
Combofix and pciide.sys



#1 yj7777

yj7777

  • Members
  • 7 posts

Posted 21 November 2009 - 07:13 PM

Hi
I am the guy who originally posted the message about combofix screwing up my two computers last night.
I find it very amusing that they locked the thread about combofix screwing up many computers so we wouldn't embarrass the developers even further.

Like one of the people who posted a message to my thread, I found out that combofix quarantined and deleted C:\Windows\System32\Drivers\pciide.sys from both my systems.
I found this out after I slaved one of the hard drives that wouldn't boot into one of my computers and I saw the pciide.sys file had been quarantined as a virus with yesterday's date, but after I scanned the quarantined file in totalvirus.com, the scan came back clean.

I've had to reinstall XP on one of my computers and right now I am going to reimport some of the software registry hives so I don't have to reinstall all the software.

I am going to slave the second computer's drive into one of my working computers and copy pciide.sys from a working system (they are both the same computer model) and I think that should make the system bootable again.

Please do not delete this thread, as I would like people to know that if they restore the C:\Windows\System32\Drivers\pciide.sys file that combofix quarantined and deleted, their system may have a chance to come back to life.

I can't believe the irresponsibility of the combofix developers trying to sweep this matter under the rug.
The least thing you can do is to admit you guys screwed up.

I have been using combofix for years without any problems without "supervision" because I have over 15 years of administering servers professionally.
There is no excuse for shoddy programming, no matter how "powerful" Combofix may be.

Combofix is truly an amazing tool, and it has gotten rid of spyware no other software was able to get rid of..
Unfortunately combofix has managed to do what no spyware has ever done to two of my computers, which is to render them unusable.
It seems the cure has become worse than the disease.

Edited by yj7777, 21 November 2009 - 07:28 PM.



#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 21 November 2009 - 09:11 PM

> I can't believe the irresponsibility of the combofix developers trying to sweep this matter under the rug.
> The least thing you can do is to admit you guys screwed up.


Again, one of the reasons it is not recommended to use ComboFix without supervision is because of these kinds of problems, as you already know. What hasn't been pointed out is that, if you had had supervision, your helper could have gotten in contact with CF's author to resolve the issue. He won't do that with people who ignore the disclaimer and run it on their own--he uses his time to make CF better.

> I can't believe the irresponsibility of the combofix developers trying to sweep this matter under the rug.
> The least thing you can do is to admit you guys screwed up.


It never has been and never will be designed for the general public.
Read the disclaimer. You were warned.

Edited by garmanma, 21 November 2009 - 09:15 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 21 November 2009 - 09:15 PM

> I find it very amusing that they locked the thread about combofix screwing up many computers so we wouldn't embarrass the developers even further.


You are not embarrassing the creator of ComboFix at all. You are, however, going against his will not to discuss this tool outside of a forum that has helpers that are able to help you use the tool correctly. ComboFix isn't a piece of software to be used like you would Malwarebytes or Superantispyware. That is why there are warnings about its use everywhere, and why we only use the tool with supervised assistance. You failed to follow our advice, so don't fuss about your system crashing.

This thread will be temporarily closed. If this thread is to continue, it will be with people who are authorized to answer the questions posed. I am forwarding your concerns to the admins of the board who will address your concerns.



Edit: Allow me to add a few comments from a wise malware expert - Papakid:

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that is ComboFix is meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through, s/he leaves the room. So combofix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.


From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

Edited by rigel, 21 November 2009 - 09:26 PM.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 23 November 2009 - 03:22 PM

> I find it very amusing that they locked the thread about combofix screwing up many computers so we wouldn't embarrass the developers even further.


We have a general policy not to get into too much detail about the inner working of CF so that malware developers can't take advantage of it. It was for this reason that the topic was closed, not for any other reason. If we wanted to hide it, it would have just been deleted. In hindsight, though, we do feel that we prob jumped the gun and should have left the topic open for those who needed help fixing their computer from this FP that you had described. I apologize for that. Going forward we will treat any problem a person has after running CF just like any other problem a member would come to us with and help you resolve them.

> Like one of the people who posted a message to my thread, I found out that combofix quarantined and deleted C:\Windows\System32\Drivers\pciide.sys from both my systems.
> I found this out after I slaved one of the hard drives that wouldn't boot into one of my computers and I saw the pciide.sys file had been quarantined as a virus with yesterday's date, but after I scanned the quarantined file in totalvirus.com, the scan came back clean.


Yup, this was a FP that was addressed.

> Please do not delete this thread, as I would like people to know that if they restore the C:\Windows\System32\Drivers\pciide.sys file that combofix quarantined and deleted, their system may have a chance to come back to life.


This is absolutely correct. Just replace the pciide.sys file and the computer will boot up normally again. This should work 100%.

> I can't believe the irresponsibility of the combofix developers trying to sweep this matter under the rug.
> The least thing you can do is to admit you guys screwed up.


As discussed this was not an issue of the developer trying to sweep anything under the rug. The closing of the topic was simply our policy when it comes to CF topics. As stated above, we will be changing our policies in regards to topics, like this one, so that people can discuss how to resolve their problems.

> I have been using combofix for years without any problems without "supervision" because I have over 15 years of administering servers professionally.
> There is no excuse for shoddy programming, no matter how "powerful" Combofix may be.
>
> Combofix is truly an amazing tool, and it has gotten rid of spyware no other software was able to get rid of..
> Unfortunately combofix has managed to do what no spyware has ever done to two of my computers, which is to render them unusable.
> It seems the cure has become worse than the disease.


I agree. CF is quite an amazing tool and does a better job than many commercial antivirus programs in getting rid of some of the most pervasive and nasty infections out there. If you only knew the amount of hours that the developer puts into this tool, I think you would be a little less harsh in your statements. Was this a disastrous FP? Yes. Does it make it worse than the disease? I don't think so. Let's also remember that disastrous false positives are not the sole province of CF. I think if you googled around enough, you would find that many commercial programs have had similar situations in the past.

Let's take a look:

AVG
Kaspersky
Trend Micro
Sunbelt
McAfee

I am sure I could dig down more and find some others if I wanted to. I think, though, this is a good enough sample to show that no matter what security product you are going to use, there is always going to be the potential for FPs. So I do not think this one FP lessens the value of CF at all.

With that said, I think BC could have handled it better and we will do so in the future. Thanks and I appreciate any comments you may have.
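The recovery the thread describes (copying pciide.sys from an identical working machine onto the slaved drive) is safer when the quarantined copy is first checked against the known-good one, so that a genuinely modified driver is not put back. The following is an added example, not code from the thread, ComboFix or BleepingComputer; all paths and file contents are constructed placeholders.

```python
# Added example: verify a quarantined driver against a known-good copy from an
# identical machine before restoring it, and record the decision. Paths and the
# driver bytes below are constructed placeholders, not real pciide.sys content.
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_if_known_good(quarantined, reference, destination):
    """Place the reference copy at destination only if the quarantined file
    matches it byte-for-byte. Returns a dict describing the decision."""
    q_hash, r_hash = sha256_of(quarantined), sha256_of(reference)
    result = {"quarantined_sha256": q_hash, "reference_sha256": r_hash, "restored": False}
    if q_hash != r_hash:
        result["reason"] = "quarantined copy differs from known-good copy; do not restore"
        return result
    if os.path.exists(destination) and sha256_of(destination) == r_hash:
        result["reason"] = "destination already holds the known-good file"
        return result
    os.makedirs(os.path.dirname(destination), exist_ok=True)
    shutil.copy2(reference, destination)  # copy the known-good file, not the quarantined one
    result["restored"] = True
    result["reason"] = "hashes match; known-good copy placed at destination"
    return result


def demo():
    """Constructed scenario: a clean quarantined driver, then a tampered one."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "working_system", "pciide.sys")
    quar = os.path.join(root, "quarantine", "pciide.sys.vir")
    dest = os.path.join(root, "slaved_drive", "Windows", "System32", "Drivers", "pciide.sys")
    for p in (good, quar):
        os.makedirs(os.path.dirname(p))
    with open(good, "wb") as f:
        f.write(b"MZ placeholder driver image")  # constructed stand-in for a driver
    shutil.copy(good, quar)                      # clean quarantine: identical bytes
    first = restore_if_known_good(quar, good, dest)
    with open(quar, "ab") as f:
        f.write(b"X")                            # simulate a modified quarantined copy
    second = restore_if_known_good(quar, good, dest)
    return first, second
```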



