
Possible CF bug again?


11 replies to this topic

#1 rossi420

rossi420

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:14 PM

Posted 21 May 2011 - 04:19 PM

Hey folks, I'm a long time lurker & admirer on the site but up until now I've never had call to register.

Today I was doing a few scans on a friend's x86 XP SP3 PC (the joys of being an IT professional, these things tend to land in your lap) and my suspicions led me to run, amongst other things, ComboFix on the machine in question*. Now usually this tool behaves itself quite well but today it seems to have gone a little awry: after copying across and launching the version that resides on my USB stick (which was last manually updated perhaps a week ago) it began updating itself, then proceeded to install the recovery console and begin scanning. During the scan, it decided that the entire contents of the Program Files folder required deletion and proceeded to quarantine the lot. Not a big problem really, it's easily enough restored (though I'll have to boot into Linux as my batch scripting is awful, no idea how to mass rename!) but I was just wondering if perhaps the bug that popped up in January had made a reappearance? I couldn't find anything on the site that would indicate this and felt that if it had, it might be worth bringing it to the attention of the author and community.

Thanks in advance!
Ross

*Log on request, if I'm not mistaken they're not allowed in here!



#2 Falcon Kirtaran

Falcon Kirtaran

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 21 May 2011 - 08:56 PM

I, too, had this problem. I ran it twice today; on one machine it worked well, but on the other, it deleted nearly everything in the Program Files folder.

To compound my woes, I can't get the unquarantine script to work. I tried to do it like this:

<script removed>

Is that incorrect? I want to unquarantine everything.

Edited by elise025, 22 May 2011 - 03:26 AM.
script removed for security reasons ~Elise


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 22 May 2011 - 03:32 AM

The developer is aware of this bug and it has been fixed with the next version. If you have been the victim of this bug and you need help restoring your Program Files content, please let us know.

Do NOT post any Combofix logs here, they will be removed. Instead, if you need help removing malware, follow the steps in the Preparation Guide.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#4 rossi420

rossi420
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:14 PM

Posted 22 May 2011 - 09:06 AM

> The developer is aware of this bug and it has been fixed with the next version. If you have been the victim of this bug and you need help restoring your Program Files content, please let us know.
>
> Do NOT post any Combofix logs here, they will be removed. Instead, if you need help removing malware, follow the steps in the Preparation Guide.


Thanks for the confirmation Elise. I've restored everything on my end, but confirmation of the method Falcon was attempting would be appreciated for future reference.

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,205 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:14 PM

Posted 22 May 2011 - 09:34 AM

> confirmation of the method Falcon was attempting would be appreciated for future reference.

Combofix's developer has requested that information on the inner workings of Combofix is restricted. At BC we respect this, and for this reason the use of that particular script will not be discussed here. For the same reason I have also removed the posted script. Besides this, using scripts without proper understanding can lead to a lot more damage, and I strongly recommend against trying.

regards, Elise




#6 rossi420

rossi420
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:14 PM

Posted 22 May 2011 - 10:03 AM

> Combofix's developer has requested that information on the inner workings of Combofix is restricted. At BC we respect this, and for this reason the use of that particular script will not be discussed here. For the same reason I have also removed the posted script. Besides this, using scripts without proper understanding can lead to a lot more damage, and I strongly recommend against trying.


Fairy snuff, it's easy enough to remedy without the script anyway.

Thanks again!

#7 Falcon Kirtaran

Falcon Kirtaran

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 22 May 2011 - 03:06 PM

> Combofix's developer has requested that information on the inner workings of Combofix is restricted. At BC we respect this, and for this reason the use of that particular script will not be discussed here. For the same reason I have also removed the posted script. Besides this, using scripts without proper understanding can lead to a lot more damage, and I strongly recommend against trying.


It would be incredibly nice to know if I was at least on the right track. I have since used Linux to restore the files, so it's no longer crucial. However, I would far rather not disassemble the application and experimentally determine how to restore mistakenly quarantined files; could I at least know whether the commands I was using were syntactically correct? I am not terribly worried about damaging Windows installations as I have a test environment.

How does one determine if CF is even running the script? Does it intentionally appear to be doing the exact same thing it would if you had not run the script, or does it give an indication?

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,484 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:14 PM

Posted 22 May 2011 - 03:35 PM

As elise025 said, discussion pertaining to how Combofix works, what it can or cannot do, etc. is not available to the public. The primary reason is to safeguard and protect the integrity of the tool from malware writers.

Safeguarding ComboFix from malware writers is necessary and important so that we can continue to use it without attackers having knowledge of how to defeat it. Everything we discuss can be read by the bad guys. Yes, they read forum topics looking for clues on how to circumvent our tools. We don't want to provide any information they can use against us, so we deliberately limit discussion, which sometimes may appear vague or not fully address a specific question.

As such, the developer does not want his tool discussed outside of private forums and therefore we cannot answer specific questions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#9 Falcon Kirtaran

Falcon Kirtaran

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:14 PM

Posted 22 May 2011 - 07:44 PM

I get that. Who or where can I ask?

Sorry to drag this so far off topic, though. It seems the bug has not shown its face again...

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,484 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:14 PM

Posted 22 May 2011 - 08:57 PM

If you want to learn more about ComboFix you will have to enroll in the Malware Removal Training Program here at BC (if space is available) or one of the other various Unite Schools where such training is offered. In that environment experts will train those interested in assisting others with malware removal and how to use specialized fix tools like ComboFix. Once training has been completed, you will have access to the ComboFix discussion thread to learn more specific information about the tool and ask any questions.

Edited by quietman7, 22 May 2011 - 09:01 PM.


#11 JD13x

JD13x

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:14 PM

Posted 26 May 2011 - 08:45 PM

I have this same problem.
I ran the supposed solution only to find it did nothing...
I've been pulling my hair out for the last 3 days. Luckily it isn't my main computer.
All my files have been moved to the quarantined folder with the .vir extension.

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,484 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:14 PM

Posted 27 May 2011 - 07:47 AM

Hello JD13x

hamluis has already responded in your other thread here. If you have further questions, please continue in there. Please do not start new threads or duplicate topics, as this causes confusion and makes it more difficult to get the help you need to resolve your issues. Further, it necessitates staff spending time on housecleaning to remove or close those duplicate postings... time which could have been provided to others needing assistance.