Hi malware fighters,
When you read the postings in the “virus and worms” you often see the use of a special anti-malware
tool, named ComboFix. ComboFix should be used in the hands of those that understand HJT logs and the
implications thereof. So use ComboFix here under guidance of a trained malware fighter.
ComboFix specifically targets SurfSideKick, QooLogic, Look2Me or any combination of that malware group. It also nicely picks out Vundo infections and clears some, but not all.
One of the better things it does is pick files recently created which can give clues to other infections. It’s very robust too. You can use it to unhook any dll in the system32 folder. You can use it to delete up to as many as 8 files using its command line functions. It deletes a bunch of files related to the infections above automatically and is updated fairly regularly. There is more but that’s it in a nutshell.
You could run ComboFix on your machine; it will cause no ill effects, it just scans and looks for specific files\folders. All the ones targeted are malware; it does not rely on any type of heuristics, so it’s highly unlikely, if not impossible, to remove something automatically.
There is even a list of files\folders it currently targets. So ComboFix is a “point & shoot” tool. The user could d/l it, run it and it will fix many things without user intervention. It’s very popular and easy to recommend to a user.
There are free training places where you can learn the art of HJT fixing better than just “reading up” on it. Here are some of the best …
TechSupportForums “Academy”
http://www.techsupportforum.com/tsf-academy/
Malware Removal “University”
http://forum.malwareremoval.com/viewtopic.php?t=233
Tom Coyote “Classroom”
http://forums.tomcoyote.org/index.php?showtopic=1421
Bleeping Computer “HJT Study Hall”
http://www.bleepingcomputer.com/forums/topic4970.html
Geekstogo “Geek University” (GeekU)
http://www.geekstogo.com/forum/Would_you_like_to_learn_to_fight_malware-t4817.html
SpywareInfo “Boot camp”
http://forums.spywareinfo.com/index.php?showtopic=34
Some of the people trained there or elsewhere are members of this forum, but if malware fighting
looks to be your thing, why not contemplate going there? Studying anti-malware routines teaches
you a lot, but always remember what is particular for that user cannot be used in another situation.
polonus