BleepingComputer.com: Possible CF bug again?

Possible CF bug again? Overzealous quarantine!

#1 rossi420 (New Member, Group: Members, Posts: 3, Joined: 21-May 11)

Posted 21 May 2011 - 04:19 PM

Hey folks, I'm a long time lurker & admirer on the site but up until now I've never had call to register.

Today I was doing a few scans on a friend's x86 XP SP3 PC (the joys of being an IT professional, these things tend to land in your lap) and my suspicions led me to run, amongst other things, ComboFix on the machine in question*. Now usually this tool behaves itself quite well but today it seems to have gone a little awry: after copying across and launching the version that resides on my USB stick (which was last manually updated perhaps a week ago) it began updating itself, then proceeded to install the recovery console and begin scanning. During the scan, it decided that the entire contents of the Program Files folder required deletion and proceeded to quarantine the lot. Not a big problem really, it's easily enough restored (though I'll have to boot into Linux as my batch scripting is awful, no idea how to mass rename!) but I was just wondering if perhaps the bug that popped up in January had made a reappearance? I couldn't find anything on the site that would indicate this and felt that if it had, it might be worth bringing it to the attention of the author and community.

Thanks in advance!
Ross

*Log on request, if I'm not mistaken they're not allowed in here!

#2 Falcon Kirtaran (New Member, Group: Members, Posts: 3, Joined: 21-May 11)

Posted 21 May 2011 - 08:56 PM

I too had this problem. I ran it twice today; on one machine it worked well, but on the other, it deleted nearly everything in the Program Files folder.

To compound my woes, I can't get the unquarantine script to work. I tried to do it like this:

<script removed>

Is that incorrect? I want to unquarantine everything.

This post has been edited by elise025: 22 May 2011 - 03:26 AM
Reason for edit: script removed for security reasons ~Elise

#3 Elise (Bleepin' Blonde, Group: Malware Study Hall Admin, Posts: 38,999, Joined: 05-October 07, Gender: Female, Location: Romania)

Posted 22 May 2011 - 03:32 AM

The developer is aware of this bug and it has been fixed with the next version. If you have been the victim of this bug and you need help restoring your Program Files content, please let us know.

Do NOT post any Combofix logs here, they will be removed. Instead, if you need help removing malware, follow the steps in the Preparation Guide.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

#4 rossi420 (New Member, Group: Members, Posts: 3, Joined: 21-May 11)

Posted 22 May 2011 - 09:06 AM

elise025, on 22 May 2011 - 03:32 AM, said:

The developer is aware of this bug and it has been fixed with the next version. If you have been the victim of this bug and you need help restoring your Program Files content, please let us know.

Do NOT post any Combofix logs here, they will be removed. Instead, if you need help removing malware, follow the steps in the Preparation Guide.

Thanks for the confirmation Elise. I've restored everything on my end, but confirmation of the method Falcon was attempting would be appreciated for future reference.

#5 Elise (Bleepin' Blonde, Group: Malware Study Hall Admin, Posts: 38,999, Joined: 05-October 07, Gender: Female, Location: Romania)

Posted 22 May 2011 - 09:34 AM

Quote

confirmation of the method Falcon was attempting would be appreciated for future reference.

Combofix's developer has requested that information on the inner workings of Combofix is restricted. At BC we respect this and for this reason the use of that particular script will not be discussed here. For the same reason I have also removed the posted script. Besides this, using scripts without proper understanding can lead to a lot more damage and I strongly recommend against trying.
regards, Elise


#6 rossi420 (New Member, Group: Members, Posts: 3, Joined: 21-May 11)

Posted 22 May 2011 - 10:03 AM

elise025, on 22 May 2011 - 09:34 AM, said:

Combofix's developer has requested that information on the inner workings of Combofix is restricted. At BC we respect this and for this reason the use of that particular script will not be discussed here. For the same reason I have also removed the posted script. Besides this, using scripts without proper understanding can lead to a lot more damage and I strongly recommend against trying.

Fairy snuff, it's easy enough to remedy without the script anyway.

Thanks again!

#7 Falcon Kirtaran (New Member, Group: Members, Posts: 3, Joined: 21-May 11)

Posted 22 May 2011 - 03:06 PM

Quote

Combofix's developer has requested that information on the inner workings of Combofix is restricted. At BC we respect this and for this reason the use of that particular script will not be discussed here. For the same reason I have also removed the posted script. Besides this, using scripts without proper understanding can lead to a lot more damage and I strongly recommend against trying.

It would be incredibly nice to know if I was at least on the right track. I have since used Linux to restore the files, so it's no longer crucial. However, I would far rather not disassemble the application and experimentally determine how to restore mistakenly quarantined files; could I at least know whether the commands I was using were syntactically correct? I am not terribly worried about damaging windows installations as I have a test environment.

How does one determine if CF is even running the script? Does it intentionally appear to be doing the exact same thing it would if you had not run the script, or does it give an indication?

#8 quietman7 (Bleepin' Janitor, Group: Global Moderator, Posts: 25,517, Joined: 09-July 05, Gender: Male, Location: Virginia, USA)

Posted 22 May 2011 - 03:35 PM

As elise025 said, discussion pertaining to how ComboFix works, what it can or cannot do, etc. is not available to the public. The primary reason is to safeguard and protect the integrity of the tool from malware writers.

Safeguarding ComboFix from malware writers is necessary and important so that we can continue to use it without attackers having knowledge how to defeat it. Everything we discuss can be read by the bad guys. Yes, they read forum topics looking for clues on how to circumvent our tools. We don't want to provide any information they can use against us so we deliberately limit discussion which sometimes may appear vague or not fully address a specific question.

As such, the developer does not want his tool discussed outside of private forums and therefore we cannot answer specific questions.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 Falcon Kirtaran (New Member, Group: Members, Posts: 3, Joined: 21-May 11)

Posted 22 May 2011 - 07:44 PM

I get that. Who or where can I ask?

Sorry to drag this so far off topic, though. It seems the bug has not shown its face again...

#10 quietman7 (Bleepin' Janitor, Group: Global Moderator, Posts: 25,517, Joined: 09-July 05, Gender: Male, Location: Virginia, USA)

Posted 22 May 2011 - 08:57 PM

If you want to learn more about ComboFix you will have to enroll in the Malware Removal Training Program here at BC (if space is available) or one of the other various Unite Schools where such training is offered. In that environment experts will train those interested in assisting others with malware removal and how to use specialized fix tools like ComboFix. Once training has been completed, you will have access to the ComboFix discussion thread to learn more specific information about the tool and ask any questions.

This post has been edited by quietman7: 22 May 2011 - 09:01 PM

#11 JD13x (New Member, Group: Members, Posts: 2, Joined: 24-May 11, Gender: Male)

Posted 26 May 2011 - 08:45 PM

I have this same problem.
I ran the supposed solution only to find it did nothing...
I've been pulling my hair out for the last 3 days. Luckily it isn't my main computer.
All my files have been moved to the quarantined folder with the vir extension.

#12 quietman7 (Bleepin' Janitor, Group: Global Moderator, Posts: 25,517, Joined: 09-July 05, Gender: Male, Location: Virginia, USA)

Posted 27 May 2011 - 07:47 AM

Hello JD13x

hamluis has already responded in your other thread here. If you have further questions, please continue in there. Please do not start new threads or duplicate topics as this causes confusion and makes it more difficult to get the help you need to resolve your issues. Further, it necessitates staff spending time with housecleaning to remove or close those duplicate postings...time which could have been provided to others needing assistance.