Solved

Can Running ComboFix Make the Situation Worse?

Posted on 2010-08-23
15
804 Views
Last Modified: 2013-11-22
I have used ComboFix multiple times to successfully clean PCs infected w/ malware. However, in the past 2 months I had two separate experiences where running ComboFix seems to have caused the systems to become even slower & more unstable than they were originally. In both cases, they were older laptops (about 5 years old) running Windows XP Home w/ SP2 or SP3.

Has anyone else experienced this?
Question by:anuneznyc
15 Comments
 
LVL 24

Expert Comment

by:B H
ID: 33505424
sometimes that happens - combofix does a lot... but usually only good things.  

you can have situations where combofix removes a virus that was so embedded, that windows is never the same without the virus.  in some cases, if the virus was a device driver, windows might not even boot up anymore

i haven't seen anything that i can nail down to a specific OS service pack or update, or even specific viruses... just seems to be case by case, you just never know.

i only run combofix when everything else fails, it's either combofix or a reinstall anyway, so can't hurt that much if i've already blocked out the time to do a reinstall
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33505468
There could be some other reason(s) for system to go slow, however I have never seen Combofix causing system to slow down.

Sudeep
0
 

Author Comment

by:anuneznyc
ID: 33507433
Bryon, curious to know what other anti-spyware programs you run and in what order. In the past I have successfully used Malware Bytes to remove spyware, but in some cases had to also run ComboFix to clean infections that MB did not remove. But now that I've had these 2 negative experiences, thinking I should take your approach and only run CF as a last resort.
0
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 100 total points
ID: 33508387
You should find this article by rpggamergirl helpful:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1979-THINGS-YOU-NEED-TO-DO-WHEN-YOUR-PC-IS-INFECTED.html

See under sub-heading "Download the Tools and start the cleanup".  
Some users may opt for not initially running Cleaners(or not even at all) and starting with Malwarebytes, leaving ComboFix until last (as you intimated).

My own more recent thoughts are to run Malwarebytes, followed by Hitman Pro 3 a 'Second Opinion Malware Scanner'    
which uses Scan Cloud ....well worth reading this whole article:
http://www.surfright.nl/en/hitmanpro
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 33508454
Further thoughts ... imho i believe that running ComboFix does present a ~very slight~ risk to a system, but it's a risk worth taking especially when a machine is suspected to be quite infected ....but i'm not aware of any slowness caused by running ComboFix, and it has to date proved to be an excellent tool ... i think of it as being 'one of the big guns' perhaps!
0
 
LVL 24

Accepted Solution

by:
B H earned 250 total points
ID: 33509591
usually i go in an order like this - of course it varies depending on what symptoms are present

1. kill all running processes that dont belong there - if one keeps coming back, make a note of it
2. check the common regedit startup locations (user/machine/winlogon-notify) and liberally delete things (adobe, java, viruses, etc)
3. kill the common temp places: locals~1\temp, locals~1\tempor~1, windows\temp, windows\prefetch
4. kill anything weird in programfiles
5. run malwarebytes (goes faster after 1-4 above)
6. deal with anything left over, like a repeating process from #1
     (find that process on the drive, loop a batch file "del %1, if exist repeat, if not exist quit" while ending the process manually, that way it really really goes away)
7. if symptoms are still present (popups, clickjacks, redirects, etc) then we have to use tdsskiller
8. if symptoms are still present, it's a driver that tdsskiller can't get so at that point, combofix slash repair install
9. i've had things live thru a repair install - well not necessarily live past but the network drivers were still destroyed because one virus might like to change all your windows/inf files - at that point it's easier to just format/reinstall

that whole process 1-7 above usually takes me about 20-30 minutes depending on temp files.  combofix can be another 30 minutes.

after i'm confident the machine is clean, i'll usually recommend the client buy malwarebytes so we can leave it auto-run, auto-update, auto-scan, auto-delete, while watching connections 24x7.  i'll also remove whatever crap antivirus they used to have (usually norton) and replace it with the free version of avast - then i'll set avast to auto-chest > auto-delete without asking and without notification - so the user can't accidentally let the virus live next time.

if time allows i'll get them on the right track with microsoft updates, or at least leave them a text document on how to perform basic maintenance.  if they're really nice i'll go a few extra steps and ccleaner their registry and set them up with defragller (god forbid they install it themselves, with all those "optional" checkmarks installing more junk)

in some extreme cases i'll start adding keywords to the avast url block list, like limewire, frostwire, bearshare, etc.

the first time i see limewire caused it, i tell the kid "next time i delete all your music" and that's usually good... and explain why to their parents.  but if i have to go back after that, i'll make sure they don't get any allowance for a few months - never had to go back after that.
0
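Step 2 of the procedure above (check the common registry startup locations) and the later point about keeping a backup .reg file before anything is whacked can be combined into one script. The following is an added example, not code from the thread or from any tool it names: it lists the Run, RunOnce and Winlogon\Notify entries and exports each key with reg.exe before a technician decides what to delete. The backup directory name is an assumption; the registry paths are the standard ones.

```powershell
# Added example (not from the thread): list common autostart locations and
# export a .reg backup of each key before any manual cleanup.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)

# Assumed backup location; restore later with: reg.exe import <file>
$BackupDir = Join-Path $env:USERPROFILE 'autostart-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $AutostartKeys) {
    if (-not (Test-Path $key)) { continue }

    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $regPath = $key -replace ':', ''
    $file = Join-Path $BackupDir (($regPath -replace '[\\ ]', '_') + '.reg')
    reg.exe export $regPath $file /y | Out-Null

    Write-Host "== $key"
    if ($key -like '*Winlogon\Notify') {
        # Notify entries are subkeys, each pointing at a DLL via the DLLName value
        Get-ChildItem $key | ForEach-Object {
            $dll = (Get-ItemProperty $_.PSPath).DLLName
            Write-Host ("  {0,-30} {1}" -f $_.PSChildName, $dll)
        }
    } else {
        # Run/RunOnce entries are plain values: name -> command line
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                $flag = ''
                # Commands launched from a temp folder deserve a closer look
                # (step 3 above lists those folders as common drop locations)
                if ($_.Value -match '\\Temp\\|\\Temporary Internet Files\\') { $flag = '  <-- temp path' }
                Write-Host ("  {0,-30} {1}{2}" -f $_.Name, $_.Value, $flag)
            }
    }
}

Write-Host "Backups written to $BackupDir"
```

Run it from an elevated PowerShell prompt before touching anything in regedit; if a removal turns out to be wrong, `reg.exe import` on the matching file in the backup directory puts the key back, which is the same safety net the later comment describes for ccleaner's backup.reg.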
 
LVL 24

Expert Comment

by:B H
ID: 33509690
in my first comment where i said "sometimes that happens - combofix does a lot... but usually only good things."

the intent was "combofix does a lot of things" and not "combofix fails a lot".  combofix is a great tool, but it does have a small percentage of a chance to do more harm than good.  which is probably why you have to keep re-downloading it, since the authors made it expire every few days.

i had one user who was like "wow leave me that program i'll run it every day" i was like, no.

i do it in my order above more because if combofix is going to take 30 minutes anyway, i may as well do it by hand so i can see any other issues along the way... and if that fails, then run combofix which is helpful most of the time

i didnt mention disabling system restore but that's up there too pretty early in the list - i usually don't re-enable it because i can count on one finger all the times it actually worked.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 33519873
I can't see why running ComboFix would cause the system to slow down, it has to be something else.
ComboFix removes itself and its files including the backup upon its uninstallation. And yes it's not recommended that ComboFix be kept in the system for safety reason, so there is no chance for the user having to run an outdated ComboFix.

It is much safer to run tools like MalwareBytes, ComboFix etc than doing a manual removal of any infection first, because if you missed their loading points the PC may not boot, whereas using tools like ComboFix it is designed with safety nets.
It actually has more safety nets than most tools, that's why there are times when ComboFix will not try and remove a particular malware unless RC is installed.

It is often advised to be used as a last resort mainly because it's not a generic "cure all" scanner, CF sometimes needs a script to finish the removal. That's why it's supposed to be used only under guidance by a Helper
ComboFix was created to aid malware Helpers in removing malware when other scanners fail.
0
 
LVL 1

Assisted Solution

by:jasonlcss
jasonlcss earned 50 total points
ID: 33519917
After running Combofix, I usually run ccleaner as it cleans out all "dead links" in your registry as well as cleans out all your temp data from your temp folders, this I have found speeds up the PC's quite a bit.

Here's a download link: http://www.piriform.com/ccleaner
0
 

Author Comment

by:anuneznyc
ID: 33524307
Thanks to everyone who posted their comments. Yeah, I don't know what happened in these 2 instances, but running CF definitely caused the system to slow down even more. Granted, both systems had Windows XP installs that were over 5 years old, which means they were slow & unstable to begin with, but it got worse after CF did its thing.

I'm starting to think that from now on, if I come across a client system w/ a XP install more than 4 yrs old, I'm going to insist on a "backup, wipe & reinstall" approach. Just seems that XP (not to mention Vista) simply become too bloated & unstable after 4 years of use.
0
 
LVL 1

Expert Comment

by:jasonlcss
ID: 33524833
Ccleaner would have removed a lot of the backup built up over the years...try it, you have nothing to lose.
0
 

Author Comment

by:anuneznyc
ID: 33524866
I'm skeptical of the actual value of registry cleaners, but I suppose I could give it a try.
0
 
LVL 24

Expert Comment

by:B H
ID: 33524990
ccleaner does a really decent job, and it DOES ask you if you want to make a backup.reg file of what's going to be whacked.  if bad things happen after the reboot, just click the backup.reg file that was created in 'mydocuments' and it'll put them all back in there
0
 

Author Comment

by:anuneznyc
ID: 33643719
Thank you all.
0
 

Author Closing Comment

by:anuneznyc
ID: 33643733
Thanks!
0
