Drunk Badger
Aug 27, 2012

Trained Drinking Badger
A Faithful Companion

Grimey Drawer

E4C85D38 posted:

What does Combofix even do? It appears to be nearly completely undocumented, and everything says "only use at the direction of a properly trained helper" or something.

fakeedit: oh, it's undocumented to prevent malware authors fighting whatever it does. That seems... dicey.

But still, what does it do?


Siochain
May 24, 2005

"can they get rid of any humans who are fans of shitheads like Kanye West, 50 Cent, or any other piece of crap "artist" who thinks they're all that?

And also get rid of anyone who has posted retarded shit on the internet."


Drunk Badger posted:

But still, what does it do?

It's a combination of anti-rootkit/anti-crapware that targets specific infections to remove things otherwise nearly impossible to clean, especially by standard AV/AM programs. Nothing it does can't be done with a combination of several other programs, regediting, and cleaning files. However, nothing else is quite as easy.
I've used it a ton with great success - as someone else posted, yes, it can break things. However, those are few and far between. I'd say closer to 95/5 in terms of success-fail. What we always did at the shop I worked at was to quickly ghost any infected system that came in. Clean their drive off, and if something goes completely tits up, we have a backup.

mindphlux
Jan 8, 2004

by R. Guyovich

Drunk Badger posted:

But still, what does it do?

it does everything. hit it with combofix, hit it with malwarebytes, and unless you have something particularly nasty, you're done.

I'm near 100% success with combofix. I can only think of two times it made things worse - it completely hosed some graphics drivers once and windows wouldn't boot, but I just fixed that up manually - and another time when the MBR suddenly was pointing to a wrong partition - but again, I just booted my utility disk and fixed that manually and they were good to go. Occasionally there's stuff that neither combofix nor MWBAM picks up, but again, easy enough to spot and remove manually in most cases.

also, a good way to hedge your bets is to warn clients before you do any work on their system that virus removal is inherently risky, and that things like settings + bookmarks + 3rd party programs might be "infected by viruses" (I mean... yeah it's not technically true, but it's a good way to explain it), and could be removed during the cleanup process. Make sure they have a backup, or consent to you charging them to go ahead and make one before you continue. I won't work on a system unless I have in writing that they don't mind if some data is lost, or that they have a backup already in place (or I'm ghosting one for them, like Siochain mentioned)

dox
Mar 4, 2006

mindphlux posted:

I'm near 100% success with combofix.

I've run Combofix personally on over 500 machines and never really had a serious issue. Not to say that it isn't possible, just that I haven't experienced one and the "must have trained to use this program" is all nonsense. Take a backup if needed, warn the client, and run it when nothing else works to remove whatever infection is present. I run it very often, but that's likely due to the fact that I've never had an issue with it like others.

Khablam
Mar 29, 2012

Heh.

I think I've said as much before, but the reason combofix is undocumented is so that the 'staff' at the bleepingcomputer forums can feel self important, when they run through their ALL CAPS RED TEXT DO THIS OR LITERALLY DIE copy-pasta responses, that are literally identical no matter the problem. For all their "only use when a trained professional tells you to" their response, every time, no matter how trivial a manual fix would be, is to tell them to run combofix. But oh boy, will they yell at you if you did it without them telling you to.
If you're able-minded, their forums can often be antagonizing; threads where people with simple problems have been made to scan their computer for hours or days, then told to run every tool under the sun, then yelled at when one of the tools broke their internet access.

To answer the question, combofix does two things:

- looks for and identifies the remnants of threats
- runs the appropriate tool(s) to auto-fix the problems they're known to fix. For instance, if you had the zeroaccess rootkit, it would run a series of tools to restore DNS functionality.
(- it removes some live threat by virtue of its actions, but it's not really aimed at doing that.)

There's really nothing to do other than "run it, see if the problem is fixed" and none of the so-called experts who will tell you to run it have any idea what it does either, and nor are there any ways of directing it.

Khablam fucked around with this message at 21:00 on Feb 22, 2014

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

Khablam posted:


I think I've said as much before, but the reason combofix is undocumented is so that the 'staff' at the bleepingcomputer forums can feel self important,

I had noticed a thread on their forums that hadn't been replied to so I posted a legit fix for the exact issue someone was having and the mod on there deleted my post and told me never to do it again. They're pretty dickish and not particularly helpful in some cases outside of telling people to run their shotgun blast (combofix) approach to malware removal.

Drunk Badger
Aug 27, 2012

Trained Drinking Badger
A Faithful Companion

Grimey Drawer
Any good examples of them going crazy? I imagine there's some comedy to be enjoyed there :munch:

H1KE
May 7, 2007

Somehow, I don't think they'd approve the franchise...


dox posted:

Combofix and DelProf2 (to delete unused profiles) should be added to the list above, as well. CCleaner and Eusing Registry Cleaner will also help out. Your list and those four basically round out my "clean everything aside from a format" routine.

Thanks for reminding me. We run CCleaner at the end of the clean out just to get rid of any temp files that it can replicate from. Also Tweaking.com is a great little tool for resetting busted permissions and the like. I've only had to use it three times, and that was because a Rootkit broke the users profiles. Tweaking takes forever to run with everything ticked, but it can be a great asset. We also run CCleaner, Auslogics Defrag and Spybot as our general cleanup. Amazing what a difference just those three can make to a slow machine.

Seconding Bleeping Computer being sperg central. I ignore any search results when looking for virus solutions that appear from them, because it's always big red text 'THESE INSTRUCTIONS ARE MEANT FOR THIS PERSON ONLY EVEN THOUGH WE LITERALLY COPY AND PASTE EVERY loving REPLY'. I can't find any examples right now, but I have seen them talk down to people posting there, just because one of them ran chkdsk without being told. He was then told later in the thread to run it. :downs:

asciidic
Aug 19, 2005

lord of the valves


I'm guessing they're like that for liability reasons, although I would think a big "DO THIS AT YOUR OWN RISK" disclaimer would be enough to cover their butts.

Khablam
Mar 29, 2012

Drunk Badger posted:

Any good examples of them going crazy? I imagine there's some comedy to be enjoyed there :munch:

Skim any thread that's longer than the average, you should strike gold pretty quickly. Off the top of my head, there was a particularly good one where a SENIOR CLIPBOARD USER had someone run every anti-rootkit tool there was, which inevitably broke something completely, and had the user paying someone to re-install Windows. The required fix, had it been done at the start, was easily identifiable as "clear DNS cache" but when I posted "Have you tried clearing the DNS cache?" I got yelled at because I wasn't pasting something from a clipboard in font size 18.

I've seen another when the issue described was a typical corrupt GPU driver, but at no point, on this machine that was hard-locking when doing anything GPU related, did the mod suggest reinstalling the drivers. No, it's probably a virus, let's scan that PC till next Tuesday.

Lots of potential hardware issues brushed aside because the scan showed a toolbar, stuff like that as well.

Needless to say, that's more computer users likely terrified to touch anything :confused:

asciidic posted:

I'm guessing they're like that for liability reasons, although I would think a big "DO THIS AT YOUR OWN RISK" disclaimer would be enough to cover their butts.
Nothing to do with liability. Somewhere they will have a flow-chart, and if anyone tries to suggest anything which isn't on the flowchart, they hit max sperg and mash delete post.

If the user fixes problem 1 of 2 by themselves, then asks for help on 2 of 2, they similarly will just close the thread because the user was obstructing the help. It's a bizarre place.

Combofix is a useful tool though.

fake edit:
This is a good topic - http://www.bleepingcomputer.com/forums/t/524075/cannot-log-into-windows-7-pro-get-a-black-screen/

The first thing anyone would do there is do a disk check and/or look at the SMART information, and to backup whilst he still can. Random error states like that are so often being picked up because the drive is failing.
The actual issue he has is a locked out/corrupt soundcard driver. So, failing a drive malfunction he should just update / replace the drivers.

But no, a few days of running every tool under the sun, reverting windows, reverting windows using 3rd party tools, terminating parts of his sounddriver processes, all of which seems to be giving him more trouble than when he started.

Fun site :v:

Khablam fucked around with this message at 23:15 on Feb 24, 2014

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


gently caress the forums but they make it very easy and convenient to download every useful piece of free virus removal tool.

GIMMEL
Jan 24, 2005

by Lowtax
After having some suspicions about being infected with something I decided to run ComboFix. I also have this program which checks for hidden changes not made for me, and a few minutes after rebooting from ComboFix I got this prompt



Any idea what this could be? I keep denying the changes, but it pops back up every 5 minutes or so.

Help would be greatly appreciated!

edit: I attempted to remove the ieframe.dll file and got this prompt



Here is the ComboFix log

edit2: Googled for a solution and here's what happened



edit3: After trying to get permissions for System32 I noticed my permissions were a bit odd. I can't modify my admin account's permissions at all.

GIMMEL fucked around with this message at 20:48 on Feb 27, 2014

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
That's because you're trying to delete a system file. Don't gently caress with it.

As for that error, apparently the ComboFix developers don't know what the gently caress they're doing. Big surprise. They changed a perfectly good file association to one that's equivalent at best and more easily exploited by malware at worst. :thumbsup:

GIMMEL
Jan 24, 2005

by Lowtax

dpbjinc posted:

That's because you're trying to delete a system file. Don't gently caress with it.

As for that error, apparently the ComboFix developers don't know what the gently caress they're doing. Big surprise. They changed a perfectly good file association to one that's equivalent at best and more easily exploited by malware at worst. :thumbsup:

So should I accept the change prompted? Do I have anything to worry about?

Thanks :)

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!

GIMMEL posted:

So should I accept the change prompted? Do I have anything to worry about?

Thanks :)

It probably won't hurt anything, but it really shouldn't have been changed in the first place. The original entry specified exactly which programs should be loading the files (URL shortcuts, in this case), whereas the entries added by ComboFix say, "Just use the first program with the name rundll32.exe in the search path to load these files." If there just so happens to be a file named "rundll32.exe" in the same directory as "Cool Web Site.url", clicking on "Cool Web Site.url" is going to start the rundll32.exe in the same directory, not the one in System32. Also, if any directory is listed before System32 in the PATH variable, then that directory gets searched before System32. It's not very practical to exploit, but it's still less secure than telling the system, "Always use the rundll32.exe in System32 no matter what."
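The difference described in the post above, as an added example (not from the thread, and not ComboFix or Windows code): a Python check that classifies the program named in a file-association command string as pinned to a location or left to the search path. The sample command strings and the function names are constructed for illustration.

```python
import re

# Constructed sample values, shaped like the data of a
# HKEY_CLASSES_ROOT\<ProgID>\shell\open\command registry value.
SAMPLE_COMMANDS = {
    "qualified_env": r'"%SystemRoot%\system32\rundll32.exe" "%SystemRoot%\system32\ieframe.dll",OpenURL %l',
    "qualified_abs": r'C:\Windows\System32\rundll32.exe ieframe.dll,OpenURL %l',
    "bare": r'rundll32.exe ieframe.dll,OpenURL %l',
    "bare_quoted": r'"rundll32.exe" ieframe.dll,OpenURL %l',
    "relative": r'tools\rundll32.exe ieframe.dll,OpenURL %l',
}

# Environment variables accepted here as anchoring a path to a system
# location (an assumption of this example; extend as needed).
_ENV_ROOTS = ("%systemroot%", "%windir%", "%programfiles%", "%programfiles(x86)%")


def extract_executable(command):
    """Return the program token of a shell command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: take everything up to the first whitespace. Unquoted paths
    # containing spaces are ambiguous in their own right.
    return command.split(None, 1)[0] if command else ""


def classify(command):
    """Classify how the program in a command string will be located."""
    exe = extract_executable(command)
    if not exe:
        return "empty"
    lowered = exe.lower()
    if re.match(r"^[a-z]:\\", lowered) or lowered.startswith("\\\\"):
        return "absolute"        # drive-letter or UNC path
    if lowered.startswith(tuple(root + "\\" for root in _ENV_ROOTS)):
        return "env-rooted"      # pinned through an environment variable
    if "\\" in exe or "/" in exe:
        return "relative"        # resolved against the current directory
    return "search-path"         # bare name: current directory and PATH decide


def audit(commands):
    """Return the names of entries whose program is not pinned to a location."""
    risky = {"relative", "search-path"}
    return sorted(name for name, cmd in commands.items()
                  if classify(cmd) in risky)


if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        print(f"{name:14} {classify(cmd):12} {cmd}")
    print("flagged:", audit(SAMPLE_COMMANDS))
```

Entries reported as `search-path` or `relative` are the ones worth restoring to a fully qualified System32 path.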

Hipster_Doofus
Dec 20, 2003

Lovin' every minute of it.

Khablam posted:

fake edit:
This is a good topic - http://www.bleepingcomputer.com/forums/t/524075/cannot-log-into-windows-7-pro-get-a-black-screen/

The first thing anyone would do there is do a disk check and/or look at the SMART information, and to backup whilst he still can. Random error states like that are so often being picked up because the drive is failing.
The actual issue he has is a locked out/corrupt soundcard driver. So, failing a drive malfunction he should just update / replace the drivers.

But no, a few days of running every tool under the sun, reverting windows, reverting windows using 3rd party tools, terminating parts of his sounddriver processes, all of which seems to be giving him more trouble than when he started.

Fun site :v:

Jesus god, just reading that first reply from "HelpBot" was like :siren::siren::siren::spergin:ALERT:spergin:ALERT:spergin::siren::siren::siren:


And then it REALLY got ridiculous. No wonder I've always reflexively hit the back button every time I run into that site.

Khablam
Mar 29, 2012

GIMMEL posted:

After having some suspicions about being infected with something I decided to run ComboFix. I also have this program which checks for hidden changes not made for me, and a few minutes after rebooting from ComboFix I got this prompt



Any idea what this could be? I keep denying the changes, but it pops back up every 5 minutes or so.

Help would be greatly appreciated!

edit: I attempted to remove the ieframe.dll file and got this prompt



Here is the ComboFix log

edit2: Googled for a solution and here's what happened



edit3: After trying to get permissions for System32 I noticed my permissions were a bit odd. I can't modify my admin account's permissions at all.



Combofix needs to alter system files in its run through, and you have a program running which blocks system changes. This is essentially the one thing you can do wrong with Combofix, and is the reason that lovely forum has ALL RED CAPS ALERTS about not running your AV and such when it runs.
At a complete guess, it's a temporary change to allow a toolset to run, which it will then revert.

Also combofix is not a diagnostic tool, nothing it will do will let you know whether you are infected or not, and any changes it reverts can/will be reset by any live malware. Additionally this adds steps, which makes it more likely something will break.

Chernori
Jan 3, 2010
I just wanted to pop in and say thank you for the heads up about MSE being a bad AV. I was under the impression it was a good choice for "mom computers" and have installed it a few times. :ohdear:

I've just switched my netbook over to Avast and I'll use it from now... just need to remember to switch that voice off!

mindphlux
Jan 8, 2004

by R. Guyovich
MSE is not a bad A/V, and it's fine for mom computers? :confused:

Siochain
May 24, 2005

"can they get rid of any humans who are fans of shitheads like Kanye West, 50 Cent, or any other piece of crap "artist" who thinks they're all that?

And also get rid of anyone who has posted retarded shit on the internet."


Chernori posted:

I just wanted to pop in and say thank you for the heads up about MSE being a bad AV. I was under the impression it was a good choice for "mom computers" and have installed it a few times. :ohdear:

I've just switched my netbook over to Avast and I'll use it from now... just need to remember to switch that voice off!

I'll argue that. I've had great luck with MSE, and I've had less "bad luck" with it than with others. I've seen so many systems running like poo poo because Avast or AVG or Norton or McAfee or Vipre or whatever have hosed the bed and are just killing it. I'm running Eset right now, and it's been solid, but MSE is still my go-to free AV.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.
It's not that MSE is a bad AV, it's simply that Microsoft has indicated that MSE should be supplemented by another AV, should the user wish. For a regular user, MSE is fine. I'd argue that a secured browser is more important (say, Firefox with AdBlock, FlashBlock and if you're feeling saucy, noScript), but Firefox / Chrome + Adblock is fine for users that don't want to tinker.

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


I believe it's more Microsoft made MSE to be the low end of anti-virus but the competition is just bad at it so they are one of the better ones. They have no desire to stay top dog if some other free AV comes out.

A secure browser is more important for you personally, sure but that is not going to stop dad from googling for iPhone ring tones and downloading flashPlayerPro.exe. You need good browsing habits for blocks and noScript to be effective and some people don't want to learn. MSE did catch flashPlayerPro.exe so it's doing its job of saving me a headache of cleaning god knows what.

There is only so much you can do outside of giving lectures to people who feel they are adults and you are treating them like a child.

Khablam
Mar 29, 2012

pixaal posted:

I believe it's more Microsoft made MSE to be the low end of anti-virus but the competition is just bad at it so they are one of the better ones.
MSE has the very worst detection rates in the whole industry by a very large margin, 71% detection against an industry average of 91% is a very significant chunk of extra threats; it misses ~3 times more than the average. The best free AVs test at 95% and the best paid at 98-99%.
One can argue that MSE is less likely to cause problems, but in reality if the AV installs and works, the chance of it going wrong over time is pretty slight, and any suggestion MSE is more reliable is anecdotal.

Even from an "everything works" vs "everything works" perspective, MSE has more system impact than most other AVs these days. There's no compelling reason to use it other than troubleshooting.

e: Counter-point to the "it's good on a mom PC" logic, is you're 3x more likely to get a tech support call and get to spend a day of fun trying to make the system usable. Most AVs are "set and forget" these days. ESET barely even pops up when you do get a virus, Avast! shows a warning but it requires no interaction. Most behave this way or similar.
We're a long way past the default behaviour to be a full screen lock, and a text box asking what action to take.

Khablam fucked around with this message at 17:29 on Mar 2, 2014

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed
College Slice
It comes down to a simple choice: Do you want your system to work, or do you want high scores in detection and blocking benchmarks? Those desires are mutually exclusive because the apps that achieve those high rates do so by aggressively blocking entire classes of content and using loose generic/heuristic detections. This is visible to users as certain websites and applications not working.

It's perfectly reasonable to decide that you want to make an informed choice to trade functionality and performance for additional protection. It's not reasonable to pretend that tradeoff doesn't exist, especially when the way most users discover that is by spending hours troubleshooting issues caused by their malware protection application.

Wiggly Wayne DDS
Sep 11, 2010



Alereon posted:

It comes down to a simple choice: Do you want your system to work, or do you want high scores in detection and blocking benchmarks? Those desires are mutually exclusive because the apps that achieve those high rates do so by aggressively blocking entire classes of content and using loose generic/heuristic detections. This is visible to users as certain websites and applications not working.

It's perfectly reasonable to decide that you want to make an informed choice to trade functionality and performance for additional protection. It's not reasonable to pretend that tradeoff doesn't exist, especially when the way most users discover that is by spending hours troubleshooting issues caused by their malware protection application.
That's far too reasonable an approach, have you considered yelling at people for using MSE instead?

Realistically users getting hit by malware aren't going to avoid it more by having a different vendor solution in front of them. They'll still make the same ill-informed decisions as they've not been told to do anything else. It comes down to education, making sure their software auto-updates and ultimately reducing risk. Pay attention to when you're just treating symptoms rather than the underlying issue.

It's a shame this thread turned into CJs yelling about how their favourite antivirus is better, or how another forum is incompetent. Has anyone seen any notable viruses lately? What propagation methods were they using? Any interesting vulnerabilities being leveraged or just phishing? How deep did it dig into the system and did it bring any friends? Got a sample variant for someone else to look at?

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
I've made no secret that the AV choice is mostly irrelevant and the most important factor is the person sitting at the computer.

bucketmouse
Aug 16, 2004

we con-trol the ho-ri-zon-tal
we con-trol the verrr-ti-cal

bucketmouse posted:

Just posting this because holy poo poo it took 4 hours to get rid of this loving thing:

If anyone runs into a chrome extension by the name of 'Instant Savings App' that shows up as managed and blocks you from uninstalling it..

1. Kill the process it keeps active and kill the scheduled task to respawn the process
2. Wipe out the registry entries for it in software/policy
3. Delete the chrome extension folder for it
4. Uninstall chrome entirely since it messes with some of its internals
5. Edit the hosts file so you don't get silently redirected to a compromised Chrome installer when you redownload it.
6. Reinstall chrome

I had to transplant the drat thing into a virtual machine with a file/registry monitor active to finally figure out how to get rid of it. Submitted it to a bunch of the antivirus sites too, gently caress this stupid thing.

Khablam posted:

If it helps anyone else, Adwcleaner does a good job of cleaning up after those extension-based malware threats.

in the name of content I'm quoting myself since I've seen this twice more since that post and I'm fairly sure the browser extension is just one of many reinfection vectors the thing drops on you. I'm assuming this isn't the same Instant Savings App that's already widely reported around the net as adwcleaner/avast/nod32/superantispyware all miss it and I can't overstate how much of a bitch it is to remove completely.

Zogo
Jul 29, 2003

Wiggly Wayne DDS posted:

Has anyone seen any notable viruses lately?

I've seen multiple instances of that Conduit Search adware recently. It's a pretty standard piece of junk that gets installed with utorrent and other free software from https://www.download.com kind of sites. It's easily removed with adwcleaner and Malwarebytes.

Just don't uninstall it from the add/remove programs on an XP computer because it will delete critical files on the C directory and XP will not boot. It's a reminder that those malware uninstallers can do more damage than the programs themselves.

Orcs and Ostriches
Aug 26, 2010


The Great Twist

Zogo posted:

Just don't uninstall it from the add/remove programs on an XP computer because it will delete critical files on the C directory and XP will not boot. It's a reminder that those malware uninstallers can do more damage than the programs themselves.

That actually sounds like a good reason to do it that way on computers running XP.

z06ck
Dec 22, 2010

Orcs and Ostriches posted:

That actually sounds like a good reason to do it that way on computers running XP.
:q:

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


Orcs and Ostriches posted:

That actually sounds like a good reason to do it that way on computers running XP.

Until it's a critical system that requires XP even for the latest version of the software that came out a few months ago. Bonus points when the department refuses to listen to IT about why they should switch vendors and pays for an additional 5 years of this software that is still running on access 2003 with a very specific series of patches installed going too far or not far enough makes it not work.

Orcs and Ostriches
Aug 26, 2010


The Great Twist

pixaal posted:

Until it's a critical system that requires XP even for the latest version of the software that came out a few months ago. Bonus points when the department refuses to listen to IT about why they should switch vendors and pays for an additional 5 years of this software that is still running on access 2003 with a very specific series of patches installed going too far or not far enough makes it not work.

Critical systems running on XP shouldn't have access to the general internet, so getting poo poo like Conduit won't be a problem.

But I live in a pretty idealized world, so that might not apply.

Chernori
Jan 3, 2010
Thank you for the different points of view about the AVs, everyone! I often get treated like the resident computer guy by friends and family, but my knowledge is really pretty limited. Thanks again for the info.

Virus talk: I was on a 9 month overland trip through Africa (basically 20 of us driving around in a big truck) and most people were sharing USB sticks and flash cards. A couple months in, someone told me that their USB stick "had the wrong settings" and "made folders not open". They went on to explain that they had tried the USB stick on four different laptops recently and none of them could open the files.

Unsurprisingly, someone picked up an infection from an internet cafe and caused an epidemic on our truck due to autorun on people's laptops. The virus would hide all your files and replace them with dummy .exe versions with the same name. It took forever to fix, because people kept reinfecting each other's equipment. They probably infected dozens of internet cafes across the continent.

mindphlux
Jan 8, 2004

by R. Guyovich
gosh darnit, this gosh darn USB stick just has the WRONG settings!! every time i try to open it, the durn thing just wont open! i wonder if I try it on another computer, if the settings will be right?

nope! this durn computer has the wrong settings from the USB stick too! well fiddle my stick if it'll happen on a 3rd computer, the wind will whet my whistle by golly's sakes.

whats that? wrong settings here? you're dunn tootin! I otta wrangle a cat's tail out of this schnauzers mouthpipe before I double back and up'n fix'ta have to deal with this again.

what with the wrong-settings USB stick, I'll never get ANY gord durn werk done, inshallah!

Chernori
Jan 3, 2010

mindphlux posted:

what with the wrong-settings USB stick, I'll never get ANY gord durn werk done, inshallah!

I remember thinking maybe it was some sort of file system problem, until I saw that everything was now "Africa photos.exe". They asked if I wanted to try the USB stick on my laptop to see if it "worked better" and I politely declined.

I'm visiting a friend right now and she asked me to take a look at her netbook, because it's so slow all the time. I just found out that her netbook has had Windows updates disabled since 2011. :ohdear:

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Chernori posted:

I remember thinking maybe it was some sort of file system problem, until I saw that everything was now "Africa photos.exe". They asked if I wanted to try the USB stick on my laptop to see if it "worked better" and I politely declined.

I'm visiting a friend right now and she asked me to take a look at her netbook, because it's so slow all the time. I just found out that her netbook has had Windows updates disabled since 2011. :ohdear:

I would quite literally throw it into a fire. Just to be safe :q:

canis minor
May 4, 2011

Stanley Pain posted:

I would quite literally throw it into a fire. Just to be safe :q:

You have to remember that Windows Update on Windows XP (and Vista as well) does make your PC run slower, because, due to a bug, it uses 100% of CPU. The solution is to update to SP3 (unless you've got Windows with SP3, then you're screwed, as it might not be included, and you cannot update, because you already have SP3!), or disable Windows Update and install a standalone app.

Gothmog1065
May 14, 2009
Just got a client who got hit with Cryptobit. At least it's not CryptoLocker. It only seems to scramble the first 512 bytes of the file and copy it to the end of the file. Hopefully we can recover everything for them but I was about to get scared it was a full on encrypted problem.

Cactus Jack
Nov 16, 2005

If you even try to throw to my side of the field in a dream, you better wake up and apologize.
Most interesting thing I've seen lately, and this was a few weeks ago, was a piece of Malware (Media Player, what a great name) installed in Chrome using enterprise policy. It would spew ads constantly and adwcleaner/mbam/jrt would not get rid of it. And you couldn't just disable or delete the extension because of the enterprise policy bullshit.

Solution ended up being deleting all the folders in Chrome's extension folder and resetting Chrome. Pretty easy to fix it if I see it again, but god what a pain in the rear end and the guides that were out there on the net at the time were useless.
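For the policy-installed Chrome extensions described in this post and in bucketmouse's removal steps earlier in the thread, an added example (not from either poster): a Python check that lists force-installed extensions in a `reg export` dump and finds hosts-file entries that override download hosts. It assumes the "software/policy" entries are Chrome's `ExtensionInstallForcelist` policy key and that `google.com` names are the ones worth watching; the sample registry export, extension ID, URLs and hosts file are constructed.

```python
import re

# Constructed `reg export` output; the extension ID and URLs are made up.
# Real exports are UTF-16: decode the file before passing its text in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"HomepageLocation"="http://search.example.invalid/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="abcdefghijklmnopabcdefghijklmnop;http://updates.example.invalid/crx"
"""

# Constructed hosts file; 203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     dl.google.com   # redirect
203.0.113.7     intranet.example.invalid
"""

# Policy key that marks an extension as installed by enterprise policy.
FORCELIST_SUFFIX = r"\software\policies\google\chrome\extensioninstallforcelist"
VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def forced_extensions(reg_text):
    """Return (hive, extension_id, update_url) for each force-installed extension."""
    found, key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the values belong to
            continue
        match = VALUE_LINE.match(line)
        if match and key.lower().endswith(FORCELIST_SUFFIX):
            # Value data has the form "<extension id>;<update URL>"
            ext_id, _, update_url = match.group("data").partition(";")
            found.append((key.split("\\", 1)[0], ext_id, update_url))
    return found


def hosts_overrides(hosts_text, watched=("google.com",)):
    """Return (ip, hostname) for hosts entries that pin a watched domain."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == w or host.endswith("." + w) for w in watched):
                hits.append((ip, host))
    return hits


if __name__ == "__main__":
    for hive, ext_id, url in forced_extensions(SAMPLE_REG):
        print(f"policy-forced extension {ext_id} in {hive}, updates from {url}")
    for ip, host in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts file pins {host} to {ip}")
```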


sfwarlock
Aug 11, 2007
Questionable analogy used at work: "Blithely running random programs off the internet just because you have anti virus is like casually loving random people without a condom because you have a syringe of penicillin handy."
