
Hello


  • This topic is locked
10 replies to this topic

#1 Guest_oldmill_*

Guest_oldmill_*

  • Guests

Posted 27 August 2009 - 11:59 AM

I've found that when I experience a computer mystery, someone else has also experienced the same issue and might even have solved it, so I troll the Internet looking for solutions to commonly shared problems. This website seems to figure prominently in many of the searches, so it's time to look closer.

I am not a newbie, and perhaps I can give back a few solutions or clues from time to time. I took my first computer class in 1962, when many of your parents weren't even a gleam in your grandparents' eyes, and I work full time with microcomputers every day. For me it is true that I've forgotten more than most of you know, but much of that wasn't worth remembering anyway. Having "retired" from military service in 1991, I started a one person small computer ombudsman service which has kept me manically busy ever since. Jack of all trades, master of none fits fairly well, although I prefer to refer to myself as the fellow who walks in the parade behind the elephants and horses.

One facet of this forum is mildly disturbing, and perhaps someone in a position of authority can explain it to me - we are enjoined from commenting upon or even solving some of the problems presented here, and that seems to me to be limiting the usefulness of the forum overall. We are expected to allow the resident experts free rein even if we see a flaw in the analysis or have the solution at hand. I understand that many well-intentioned comments (shots in the dark) can muddy a thread, but surely a few well placed observations would be welcome. For example, I have an identical problem to one currently under discussion, and feel the resident expert is approaching the problem all wrong - he has just declared it to be a probable false positive, but he is wrong, having failed to accommodate the symptoms presented. It appears that there is more interest in preserving the appearance of infallibility than there is in discovering solutions, but I hope I am wrong on that point. If we are proscribed from posting suggestions I will honor that. Perhaps one of the powers that be would be so kind as to enlighten me on the posting dos and don'ts.

Having glorified myself beyond reason, I remain a general practitioner, not a field specialist, and have much to learn about virus elimination, as it constitutes a major segment of my endeavors. Any help I can get will be appreciated, and any I can give will be offered.


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 27 August 2009 - 03:04 PM

Welcome to Bleeping Computer

we are enjoined from commenting upon or even solving some of the problems presented here, and that seems to me to be limiting the usefulness of the forum overall


The only forum where we do not allow outside participation is the HJT forum.
It is a highly skilled process, where team members undergo a rigorous training program, and the Am I Infected forum, where we limit the tools used to non-invasive tools, so as not to cause harm to anyone's computer.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Guest_oldmill_*

Guest_oldmill_*

  • Guests

Posted 28 August 2009 - 12:35 AM

Welcome to Bleeping Computer

we are enjoined from commenting upon or even solving some of the problems presented here, and that seems to me to be limiting the usefulness of the forum overall


The only forum where we do not allow outside participation is the HJT forum.
It is a highly skilled process, where team members undergo a rigorous training program, and the Am I Infected forum, where we limit the tools used to non-invasive tools, so as not to cause harm to anyone's computer.


Thank you for the response ... as I wandered further in I was able to comment on a situation, one which I had seen and fixed many times before.

I was particularly upset by the responses being given by your colleague on the HJT Trojan Horse PSW.Agent.ABTK thread. I am working the same problem, and whereas your expert is hypothesizing a false positive, the virus is real, and while the file itself is removed, a companion file remains to cause havoc. When any executable file (.com, .exe, .dll) is opened, a warning message appears: "The application failed to start because msmbknl.dll was not found." Yes, it was not found on both our systems because AVG removed it. Further, there is no entry in the Registry that contains msmbknl.dll. So, some other file must be calling for it every time an executable program is launched. Somewhere in the Registry is the answer, but I haven't been able to find it. About ten or twelve years ago, there was a virus that launched itself every time an .exe file was executed, and you had to manually remove its reference from the Registry, even after the virus file itself was deleted. While the reference existed, no .exe files would execute. You couldn't just launch Regedit.exe, because it wouldn't, but you could search for regedit.exe and rename it to regedit.com and then proceed (did you know that?). This case must be different since apparently all executables cause the error message to appear - the programs do launch after acknowledging the message, another difference. What I do not know is whether there is a single key in the Registry that will launch an executable (the file calling for msmbknl.dll) to start whenever any executable file is requested. I thought that this piece of information would be helpful to your colleague, but it was not possible to present it in the thread. This is not a single occurrence and I would like an answer as much as the other correspondent. I tried his Dr Web - Cure It suggestion - nada. Since the thread is closed to me, perhaps you would be kind enough to pass this comment forward.
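As an added, read-only triage example (not from this thread or from BleepingComputer), the PowerShell below lists the standard Windows registry load points that act on every executable launch and flags whether a given DLL name appears in any of them; the key paths are assumed here as the usual places to check, not something the thread identifies, and the default DLL name is only the sample value quoted above. It changes nothing on the system; it reports what is configured so that a helper can decide what to look at next.

```powershell
# Added triage script, not the poster's or the forum's method. Read-only: it
# lists registry locations that affect EVERY executable launch and flags any
# reference to a DLL name. The default is the sample name from the thread.
param([string]$DllName = 'msmbknl.dll')

$findings = @()
$pattern  = [regex]::Escape($DllName)

# 1. AppInit_DLLs: every process that loads user32.dll also loads these DLLs.
#    An entry whose file no longer exists yields a "was not found" dialog on
#    each launch, after which the program continues to start.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($entry in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
        $status = if ($entry -match $pattern) { 'MATCH' } else { 'present' }
        $findings += [pscustomobject]@{ Location = 'AppInit_DLLs'; Value = $entry; Status = $status }
    }
}

# 2. File-type shell handlers: the command run when an .exe/.com/.bat is opened.
#    Anything other than the stock "%1" %* means another program wraps each launch.
$expected = '"%1" %*'
foreach ($type in 'exefile', 'comfile', 'batfile') {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($null -eq $cmd) { continue }
    $status = if ($cmd.Trim() -eq $expected) { 'stock' }
              elseif ($cmd -match $pattern) { 'MATCH' }
              else { 'MODIFIED' }
    $findings += [pscustomobject]@{ Location = "$type open command"; Value = $cmd; Status = $status }
}

# 3. Image File Execution Options: a "Debugger" value makes Windows start that
#    program in place of the named executable, every time it is requested.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $status = if ($dbg -match $pattern) { 'MATCH' } else { 'present' }
        $findings += [pscustomobject]@{ Location = "IFEO\$($sub.PSChildName)"; Value = $dbg; Status = $status }
    }
}

if ($findings.Count -eq 0) {
    "No AppInit_DLLs entries, non-stock shell handlers, or IFEO debuggers found."
} else {
    # MATCH = the DLL name appears; MODIFIED = handler is not the Windows default.
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so HKLM is readable in full; on 64-bit systems the same keys also exist under Wow6432Node and can be checked the same way.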

#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 28 August 2009 - 10:12 AM

Would you provide a link please

Like I said, in Am I Infected, there are limitations on what can be suggested


As a member you are allowed to interact with others that post in this area. Any advice given is subject to modification or removal by the moderating team. We appreciate the fact that you are trying to help others with your advice, but we require that this advice be kept general and minimally invasive. Preliminary scans, active scans and non-malware related tools are allowed to be used here, along with advice for A/V and other protection programs. Modification of OS settings and general tweaks to resolve problems is allowed, but advice for the removal of any files, folders or programs is restricted.

Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in all other areas of the forums. This list contains tools and procedures that are forbidden; the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.

* Manual file removal instruction
* ComboFix instructions or discussion
* SDFix instruction
* Registry instruction
* Automated registry cleaners
* HiJackThis instructions (logs are for review only)
* Custom scripts, batch files


Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 Guest_oldmill_*

Guest_oldmill_*

  • Guests

Posted 28 August 2009 - 11:55 AM

This is the thread I feel is heading in the wrong direction, per my previous post. The restrictions on what may be posted can be read two ways. On the one hand, you are protecting your readers from misguided or evil posters, but on the other, you are protecting yourselves from being made to look like something other than omniscient experts. Perhaps the two extremes are irreconcilable. I value the Internet greatly for being able to find others with similar/identical problems who have found and shared solutions, yet I recognize that at least ninety percent of the information scanned is worthless. The remaining ten percent is worth the effort. Perhaps you could establish a commentary feature that would allow you to screen entries before they post. I saw the bit about contacting you first, but is there a mechanism to smoothly do that? I wouldn't mind sending information directly to the "expert" for review and consideration. Give it some thought, and if you previously have, please advise.

Varon Mullis
Lieutenant Colonel
US Army, Ret.


EDIT: Removed link...Should have asked it privately

Edited by garmanma, 28 August 2009 - 05:24 PM.


#6 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 28 August 2009 - 07:10 PM

Hello oldmill,

I'm going to go straight to the point... Whether you think we are protecting 'our reputation as omniscient experts' as you say doesn't change why we have set those restrictions in place. We have set those because people were providing inaccurate and sometimes dangerous advice. Period. We have training 'schools' to spread the "ways of the helper" and this system works fairly well. There are many Team members here and all are dedicated to further their learning, otherwise they would rapidly become out of date and their skills would become insufficient to deal with the "latest and greatest" malware. This 'field' is an ever changing, ever morphing one and each Team member has access to ongoing research and testing about the most recent threats. But do not forget that these are people, who have lives, families, jobs and/or other engagements and who give of their time freely, no one is paid to do this. The research on new threats is done as soon as they are found (new threats) but sometimes it takes a while to get to the good stuff.

The particular infection you referenced is one such newish threat that is as of this moment being researched and progress is being made towards ripping it apart. For security reasons, the research that is being done is not public. If and when appropriate, the results may be shared, in an easy to follow guide. (Not saying this infection will have a guide, it may, it may not.)

We have a great deal of tutorials and guides for some of the most 'popular' infections. Our focus is first and foremost our members. We strive to have user friendly and easy to follow directions so most anyone can follow them and get cleaned. Most of our member base is made up of people whose technical abilities with the computer are limited. They just want it to work, and we cater to that in our responses. We aim to help those who cannot help themselves. We also aim to broaden their knowledge about security. Most people don't want to know how the infection loads, they want it out, gone. We offer that. We are by no means infallible, nor do we think we are.
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

Phear teh ceiling cat, for he is roofkittehd! - Basement Cat

I'm a Bleeping Folder, are you? - Join BC in the fight against diseases - Click here
Become a BleepingComputer fan: Facebook

#7 Guest_oldmill_*

Guest_oldmill_*

  • Guests

Posted 29 August 2009 - 12:39 AM

Galadriel - I've seen enough Gandalfs so I suppose Galadriel should be taken in stride.

You gave me a lot of words without saying a lot. My first career was as an Army Intelligence officer specializing in Cryptography. Such folks have highly evolved BS detectors.

The series I was commenting on, in its latest post by your expert, calls for using System Restore to back up a few days and reintroduce the virus file (he is skeptical, believing it to be a false positive). I am sure any number of followers of this thread could provide a copy of the relevant file, which is now missing from the original source. Correct me if I am wrong, but isn't the proper procedure for dealing with viruses to turn off System Restore on all drives at the outset? At least Symantec preaches that procedure, and I have personally cleaned a virus, then rebooted, only to find System Restore has replaced it, so the cleaning process must be repeated until System Restore is disabled. Perhaps your training program has simply overlooked that problem.

You have told me that you don't want help, even from those who have relevant information. That certainly sounds like an ego problem to me. Perhaps all my years at MIT, et al, and working at the National Security Agency (seven years) don't qualify me to carry water for you. And the experience gained from working on over ten thousand computers is as dust in the wind. I took my first computer class in 1962. What were you doing then? I try my best not to eschew help wherever I can find it; conversely, it must be nice to have so much talent on staff that you don't need any more. The correct word for that is hubris.

You sent me a condescending message. Don't be surprised that one was returned.

Varon Mullis
Lieutenant Colonel
US Army, Ret.

#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,049 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 29 August 2009 - 01:03 AM

Correct me if I am wrong, but isn't the proper procedure for dealing with viruses to Turn off System Restore on all drives at the outset?


Disabling System Restore as the first step when attempting to clean a system or when scanning for malware is not advisable. Unfortunately, some anti-virus vendors still recommend doing this before attempting malware removal and many folks follow that advice. This is really not a good practice when dealing with infected computer systems. Turning System Restore off and then turning it back on has some risk associated with it since that feature does not always work as intended. Further, there is always a possibility of something going wrong during the malware removal process and you end up with more problems. If an incident renders your system problematic or unbootable, you can use System Restore to return it to a previous working state. Without a restore point to fall back on, you are left with a limited means of restoring your system to a usable condition. Disabling this feature could mean having to perform a repair install (or reformat in worst case scenarios) if you're unable to fix any problems which System Restore may be able to correct. Although System Restore is not always 100% guaranteed to work all the time, it at least gives you another option before resorting to more drastic measures.

"System Restore and malware removal - what is best practice?"
"Should I purge all my restore point BEFORE removing infection?"

In the case of malware removal, the system restore is flushed once the malware has been removed.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

#9 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 29 August 2009 - 01:10 AM

Well, as a new member here, your alleged experience is, with all due respect, unproven. The Team members here were chosen based on their track record, and whether you think they are skilled or not has little influence on the reality of this forum and 'field'. We've been online for over 5 years, and I personally have been involved in one way or another in this 'field' for a few more as a volunteer. In all those years, I have seen many people come and boast of their ability and yet they come to us to solve the problems they face. We must be doing something right. Many of our Team Members are recognized experts in their own right; some have been awarded Microsoft's MVP status in one area or another. But I do realise that some people are never satisfied. I may not be an army vet or an MIT grad, but what skills I do have, I give freely, without question, and I support every team member on here and at other security boards. I could give you a list of my qualifications, but I know it would be a moot point, so I will say no more on that. What I will say, however, is that as an Admin/Mod on several high profile security forums, I too have a highly developed BS detector skill. 'nuff said. Seems to me that the ego problem is not with our team members who give freely of their time and expertise, but with some who prefer boasting of their years and years of experience. Your assumptions, sir, make you appear to be the one with an ego issue. I don't see anyone boasting of their skills on the team. Yet a member who just joined here does.

System Restore is a personal choice and opinion, but I am of the school of thought that an infected restore point is better than a non functional OS.

As for your comment on my nickname, I fail to see what this has to do with anything this topic is about. If you feel this was condescending, perhaps you should read your own words and think of how they sound. If someone came to you with such an attitude when all you offer is free help, how would you react, sir?
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

Phear teh ceiling cat, for he is roofkittehd! - Basement Cat

I'm a Bleeping Folder, are you? - Join BC in the fight against diseases - Click here
Become a BleepingComputer fan: Facebook

#10 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,260 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 29 August 2009 - 02:40 AM

Reading this thread is like watching a pissing contest where only one contestant has his pants down and then proclaims himself the winner because no one else piddled on the floor.

I am not an MIT graduate, nor have I served in the military (I would have if they'd let me), nor have I had decades of experience with computers, nor have I programmed a VAX-11 using nothing but my field knife and my own sense of self importance, nor single-handedly taught the NSA everything it knows about cryptography. These things I have not done, and so I must genuflect before the mighty and awesome ego of one who claims to have done them, mustn't I?

One thing I have done, however, is spend a great deal of time on the internet. I have spent the better part of my adult life here, visiting various and sundry websites, forums, newsgroups, and the like. I have learned many, many things from this activity. Among the things I've learned is that whenever someone starts spouting off about their skills, experience, or credentials they are, almost without exception, full of crap. True experts let their actions prove their skill; all others just blow hot air and hope no one notices.

The members of the Hijack This team have demonstrated their abilities; you, sir, have done nothing but criticize and condescend. You joined the forum two days ago and have made only six posts. Four of these posts in this thread alone wherein you tell us just how badly we conduct ourselves, and how much we should be grateful for any assistance you offer. You have provided little but self-aggrandizing criticism. You will understand, then, why we don't just jump up and rearrange everything to suit your tastes.

#11 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 29 August 2009 - 06:54 AM

I am closing this discussion, as it has degraded to nothing more than a waste of valuable time. Mr. Mullis, as a visitor here you were afforded free help in an attempt to resolve your computer problems. If you are uncomfortable with the advice given, feel free to seek counsel elsewhere. Your request for help will stay open as long as you want; I would suggest that you heed the advice given or inform the person that is helping you that you no longer wish to continue.

Perhaps all my years at MIT, et al, and working at the National Security Agency (seven years) don't qualify me to carry water for you. And the experience gained from working on over ten thousand computers is as dust in the wind.

Varon Mullis
Lieutenant Colonel
US Army, Ret.


With all that experience I find it hard to believe that you would require help, albeit help from an inferior source such as this site. Rest assured, I will be happy to forward your qualifications to the rest of the community at large.

Thank you for visiting Bleeping Computer.
Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook
