
Infection support protocols ---- question from an experienced newbie

5 replies to this topic

#1 Ron Wolf

  • Members

Posted 02 January 2009 - 08:05 AM

So far in my looong computer professional life, I've managed to avoid having to get too deep into the virus (etc) world. Maybe just luck. Well, that ended about two weeks ago. With the help of this site, I was able to finally cure (I hope) the infected system. The experience here was mostly good, but I have a few questions in the spirit of perhaps making things better, especially for those of us who don't live in the world of infection & cure.

- why ask users to post their logs right into the message body? this clutters up the messages and makes it hard to find responses as many logs are quite long. why not always ask for logs to be attached?

- why the substantial variety of suggested system log & fix tools? is this just the individual preference of the person offering to help? hijackThis is sometimes suggested, other times dds, sometimes adAware, sometimes ComboFix, and on and on and on. Especially in the beginning stages of investigation why so many choices? I would think one protocol would do for most.

- why so many scan programs? is it really necessary, as some posts have suggested, to run 5 or more scan programs? is this just superstition? why can't one just do it all?

- as many of the more insidious problems seem to be addressed with ComboFix, why not just suggest that as a first step? and why the caution regarding running comboFix? if it can really mess things up, then what sort of problems can it cause? if the caution is not based on anything real, then it would make our lives easier if it was suggested to just run it and then see if there is still a problem?

- given the wide variety of suggested approaches and complex protocols (run this scan, reboot, run that scan, reboot, send the log, reboot, ....), i was really not sure what to do. i am indebted to a friend who had just successfully used ComboFix. so i tried it too. trying it at first would have saved me lots of time. i'm sure that ComboFix isn't always the solution, but again, why not suggest it as a 1st effort.

ok, all meant in the spirit of being helpful. and i am grateful for all that all of you do,

____________________Ron


#2 PropagandaPanda

  • Malware Response Team

Posted 02 January 2009 - 10:28 AM

Hello Ron.

why ask users to post their logs right into the message body? this clutters up the messages and makes it hard to find responses as many logs are quite long. why not always ask for logs to be attached?

We want all the content to be visible for future reference. Old attachments can be deleted (I'm not sure if this particular forum does so automatically). The content of the posts is preserved.

I find it easier to read the logs directly in the post. You will notice we do ask for certain logs to be attached, to, as you said, reduce clutter.

why the substantial variety of suggested system log & fix tools? is this just the individual preference of the person offering to help? hijackThis is sometimes suggested, other times dds, sometimes adAware, sometimes ComboFix, and on and on and on. Especially in the beginning stages of investigation why so many choices? I would think one protocol would do for most.

Yes, a lot of it is the helper's preference. Many of the logging tools give similar information about the computer, but the output is different. Some will output registry entries directly, while others (like HJT) shorten the registry entries.

There are many, many types of infections. Some tools you see deal only with one type.

why so many scan programs? is it really necessary, as some posts have suggested, to run 5 or more scan programs? is this just superstition? why can't one just do it all?

You will notice that in almost every fix, the helper will request at least one online scan. This is because the logging tools we use do not examine each file on the machine, only very specific points.

Online scans are used mostly after the main infection is taken out to check for leftover files. Personally, one of these scans is enough for me, sometimes two if the machine was heavily infected.

The variety is based on preference, and the fact that each scan does not detect the same items.

as many of the more insidious problems seem to be addressed with ComboFix, why not just suggest that as a first step? and why the caution regarding running comboFix? if it can really mess things up, then what sort of problems can it cause? if the caution is not based on anything real, then it would make our lives easier if it was suggested to just run it and then see if there is still a problem?

Unfortunately, per the request of the tool's writer, we cannot answer specific questions relating to ComboFix. This is to prevent the malware writers from finding ways to counteract ComboFix. This is true for many other tools as well.

I can say, though, there have been cases where ComboFix has caused problems.

Hope this has given you some insight. If you have further questions, please feel free to ask.

