Posted 05 August 2009 - 01:19 AM
I am a late comer to Combofix, but that silly vundo pops up on customer computers from time to time. I've only used the Combofix a couple times, but I think I understand the scripts offered by the authorized helpers. The problem is, I'm not 100% certain, and I've had a terrible time finding much documentation about how a person learns to decipher the Combofix logs. Is there a resource available to those who want it?
(Basically, this is my (mis?)understanding of the log reports so far: the potentially infected drivers or files are listed in the R and S sections. The odd-named drivers (usually random-character-type stuff) are listed, followed by identical characters (or a description), followed by the file path to the file in question. If the file is known bad, there is no question mark, but if there is a question mark, the file might or might not be infected; if there are two question marks, the file is doubtfully infected. In either question mark case, a person (not the program) should do further investigation in order to figure out whether the files are valid or not. So the non-question-marked files (and possibly the question-marked files, depending on research) need to be included in the Combofix script: KillAll:: <file paths of infected files - one to each line> Drivers:: <usually the "random" names given prior to the file paths in the R or S section - one to each line>.) Is this close to being accurate at all?
Combofix appears to be a great tool, but I am not usually in a situation where I can post a logfile and then wait for a reply.
Any thoughts or information would be appreciated.