Jsmply asked:

Do you trust and use HitMan Pro?

Hi Experts

On our test machines lately we have found a few infections that HitMan Pro removed that MBAM or SAS did not. This is especially true of rootkits. We are always wary before using new products on production machines. Do you use and/or trust HitMan Pro?

One thing we noticed is uninstalling seems to leave a few files on the system.

Thanks.
ASKER CERTIFIED SOLUTION by younghv
This solution is only available to members.

SOLUTION
This solution is only available to members.
Jsmply (ASKER):
Thanks all, it's good to know, and we won't use HitMan then. Never had MBAM render a computer unbootable in lots of uses. Do you recommend anything in conjunction with MBAM, as it does not seem to do very well with TDSS, as RPGGamerGirl said? Had a machine recently that MBAM removed some infections from and was then reporting it was 100% clean (even a full scan) despite the fact it still would not show the desktop and was still infected with a rootkit.
Jsmply (ASKER):
We worked on another test machine in-house that had a TDSS infection. MBAM, SAS, and Kaspersky's TDSS Removal tool were unsuccessful in removing it. The only thing that worked is Combofix. Is there any tool that will work as well as (or close to) Combofix with a less stringent disclaimer? Typically if Combofix is used on a production machine we will make a help post somewhere as bleepingcomputer recommends, but that is a pain if needing to attempt removal on the spot for an important machine.

RPG, is there a similar tool you recommend? If not, can Combofix be run without making a post someplace first, as long as you let Combofix do its own thing and not try to act upon the log without further instruction? It seems that it's able to remove a lot of nasty infections right out of the box and has never caused any problems on any test machines.

"We worked on another test machine in-house that had a TDSS infection. MBAM, SAS, and Kaspersky's TDSS Removal tool were unsuccessful in removing it. The only thing that worked is Combofix."

It must've been a new variant of TDL4 that TDSSKiller didn't have updates for yet. TDL4 modifies the MBR, and CF can detect and clean it. If CF detected a modified MBR but doesn't cure it, it then needs user interaction using a script to fix the MBR, or a fix via RC.


"Is there any tool that will work as well (or close) as Combofix with a less stringent disclaimer?"

There are other tools similar to ComboFix in a way, in that they also have a script function, but they only remove files using a script; they are not automated removal tools.
ComboFix is the only scanner that is so powerful, has many functions, and is capable of detecting and removing a multitude of infections.


"If not, can Combofix be run without making a post someplace first, as long as you let Combofix do its own thing and not try to act upon the log without further instruction?"

ComboFix is supposed to be used with guidance from a helper, so in case something happens someone can help you revert the process. BUT, if you want to use it on your own without a Helper no one will stop you... I'm not advising you should, but that's up to you.
ComboFix is a very safe tool; it is better and has more safety nets than any other tool. So it should be okay if you don't act upon the log...
Bear in mind that ComboFix will not automatically remove all infections present in the system. Some viruses that it doesn't recognize have to be removed using a script (that's another reason a helper's guidance is needed).
And some infections that hook into the system's crucial files/registry entries CF will not attempt to remove unless RC is installed.
If you just let it do its own thing no harm will happen, though the system may not be thoroughly cleaned. You can show us the log afterwards and ask for further instructions.
Also remember, after running ComboFix, you must not uninstall it until you know that everything is running fine. If something happens due to CF, everything that CF did can be reversed, even up to the point before the scan.


"It seems that it's able to remove a lot of nasty infections right out of the box and has never caused any problems on any test machines."

sUBs has done a very good job with ComboFix, and he updates it often. ComboFix is an awesome tool. When using ComboFix it should always be freshly downloaded, not a week or a few days before. It is optimized to run in normal mode, so safe mode is not necessary unless the PC can't boot in normal mode. Also make sure the AV shield is turned off when CF is running so it doesn't interfere with its scan.
Jsmply (ASKER):
Thanks RPG. The reason for asking is it seems more and more of our users are ending up with infections that MBAM, SAS and others can't remove on their own. This week alone several users ended up with "Windows XP Recovery", which ended up hijacking the whole desktop, etc. Part of being a non-profit with volunteers is there's little opportunity for user education. Anyway, would it be safe in those situations where MBAM and the like don't work for Combofix to be run? If it removes the symptoms of the problem, is it safe to assume it was able to clean the infection? The issue is in a large user base there might be several issues a week, and it would take a lot of support posts lol.

Thanks as always, you are a huge asset to EE and as I've said before being able to learn from you is worth the membership fee alone!
You're welcome, glad to be of some help.

With Windows XP Recovery, don't run ComboFix!
You need to use MalwareBytes for this (MalwareBytes will run; just follow the bleepingcomputer tutorial on Windows Recovery and then use Unhide.exe to restore the hidden files and folders and restore the desktop shortcuts and Program Files menu shortcuts).
http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

If you use ComboFix you will end up not being able to recover those missing desktop shortcuts. Windows XP Recovery deletes desktop shortcuts and Program Files menu shortcuts and puts them into this folder: %temp%\smtmp. If you run ComboFix it will empty your temp folders, and the smtmp folder will be gone.
So instead of the malware actually deleting those shortcuts for good, it stores them somewhere else so the user can still restore them... a very kind malware-writer, huh?
For those users whose systems were infected with Windows XP Recovery and had run CCleaner, ComboFix or other tools that clean the temp folders, all is not lost; there are ways to recover them manually.
Oftentimes a rogue (such as Windows Recovery) also comes with rootkits, so after running MBAM, once Windows Recovery is gone and Unhide.exe has been run to restore those missing shortcuts, it is then okay to run ComboFix to clean out whatever rootkits MalwareBytes missed.
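A small defensive check, added here as an example and not taken from the thread or from any of the tools discussed: before running anything that empties the temp folders on a machine hit by this rogue, preserve %temp%\smtmp so the shortcuts it stashed there can still be restored afterwards. The backup location C:\smtmp_backup is an assumption; change it to suit.

```powershell
# Added example (not from the thread): copy the %temp%\smtmp folder that the
# Windows XP Recovery rogue uses to stash Desktop / Start Menu shortcuts to a
# safe place before any temp-folder cleaner (ComboFix, CCleaner) wipes it.
param(
    [string]$Source     = (Join-Path $env:TEMP 'smtmp'),
    [string]$BackupRoot = 'C:\smtmp_backup'   # assumed location, adjust as needed
)

function Backup-SmtmpShortcuts {
    param([string]$Source, [string]$BackupRoot)

    if (-not (Test-Path -LiteralPath $Source)) {
        Write-Output "No $Source folder found; nothing to preserve."
        return $null
    }

    # Timestamped destination so repeated runs never overwrite an earlier copy
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupRoot "smtmp-$stamp"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Copy the whole tree as-is; -Force also handles read-only attributes
    Copy-Item -LiteralPath $Source -Destination $dest -Recurse -Force

    # Report what was preserved so whoever reviews the case can see it
    $lnk = Get-ChildItem -LiteralPath $dest -Recurse -Force -Filter *.lnk -File
    [pscustomobject]@{
        Source        = $Source
        Backup        = $dest
        ShortcutCount = $lnk.Count
        Shortcuts     = @($lnk | ForEach-Object { $_.FullName.Substring($dest.Length) })
    }
}

Backup-SmtmpShortcuts -Source $Source -BackupRoot $BackupRoot
```

Run it from an elevated PowerShell prompt on the affected machine; the returned object lists every .lnk it preserved, which is what you would check against the desktop and Start Menu once Unhide.exe has been run.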
Jsmply (ASKER):
Thanks RPG. I guess there are two questions now.

1 - Windows XP Recovery was more of an example, but you sparked some curiosity, so we just went ahead. Since we happened to have a machine sitting here from last week that had been infected with Windows XP Recovery manager, which we were planning to re-image and deploy to someone else anyway, we went ahead and ran Combofix on it first just for educational purposes. Upon a reboot, CF seems to have cleared it up, and the desktop icons and program listings returned. Was that not supposed to happen via CF?

2 - The original question still stands; Windows XP Recovery was more of an example, but perhaps a bad one. For infections that cannot be cleaned via MBAM (rootkits, etc.) would it be SAFE to run CF and let it do its thing automatically as long as all symptoms disappear? If it does, great, and if not then request a script?
My bad... that was a wakeup question because it made me check on CF updates.
Yes, ComboFix has been updated for this variant... it still removes temp folders but will also take care of/restore the files from the smtmp folder.
Jsmply (ASKER):
Thanks. When was it updated? The Combofix file downloaded was from last Monday (the 16th I believe), which is usually a no-no as you stated above, but again this was just for fun/education on a machine that was about to be re-imaged anyway.

Has it been updated for over a week? Just to clarify, if it didn't work we would not see the shortcuts showing up at all, right? Or would we have to go through and check that all the shortcuts actually work?
"would it be SAFE to run CF and let it do its thing automatically as long as all symptoms disappear? If it does, great, and if not then request a script?"

It's safe to run it (using it properly)...
When the symptoms are gone, that doesn't always mean that the system is clean, so it is always important to look at the CF log, making sure that there are no bad files or registry entries showing in the log. So it doesn't hurt to post the log for us to look over; it's up to you.
Jsmply (ASKER):
Great, thanks. So is there ever a situation where you DON'T want to run Combofix at all? Would this be a place where the "helper" would advise even before Combofix is run (perhaps with a HJT log or something similar)?

It seems like the situation you described above might have been one... where Combofix could have been run before it was updated to address the Windows Recovery Manager shortcut situation? Although it sounds like all that would have been lost is shortcuts, perhaps some situations are more serious?
Sorry, not sure exactly when CF was updated for Windows Recovery; I don't have that info (there have been a few updates this month).

I can't think of a situation ever where you don't want to run ComboFix at all.
HijackThis is not bad for starters, but it is no longer a reliable scanner, as a lot of infections won't show up in the scan. So posting a HijackThis log and getting feedback that the system is clean gives you a false diagnosis. An OTL log would be better; OTL is an excellent diagnostic tool because it does a lot more than HijackThis. The author even states it's HijackThis on steroids.
A HijackThis log is better than none, I guess; at least the helper will know what is installed and running, as some installed programs like CD emulators interfere with rootkit scanners and CF fixes.
Jsmply (ASKER):
Thx!
No problem.

Thank you for using Experts-Exchange!