
Documentation for Farbar Recovery Scan Tool (FRST)?


15 replies to this topic

#1 FalconFour (Members)

Posted 06 April 2013 - 07:49 AM

Hey there!
 

I'm looking for information on FRST. Today, I had a computer at the shop that was infected with Alureon, and after the Defender Offline Scan finished, the computer would no longer boot (BSOD 0x7B). I Googled and found a thread with someone having exactly the same problem (same cause, used Defender Offline Scan, 0x7b BSOD). The first recommendation was to run FRST with a "fixlist.txt" containing:

 

 

TDL4: custom:26000022 <===== ATTENTION!
CMD: bootrec /FixMbr

 

Now, the CMD part I can do myself. I did, in fact - using BootICE - try rewriting the MBR. It had no effect, still 0x7B. I then ran the suggested fix verbatim, using the recovery environment and FRST with that fixlist.txt file. It actually worked! The computer booted.

 

I'm a tech geek, so I must dig deeper. Obviously the "TDL4:" line is what did the fix - and it ran two "bcdedit" commands (among others - judging by the response and failures when bcdedit is not present in a MiniXP environment). What are these commands?

 

I've searched all different ways I can think of and I cannot for the life of me find any documentation on this utility. There are links to download it all over the internet (pointing to the download page here at BleepingComputer), but the download page has no documentation and no mention of fixlist.txt syntax.

 

I could much more effectively (and safely) use this tool if I had some documentation to help explain its usage. It might even be worth adding to my toolkit and Boot CD (FalconFour's Ultimate Boot CD) - with a donation as well if there's some documentation somewhere :)

 

edit: Also, hoping this is an OK forum for this. There's a forum for logs (don't need help with cleaning), news, "am I infected", and guides... but not much by way of tools. I figure this is the closest match.


Edited by FalconFour, 06 April 2013 - 07:57 AM.
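For readers trying to understand what the fix above touched, here is an added illustration (my own example code, not part of the original post and not FRST's code): `bootrec /FixMbr` rewrites only the 446-byte boot code region at the start of the MBR and leaves the partition table alone, and the boot code region is exactly the part an MBR bootkit such as TDL4/Alureon patches. The script parses a 512-byte MBR, hashes the boot code and the partition table separately, and reports which region differs from a known-good baseline; the sample sectors are constructed inline rather than read from a real disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446     # bytes 0..445: boot code region, the part bootrec /FixMbr rewrites
PART_TABLE_OFF = 446    # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510     # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its regions and decode the partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": bytes(sector[SIGNATURE_OFF:]) == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "part_table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:SIGNATURE_OFF]).hexdigest(),
        "partitions": entries,
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which MBR regions differ between a known-good baseline and a fresh read."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": b["boot_code_sha256"] != c["boot_code_sha256"],
        "part_table_changed": b["part_table_sha256"] != c["part_table_sha256"],
        "signature_ok": c["signature_ok"],
    }


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed sample MBR for offline testing; not taken from any real disk."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code[:BOOT_CODE_LEN]
    for i, (status, ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed baseline: placeholder boot code plus one bootable NTFS-type (0x07) partition.
BASELINE = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 8, [(0x80, 0x07, 2048, 204800)])
# Bootkit-style change: boot code patched, partition table untouched.
TAMPERED = bytes(b"\xeb\x3c\x90\x00") + BASELINE[4:]
# Partition-table change: bootable flag cleared on entry 0, boot code untouched.
TABLE_CHANGED = BASELINE[:PART_TABLE_OFF] + b"\x00" + BASELINE[PART_TABLE_OFF + 1:]

if __name__ == "__main__":
    print(compare_mbr(BASELINE, TAMPERED))       # boot code changed, table intact
    print(compare_mbr(BASELINE, TABLE_CHANGED))  # table changed, boot code intact
```

On a live Windows system the first 512 bytes of `\\.\PhysicalDrive0`, read with administrator rights, are the sector to feed into `parse_mbr`; a baseline hash taken while the machine is known clean is what makes the comparison meaningful.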



#2 TwinHeadedEagle (Security Colleague)

Posted 07 April 2013 - 06:07 AM

There is no such documentation in public...

 

This tool is intended for helpers and because of that, documentation is available only to them...



#3 FalconFour (Topic Starter)

Posted 07 April 2013 - 08:42 PM

"TwinHeadedEagle"

Dude, you really need an avatar, because that sounds AWESOME. :3

 

 

But yeah, that response is really... Apple-esque. "Helpers"? Closed documentation? I dare say that's very creepy and malware-like on its own. Why would documentation for a tool like this be behind closed doors? There is no logical explanation I can think of for that.



#4 TwinHeadedEagle (Security Colleague)

Posted 08 April 2013 - 03:19 AM

I am a member of a malware removal team within one forum and, believe me, there are all sorts of fools who destroyed their system by using this tool or Combofix on their own. These tools are very powerful and dangerous, and you probably saw hundreds of times how helpers warn users about any tool or script given for execution. That is one of many reasons why documentation for the majority of tools is non-public.

 

I hope you now understand :)



#5 Animal, Bleepin' Animinion (Site Admin)

Posted 08 April 2013 - 09:00 AM

The reason documentation is kept out of public view is due to the fact that malware creators scan the forums looking for bits of information. Having this information readily available for the malware creators often allows them to modify their malware to render the tools useless very quickly.

Often the tool creators make the request themselves that the information not be made publicly available to maintain the integrity of the tool. In those cases to be able to have the tool available for our malware helpers we honor the wishes of the tool authors.

If you wish to learn more about malware tools and gain access to the documentation, we suggest you enroll in one of the malware removal schools available.


#6 FalconFour (Topic Starter)

Posted 09 April 2013 - 08:31 AM

Hmm. Well... it certainly doesn't help out those of us that really just want to help people out. I do understand the power of these tools, but I guarantee that more people will smash their hand with the hammer that *doesn't* have instructions on it (the download, without even basic documentation), than they would if there was something to say "use this with nails". I'm not much of a fan of helping people via forums - I've learned everything I know from tons of hands-on experience and reading stuff online, but I have trouble seeing through most users' poor grammar and my lack of patience. I wouldn't make much of a great (online) helper, but I build and maintain a toolkit that thousands of people use, my BootCD (not linking because, well, it's "greyware" - just Google my name). It'd be really nice if I could at least understand what functions it performs and try to implement some of that information into the tools I maintain on there.

 

Really, I just want to understand - as a computer-repair "engineer" of sorts - just what it did to fix that computer that was BSOD'ing. Maybe that is a common trend (Googling that "TDL4" line produced tons of results with the same parameters) that has a more understandable explanation than "TDL4: custom:26000022" :)

 

Thanks for your replies, nonetheless. Considering the policy of this tool, I guess I should be thankful someone even said "no"!



#7 TwinHeadedEagle (Security Colleague)

Posted 09 April 2013 - 04:37 PM

Hmm. You seem like a computer expert, so why don't you master this craft, malware removal? It's funny, and you are able to learn a lot about Windows itself. It's funny for me to write reg or batch scripts and to slaughter malware, and the best feeling of all is when people thank you for your help in public :)


Edited by TwinHeadedEagle, 09 April 2013 - 04:37 PM.


#8 Farbar, Just Curious (Security Developer)

Posted 22 November 2013 - 09:10 AM

The FRST tutorial is now available to the public:

FRST Tutorial - How to use Farbar Recovery Scan Tool

FRST Tutorial Comment

 

French translation:

FRST: Tutoriel

FRST: Tutoriel - Commentaires



#9 Union_Thug, Bleeps with the fishes... (Members)

Posted 22 November 2013 - 02:19 PM

The FRST tutorial is now available to the public:

FRST Tutorial - How to use Farbar Recovery Scan Tool

FRST Tutorial Comment

 

French translation:

FRST: Tutoriel

FRST: Tutoriel - Commentaire

 

@ Farbar: TYVM!
    :thumbup2: :busy:


Edited by Union_Thug, 23 November 2013 - 03:21 AM.


#10 techgeek88 (Members)

Posted 23 November 2013 - 12:48 AM

 

Thank you. Can't wait to start using this.

 

I've worked on PCs for many years and never felt obligated to take college courses, online classes, etc. I don't need a school to learn what I've already been doing for a long time. I've used the Service Scanner, Combofix, HijackThis, and OTL for years now and had no trouble. I've never been a fan of school though; I always felt it was unnecessary. I learn by doing. Same with when I learned guitar: I never took one lesson and I'm quite advanced now and play in a band. No one should be forced or required to go to school past high school, IMHO, if they are willing to learn it themselves and be OK with making mistakes and learning from them. Obviously if you can't understand it or pick it up over time, then lessons/classes are OK I suppose. I was homeschooled, hence my views on things I'm sure.

 

/rant



#11 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor)

Posted 23 November 2013 - 06:27 AM

I've worked on PCs for many years and never felt obligated to take college courses, online classes, etc. I don't need a school to learn what I've already been doing for a long time. I've used the Service Scanner, Combofix, HijackThis, and OTL for years now and had no trouble. I've never been a fan of school though; I always felt it was unnecessary. I learn by doing. Same with when I learned guitar: I never took one lesson and I'm quite advanced now and play in a band. No one should be forced or required to go to school past high school, IMHO, if they are willing to learn it themselves and be OK with making mistakes and learning from them. Obviously if you can't understand it or pick it up over time, then lessons/classes are OK I suppose. I was homeschooled, hence my views on things I'm sure.

 

/rant

These schools are not set up like any other school; it's something anybody, of any age, can do. No traditional format, and nobody is forced into staying if they do not want to. The classes are not just for those who cannot pick it up; most can run a tool, but not everyone can understand its output (this is a general statement aimed at nobody in particular). Plus, if you ever want to help out in a forum with logs then classes are really the only way, since you are dealing with others' computers and they put their trust in you. You have to be certain that those who you let post in the forums know what they are doing, and schools like this make sure of this.

 

I respect your opinion, and mine differs as you can see. I do these classes for many different reasons, but one of the most prominent reasons is hopefully eventually being able to help users with malware problems on forums like this.

 

Anyway, Farbar and emeraldnzl have put lots of work into this, so it's nice to see the tutorial available for the public now.

 

xXToffeeXx~


Edited by xXToffeeXx, 23 November 2013 - 06:27 AM.



#12 techgeek88 (Members)

Posted 23 November 2013 - 06:34 AM

 

I've worked on PCs for many years and never felt obligated to take college courses, online classes, etc. I don't need a school to learn what I've already been doing for a long time. I've used the Service Scanner, Combofix, HijackThis, and OTL for years now and had no trouble. I've never been a fan of school though; I always felt it was unnecessary. I learn by doing. Same with when I learned guitar: I never took one lesson and I'm quite advanced now and play in a band. No one should be forced or required to go to school past high school, IMHO, if they are willing to learn it themselves and be OK with making mistakes and learning from them. Obviously if you can't understand it or pick it up over time, then lessons/classes are OK I suppose. I was homeschooled, hence my views on things I'm sure.

 

/rant

These schools are not set up like any other school; it's something anybody, of any age, can do. No traditional format, and nobody is forced into staying if they do not want to. The classes are not just for those who cannot pick it up; most can run a tool, but not everyone can understand its output (this is a general statement aimed at nobody in particular). Plus, if you ever want to help out in a forum with logs then classes are really the only way, since you are dealing with others' computers and they put their trust in you. You have to be certain that those who you let post in the forums know what they are doing, and schools like this make sure of this.

 

I respect your opinion, and mine differs as you can see. I do these classes for many different reasons, but one of the most prominent reasons is hopefully eventually being able to help users with malware problems on forums like this.

 

Anyway, Farbar and emeraldnzl have put lots of work into this, so it's nice to see the tutorial available for the public now.

 

xXToffeeXx~

 

 

And I respect that and your opinion and reply.

 

But I've been removing malware for several years now and do exclusively that at my own business. My intention was never to be certified to work on a forum (although kudos to those who do); my intention was to get to know FRST. I know how to read logs, as I mentioned in my first post, and I know what the difference is between a false positive and a truly suspicious file. Like I said, I never wanted to be certified without skipping the classes; I was simply referring to this here tool and that's all. I just expressed some dissatisfaction on how secretive it all is when I know very well what I'm doing once I know the ins and outs of how to run and analyze the program. I've been doing HJT, OTL, etc. for years now and it's become second language to me.

 

I respect that you want to certify those working for your forum, and that's fine. But I personally don't have to prove anything, I know I'm well and capable of doing this and that's why all local techs refer deep malware cases to me and I do this every day. In other words, I'm not just some kid who knows how to scan with Malwarebytes and that's it.

 

-techgeek88


Edited by techgeek88, 23 November 2013 - 06:35 AM.


#13 Union_Thug, Bleeps with the fishes... (Members)

Posted 23 November 2013 - 06:40 AM

Rant/

 

. :offtopic:.

 

/Rant

 

  :whistle:


Edited by Union_Thug, 23 November 2013 - 06:42 AM.


#14 techgeek88 (Members)

Posted 23 November 2013 - 06:55 AM

Rant/

 

. :offtopic:.

 

/Rant

 

  :whistle:

 

*edit* - nevermind.


Edited by techgeek88, 23 November 2013 - 07:02 AM.


#15 xXToffeeXx, Bleepin' Polar Bear (Malware Response Instructor)

Posted 23 November 2013 - 07:05 AM

But I've been removing malware for several years now and do exclusively that at my own business. My intention was never to be certified to work on a forum (although kudos to those who do), my intention was to get to know FRST. I know how to read logs as I mentioned in my first post, and I know what the difference is between a false positive and a truly suspicious file. Like I said, I never wanted to be certified without skipping the classes, I was simply referring to this here tool and that's all. 

 

I respect that you want to certify those working for your forum, and that's fine. But I personally don't have to prove anything, I know I'm well and capable of doing this and that's why all local techs refer deep malware cases to me and I do this every day. In other words, I'm not just some kid who knows how to scan with Malwarebytes and that's it.

Oh, I wasn't doubting that, or your skill at your job. This kind of school is not for everyone, nor should anybody be forced into it. I find running the tools within a VM or on your own computer is a good way to get to know them. Sometimes that's better than a tutorial. We have to work it out similar to what you do sometimes. Nobody has to prove anything if you don't plan to work logs, only if you do plan to, because of the reasons given before. AII (Am I Infected?) is a place where people who are not within a school, or don't want anything like that, can help users with malware or possible malware problems. I wish there were more places which have sub-forums like AII, as there are plenty of those who are capable but have not completed a school.

 

I just expressed some dissatisfaction on how secretive it all is when I know very well what I'm doing once I know the ins and outs of how to run and analyze the program. I've been doing HJT, OTL, etc for years now and it's become second language to me.

Yes, I agree and am happy that a tutorial has been made public. However it's best to respect the developer's wishes on how they want their tool to be used and what information is made available, and it's mostly to save some of the big tools from malware developers. Some parts of tools are not revealed to trainees either.

 

Anyway, I think it is best to leave it at this since it's slightly off-topic. No offence personally of course and I do agree with you on many points actually.

 

xXToffeeXx~


Edited by xXToffeeXx, 23 November 2013 - 07:05 AM.





