted will be deleted.
FRST has a powerful deletion routine for keys and values: keys and values that resist deletion because of insufficient permissions or embedded null characters are still deleted. The only keys that will not be deleted are those protected by a kernel driver. Those keys/values should be deleted after the kernel driver protecting them has been removed or disabled.
Copying and pasting items from the log into a fix triggers FRST to perform one of two actions on the listed registry key: restore the Windows default, or delete the entry.
When the entries from the log related to the winlogon values (Userinit, Shell, System), LSA, and AppInit_DLLs are copied to fixlist.txt, the tool restores the default Windows values.
Note: Where AppInit_DLLs contains one bad path among others, FRST removes that particular path from the AppInit_DLLs value without removing the rest.
No batch file or regfix is needed. The same applies to some other important keys that malware commonly hijacks. Entries that have no default (such as the Run entries described below) are deleted.
Note: FRST does not touch the files the registry keys are loading or executing. Files to be moved must be listed
separately with the full path without any additional information.
Except for one case (see below) the Run and Runonce entries if copied to the fixlist.txt will be removed from the
registry. The files they are loading or executing will not be removed. If you wish to remove them you must list them
separately.
For example, to remove the bad run entry along with the file you would list them in the fixlist.txt as follows (the first line
being copied directly from the log):
Quote
Example
Quote
There is one case where a Run value is not removed but reset to its default path. In that case you will see this line in
the log:
Quote
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x] <===== ATTENTION
(File name is altered)
When that line is included in fixlist the default entry will be restored.
In the case of Notify keys; where they are included in the fixlist.txt; if they are among the default keys the tool restores
the value (DllName) data related to that key. If the key is not a default key it will be removed.
The Image File Execution Options entries when included in the fixlist.txt will be removed.
When a file or shortcut in the Startup folder is detected, FRST lists the file in the Startup: entries. If the file is a shortcut, the next line lists the shortcut target (i.e. the executable that is run by the shortcut). To remove both the shortcut and the target file you need to include both lines.
Example:
Quote
Note: The first line only moves the shortcut. Listing the second line moves the 1800947.exe file. If you only list the
second line, the executable file will be removed but the shortcut will remain in Startup folder. The next time the system
is started it will throw an error when the shortcut tries to run the executable and doesn't find it.
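One way to apply the rule that runs through the Processes, Run and Startup sections above (the log line closes or removes the entry; the file it points at must be listed separately as a bare path) is the following Python script. It is an added example, not FRST's code and not part of the tutorial. It takes Processes lines and Run lines in the formats the tutorial quotes, emits the entries first and then each file path once, and checks that the saved fixlist is plain text rather than a Word or RTF document, which is the reason the tutorial insists on Notepad. The Run line in the sample is hypothetical, the regular expressions are this example's own, and whether to move a whole product folder (as in the Spigot example) rather than the individual files remains the helper's decision.

```python
"""Build a fixlist.txt body from FRST.txt Processes and Run lines, listing the
referenced files separately, and check the saved file is plain text.
Added example; not part of FRST or of the tutorial."""
import re

# Constructed sample log lines. The two process lines are the ones the tutorial
# quotes; the Run line is hypothetical, in the quoted [Name] - "path" form the
# tutorial shows for Run values.
SAMPLE_LOG_LINES = [
    r"(Spigot, Inc.) C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe",
    r"(Spigot Inc) C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings64.exe",
    r'HKLM\...\Run: [SearchSettings] - "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" -autorun',
]

# "(Company) C:\path\file.exe" as printed in the Processes section.
PROCESS_RE = re.compile(r"^\([^)]*\) (?P<path>[A-Za-z]:\\.+)$")
# 'HKLM\...\Run: [Name] - "C:\path\file.exe" args' (HKCU, HKU\<sid> and RunOnce too).
RUN_RE = re.compile(r'^HK(?:LM|CU|U\\[^\\]+)\\\.\.\.\\Run(?:Once)?: \[[^\]]*\] - (?P<path>"[^"]+"|\S+)')


def build_fixlist(log_lines):
    """Return fixlist lines: each log line verbatim, then each referenced file once.

    Entries come first so a running process is closed before its file is moved."""
    entries, paths, seen = [], [], set()
    for raw in log_lines:
        line = raw.strip()
        match = PROCESS_RE.match(line) or RUN_RE.match(line)
        if match is None:
            raise ValueError("not a Processes or Run line: " + line)
        entries.append(line)
        path = match.group("path").strip('"')
        if path.lower() not in seen:          # same file from a process and a Run value: list once
            seen.add(path.lower())
            paths.append(path)
    return entries + paths


def render_fixlist(lines):
    """Plain text as Notepad would save it: CRLF line endings, no markup."""
    return "\r\n".join(lines) + "\r\n"


# Leading bytes of the document formats a word processor produces instead of
# plain text; any of these means the user saved with the wrong program.
WORD_MAGIC = {
    b"{\\rtf": "Rich Text Format (.rtf)",
    b"PK\x03\x04": "Office Open XML (.docx)",
    b"\xd0\xcf\x11\xe0": "OLE compound document (.doc)",
}


def fixlist_problems(data):
    """Return reasons the bytes are not a plain-text fixlist (empty list if fine)."""
    problems = []
    for magic, name in WORD_MAGIC.items():
        if data.startswith(magic):
            problems.append("saved as " + name + ", not plain text")
    return problems


if __name__ == "__main__":
    body = render_fixlist(build_fixlist(SAMPLE_LOG_LINES))
    assert fixlist_problems(body.encode("utf-8")) == []
    print(body, end="")
```

The output lists the two Spigot process lines and the Run line, followed by the two executable paths; SearchSettings.exe appears once even though both a process line and the Run value refer to it.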
Internet
Apart from a few exceptions, items copied to fixlist.txt will be removed. Where folders/files are involved they must be
copied separately to the fix.
Note: In the case of HKLM DefaultScope (hijacked or missing), however, the entry is reset, not deleted. This applies to FF and Chrome as well.
Note 2: In the case of StartMenuInternet hijacking for IE, FF and Chrome, the default entries are whitelisted, so when such an entry appears in the FRST log there is something wrong with the path in the registry. The entry can be included in the fixlist and the default registry entry will be restored.
Internet Explorer
Where the home page line is pasted into fixlist.txt the value will be removed, returning the browser setting to the default position. The listing would be entered like this (the line is entered directly from the log):
Quote
Where internet search providers are involved the item can be pasted into fixlist.txt and the key will be deleted. The items
are entered as follows:
Quote
Toolbars and BHO's (Browser Helper Objects) can be copied into the fix and the Key will be deleted. Accompanying
files/folders must be entered separately if they need to be moved.
Example:
Quote
ActiveX objects can be pasted into the fix and the item will be removed. Just enter the line like so:
Quote
Firefox
Where the home page line is pasted into fixlist.txt the value will be removed. The next time Firefox is started it will revert to its default homepage. The listing would be entered like this (the line is entered directly from the log):
Quote
FF Homepage: hxxp://www.ask.com/
For Add-ons, Extensions and Plugins the entry from the log can be entered in the fixlist and the item will be moved.
Where there is a file to be moved for either an Add-on, or an Extension, it must be entered separately. For Plugins both
the registry entry and the file will be deleted (see below).
Quote
For Firefox Plugins, processing the entry will delete both elements, no need to include a file path.
Quote
Content of fixlist:
*****************
FF Plugin-x32: @tools.bdupdater.com/BonanzaDealsLive Update;version=3 - C:\Program Files (x86)\BonanzaDealsLive\Update\1.3.23.0\npGoogleUpdate3.dll (BonanzaDeals)
FF Plugin-x32: @tools.bdupdater.com/BonanzaDealsLive Update;version=9 - C:\Program Files (x86)\BonanzaDealsLive\Update\1.3.23.0\npGoogleUpdate3.dll (BonanzaDeals)
*****************
All other items; when the line is entered in fixlist.txt, it will be removed. Files/folders must be entered separately (just the
path) to be moved.
Chrome
FRST lists Chrome keys (if present) regardless of whether Chrome is installed or not.
Google Chrome DefaultSearchProvider is not fixed through FRST. In that case you will need to fix using the
"Settings" facility.
If the DefaultSearchProvider item is for some reason included in a fix FRST will return a label like this ==> The
Chrome "Settings" can be used to fix the entry.
Quote
This means that the particular file is missing and the plugin is not available. Including the entry in the fixlist will not remove the entry.
"No file" entries can be removed by refreshing Google Chrome plugins cache.
To refresh Google Chrome plugins cache and remove the orphans, do the following:
Quote
Open Chrome.
Copy and paste the following in the address bar and press Enter:
chrome://plugins
You will get a page with all the plugins listed. There is an option to disable each plugin.
Press "Disable" under each plugin involved. Then press "Enable".
Close Chrome.
Deleting the extension folder using FRST does effectively remove the extension. It cannot run, and does not do any harm
to Chrome's operation, but the extension name remains in the prefs file. For that reason it is better to use Chrome's own
tools in this instance.
Processing a Registry type of extension will delete both elements at once if found (no need to include a second line pointing to the file). You might see something like this in the FRST log:
Quote
Just include the lines in the fixlist and you will get this report after the fix:
Quote
Quote
Include the lines in fixlist and you see the following in the Fixlog.txt report.
Quote
Quote
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
"Preferences" is the core configuration file for Chrome where all the user's settings are saved there. There are cases
where malware corrupts "Preferences" file or just makes a zero byte preferences file. FRST alerts you to the problem.
The best action is to remove the "Preferences" file and restart Chrome.
Where you do wish to remove something other than a registry type of extension then instructions at FF above apply to
Add-ons, extensions, plugins and to all other items.
For browsers (Opera, Avant, Safari) that are not shown in the log then the best option is a complete uninstall followed by
a reboot and reinstall.
Winsock
Items not on the default list will show in the log. If a catalog 5 entry is listed to be fixed, FRST will do one of two things:
1. In the case of hijacked default entries, it will restore the default entry.
2. In case of custom entries, it will remove it and re-number the catalog entries.
Where there are catalog 9 entries to be fixed, it is recommended to use "netsh winsock reset".
Where there are still custom catalog 9 entries to be fixed, they can be listed to be fixed. In that case FRST will remove the
entries and re-number the catalog entries.
A broken internet access due to missing winsock entries will be reported on the log like this:
Quote
To fix the issue, the entry can be included in the fixlist.txt like this:
Quote
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
When included in the fixlist, FRST will reset the Catalog5 entries but doesn't do anything to problematic Catalog9 entries
and tells you to use "netsh winsock reset" to deal with them.
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset
The Fixlog generated after the fix would look like this:
"Successfully reset the Winsock Catalog. You must restart the computer in order to complete the reset."
========= End of CMD: =========
Note: In certain situations the netsh winsock reset command may not work. When that happens, have the user reboot the machine and run cmd: netsh winsock reset again.
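The Winsock handling above (Catalog5 lines go into the fixlist, Catalog9 problems are handed to netsh winsock reset, and the Fixlog is checked for netsh's success message) as an added Python example. This is not FRST's code and not part of the tutorial; the log lines are a constructed copy of the tutorial's example, and the line format the regular expression expects is taken from those lines only.

```python
import re

# Constructed sample log, copied from the Winsock example in the tutorial.
SAMPLE_LOG = r"""
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
"""

# "Winsock: Catalog5[-x64] NN rest-of-line"; the catalog number is what decides the fix.
WINSOCK_RE = re.compile(r'^Winsock: (Catalog(\d)(-x64)?) (\d+) (.*)$')


def parse_winsock(log_text):
    """One dict per Winsock line: catalog name, catalog number (5 or 9), entry index,
    the rest of the line and whether FRST flagged it."""
    entries = []
    for line in log_text.splitlines():
        m = WINSOCK_RE.match(line.strip())
        if not m:
            continue  # not a Winsock line
        catalog, number, _x64, index, rest = m.groups()
        entries.append({
            'line': line.strip(),
            'catalog': catalog,
            'number': int(number),
            'index': int(index),
            'flagged': 'File Not found' in rest or 'ATTENTION' in rest,
        })
    return entries


def build_fixlist(entries):
    """Flagged Catalog5 lines are copied verbatim (FRST restores a hijacked default or
    removes a custom entry and renumbers). FRST does nothing for Catalog9 problems, so
    a flagged Catalog9 entry adds the netsh reset through FRST's cmd: directive."""
    fix = [e['line'] for e in entries if e['flagged'] and e['number'] == 5]
    if any(e['flagged'] and e['number'] == 9 for e in entries):
        fix.append('cmd: netsh winsock reset')
    return fix


def fixlog_needs_rerun(fixlog_text):
    """After the fix the Fixlog should carry netsh's success message. If it is missing,
    this is the case the tutorial's note describes: reboot and run the cmd: line again."""
    return 'Successfully reset the Winsock Catalog' not in fixlog_text


if __name__ == '__main__':
    for line in build_fixlist(parse_winsock(SAMPLE_LOG)):
        print(line)
```

The fixlist produced for the sample matches the one shown above: three Catalog5 lines followed by cmd: netsh winsock reset.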
Tcpip
Tcpip and other entries, when included in the fixlist.txt, will be deleted.
hosts
When there are custom entries in Hosts (http://en.wikipedia.org/wiki/Hosts_(file)), you will get a line in the Internet section of the FRST.txt log saying "There are more than one entries detected in hosts" (see Additional Scan).
If the hosts file is not detected, there will be an entry about not being able to detect hosts.
To reset the hosts file, just copy and paste the line into the fixlist.txt and the hosts file will be reset. You will see a line in Fixlog.txt confirming the reset.
RunningState - the letter beside the number represents the Running State:
R=Running
S=Stopped
U=Undetermined
The number represents the start type:
0=Boot
1=System
2=Auto
3=Demand
4=Disabled
5=Assigned by FRST when it is unable to read the start type
FRST scans for a number of known infections and verifies the digital signature of the files for Services and Drivers.
Where a file is not digitally signed it will be reported.
Example:
To fix a file that is not signed it needs to be replaced with a good copy. Use the Replace: command.
To remove a bad service or driver service the line from the scan log is copied to fixlist.txt. The tool closes any service
entry that is included in the fixlist.txt and removes the service key, but it will not remove the file. The file should be
included separately. There is one exception - see below.
For example to remove the bad service or driver entry along with the file you would list them in the fixlist.txt as follows:
There is one exception with Windows Management Instrumentation where it has been hijacked by Ransomware. In
that case you will see something like:
Note: FRST will report success or failure of stopping services that are running. Regardless of whether the service is stopped or not, FRST attempts to delete the service. Where a running service is deleted, FRST will inform the user about completing the fix and the need to restart, and will then restart the system. You will see a line at the end of Fixlog about the needed restart. If a service is not running, FRST will delete it without forcing a restart.
NetSvcs
Known legitimate entries are whitelisted. As with other scanned areas that have a whitelist, this does not mean that items appearing in FRST.txt are all bad, just that they should be checked.
NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: pMgt -> C:\Window\System32\dstor.dll (No File)
NETSVC: WUSB54GCSVC -> No ServiceDLL Path.
The first entry is labelled with the infection =====> ZeroAccess and needs to be dealt with.
The second entry means there is a ServiceDll in the registry entry associated with the pMgt service, but the file is missing.
The third entry means WUSB54GCSVC has no ServiceDll entry in the registry. The second and third entries are leftovers.
Note that listing a Netsvc only removes the associated value from the registry. The associated service should be listed for deletion separately.
Looking at the above example, there is a service listed further back in the FRST log associated with the item showing in NETSVC; it looks like this:
To remove the Netsvc value, the associated service in the registry and the associated DLL file, the full script would look like this:
NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
R2 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\System32\smcservice.dll
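The service legend (running state letter plus start type digit) and the NetSvcs clean-up just described, as an added Python example that is neither FRST's code nor part of the tutorial. It reads the service line and the NETSVC lines, classifies each NETSVC entry the way the text does (infection label, leftover, or merely not whitelisted), and assembles the three-line script shown above. The log excerpt is constructed from the tutorial's example; the ExampleSvc line is invented as a benign entry for the parser to skip, and the service line format the regular expression expects is the one visible in that example.

```python
import re

# Legend from the tutorial: letter = running state, digit = start type.
RUN_STATE = {'R': 'Running', 'S': 'Stopped', 'U': 'Undetermined'}
START_TYPE = {'0': 'Boot', '1': 'System', '2': 'Auto', '3': 'Demand',
              '4': 'Disabled', '5': 'Unreadable (assigned by FRST)'}

# "R2 Name; path [size date] (company) <optional ATTENTION label>"
SERVICE_RE = re.compile(
    r'^([RSU])([0-5]) ([^;]+); (.+?) \[(\d+) (\d{4}-\d{2}-\d{2})\] \((.*?)\)(.*)$')
NETSVC_RE = re.compile(r'^NETSVC: (\S+) -> (.*)$')

# Constructed excerpt modelled on the tutorial's example; ExampleSvc is a made-up benign
# service included only so the parser has something to leave alone.
SAMPLE_LOG = r"""
R2 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
R2 ExampleSvc; C:\Program Files\Example\examplesvc.exe [123456 2012-01-01] (Example Corp.)
NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: pMgt -> C:\Window\System32\dstor.dll (No File)
NETSVC: WUSB54GCSVC -> No ServiceDLL Path.
"""


def parse_services(log_text):
    """Map service name -> details for every service/driver line in the log."""
    services = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, path, size, date, company, tail = m.groups()
        services[name] = {
            'line': line.strip(), 'state': RUN_STATE[state], 'start': START_TYPE[start],
            'path': path, 'size': int(size), 'company': company,
            'flagged': 'ATTENTION' in tail,
            # deleting a running service makes FRST restart the machine
            'restart_on_delete': state == 'R',
        }
    return services


def parse_netsvcs(log_text):
    """Classify NETSVC lines the way the tutorial reads them."""
    items = []
    for line in log_text.splitlines():
        m = NETSVC_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        if 'ATTENTION' in rest:
            kind = 'infection'      # labelled with an infection name
        elif '(No File)' in rest or 'No ServiceDLL Path' in rest:
            kind = 'leftover'       # ServiceDll file missing, or no ServiceDll value at all
        else:
            kind = 'review'         # not whitelisted, but nothing flagged
        items.append({'line': line.strip(), 'name': name, 'kind': kind})
    return items


def build_netsvc_fix(log_text):
    """fixlist lines: the NETSVC value, its service entry (when the log has one) and, for an
    infection, the DLL path on its own line, because deleting the service leaves the file."""
    services = parse_services(log_text)
    fix = []
    for item in parse_netsvcs(log_text):
        if item['kind'] == 'review':
            continue
        fix.append(item['line'])
        svc = services.get(item['name'])
        if svc is not None:
            fix.append(svc['line'])
            if item['kind'] == 'infection':
                fix.append(svc['path'])
    return fix


def needs_restart(log_text):
    """True when the fix deletes a running service, which makes FRST restart the system."""
    services = parse_services(log_text)
    return any(services[i['name']]['restart_on_delete']
               for i in parse_netsvcs(log_text)
               if i['kind'] != 'review' and i['name'] in services)


if __name__ == '__main__':
    print('\n'.join(build_netsvc_fix(SAMPLE_LOG)))
    print('restart expected:', needs_restart(SAMPLE_LOG))
```

For the sample the first three lines of the output are exactly the script in the tutorial; the two leftover NETSVC values follow on their own, since no service entry for them is in the log.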
One Month Created Files and Folders and One Month Modified Files and Folders
The scan reports the file or folder's created date and time. The "Modified" scan reports the file or folder's modified date and time. The size (http://en.wikipedia.org/wiki/File_size) of the file (the number of bytes it contains) is also shown. A folder will show 00000000, as the folder itself has no bytes.
C - Compressed
D - Directory
H - Hidden
L - Symbolic Link
N - Normal (does not have other attributes set)
O - Offline
R - Readonly
S - System
T - Temporary
To remove a file or folder in the one month list just copy and paste the whole line to fixlist.txt like this:
Listing the Symbolic Link attribute is especially helpful in recognizing the folders created by the ZeroAccess infection.
Example:
Before listing those Folders to be moved the DeleteJunctionsInDirectory: FolderPath should be used (it can be
used in any mode).
Example:
DeleteJunctionsInDirectory: C:\Windows\system64
c:\Windows\System32\Drivers\badfile.sys
C:\Program Files (x86)\BadFolder
If you have more files with similar file names and want to move them with one script, the wildcard * can be used (note that this will not work for folders):
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At52.job
Or just:
C:\Windows\Tasks\At*.job
To remove files/folders with a space in the path, there is no need to put the path in quote marks; you can simply put the path in the fixlist:
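The file-listing format, the attribute legend and the rules just given (DeleteJunctionsInDirectory: before a symlink folder, * only for files, paths unquoted) as an added Python example; it is not FRST's code and not part of the tutorial. The same line format appears in the Folder: output later in the tutorial, so the parser serves both. The listing is constructed using the paths from the fix examples above; attribute letters are read as a set, so their position inside the five-character field does not matter to this code. The A letter, which the tutorial's sample lines show but its legend omits, is treated as the standard Windows archive attribute, an assumption of this example.

```python
import re
from fnmatch import fnmatchcase

# Letters from the tutorial's legend, plus A (archive), an assumption of this example.
ATTRIBUTE_NAMES = {
    'C': 'Compressed', 'D': 'Directory', 'H': 'Hidden', 'L': 'Symbolic Link',
    'N': 'Normal', 'O': 'Offline', 'R': 'Readonly', 'S': 'System', 'T': 'Temporary',
    'A': 'Archive',
}

# "created - modified - size attributes (company) path"
LISTING_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
    r'(\d+) ([A-Z_]{5}) \((.*?)\) (.+)$')

# Constructed sample listing; dates, sizes and attribute fields are invented.
SAMPLE_LISTING = r"""
2014-10-20 12:01 - 2014-10-20 12:01 - 00000000 ___LD () C:\Windows\system64
2014-10-20 12:02 - 2014-10-20 12:02 - 00000000 ____D () C:\Program Files (x86)\BadFolder
2014-10-20 12:03 - 2014-10-20 12:03 - 0023040 ____A () c:\Windows\System32\Drivers\badfile.sys
2014-10-21 08:00 - 2014-10-21 08:00 - 0000302 ___HA () C:\Windows\Tasks\At1.job
2014-10-21 08:00 - 2014-10-21 08:00 - 0000302 ___HA () C:\Windows\Tasks\At8.job
2014-10-21 08:00 - 2014-10-21 08:00 - 0000302 ___HA () C:\Windows\Tasks\At13.job
2014-10-21 08:00 - 2014-10-21 08:00 - 00000000 ____D () C:\Windows\Tasks\AtBackup
2012-09-27 08:48 - 2010-11-20 15:32 - 0672640 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\bootmgfw.efi
"""


def parse_listing(text):
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, company, path = m.groups()
        flags = {c for c in attrs if c != '_'}
        entries.append({
            'created': created, 'modified': modified, 'size': int(size),
            'attributes': {c: ATTRIBUTE_NAMES.get(c, 'unknown') for c in flags},
            'company': company, 'path': path,
            'is_dir': 'D' in flags, 'is_link': 'L' in flags,
        })
    return entries


def junction_folders(entries):
    """Folders carrying the Symbolic Link attribute, the ZeroAccess tell-tale described above."""
    return [e['path'] for e in entries if e['is_dir'] and e['is_link']]


def match_pattern(entries, pattern):
    """Entries a fixlist line would address; the * wildcard is matched case-insensitively."""
    return [e for e in entries if fnmatchcase(e['path'].lower(), pattern.lower())]


def wildcard_is_safe(entries, pattern):
    """The wildcard does not work for folders, so a pattern that hits a folder is rejected."""
    return not any(e['is_dir'] for e in match_pattern(entries, pattern))


def build_move_fix(entries, targets):
    """Emit fixlist lines: DeleteJunctionsInDirectory: precedes each symlink folder, wildcards
    are checked to match files only, and paths are written as-is, without quotes."""
    links = set(junction_folders(entries))
    lines = []
    for target in targets:
        if '*' in target and not wildcard_is_safe(entries, target):
            raise ValueError(f'{target} would match a folder; wildcards only work for files')
        if target in links:
            lines.append(f'DeleteJunctionsInDirectory: {target}')
        lines.append(target)
    return lines


if __name__ == '__main__':
    listing = parse_listing(SAMPLE_LISTING)
    targets = [r'C:\Windows\system64', r'c:\Windows\System32\Drivers\badfile.sys',
               r'C:\Program Files (x86)\BadFolder', r'C:\Windows\Tasks\At*.job']
    print('\n'.join(build_move_fix(listing, targets)))
```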
AlternateDataStreams
AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe
AlternateDataStreams: C:\test:malware.exe
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51
If the ADS is on a legitimate file/folder, the fix is to copy and paste the whole line from the log into the fixlist.
Example:
AlternateDataStreams: C:\Windows\System32\legitfile:malware.exe
C:\test
In the first case FRST only removes the ADS from the file/folder.
Unicode
To fix an entry with Unicode characters in it, the fixlist.txt should be saved in Unicode, otherwise the Unicode characters will be lost. The best way to deal with a line containing Unicode is to save the fixlist.txt and upload it.
Example:
Copy and paste the entry into the open Notepad window, select Save As..., under Encoding: select Unicode, give it the name fixlist and save it.
If you save it in Notepad without selecting Unicode, Notepad will give you a warning; if you go on and save it, then after closing and reopening it you will get:
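The encoding problem described above, as an added Python example (not part of the tutorial): a fixlist line with non-ANSI characters written as Notepad's "Unicode" and read back intact, beside what the same line becomes when it is squeezed into an ANSI code page. The assumptions are that Notepad's "Unicode" is UTF-16 LE with a byte-order mark (Python's 'utf-16' codec writes that on little-endian machines), that cp1252 stands in for the machine's ANSI code page, and the sample path, which is constructed.

```python
import os
import tempfile

# Notepad's "Unicode" is UTF-16 LE with a BOM; Python's 'utf-16' codec writes a BOM in the
# machine's byte order, little-endian on PCs (assumption of this example).
FIXLIST_ENCODING = 'utf-16'

# Constructed fixlist line whose path contains characters outside every ANSI code page
# at once (a Cyrillic user name and file name).
SAMPLE_LINE = 'C:\\Users\\Пользователь\\AppData\\Local\\Temp\\вирус.exe'


def write_fixlist(lines, path, encoding=FIXLIST_ENCODING):
    """Write one directive or log line per line, CRLF-terminated as on Windows."""
    with open(path, 'w', encoding=encoding, newline='\r\n') as f:
        for line in lines:
            f.write(line + '\n')


def read_fixlist(path, encoding=FIXLIST_ENCODING):
    with open(path, encoding=encoding) as f:
        return [line.rstrip('\r\n') for line in f]


def ansi_roundtrip(line, codepage='cp1252'):
    """What the line becomes after an ANSI save: characters the code page cannot hold are
    replaced by '?', which is the damage the Notepad warning is about."""
    return line.encode(codepage, errors='replace').decode(codepage)


def roundtrip_check(line=SAMPLE_LINE):
    """Return (survives_utf16, survives_ansi) for one fixlist line, using a real temp file
    for the UTF-16 leg so the BOM and newline handling are exercised."""
    fd, path = tempfile.mkstemp(suffix='.txt')
    os.close(fd)
    try:
        write_fixlist([line], path)
        utf16_ok = read_fixlist(path) == [line]
    finally:
        os.remove(path)
    ansi_ok = ansi_roundtrip(line) == line
    return utf16_ok, ansi_ok


if __name__ == '__main__':
    print('utf-16 ok, ansi ok:', roundtrip_check())
    print('after ANSI save:', ansi_roundtrip(SAMPLE_LINE))
```

A path made only of ASCII characters survives both encodings, which is why the problem only shows up on entries like the one above.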
Files listed in this section are those that are either bad, or are files in a bad location.
Examples of legitimate files are the files that users have downloaded and saved to the User's directory. Another example is when legitimate third-party software keeps one of its files in the User's directory. That is a bad practice by any software vendor, and those files should be moved even if they are legitimate. We have seen many infections hiding their fabricated files (seemingly legitimate but malware files) in that directory and running them from there.
As with Modified files, the way files/folders are dealt with in a fix is the same as in the One Month Created Files and Folders section above.
This is a non-recursive scan limited to some particular extensions to get a basic idea of whether a malware file is placed in
Temp root. This section is not visible if no files meet the requirements of the search. That does not mean that Temp is
empty or malware free (e.g. malware could be in a subfolder not expanded by FRST) just that it does not meet the
particular search parameters. For a more comprehensive cleanup of temp files, use of the EmptyTemp: command is an
option.
Known DLLs
Some items in this section if missing or patched or corrupted could cause boot issues. Accordingly this scan only appears
when the tool is run in RE (Recovery Environment) mode.
Care is required in dealing with items identified in this section. Either a file is missing or it appears to have been modified in some way. Expert help is recommended to ensure the problematic file is correctly identified and dealt with in the appropriate way. In the majority of cases there is a good replacement on the system that can be found with the Search function of FRST. Please see the Directive section (Examples of use) of this tutorial on how to replace a file, and the Other features section for how to carry out a search.
Modified system files alert you to possible malware infection. Where infection is identified care needs to be taken with
remedial action. Expert help should be sought as removal of a system file could render a machine unbootable.
When a file is not digitally signed you will see something like this one taken from a Zekos infection in a Bamital section:
C:\Windows\System32\rpcss.dll
[2011-05-21 16:29] - [2010-11-20 15:27] - 0512512 ____A (Microsoft Corporation)
8529DD0C546A5EC5B51572EEBE8D2D06
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the
file is infected.
In that case the file needs to be replaced with a good copy. Use the Replace: command.
When a malware made custom entry in BCD is found you will see the following line in the Bamital section:
The entry in BCD might render a system unbootable if the bootkit malware was removed and the BCD entry left behind
without attention. When the entry is included in the fixlist, the malware custom entry is removed from BCD and the
default value is restored.
The safest way to boot to Safe Mode is to use F8 key at boot. In some cases the users use "System Configuration Utility"
to boot to Safe Mode. In case the Safe Mode is corrupted the computer gets locked and the system will not boot to normal
mode because it is configured to boot to Safe Mode. In that case you will see
safeboot: ==> The system is configured to boot to Safe Mode <===== ATTENTION!
To fix the issue include the above line in the fixlist. FRST will set the normal mode as the default mode and the system will
come out of the loop.
EXE ASSOCIATION
Note: the "EXE ASSOCIATION" will appear on the FRST.txt log when FRST is run from the Recovery Environment.
When FRST is run outside Recovery Environment the section will appear on the Addition.txt
Lists file associations for shell spawning values for .exe registry settings like this:
In cases where the exe association is hijacked you will see ATTENTION! instead of OK. You might see other lines, for
example, when the user's key has been hijacked.
As with other registry entries, you can just copy and paste the entries with the issue into the fixlist.txt and they will be restored or taken care of. There is no need to do registry fixes.
Restore Points
Note only in Windows XP can the hives be restored using FRST. The restore points listed on Vista and above should be
restored from RE (Recovery Environment) using Windows System Recovery Options.
Note2: the "Restore Points" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When
FRST is run outside Recovery Environment the section will appear on the Addition.txt
To fix include the line for the one you want to restore into the fixlist.txt script.
To restore the hives from Restore Point 82 (dated 2010-10-24), the line is copied and pasted into the fixlist.txt like so:
For a fix to restore from backup software (FRST saved Hives, ERUNT or CF) on Vista and above, refer to the Directive
section of this tutorial.
Memory info
Tells you the amount of RAM (Random Access Memory) installed on the machine together with the available physical memory and the percentage of free memory. Sometimes this can help explain a machine's symptoms. For example, the number shown may not reflect the hardware the user believes is present: the RAM reported may appear lower than what is actually in the machine. This can happen when the machine cannot actually access all the RAM it has. Possibilities include faulty RAM, a motherboard slot problem, or something preventing the BIOS from recognising it (e.g. the BIOS may need to be upgraded). Also, for 32-bit systems with more than 4GB of RAM installed, the maximum amount reported will only be 4GB. This is a limitation of 32-bit applications.
Processor information, page file size, page file space available, virtual memory and virtual memory available are also
listed.
Note: the "Memory info" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When
FRST is run outside Recovery Environment the section will appear on the Addition.txt
Note: the "MBR & Partition Table" will appear on the FRST.txt log when FRST is run from the Recovery Environment.
When FRST is run outside Recovery Environment the section will appear on the Addition.txt
ATTENTION: Malware custom entry on BCD on drive "Somedrive": detected. Check for MBR/Partition infection
As with other complex infections expert help is recommended to find the correct solution. A wrong move here will render
the users computer unbootable.
In some cases there will be other malware infection labels earlier in the FRST log which will point to a solution. In other
cases, a fix may be necessary with a command using the RE (Recovery Environment). See the Directives section in this
tutorial.
Where there is an indication of something wrong with the MBR an MBR check may be appropriate. To do this an MBR
dump needs to be obtained. This is how:
By doing this, an MBRDUMP.txt will be saved where FRST/FRST64 has been downloaded to.
Note: while an MBR dump can be obtained either in Normal mode or in RE, some MBR infections are able to forge the MBR while Windows is loaded. Accordingly it is recommended to do it in RE.
LastRegBack
FRST looks into the system and lists the last registry backup made by the system. The registry backup contains a backup
of all the hives. It is different from the LKGC (Last Known Good Configuration) backup of the control set.
There are a number of reasons why you might want to use this backup as a solution to a problem but a common one is
where loss or corruption has occurred.
Addition.txt
The Additions scan is generated the first time FRST is run. On subsequent scans it is not carried out unless it is specifically
requested in an optional scan (see box in Console). It lists the following:
Security Center
- You might find that the list contains leftovers of a previously uninstalled security program. In that case the line can be
included in the fixlist.txt to be removed.
There are some security programs (like Spybot S&D) that prevent removal of the entry if they are not fully uninstalled. In
that case instead of a confirmation of removal on the Fixlog you will see:
Security Center Entry => The item is protected. Make sure the software is uninstalled and its services is removed.
Example:
It is strongly recommended to uninstall the flagged program before running an automated tool to remove adware
programs. The uninstaller of the adware program removes the majority of its entries and reverses the configuration
changes.
- In cases where programs are not shown in the user's installed programs list, but are there, FRST will list them and
append them with a label like this:
These programs are not necessarily bad... just hidden. They have a value in the registry called "SystemComponent" with a REG_DWORD set to 1. Those programs are not visible in Add/Remove Programs (XP) or Programs and Features (Vista and above), and the user can't uninstall them from there. FRST can remove "SystemComponent" and make the program visible to the user.
If the entry from Addition.txt log is included in the fixlist.txt you will get:
successfully.
Note: This fix only makes the program visible, it doesn't uninstall the program. The program should be uninstalled by
the user.
As stated above not every hidden program is bad. There are a lot of legitimate programs (including MS programs) that
are hidden for good reasons.
Example:
CustomCLSID: HKU\S-1-5-21-1659004503-1801674531-839522115-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
To fix malicious entries just add them to the fixlist.txt and FRST will remove them.
Note: legitimate third party software can create a custom CLSID so care should be exercised as legitimate ones should
not be removed.
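A triage helper for the CustomCLSID entry quoted above, as an added Python example (not FRST's code and not part of the tutorial). It splits the line into the user SID, the CLSID, the subkey and the value, notes that the LocalServer32 value launches rundll32 with a javascript: URL rather than a program, and decodes the visible part of the eval() argument. The decoding rests on an observation about that fragment, not on anything the tutorial says: every character is one code point above the real one, so shifting by one yields document.write('<script language=jscr. Other samples may encode differently, so the result is labelled as a guess and checked for script keywords before it is trusted.

```python
import re

# The CustomCLSID line quoted above, joined onto one line. "(the data entry has 247 more
# characters)" is FRST's own truncation note, kept as it appears in the log.
SAMPLE_LINE = (
    r'CustomCLSID: HKU\S-1-5-21-1659004503-1801674531-839522115-1003_Classes\CLSID'
    r'\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:'
    r'"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds '
    r'(the data entry has 247 more characters). <==== Poweliks?'
)

CLSID_RE = re.compile(
    r'^CustomCLSID: HKU\\(S-1-5-[\d-]+)_Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\(\w+) -> (.*)$')
TRUNC_RE = re.compile(r'\(the data entry has (\d+) more characters\)')


def extract_eval_payload(value):
    """The text inside eval(" up to FRST's truncation note or its <==== label."""
    start = value.find('eval("')
    if start < 0:
        return ''
    payload = value[start + len('eval("'):]
    for marker in (' (the data entry has', ' <===='):
        cut = payload.find(marker)
        if cut >= 0:
            payload = payload[:cut]
    return payload


def shift_decode(text, shift=1):
    """Undo a per-character code shift. Shift 1 fits the fragment above; it is an
    observation about this sample, not a property of every such entry."""
    return ''.join(chr(ord(c) - shift) for c in text)


def triage_customclsid(line):
    m = CLSID_RE.match(line.strip())
    if not m:
        return None
    sid, clsid, subkey, value = m.groups()
    decoded = shift_decode(extract_eval_payload(value))
    trunc = TRUNC_RE.search(value)
    return {
        'sid': sid, 'clsid': clsid, 'subkey': subkey,
        # a LocalServer32 value that starts rundll32 with a javascript: URL runs script
        # out of the registry instead of a file; the tutorial labels this "Poweliks?"
        'rundll32_javascript': value.lower().startswith('rundll32.exe javascript:'),
        'decoded_prefix': decoded,
        'looks_like_script': any(k in decoded for k in ('document.write', '<script', 'eval(')),
        'remaining_chars': int(trunc.group(1)) if trunc else 0,
        'flagged': ' <====' in value,
    }


if __name__ == '__main__':
    for key, val in triage_customclsid(SAMPLE_LINE).items():
        print(f'{key}: {val}')
```

When looks_like_script comes back True the decoded prefix corroborates the Poweliks label; the fix is still the one the tutorial gives, which is to add the line to the fixlist.txt.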
Scheduled Tasks
- Scheduled Tasks not whitelisted are shown. When an entry is included in a fixlist.txt the task itself is fixed.
Please note that FRST only removes the registry entries and moves the task file but does not move the executable.
If the executable is bad, it should be added on a separate line in the fixlist.txt to be moved.
Note that malware can use a legitimate executable (e.g. using sc.exe to run its own services) to run its own file. In other
words you need to check the executable to ascertain if it is legitimate or not before taking action.
Loaded Modules
Loaded Modules are white listed based on the presence of a company name. That is, items without a company name are
shown. Keep this in mind because there could be a case of a bad module with a company name not showing in this scan.
Alternate Data Streams - Refer Alternate Data Streams earlier in the tutorial
Safe Mode
- The default entries are whitelisted. So if the section is empty, there is no custom entry on the system.
If any of the main keys (SafeBoot, SafeBoot\Minimal and SafeBoot\Network) are missing, it will be reported. In that case
it should be repaired manually.
If there is a malware made entry, it could be included in the fixlist.txt for removal.
EXE Association
-The default entries are whitelisted so unless there are modified or additional entries nothing will show in the report.
When any default modified entry is included in the fixlist.txt, the default entry will be restored. Any user key, if included
-The log is useful where a user has used MSCONFIG to disable malware entries instead of removing them. Or, they have
disabled too much and can't get some needed services or applications to run properly.
Example:
MSCONFIG\startupfolder: Original Path (replaced "\" with "^" by Windows) => Path to backup made by Windows.
Currently FRST only lists those entries. There is no fix at the moment. The legit entries could be enabled again by the
user. In case of malware entries, the file could be removed first. Then the user can be instructed to enable the item so that
they appear on the main log to be removed.
Accounts
-Lists all accounts on the system. Account Name (account SID -> Privileges - Enabled/Disabled) => Profile path
Example:
- Application errors
- System errors
- CodeIntegrity Errors
Drives
MBR & Partition Table - Refer Drives and MBR & Partition Table earlier in the tutorial
Directives/Commands
All the commands/directives in FRST should be on one line as FRST processes the script line by line.
CloseProcesses:
DeleteKey:
EmptyTemp:
Reboot:
VerifySignature:
For use in Normal Mode, Safe Mode and in the Recovery Environment (RE)
cmd:
DeleteJunctionsInDirectory:
DeleteQuarantine:
DisableService:
File: and Folder:
FindFolder:
Hosts:
ListPermissions:
Move:
nointegritychecks on:
Reg:
RemoveDirectory:
Replace:
RestoreQuarantine:
SaveMbr:
SetDefaultFilePermissions:
testsigning on:
Unlock:
LastRegBack:
RestoreErunt:
Restore From Backup:
RestoreMbr:
Examples of use
CloseProcesses:
Closes all non-essential processes. This helps to make fixing more effective and faster.
Example:
CloseProcesses:
When this directive is included in a fix it will automatically apply a reboot. There is no need to use the Reboot: directive.
The CloseProcesses: directive is not needed and not available in the Recovery Environment.
CMD:
Occasionally you need to run CMD command. In that case you must use "CMD:" directive.
CMD: >Command<
If there is more than one command, start each line with CMD: to get an output log for each command.
Example:
The first command will copy the minidump files to the flash drive (if the drive letter of the flash drive is E).
The second command is used to fix the MBR in Windows Vista and Windows 7.
Note: Unlike the native or other FRST directives, cmd commands should have proper cmd.exe syntax, such as " quotes where there is a space in the file/directory path.
DeleteJunctionsInDirectory:
DeleteJunctionsInDirectory: Path
Example:
DeleteKey:
To delete keys that are locked due to insufficient permissions, and keys that contain embedded-null characters.
DeleteKey: Key
Example:
DeleteKey: HKLM\Software\something\something
DeleteKey: HKEY_USERS\S-1-5-21-946498238-3666816333-1564132055-1000\Software\aname
DeleteKey: hkcu\Software\Dit\searchbar
Note: Because the deletion is meant to cover all kinds of keys (even Classes keys, which are often targeted), the feature is only available outside RE.
For keys that are protected by running software (those keys give access denied), you need to use Safe Mode (to circumvent the running software) or delete the main components before using the command.
Note: If the listed key for deletion is a registry link to another key, the (source) key which is the registry symbolic link,
will be deleted. The target key will not be deleted. This is done to avoid removing both a bad registry symbolic link that
might point at a legitimate key and the legitimate key itself. In a situation where both the source key and the target key
are bad, then they both should be listed for deletion.
DeleteQuarantine:
After finishing with cleaning, the %SystemDrive%\FRST (usually C:\FRST) folder made by FRST tool should be removed
from the computer. In some cases the folder can't be removed manually because the %SystemDrive%\FRST\Quarantine
folder contains locked or unusual malware files or directories. The DeleteQuarantine: command will remove the
Quarantine folder.
Tools that move files as opposed to deleting files should not be used to delete C:\FRST as those tools just move the files
to their own directory and it remains on the system anyway.
DeleteQuarantine:
DisableService:
To disable a service or driver service you can use the following script:
DisableService: ServiceName
Example:
DisableService: sptd
DisableService: Schedule
DisableService: VMware NAT Service
FRST will set the service to Disabled and the service will not run at the next boot.
Note: The service name should be listed as it appears in the registry or FRST log, without adding anything. For
example quotation marks are not required.
EmptyTemp:
When the EmptyTemp: directive is used, the system will be rebooted after the fix. There is no need to use the Reboot: directive.
Also, no matter whether EmptyTemp: is added at the start, middle or end of the fixlist, it will be executed after all other fixlist lines are processed.
Important: When the EmptyTemp: directive is used items are permanently deleted. They are not moved to
quarantine.
Note: The directive is turned off in the Recovery Environment to prevent harm.
File: path
Folder: path
Example:
File: C:\Windows\System32\Drivers\afd.sys
Folder: C:\Windows\Boot
MD5: 1C7857B62DE5994A75B054A9FD4C3825
Creation and modification date: 2012-09-27 01:44 - 2011-12-28 05:59
Size: 0498688
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: afd.sys
Original Name: afd.sys.mui
Product Name: Microsoft Windows Operating System
Description: Ancillary Function Driver for WinSock
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Version: 6.1.7600.16385
Copyright: Microsoft Corporation. All rights reserved.
2009-07-13 22:17 - 2009-06-10 22:31 - 0047452 ____A () C:\Windows\Boot\Fonts\wgl4_boot.ttf
2012-09-27 08:48 - 2010-11-20 15:32 - 0672640 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\bootmgfw.efi
2012-09-27 08:48 - 2010-11-20 15:32 - 0669568 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\bootmgr.efi
2012-09-27 08:48 - 2010-11-20 15:33 - 0611200 ____A (Microsoft Corporation) C:\Windows\Boot\EFI\memtest.efi
2009-06-10 22:31 - 2009-06-10 22:31 - 0262144 ____A () C:\Windows\Boot\DVD\PCAT\BCD
2009-07-13 23:12 - 2009-06-10 23:06 - 3170304 ____A () C:\Windows\Boot\DVD\PCAT\boot.sdi
2009-06-10 23:14 - 2009-06-10 23:14 - 0004096 ____A () C:\Windows\Boot\DVD\PCAT\etfsboot.com
2013-03-03 18:19 - 2009-06-10 15:14 - 0001024 ____A () C:\Windows\Boot\DVD\PCAT\nl-NL\bootfix.bin
2009-07-14 07:35 - 2009-06-11 00:14 - 0001024 ____A () C:\Windows\Boot\DVD\PCAT\en-US\bootfix.bin
2009-06-10 22:31 - 2009-06-10 22:31 - 0262144 ____A () C:\Windows\Boot\DVD\EFI\BCD
2009-07-13 23:12 - 2009-06-10 23:06 - 3170304 ____A () C:\Windows\Boot\DVD\EFI\boot.sdi
2012-09-27 08:48 - 2010-11-20 11:19 - 1474560 ____A () C:\Windows\Boot\DVD\EFI\en-US\efisys.bin
FindFolder:
Wildcards are allowed. If you need to search for more than one folder, the search terms should be separated by a semicolon ;
Example:
FindFolder: google
FindFolder: *google*;adobe
Hosts:
ListPermissions:
ListPermissions: path/key
Example:
Listpermissions: C:\Windows\Explorer.exe
Listpermissions: C:\users\farbar\appdata
ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip
ListPermissions: HKLM\SYSTEM\CurrentControlSet\services\afd
Move:
At times renaming or moving a file, especially when it is done across drives, is troublesome and the MS Rename command might fail. To move or rename a file use the following script:
Example:
The tool moves the destination file to the Quarantine (if present) then moves the source file to destination location.
Note: Renaming can be carried out when using the Move: directive.
Note 2: The destination path should contain the file name even if the file is currently missing in destination directory.
nointegritychecks on:
When the integrity checks function is disabled you will see the following line in the FRST log:
It means the BCD is changed to skip integrity checks at boot. To enable the integrity checks, copy and paste the above line into the fixlist.
On some unbootable computers, disabling the integrity checks resolves the boot issue until the function is enabled again. To disable the function for troubleshooting purposes, or for making a backup in Normal mode before reinstalling Windows, use the following syntax:
nointegritychecks on:
Reboot:
To force a restart.
It doesn't matter where in the fixlist you put it. Even if you put it at the start, the reboot will be carried out after all the
other fixes are completed.
Note: This command will not work and is not needed in the Recovery Environment.
Reg:
Example:
Note: Unlike the native FRST directives, the Reg command should have the proper reg.exe syntax, like use of " quotes
in case of space in key name.
RemoveDirectory:
To remove (not move) directories with limited permissions and invalid paths or names. This directive should be used for directories that resist the usual move operation. Used in Safe Mode it should be very powerful, and in RE it should be most powerful.
RemoveDirectory: path
Replace:
Example:
The tool moves the destination file (if present) to Quarantine, then copies the source file to the destination location.
It will not move the source file; the source file stays in its original location. So in the above example afd.sys in the i386 directory remains there for future use.
Note: The destination path should contain the file name even if the file is currently missing from the destination directory.
RestoreQuarantine:
You can restore the whole content of Quarantine, or restore single or multiple file(s) or folder(s) from Quarantine.
To restore the whole Quarantine:
RestoreQuarantine:
Or:
RestoreQuarantine: C:\FRST\Quarantine
To restore a single file or folder:
RestoreQuarantine: PathInQuarantine
Example:
Folder: C:\FRST\Quarantine
Or:
Note: If a file already exists (outside Quarantine) in the destination path, FRST will not overwrite it. The original file
will not be moved and will remain in Quarantine. If however, you still need to restore the file from Quarantine then the
file in the destination path should be renamed/removed.
The first time the tool is run it copies the registry hives to the %SystemDrive%\FRST\Hives (usually C:\FRST\Hives) directory as a backup. The backup is not overwritten by subsequent runs of the tool. If something goes wrong, either of the hives can be restored. The syntax will be:
Examples:
RestoreErunt:
RestoreErunt: path
RestoreErunt: cf
RestoreMBR:
To restore the MBR, FRST uses MbrFix, saved on the flash drive, to write an MBR.bin file to a drive. What is needed is the MbrFix/MbrFix64 utility, the MBR.bin to be restored and the script naming the drive:
RestoreMbr: Drive=#
Example:
RestoreMbr: Drive=0
(Note: The MBR to be restored should be named MBR.bin and should be zipped and attached.)
SaveMbr:
Refer to the Drives and MBR & Partition Table section in the tutorial.
SaveMbr: Drive=#
Example:
SaveMbr: Drive=0
Note: By doing this an MBRDUMP.txt will be created on the flash drive, which the user should attach to the post.
SetDefaultFilePermissions:
Created for locked system files. It sets the group "Administrator" as owner and, depending on the system, grants access rights to the groups.
Note that it will not set TrustedInstaller as the owner, but it can still be used for system files that are locked by the malware.
SetDefaultFilePermissions: path
testsigning on:
When FRST locates evidence of this sort of tampering it will report it like this:
testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!
Where the malware is still present on the machine there will also be a (hidden) unsigned driver showing in the log, like this:
Also the user might say that he has seen this on his desktop:
"I've just noticed something, in the bottom right of my desktop it says Test Mode, Windows 7, Build 7601. I've never
noticed that before"
Besides removing the malware driver, FRST will remove the value that was added to the BCD. No further action is necessary.
Sometimes, however, other tools will have partially cleaned the machine but not repaired the BCD. In those cases the following may be used:
testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!
If something goes wrong after testsigning has been set back to its default (turned off), then to enable testsigning again for further troubleshooting use the following command:
testsigning on:
Unlock:
This directive, in the case of files/directories, sets the group "Administrator" as owner, grants access to everyone and works recursively when applied to directories. It should be used for bad files/directories.
In the case of registry items it sets the group "Administrators" as owner, grants the groups their usual access and works only on the key it is applied to. It can be used for both bad and legitimate keys.
Unlock: path
Sometimes the usual move operation doesn't work due to permissions. You will notice it when you get "Could not move File/Directory" in Fixlog.txt. In that case you can use the "Unlock:" directive on those files or folders.
Example
Unlock: C:\Windows\badfile.exe
Unlock: C:\Windows\System32\badfile.exe
To remove the file/folder altogether just add the path separately to the fix:
Unlock: C:\Windows\System32\bad.exe
C:\Windows\System32\bad.exe
You can also use the directive to unlock a locked registry item. For example, if you are running the fix in recovery mode and the current control set is ControlSet001, the following would apply:
Unlock: hklm\system\controlset001\badservice\subkeyname
To remove the entry use Reg: directive. The full syntax would be:
Unlock: hklm\system\controlset001\badservice\subkeyname
Reg: reg delete hklm\system\controlset001\badservice /f
VerifySignature:
VerifySignature: path
Example
VerifySignature: C:\Windows\notepad.exe
Other features
Optional Scans
By checking a box under Optional Scan FRST will scan the requested items.
Drivers MD5
Will produce a list of drivers and their MD5sums that will look like this:
C:\Windows\System32\drivers\ACPI.sys 3D30878A269D934100FA5F972E53AF39
C:\Windows\System32\Drivers\acpiex.sys AC8279D229398BCF05C3154ADCA86813
C:\Windows\System32\drivers\acpipagr.sys A8970D9BF23CD309E0403978A1B58F3F
C:\Windows\System32\drivers\acpitime.sys 5758387D68A20AE7D3245011B07E36E7
C:\Windows\system32\drivers\afd.sys 239268BAB58EAE9A3FF4E08334C00451
Shortcut.txt
Example:
fox\firefox.exe (Mozilla Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
ShortcutWithArgument: C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
Note: FRST removes the argument from shortcuts, except for the Internet Explorer (No Add-ons).lnk shortcut. By default that shortcut's argument is not empty (the argument is -extoff) and is used to run Internet Explorer without add-ons. It is vital for troubleshooting IE issues, so this shortcut argument will be restored.
Also note that if you run another removal tool that removes the argument from Internet Explorer (No Add-ons).lnk, FRST will no longer list it under ShortcutWithArgument: and so the argument can't be restored with FRST any more. In that case the user can restore the argument manually.
To restore the argument manually the user should navigate to Internet Explorer (No Add-ons).lnk:
In the Target box, add two spaces and then -extoff after the listed path.
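The shortcut rule described above, as an added example that is not part of the tutorial or of FRST itself: a small Python triage of ShortcutWithArgument: entries that parses each line, flags a URL argument as the hijack pattern shown, and applies the Internet Explorer (No Add-ons).lnk exception. The two hijacked entries are the tutorial's own; the third entry (a constructed, non-hijacked shortcut) is assumed.

```python
import re
# Added example: triage of "ShortcutWithArgument:" entries from Shortcut.txt.
# Sample: the two entries quoted in the tutorial plus one constructed benign shortcut.
SAMPLE_SHORTCUT_TXT = r"""
ShortcutWithArgument: C:\Users\Someperson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.sweet-page.com/?type=sc&ts=1393154122&from=tugs&uid=531364863_1782_000B768F
ShortcutWithArgument: C:\Users\Public\Desktop\Notes.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation) -> C:\Temp\notes.txt
"""

PREFIX = "ShortcutWithArgument: "
IE_NOADDONS = "internet explorer (no add-ons).lnk"  # the one exception in the tutorial
IE_NOADDONS_DEFAULT_ARG = "-extoff"                 # its default, non-empty argument
TARGET_RE = re.compile(r"^(?P<target>.*) \((?P<company>[^()]*)\)$")

def parse_shortcut_line(line):
    """Split one entry into lnk path, target, company and argument (None if not an entry)."""
    if not line.startswith(PREFIX):
        return None
    parts = line[len(PREFIX):].split(" -> ")
    if len(parts) != 3:
        raise ValueError("unexpected ShortcutWithArgument line: " + line)
    lnk, target_field, argument = parts
    m = TARGET_RE.match(target_field)  # target path followed by "(Company)"
    if not m:
        raise ValueError("no (company) field in: " + target_field)
    return {"lnk": lnk, "target": m["target"], "company": m["company"], "argument": argument}

def looks_hijacked(argument):
    """A URL as the argument (FRST defangs http:// as hxxp://) is the hijack pattern shown."""
    return argument.lower().startswith(("hxxp://", "hxxps://", "http://", "https://"))

def argument_after_fix(entry):
    """The tutorial's rule: the argument is removed from every listed shortcut, except
    Internet Explorer (No Add-ons).lnk, whose argument is put back to -extoff."""
    name = entry["lnk"].rsplit("\\", 1)[-1].lower()
    return IE_NOADDONS_DEFAULT_ARG if name == IE_NOADDONS else ""

def triage_shortcuts(text):
    """Return [(lnk path, hijacked?, argument after fix)] for every entry in text."""
    rows = []
    for line in text.splitlines():
        entry = parse_shortcut_line(line.strip())
        if entry is not None:
            rows.append((entry["lnk"], looks_hijacked(entry["argument"]), argument_after_fix(entry)))
    return rows

if __name__ == "__main__":
    for lnk, hijacked, new_arg in triage_shortcuts(SAMPLE_SHORTCUT_TXT):
        print(("HIJACKED " if hijacked else "         ") + lnk + " -> argument becomes " + repr(new_arg))
```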
Search features
Search Files
There is a Search Files button on the FRST Console. To search for files, type or copy and paste the names you wish to search for into the Search box. Wild cards are allowed, like afd.sys*. If you need to search for more than one file, the file names should be separated by a semicolon ;
afd.sys
afd.sys*
afd.sys;ndis.sys
afd.sys*;ndis.sys*
When the Search Files button is pressed the user is informed that the search is started, a progress bar appears, then a
message pops up indicating that the search is completed. A Search.txt log is saved at the same location that FRST.exe is
located.
The found files are listed along with creation date, modification date, size, attribute, company name and MD5 in the
following format:
[2004-08-04 11:00] - [2008-04-13 20:20] - 0182656 ____N (Microsoft Corporation)
c:\WINDOWS\system32\drivers\ndis.sys
1DF7F42665C94B825322FAE71721130D
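As an added example that is not part of the tutorial or of FRST: a Python parser for the three-line Search.txt record layout shown above, followed by the check a helper typically does with it, comparing the MD5 of every copy of a file name found by the search (for instance the driver in system32\drivers against the backup copy in i386). The ndis.sys record is the tutorial's own; the afd.sys records and their hashes are constructed.

```python
import re
from collections import defaultdict
# Added example: parser for the Search.txt record layout (header, path, MD5 per file).
# Constructed sample: ndis.sys is the tutorial's record; the afd.sys records are made up.
SAMPLE_SEARCH_TXT = r"""
[2004-08-04 11:00] - [2008-04-13 20:20] - 0182656 ____N (Microsoft Corporation)
c:\WINDOWS\system32\drivers\ndis.sys
1DF7F42665C94B825322FAE71721130D
[2004-08-04 11:00] - [2008-04-13 20:20] - 0138496 ____N (Microsoft Corporation)
c:\WINDOWS\ServicePackFiles\i386\afd.sys
0123456789ABCDEF0123456789ABCDEF
[2004-08-04 11:00] - [2014-02-23 09:15] - 0138496 ____A (Microsoft Corporation)
c:\WINDOWS\system32\drivers\afd.sys
FEDCBA9876543210FEDCBA9876543210
"""

HEADER_RE = re.compile(
    r"^\[(?P<created>[\d-]+ [\d:]+)\] - \[(?P<modified>[\d-]+ [\d:]+)\] - "
    r"(?P<size>\d+) (?P<attr>\S+) \((?P<company>.*)\)$"
)
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_search_txt(text):
    """Return one dict per record; raise on anything that breaks the 3-line layout."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("Search.txt records are three lines each; found a partial record")
    records = []
    for header, path, md5 in zip(lines[0::3], lines[1::3], lines[2::3]):
        m = HEADER_RE.match(header)
        if not m or not MD5_RE.match(md5):
            raise ValueError("unexpected record starting at: " + header)
        rec = m.groupdict()
        rec["size"] = int(rec["size"])  # sizes are zero-padded in the log
        rec["path"], rec["md5"] = path, md5.upper()
        records.append(rec)
    return records

def find_md5_mismatches(records):
    """Group copies by file name (case-insensitive, as Windows paths are) and return
    the names whose copies do not all share one MD5 (e.g. drivers vs i386 copy)."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["path"].rsplit("\\", 1)[-1].lower()].append(rec)
    return {n: rs for n, rs in by_name.items() if len({r["md5"] for r in rs}) > 1}

if __name__ == "__main__":
    for name, copies in find_md5_mismatches(parse_search_txt(SAMPLE_SEARCH_TXT)).items():
        print(name + ": " + " vs ".join(c["path"] + " " + c["md5"] for c in copies))
```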
There are cases where a legitimate system file is missing or corrupted causing boot issues and there is no replacement on
the system. When Search Files option is used in Recovery Mode (Vista and above) the search includes the files in X: too
(the virtual boot drive). In some cases it can be a life saver. An example is missing services.exe that could be copied from
X:\Windows\System32 to C:\Windows\System32
Note: The X: Partition will only contain 64bit executables for 64bit systems.
Search Registry
There is a Search Registry button on the FRST Console. You can type or copy and paste the item(s) names you wish to
search for into the Search box. If you wish to search for more than one item, the names should be separated by a
semicolon ;
websearch
websearch;dealply;searchprotect
Note: The Registry search function will only work outside RE.
Contrary to a file search, when carrying out a registry search, adding wild cards to the search terms should be avoided
because the wildcard characters will be interpreted literally. Where an asterisk ("*", also called "star") is added to the
start or end of a registry search term, FRST will ignore it and will search for the search term without the asterisk.
Tutorial revisions:
08/30/2013 Added ADS (Alternate Data Streams) under the "Fixing" section
08/31/2013 Loaded Modules - added to Additional Scan list in the "Output" section
08/31/2013 5=Assigned by FRST when it is unable to read the start type - added to The "StartType" numbers are: under the "Fixing" section
09/11/2013 addition of clarifications Run values, StartMenuInternet hijacking, Chrome explanations, Services
09/24/2013 Security Center and Safe Mode scan explanations added to Addition.txt
11/01/2013 Winsock: Catalog5 section amended to carry out the netsh winsock reset after reboot where it doesn't work first time
12/15/2013 Winsock: Catalog5 section amended for inclusion of broken internet access fix example
01/19/2014 Statement added that FRST will not work with XP 64-bit machines
01/29/2014 Search explanation amended to record that X: search happens in Recovery Mode
02/12/2014 Installed programs list explanation under Addition.txt amended to cover hidden programs
03/15/2014 Example fix added for when Group Policy is used to block changes to Google Chrome extensions
04/24/2014 Explanation of how FRST deals with Services fixes added under the Fixing
05/08/2014 Exe Association explanation added under the Addition.txt heading in the Fixing section
05/16/2014 The Search Features section updated with the Search Files section amended for clarification and the Search Registry feature added
06/02/2014 The Chrome section in Fixing amended to cover "Preferences" file error
06/24/2014 Default Scan Areas explanation and listing amended for clarity
07/22/2014 Firefox explanation expanded to record that FF keys are listed whether or not FF is installed
07/22/2014 The Deletekey: command has the ability to delete registry symbolic links
08/14/2014 Java cache added to EmptyTemp: list and Processor information added under Memory info
08/19/2014 Chrome section amended. All items except DefaultSearchProvider can now be fixed through FRST
08/28/2014 In One Month Created Files and Folders and One Month Modified Files and Folders section, a note added that a wild card will not work for Folders.
08/28/2014 Explanation of where a section will be found in and outside RE for scan areas EXE ASSOCIATION, Restore Points and Memory info added.