
The locking of combofix/pciide.sys threads (not a tech problem)


10 replies to this topic

#1 Interested

Interested

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 22 November 2009 - 11:51 PM

First, I would like to thank those helpers in all the forums here. You all sacrifice a great deal, and help a lot of people. Now, on to the meat.

I recently discovered the pciide.sys issue with combofix. It wasn't a severe issue for me, and I have been using this sort of software, as well as sdfix, smitfraudfix, etc. for a long time. I have occasionally had good files flagged/deleted by decent software, and it doesn't really bother me. Everyone makes mistakes, and there are plenty to make. Combofix is an amazing tool, but certainly not for someone unfamiliar with it.

However, I have to say I am disappointed with the locking of the threads regarding the pciide.sys problem. True, he may not have been in the right forum, but it looks overly defensive to lock the thread, and criticize someone for using CF without guidance. Anyone using Combofix *with* guidance under these circumstances will have pciide.sys flagged and quarantined. Upon reboot of the machine (happens automatically quite often) they will be in a reboot loop unless they have disabled auto restart.

EDIT: this may prevent them from coming back to the forum, leading the helper to think the problem is resolved and the thread abandoned

Please do not deflect from the issue at hand, which is that Combofix had a release that was deleting an important system file. Bug should be submitted, poster should be asked to post in the correct forum next time, and everyone should just move on. Having said that, that's what I am doing.

Thank you all, and thanks especially to the ComboFix author, who has saved so many so much time and money.

Edited by Interested, 22 November 2009 - 11:52 PM.




#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,257 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:09:51 AM

Posted 23 November 2009 - 07:44 AM

OK, thanks...happy computing :thumbsup:.

Louis

#3 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:10:51 AM

Posted 23 November 2009 - 07:48 AM

Please do not deflect from the issue at hand, which is that Combofix had a release that was deleting an important system file.


You are correct, but the issue wasn't deflected. It was in fact dealt with in an organized, effective manner. The issue has been resolved by the author.

The issue with using ComboFix without guidance is a big issue. Many members run into problems and then complain when their computer will not boot again. When ComboFix was created, it was designed to be used with a trained person helping you. No arguments. In this case, the helper would have dealt with the error, contacted the author via internal channels, and then helped the member solve the issue with a tested solution.

We are here to help, but want to make sure that a quick fix doesn't do more harm than good.

If you are having trouble with the pciide.sys problem, please let us know and we will be glad to give assistance to get you running again.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#4 Interested

Interested
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 23 November 2009 - 08:58 AM

No problems here. Recovery console does not seemingly allow you to enter the Qoobox directory (permission denied), and I was actually looking forward to having a use for it (having installed it so many times by this point). Since I had another box handy that can read and write ntfs (ntfs-3g through FUSE) I just used that to move the file back into place. I have since looked through some documentation on the recovery console, and note a "logon" command that may be useful. I will certainly try it next time, since RC did not ask me for an admin password on entering that mode.

The only issue would be if that had been an end-user, who might not have a spare machine. I just don't feel that it's a helper/non-helper issue in that regard, since a reboot loop is likely, and unless the person has another computer, they aren't in a good situation for getting back in contact.

In any case, I appreciate your offer of help, and explanation, and wish you all the best as I resume my lurk.

#5 Ken-in-West-Seattle

Ken-in-West-Seattle

  • Members
  • 518 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 23 November 2009 - 09:20 AM

Can someone point me to the details on this issue? I have been a tech for 20 years but I don't consider myself trained in malware/rootkit issues. I would like to get up to speed on how to use combofix safely and appropriately and avoid this error.

I don't intend to offer help in any malware removal threads until I know what I am doing. I DO know hardware and laptop repair and do it every day.

If links to this info should not be posted in public threads to avoid misunderstanding, perhaps a PM pointer?

#6 Beenthere

Beenthere

  • Members
  • 118 posts
  • OFFLINE
  • Local time:03:51 PM

Posted 23 November 2009 - 09:49 AM

I can only assume that sUBs has rectified the issue already.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,961 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:51 AM

Posted 23 November 2009 - 10:01 AM

Can someone point me to the details on this issue? I have been a tech for 20 years but I don't consider myself trained in malware/rootkit issues. I would like to get up to speed on how to use combofix safely and appropriately and avoid this error.

