Bleeping Computer problems

12 replies to this topic

#1 wj32 (Members, 56 posts)

Posted 22 June 2009 - 03:05 AM

Hi everyone,

Just before I begin, I want to establish some credibility for myself (which unfortunately is necessary in this bureaucracy). I am a programmer and I am experienced in C, C# and Windows internals. Although I do lack knowledge about browser hijackers, etc., I do know quite a bit about rootkits and other malware.

I would like to help out here, but one problem I'm seeing is the use of automated malware removal tools (or detection) in situations which do not require their use. One example: a person is having BSODs and says that they have tried to use several virus/malware scanners to no avail. A staff member comes along and posts instructions (I'm guessing a copy+paste) on how to use DDS, which the OP has already said did not run. Now, the logical solution for diagnosing BSODs is to post a crash dump and analyze the BSOD using WinDbg. I don't know how using more automated scanners would help.

Here's another example: a person asks about the presence of $RECYCLE.BIN directories on their local hard drive and removable disks. A staff member posts instructions on how to use DDS (as usual). The scan reveals nothing significant (only PopCap). The staff member asks the OP to use Malwarebytes' anti-malware. Not to be rude, but this "staff member" should know what $RECYCLE.BIN and desktop.ini are. $RECYCLE.BIN is where recycled files are stored, and desktop.ini is a system file which tells explorer how to display a folder.

One more example: a person asks about a possible malware infection and attaches a DDS log. A staff member posts instructions on how to use DDS. :thumbsup:

MCTS: Windows Internals.
Stupid bureaucracy.


#2 Orange Blossom (OBleepin Investigator; Moderator, 36,693 posts; Bloomington, IN)

Posted 22 June 2009 - 04:00 AM

One example: a person is having BSODs and says that they have tried to use several virus/malware scanners to no avail. A staff member comes along and posts instructions (I'm guessing a copy+paste) on how to use DDS, which the OP has already said did not run. Now, the logical solution for diagnosing BSODs is to post a crash dump and analyze the BSOD using WinDbg. I don't know how using more automated scanners would help.


If the member starts off saying he/she suspects an infection, we generally try to rule that out first. However, are you sure you mean DDS? That is the log we ask folks to post in the specialized HiJack This log area, and it is merely a scan that doesn't do anything but provide information.

Here's another example: a person asks about the presence of $RECYCLE.BIN directories on their local hard drive and removable disks. A staff member posts instructions on how to use DDS (as usual). The scan reveals nothing significant (only PopCap). The staff member asks the OP to use Malwarebytes' anti-malware. Not to be rude, but this "staff member" should know what $RECYCLE.BIN and desktop.ini are. $RECYCLE.BIN is where recycled files are stored, and desktop.ini is a system file which tells explorer how to display a folder.


I know what topic you are referring to here, and therefore, I know you mean MBAM. I know that desktop.ini and $RECYCLE.BIN are generally legitimate files, however, there is bad malware that also creates these files. Also, I don't think that desktop.ini and $RECYCLE.BIN would appear on drives other than ones that an OS runs on. They certainly don't appear in my other drives. That said, we don't know in that other topic whether the OP has an OS installed on those other drives.

One more example: a person asks about a possible malware infection and attaches a DDS log. A staff member posts instructions on how to use DDS. :thumbsup:


Again, are you sure you aren't referring to MBAM? If a post has a DDS log attached outside of HJT, we move the topic to the MisPlaced forum and provide instructions for posting in the proper place. If you are referring to topics in the HiJack This forum, the reason for asking the OP to run DDS is because of the time-lapse and updated information is needed. As I stated before, DDS is merely a diagnostic tool and doesn't do anything.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 wj32 (Topic Starter; Members, 56 posts)

Posted 22 June 2009 - 04:42 AM

If the member starts off saying he/she suspects an infection, we generally try to rule that out first. However, are you sure you mean DDS? That is the log we ask folks to post in the specialized HiJack This log area, and it is merely a scan that doesn't do anything but provide information.


Yes, I do mean DDS, and it wasn't in the HJT area...

I know what topic you are referring to here, and therefore, I know you mean MBAM. I know that desktop.ini and $RECYCLE.BIN are generally legitimate files, however, there is bad malware that also creates these files. Also, I don't think that desktop.ini and $RECYCLE.BIN would appear on drives other than ones that an OS runs on. They certainly don't appear in my other drives. That said, we don't know in that other topic whether the OP has an OS installed on those other drives.


Try cmd + dir /a. They will appear in most disks (probably not flash drives), even on non-OS partitions. Think about it; if you recycle a file from another partition, explorer wouldn't go through the effort of copying the file to your main OS partition. Instead it moves the file to the $RECYCLE.BIN on that partition, speeding things up significantly since moving files/directories is a quick operation.

Again, are you sure you aren't referring to MBAM? If a post has a DDS log attached outside of HJT, we move the topic to the MisPlaced forum and provide instructions for posting in the proper place. If you are referring to topics in the HiJack This forum, the reason for asking the OP to run DDS is because of the time-lapse and updated information is needed. As I stated before, DDS is merely a diagnostic tool and doesn't do anything.


Nope, I'm not referring to MBAM. But I do understand about the time-lapse now :thumbsup:.

Thanks for addressing my concerns. My point was that there seems to be an overuse of automated detection tools - in some posts staff members simply keep on asking people to scan with DDS, MBAM and ComboFix even though the solution lies elsewhere.

#4 Orange Blossom (OBleepin Investigator; Moderator, 36,693 posts; Bloomington, IN)

Posted 22 June 2009 - 05:14 AM

Yes, I do mean DDS, and it wasn't in the HJT area...

----------------------

Thanks for addressing my concerns. My point was that there seems to be an overuse of automated detection tools - in some posts staff members simply keep on asking people to scan with DDS, MBAM and ComboFix even though the solution lies elsewhere.


If you happen to see someone telling someone to run Combofix outside of the HiJack This forum, please inform a moderator or post about it here: http://www.bleepingcomputer.com/forums/t/137145/bleeping-computer-tidiness/ Also, please do the same if you see someone telling someone to post a DDS log outside of the HiJack This forum.

We do tell folks to run DDS if we are referring them to the HiJack This forum; however, Combofix is restricted to the HiJack This forum as it is very powerful and can wreak terrible havoc if not used properly, including turning the computer into an expensive doorstop, to quote galadriel. The HiJack This forum focuses solely on malware removal. Sometimes folks have issues with malware and also have system or hardware problems. Generally we work to rid the system of malware - some malware in fact does cause BSODs - then work to resolve the other issues, as doing too many things at once causes confusion for everyone. Once infections are taken care of, the OP is referred to other forums to address the other issues.

We certainly could use someone with your knowledge of Windows etc. to help us out in the OS forums and in the programming area at the least. Welcome aboard. :flowers:

Orange Blossom :thumbsup:

#5 garmanma (Computer Masochist; Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 22 June 2009 - 09:36 AM

If you are reading these posts in the Am I Infected forum, there are certain guidelines that must be followed:

Instructions for posting advice in Am I Infected

As a member you are allowed to interact with others that post in this area. Any advice given is subject to modification or removal by the moderating team. We appreciate the fact that you are trying to help others with your advice, but we require that this advice be kept general and minimally invasive. Preliminary scans, active scans and non-malware related tools are allowed to be used here, along with advice for A/V and other protection programs. Modification of OS settings and general tweaks to resolve problems is allowed, but advice for the removal of any files, folders or programs is restricted.

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in all other areas of the forums. This list contains tools and procedures that are forbidden, the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.

* Manual file removal instruction
* ComboFix instructions or discussion
* SDFix instruction
* Registry instruction
* Automated registry cleaners
* HiJackThis instructions (logs are for review only)
* Custom scripts, batch files

http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/


If the matter cannot be resolved, then they are referred to the HJT preparation guide, where they create a log and submit it to the HJT forum, where they have permission to alter the registry and such.

Edited by garmanma, 22 June 2009 - 09:37 AM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 22 June 2009 - 11:04 AM

Hello wj32.

First of all, I would like to respond to this statement.

Just before I begin, I want to establish some credibility for myself (which unfortunately is necessary in this bureaucracy).

I have to disagree here. The opinions of all members, regardless of their experience, are respected. You won't find a response that sounds like, "Who are you to question what we do?"

From my experience BC is a very friendly community in that sense and others.

It's a bit different if you want to provide help that requires advanced knowledge, I'm sure you'd understand.

Getting to the purpose of your post, you do bring up a valid point. (Just notice that this was already explained. Sorry if it sounds repetitive.)

The main reason that you see antimalware tools being run is simply: that forum is a Malware Removal Forum.

Preferably, members will only post in that forum if they know they have an infection. Any posts in that forum are treated as such. However, many members post there with problems that are not malware related, such as, as you mentioned, BSODs, which are more likely caused by other factors.

We try to encourage members to go through the Am I Infected forum if they are not sure they are infected.

We currently have a large backlog of topics in the Malware Removal forum from the large number of requests for help. Trying to work on a first come first served basis, the older topics are replied to first.

The problem is that the old topics have gone over a week without a reply, and oftentimes the poster has "disappeared". All old topics are responded to with the post here (requesting a DDS log) to check that the user is still around.

With over 400 topics, it's more feasible to first make sure the user is active and then put in the effort to diagnose the issue.

---

If it's determined in the Malware Removal forum that the issue is caused by something else, the user is asked to start a topic elsewhere.

You can see that, if a user posts with a non malware problem in the Malware Removal Forum, they may wait over a week only to be told to post elsewhere.

With Regards,
The Panda

#7 wj32 (Topic Starter; Members, 56 posts)

Posted 23 June 2009 - 01:55 AM

I have to disagree here. The opinions of all members, regardless of their experience, are respected. You won't find a response that sounds like, "Who are you to question what we do?"

From my experience BC is a very friendly community in that sense and others.


It is very friendly but the rules do not sound like it. From what I can deduce non-staff members cannot help users with problems in the HJT log area, which is a little too restrictive. Sure, some people may give bad advice, but what's the chance that a newbie will delete C:\Windows\explorer.exe or something just because someone says so? And I'm a bit frustrated that the training program never seems to have any slots available... (but that's another issue)

EDIT: Take a look at this (directed at me in the $RECYCLE.BIN thread):

Hello.... To all involved in this thread..
We appreciate all those trying to help, but this is getting very muddled.. Some advice is not needed and some improper. For Omac's sake I will ask that only Superbird, Stang77 or other staff complete the assistance in this thread,


Now this staff member is calling my advice improper when it has actually solved the OP's problem and is 99.99% likely to be correct. This is the kind of thing I'm talking about. No offense to those involved, but this is just incompetence on the part of the staff members. Two malware scanners have already been used, both reporting absolutely no malware, yet the message is "keep on using malware scanners". :thumbsup: (and this is in the "am I infected" forum)

The main reason that you see antimalware tools being run is simply: that forum is a Malware Removal Forum.


Yes, I completely agree with the use of anti-malware tools. Just that I'm seeing some (not a lot of) situations where people are being told (endlessly) to use all kinds of anti-malware tools when the problem could be resolved using other means. (EDIT: see above)

Edited by wj32, 23 June 2009 - 02:02 AM.


#8 Guest_superbird_* (Guest)

Posted 23 June 2009 - 04:46 AM

Hi wj32,

I will reply to you here too.
As already said above, there is malware that creates the desktop.ini files. You don't have to worry that I don't know what RECYCLE.BIN is, I know that. That's not what I worried about, but I advised MBAM because those desktop.ini files are present.
So I posted MBAM instructions there, and it showed malware (Popcap). Then it's normal we first clean the system: make sure the user is clean.
Now, I've advised to let the user run Kaspersky Online. After this, the files that Kaspersky found have to be removed. Then, the user is clean. I planned to redirect the user to the Windows section, if he still has those problems. But then I know for sure it wasn't malware. That's the normal way of dealing with topics in A.I.I. here at BC. :thumbsup:

And I do not agree with your point about the HJT area: It would be dangerous if others than HJT Team Members could reply there. You don't see the danger of the tools. You can only see them once you completed the training, and you are a HJT Team Member yourself. Then you would agree with me no one should reply there without a HJT Team rank. :flowers:

Not to be aggressive to you, but this is our way of handling malware related issues. First the malware, then other problems that are left. :trumpet:

#9 wj32 (Topic Starter; Members, 56 posts)

Posted 23 June 2009 - 05:10 AM

Not to be aggressive to you, but this is our way of handling malware related issues. First the malware, then other problems that are left. :thumbsup:


I was not talking about using the malware scanners. I was talking about how the other staff member told me my advice was wrong (without explanation), which is just completely ridiculous. This contradicts what PropagandaPanda said about "The opinions of all members, regardless of their experience, are respected." Clearly, the staff member involved was implying their superiority, which again, is completely ridiculous in this place.

Of course, my other point was on malware scanners. IMO using even 2 malware scanners is a bit excessive for a computer which has absolutely no symptoms of malware infection (or even any problems). As they say, if it ain't broke, don't fix it :flowers:.

Edited by wj32, 23 June 2009 - 05:14 AM.


#10 Guest_superbird_* (Guest)

Posted 23 June 2009 - 07:32 AM

No, the reply from boopme wasn't ridiculous. Normally 1 person helps 1 person. If the helping person doesn't know it, he can call in staff, or other qualified people.
It just doesn't work when 2, 3 or more people are helping someone; it's going to be a mess then.

And this person WAS infected with Popcap. He had malware symptoms. That's why we put in several scanners. Believe me, we don't do it without a reason. :thumbsup:

#11 Grinler (Lawrence Abrams; Admin, 43,388 posts; USA)

Posted 23 June 2009 - 10:29 AM

First, thank you for bringing up your concerns and what you perceive as illogical practices here at the site. These types of topics do help and are appreciated in fine tuning how we do things here.

I would like to help out here, but one problem I'm seeing is the use of automated malware removal tools (or detection) in situations which do not require their use. One example: a person is having BSODs and says that they have tried to use several virus/malware scanners to no avail. A staff member comes along and posts instructions (I'm guessing a copy+paste) on how to use DDS, which the OP has already said did not run. Now, the logical solution for diagnosing BSODs is to post a crash dump and analyze the BSOD using WinDbg. I don't know how using more automated scanners would help.


In some situations you are right and in others I disagree. BSODs can be debugged using WinDbg. Culprits can also be seen by certain log creators, as certain malware device drivers are known to blue screen due to poor programming. It depends on where the person posts their problem. If they post in AII, then it is typically accompanied by a message like "I opened an attachment I shouldn't have and now get blue screens.". That alludes to a malware infection, so we go down that route.

If someone posts in the Windows section stating that they installed new drivers recently and now they are bluescreening then WinDbg would be a good place to start.


Here's another example: a person asks about the presence of $RECYCLE.BIN directories on their local hard drive and removable disks. A staff member posts instructions on how to use DDS (as usual). The scan reveals nothing significant (only PopCap). The staff member asks the OP to use Malwarebytes' anti-malware. Not to be rude, but this "staff member" should know what $RECYCLE.BIN and desktop.ini are. $RECYCLE.BIN is where recycled files are stored, and desktop.ini is a system file which tells explorer how to display a folder.


You're right, $RECYCLE.BIN is used by Vista. The Recycler folder is used for older versions, including XP, and is contained in the root of each drive partition. Staff members at BC are not necessarily known for their technical knowledge, but for their help moderating the board. A good moderator does not necessarily mean that the person is an expert technically.

One more example: a person asks about a possible malware infection and attaches a DDS log. A staff member posts instructions on how to use DDS.


Can't really argue that one :thumbsup:


From what I can deduce non-staff members cannot help users with problems in the HJT log area, which is a little too restrictive. Sure, some people may give bad advice, but what's the chance that a newbie will delete C:\Windows\explorer.exe or something just because someone says so? And I'm a bit frustrated that the training program never seems to have any slots available... (but that's another issue)


I disagree entirely with it. It is because people were acting on unsound advice that we put in those restrictions in the first place. Many of our users do not have a lot of computer knowledge and may use wrong instructions without realizing they are doing more harm to their computer than good. As the malware removal section uses programs that can cause a computer to not boot up properly, it was required that we restrict it only to people who we/I feel know what they are doing.

As for the trainee program, you can message one of the study hall admins to get on the waiting list.

Now this staff member is calling my advice improper when it has actually solved the OP's problem and is 99.99% likely to be correct. This is the kind of thing I'm talking about. No offense to those involved, but this is just incompetence on the part of the staff members. Two malware scanners have already been used, both reporting absolutely no malware, yet the message is "keep on using malware scanners". huh.gif (and this is in the "am I infected" forum)


Norton 360 is not reliable enough. I would have recommended a different scan as well. As you can see from a KAS scan there are some questionable items there. So the advice was not necessarily wrong to continue down the malware approach. As you can see there are a variety of keygen/cracks/warez there. I know you think those are mostly false positives, but I can tell you for sure this is not the case. In fact if I want to find the latest malware, I typically infect myself from files found at crack/warez/p2p sites.

As for your advice, it was correct. The information you gave does indeed fix the problem of the recycler and desktop.ini files showing. What though caused them to be seen in the first place? Had to be something, right? ShowSuperHidden and other file-hiding entries are user specific, not local machine. So my guess is some malware did it or the user did it. You are right that malware typically makes that entry have a value of 0. On the other hand, malware writers are sloppy and I have seen the reverse happen from time to time.

I was not talking about using the malware scanners. I was talking about how the other staff member told me my advice was wrong (without explanation), which is just completely ridiculous. This contradicts what PropagandaPanda said about "The opinions of all members, regardless of their experience, are respected." Clearly, the staff member involved was implying their superiority, which again, is completely ridiculous in this place.


I agree, you should not be told you are wrong without a reason given why. Can you point me to the thread where a staff member said this?

I also have to admit that we do tend to be a bit heavy handed with anti-malware scanners in the AII forum for a few reasons:
  • Because users are posting there because they think they are infected.
  • We do not allow certain tools to be used that give us more information as to what is running (DDS, Hijackthis, or Combofix)
I am not saying we are always right in how we do things, as we are not and we are constantly evolving our approach. Also members are all welcome to help in AII using the guides found here. On the other hand, if someone gives bad advice, we are going to call them out on it, not to make the member feel like an idiot, but to protect our members, which takes precedence. If anyone feels they are not receiving fair treatment in how they express their knowledge or suggestions, then please let a Site Admin know.
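Two Windows details come up in this thread: wj32's point that every partition carries its own $RECYCLE.BIN (visible with dir /a, since the folder is hidden and system), and Grinler's point that ShowSuperHidden and the other file-hiding settings are per user rather than per machine. The script below is an added example, not code from the thread or from BleepingComputer, that checks both from PowerShell so a helper can see why these folders became visible before reaching for another scanner. It assumes Windows Vista or later with PowerShell 3.0 or newer, and that the Hidden and ShowSuperHidden values live under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (the usual location, but stated here as my assumption, not something the thread gives).

```powershell
# Added example, not from the thread. Assumes Windows Vista+ and PowerShell 3.0+.

function Get-RecycleBinFolders {
    # Each volume with a drive letter keeps its own recycle-bin folder in its root:
    # $RECYCLE.BIN on Vista and later, RECYCLER on XP-era NTFS volumes.
    # Both carry the Hidden and System attributes, so Get-ChildItem needs -Force
    # to list them (the cmd.exe equivalent is "dir /a", as wj32 says above).
    $results = @()
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        if (-not $drive.Root) { continue }
        foreach ($name in @('$RECYCLE.BIN', 'RECYCLER')) {
            $path = Join-Path -Path $drive.Root -ChildPath $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-Item -LiteralPath $path -Force
            # One subfolder per user SID that has recycled something on this volume.
            $sidFolders = @(Get-ChildItem -LiteralPath $path -Force -Directory -ErrorAction SilentlyContinue)
            $results += [pscustomobject]@{
                Drive      = $drive.Name
                Folder     = $name
                Attributes = $item.Attributes   # expect Hidden, System (and Directory)
                SidFolders = $sidFolders.Count
            }
        }
    }
    return $results
}

function Get-ExplorerHiddenFileSettings {
    # These values are per user (HKCU), which is Grinler's point: a change here
    # affects only the account that made it, whether that was the user or something
    # running under the user's account.
    #   Hidden          1 = show hidden files, 2 = do not show (default)
    #   ShowSuperHidden 1 = show protected operating system files, 0 = hide them (default)
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    $showsProtected = ($props.Hidden -eq 1) -and ($props.ShowSuperHidden -eq 1)
    [pscustomobject]@{
        Hidden                = $props.Hidden
        ShowSuperHidden       = $props.ShowSuperHidden
        ProtectedFilesVisible = $showsProtected
        Note = if ($showsProtected) {
            'Explorer is set to show protected OS files; $RECYCLE.BIN and desktop.ini being visible is expected.'
        } else {
            'Protected OS files are hidden; $RECYCLE.BIN should not normally be visible in Explorer.'
        }
    }
}

# Usage: list the per-volume recycle-bin folders, then the current user's Explorer settings.
Get-RecycleBinFolders | Format-Table -AutoSize
Get-ExplorerHiddenFileSettings | Format-List
```

Because the two registry values are under HKCU, the script reports the settings of whichever account runs it; to check the account that saw the folders, run it as that user. A visible $RECYCLE.BIN with both values set to 1 is just the setting Explorer was given, and the remaining question, as Grinler puts it, is who set it.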

#12 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 June 2009 - 10:56 AM

Hello.

EDIT: I see Grinler replied first. It took awhile to write the post.

From what I can deduce non-staff members cannot help users with problems in the HJT log area, which is a little too restrictive. Sure, some people may give bad advice, but what's the chance that a newbie will delete C:\Windows\explorer.exe or something just because someone says so? And I'm a bit frustrated that the training program never seems to have any slots available... (but that's another issue)

The experience of members in the forum ranges from experts who work in the field to those who have just purchased their first computer. I think if my machine was infected, and someone who is supposed to be trustworthy is helping me, I would carry out whatever instructions they give.

Some time ago, there was no forum restriction (a message that tells you that you can't post in the HJT forum). There were problems with people trying to help, but giving inadequate advice.

Look at it this way. Computer repair shops don't hire just anyone they find. The restriction is in place only in the HJT Forum at BC because the malware removal process requires tasks that could potentially be dangerous compared to some of the other sections of the forum.

Let's look at some random example that I just pulled from the air. An infection has infected the explorer.exe. A tool is run to replace the explorer with a good copy. However, something goes wrong and the bad copy is deleted, but the good copy didn't get there. Now Windows is stuck booting.

The helper would know to use a Recovery Console to manually replace the file. If, however, the helper did not know how to do this . . . the machine is as good as toast. My point is, we can't take the risk. We have to make sure those providing help know what to do in such situations.

Don't get it wrong; we would absolutely welcome more help. There is a shortage of staff, thus we have the problem with the backlog. This is done because we put the safety of the members we provide help to as top priority.

With Regards,
The Panda

Edited by PropagandaPanda, 23 June 2009 - 10:57 AM.


#13 wj32 (Topic Starter; Members, 56 posts)

Posted 23 June 2009 - 07:52 PM

I completely agree with what you've (plural) said. This is not about me or any advice I may have given. I take back what I said about the HJT area and training. My main point remains that malware scanners are sometimes overused, and so let's end it at that :thumbsup:.