With Regards,
The Panda

#3 Orange Blossom

  • Moderator

Posted 02 January 2009 - 01:34 PM

Please note that Combofix is NOT a general disinfection tool like an AntiSpyware program or an AntiVirus program.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

To suggest for someone to use Combofix right off the bat would be akin to a doctor prescribing chemotherapy every time someone felt sick.

Orange Blossom :thumbsup:

#4 PropagandaPanda

  • Malware Response Team

Posted 02 January 2009 - 01:51 PM

Hello OB.

To suggest for someone to use Combofix right off the bat would be akin to a doctor prescribing chemotherapy every time someone felt sick.

I wouldn't take it that far.

It would, however, be like a doctor prescribing medication of some sort right away for every patient that comes into their office. First the problem needs to be diagnosed. For this tools like HijackThis and DDS are used. Removal tools are then used if deemed necessary.

With Regards,
The Panda

#5 Galadriel

  • Malware Response Team

Posted 02 January 2009 - 03:37 PM

- why ask users to post their logs right into the message body? this clutters up the messages and makes it hard to find responses as many logs are quite long. why not always ask for logs to be attached?


There are many reasons we ask most logs be posted and not attached. One is to enable search. The board search, and for that matter search engines like Google, do not search attachments. Sometimes reviewing a thread where a specific bit of information is posted helps anyone encountering it again. The other is to make the work our helpers do easier. Having to download a bunch of attachments and sift through several windows just to analyze one thread is inconvenient. And some attachments can get purged over time.

- why the substantial variety of suggested system log & fix tools? is this just the individual preference of the person offering to help? hijackThis is sometimes suggested, other times dds, sometimes adAware, sometimes ComboFix, and on and on and on. Especially in the beginning stages of investigation why so many choices? I would think one protocol would do for most.
- why so many scan programs? is it really necessary, as some posts have suggested, to run 5 or more scan programs? is this just superstition? why can't one just do it all?


Because some of the tools we use were built for a specific purpose, and none of them is supposed to be a kill-all solution. Most tools don't show everything you'd need to see, to make the logs simpler and shorter to analyze. Once a specific type of infection is suspected, helpers will likely use the tool that best fits the needs of that particular problem. There is no foolproof one-shot solution to the problems we encounter here. Hence the variety in the tools we use.

- as many of the more insidious problems seem to be addressed with ComboFix, why not just suggest that as a first step? and why the caution regarding running comboFix? if it can really mess things up, then what sort of problems can it cause? if the caution is not based on anything real, then it would make our lives easier if it was suggested to just run it and then see if there is still a problem?


The caution is indeed based on real potential danger to the system. There's a reason it's there; it's not meant to annoy. I've seen cases where a certain baddie (at the time, new and undiscovered until that time) was messing with CF's routines, and causing it to behave in extremely unexpected and hazardous ways (i.e. making the machine literally unbootable; a door stop was more useful than what that machine ended up being). The power of this tool is not something we take lightly. Our motto as helpers is to first, do no harm, and that is why the author of ComboFix deemed it important to both keep the inner workings of CF out of the public, and to add the disclaimer.

- given the wide variety of suggested approaches and complex protocols (run this scan, reboot, run that scan, reboot, send the log, reboot, ....), i was really not sure what to do. i am indebted to a friend who had just successfully used ComboFix. so i tried it too. trying it at first would have saved me lots of time. i'm sure that ComboFix isn't always the solution, but again, why not suggest it as a 1st effort.


See above.


Edit - Oh and once I posted, look what I found... http://www.bleepingcomputer.com/forums/t/191429/combofix-appears-to-have-killed-my-computer/ :thumbsup:

Yes, the chemo comment was appropriate IMO.

Edited by Galadriel, 02 January 2009 - 03:39 PM.


#6 Ron Wolf

  • Topic Starter

  • Members

Posted 04 January 2009 - 09:15 AM

Wonderful answers! Thank you! I am reassured on all issues. Hope my questions were not only annoying.
____________________Ron
