Posted 28 July 2010 - 03:28 PM
Hi all, first time poster here.
I work regularly with a commercial application, and I'm running into a rather odd situation that appears to be related to ComboFix.
As part of its basic functionality, the product creates log files of transactions that are transferred regularly to the host server by a local service. For instance, when a user makes a data change in the application, the transaction is logged on the local computer; the service contacts the listener on the server, and assuming it receives a valid response from the listener, it pushes the transaction log up to the host.
I do know that the service is transferring the files via TCP/IP. It determines the server name and port number of the listener based on the custom file extension of the transaction file.
Recently I've been doing some testing with ComboFix, based on reports that after running it, this process no longer works. I've been able to reproduce it myself: run ComboFix on a VMware image (even without a malware infection), reboot, and afterward the transaction files are created but they are never transferred up to the host.
I've attempted to track down the exact cause of the problem myself, but haven't hit upon it yet. I do know that whatever change is made by ComboFix, it is not in the application's files or registry; if I run ComboFix on the image, then install the app, it's still broken. The only solution I've found so far is to reinstall the OS. The application vendor states that because they don't have any information on what ComboFix does, they can't help with a more graceful solution.
I'm hoping that someone can give me some thoughts on what ComboFix might change that could cause something like this. I understand that details on exactly what ComboFix does are guarded (and I understand WHY, as well), but if anyone could point me in the right direction, I would greatly appreciate it.