ComboFix is a specialized tool created for forum experts who assist others with removing malware infections.

Discussion pertaining to how ComboFix works, what it can or cannot do, what the log results mean, any future plans, updates, etc. is not available to the public in order to safeguard and protect the integrity of the tool from malware writers. As such, the developer does not want his tool discussed outside of private forums and therefore we cannot answer specific questions. ComboFix's disclaimer clearly states that it is intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Please read ComboFix's Disclaimer. That's the decision by the creator and we will abide by that decision.

The only public information that is available can be found in this authorized guide: How to use ComboFix

If you want to learn more about the program you will have to enroll in one of the Malware Removal Training Programs here at BC (if space is available) or one of the other major security communities where such training is offered. In that environment experts will train those interested in assisting others with malware removal and how to use specialized fix tools like ComboFix.

Edited by quietman7, 23 November 2009 - 10:03 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 Ken-in-West-Seattle

Ken-in-West-Seattle

  • Members
  • 518 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 23 November 2009 - 12:04 PM

Thanks Quietman.
With google I found the admissions page and will check regularly for an open slot. I have the time, I have the brains and I have the experience and await an opportunity.

Meanwhile I will continue to fix computers and networks for those who cannot pay commercial repair shops and contribute here in forums where I have the expertise.

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,961 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:51 AM

Posted 23 November 2009 - 12:27 PM

You're welcome.

If you need more information on BC's school and/or other training programs that are available, please send me a PM.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,472 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:10:51 AM

Posted 23 November 2009 - 03:01 PM

Interested, do you remember the link to the topic you are referring to in the first post? This one?

Ken-in-West-Seattle, CF had a false positive on the pciide.sys system file. As has already been said, this has been resolved, so unless you had issues with this in a topic or client, you don't have to worry about it anymore.

ComboFix topics are a tricky business as we do not want to release too much information publicly where it may get into the hands of malware developers who could use that information to bypass the routines in CF. At the same time we have to weigh the fact that we have users who need help when they have problems after running it, supervised or unsupervised.

What was seen by the topics in question was not a cover up by any means. We just have a general policy to not go into specifics on the program. In this case, we may have jumped the gun too much and not allowed that topic to remain open so that others could benefit from the information. I personally reopened it in case people have the problem and need help.

With the popularity of CF, and the occasional hiccups that people run into from time-to-time, we will be relaxing how we deal with CF topics so the above situation does not occur again. We still stand by our stance that the only information available is the info in the guide, but we will make sure that we help those who have problems after running CF, just like we would help any other member who has a computer problem.

#11 Ken-in-West-Seattle

Ken-in-West-Seattle

  • Members
  • 518 posts
  • OFFLINE
  • Local time:07:51 AM

Posted 23 November 2009 - 05:17 PM

No problem with restricting the info. I use combofix unsupervised on my own systems and cloned infested drives of some of the systems I have fixed or reinstalled, so I am aware of several rather serious mistakes that can be made and how to recover from a few :thumbsup: I have network backup servers and use dd and clonezilla to back up images of everything I work on.

I realize I don't have enough info to use it effectively or safely on anyone's system but that is my goal.

I like complex puzzles and this area seems to be the hardest game in town :flowers: My local community college is infested with w32 autorun and koobface at epidemic levels.

I am entirely self taught from auditing science courses at Harvard in the 70's to buying an auction lot of dead 286 and 386 systems in the late 80's and working out how to repair 60% of them. I heated my apartment with a system 370 and have used linux since Yggdrasil and solaris since it replaced sunOS 4.4. I had a really ugly web page on the CERN server Randall Schwartz installed on Teleport

I understand the prohibition on use of this tool by the general public but I have been struggling against information monopoly all my life and will continue to hack, disassemble and in some cases, utterly destroy my own equipment in the quest for knowledge :trumpet:

At the moment I have finally located the service manual for my saeco espresso machine (another freebie from someone who found it was "too complex") and will probably have to disassemble/reassemble it a few times to see how it works. That might keep me busy for a week or more.


I will sign up when a slot opens and investigate the other members of UNITE to see if their classes have room.



