A team member recently tried to help me with a problem on my machine.

This caused two problems in itself.

First, the fix routines make MANY changes to a computer’s configuration, if only to establish a base starting point to work. However, users change their preferences over years of time, starting with the install process. There doesn’t seem to be a user-readable log of changes made – essentially an ‘I changed this setting from this to this’ and ‘I deleted this’ so that the user could restore individual settings if desired when done. I now have folders that I expect to show that aren’t showing and discovered a month after the fix that System Restore was off. While most things operate as expected, some programs’ options are changed within those folders that no longer show even by using the Search function.

Since the fix there are things that happen that never have before. When Saving documents, I often get a message in the Save window something like ‘Generating List of Root Folders’ for 5 to 10 seconds before a save location appears. IE generates messages, and while there’s an option to not show the message again, I don’t know if it’s a new message or if I turned it off years ago.

In my case, the attempt at a fix did not completely solve the problem I was having. Since many configuration settings can be changed from different places within Windows and many of them have similar names, being able to see exactly what was changed would be beneficial. Settings could then be individually restored correctly and avoid conflict.

I also don’t know what I don’t know.

Second, after the fix, I had many files saved to the Desktop (and elsewhere?) as instructed, and no instructions on what could / should be deleted, and if so, whether to Uninstall or simply delete them. Few programs do a perfect job with their housecleaning, but the user should be able to finish it up easily.

Some programs are typically used for a quick clean before or during analysis that may not be desired to be resident under normal use. I’ve found nothing about their removal afterward.

I’ve PM’ed the team member for instructions, and his time spent on my messages could be better utilized helping others.

Suggestions:

  • Have the fix routines generate a log readable by the user showing what was changed to include the as-found and the as-left settings using the same names that Windows uses.
  • Create an easily findable forum Sticky / Permalink describing exactly which files downloaded or generated during the fix process can be removed, the proper method of doing so, and the order if it makes a difference.
  • Create an easily findable forum Sticky / Permalink with common 'You may see these unexpected changes from your normal operation after a fix' and their solutions.

My thanks go to all involved for their time and efforts.


Hi, Sawduster: :)

As just another home user myself, I can understand your frustration. I imagine it can be hard to keep track of what's happening during a complicated malware removal process.

Those are great ideas, and I'm sure the MBAM staff will provide good feedback. :)

A few thoughts come to mind:

  • No two computers or malware infections are the same, so creating some sort of "one size fits all" sticky topic would be hard, and likely impossible?
  • I agree that it might be a good idea, though, to post some sort of "You may see these unexpected changes from your normal operation after a fix" sticky topic in the malware removal section, after the other, existing verbiage: "A forum dedicated in removing malware. First, please follow the instructions in the pinned topics. All assistance here is used at your own risk and we take no responsibility should there be damage to the system in question."
  • Most/all of the helpers instruct the user to create a registry backup and/or restore point prior to malware removal, when such a step is both feasible and advisable (sometimes it is not, because of the infection) -- that way, the system can be restored, if need be.
  • Many of the changes one might experience after cleanup may be due to the infection itself causing system damage, rather than the cleanup process, per se.
  • I don't know that there would be any way, either, to create any sort of "changelog" during the malware removal process, but perhaps one of the more expert folks could weigh in on that suggestion?
  • To that end, I've always found it most helpful over the years to take careful notes when performing any sort of major hardware/software updates or changes (I even do it for monthly Windows updates) -- that way, if something does go wrong, I have a record that allows me to trouble-shoot or back-track. (99.9% of the time, it's not necessary, but when something does happen, I'm glad I have it.)
  • Printing out the malware helper's suggestions can be very useful and a good starting place to take these progress notes.
  • Most/all of the malware helpers provide a "clean up" post at the end of each thread, with instructions on how to remove/uninstall the various tools and scanners -- if they forget to do so, one can always ask the helper before he/she closes the topic, and/or one can PM the helper to re-open the topic if questions arise. (They close the topics only to prevent other members from piggy-backing. They are always happy to re-open them, as needed.)

Anyway, those are just a few random thoughts.

I'm sure the many expert members and MBAM staff will provide additional assistance. :)

Thanks for your suggestions!

daledoc1


Hello :)

Few things here:

1. We cannot guarantee that a fix will not cause other problems. Malware is always difficult to work with and as such it may cause unexpected issues.

2. The fixes are tailored to the individual so it would be a huge waste of time and resources to create a sticky or page showing what files were removed. Sorry, but no one has the time for this as they wouldn't have time for anything else.

3. Because malware is so sophisticated and rapidly changing, we require logs that only those trained can read. This prevents those that know very little from helping and offering advice which could result in lawsuits if they damaged others' computers. It's best to leave this to the professionals. On another note, we need to know specific details on the computer's configuration in certain areas like the registry, internet option changes, etc., so it's critical that the logs display this information. Removing these types of things would make it harder to read.


Thank you for your thoughts daledoc1. Maybe something can be implemented.

Yes, the complications and work involved are understood.

  • As I understand it, restore points are wiped out if System Restore is turned off. Restoring a registry backup might introduce its own problems if a partial clean-up were performed, but is safer than none at all.
  • In my case, as I understand it, no malware was detected, but since the main problem mostly went away, something in the cleanup helped. Here's where a user-readable log is handy.
  • The expert uses a log to review what's there. There's the as-found. Any setting changes are the as-left. What's left alone isn't in the user-log.
  • Notes are invaluable. But notes from when, and which might have been the change? With this, I really have no notes - I ran Combofix and magic happened. Some problems may manifest themselves only when a certain combination of programs/circumstances exist. Resolving those permutations is difficult since they may not show up for a long time. Remember, you're on an iffy machine to start with, and the team member has a very limited amount of time to spend with you. Same for PMing him afterward. I respect his time.


DSK-

That's understood on your first part.

Re: "Removing these types of things would make it harder to read." Nothing to be removed from the analysis log - that's critical. The change is for the end user to review. I cannot tell what or where I might have messed up from what I have.

Thanks for your reply.


http://forums.malwar...69

Your last reply to me was:

Thank you again.

Good job.

So your comment:

In my case, the attempt at a fix did not completely solve the problem I was having.
I don't understand.

As for programs / tools that we use, you'd need to ask the developer on how they work, etc., but I doubt they'd tell you exactly how they work.

I don't think they want the bad guys knowing.

Your issue was with IE8 and we solved that issue.

The items that appeared on your desktop were probably items that should be hidden.

Infections hide themselves so you can't find them so some of the tools we use unhide them so we can see them in the logs in order to remove them.

If combofix uninstalled correctly, it will re-hide the files that should be hidden and create a new clean restore point.


DSK-

That's understood on your first part.

Re: "Removing these types of things would make it harder to read." Nothing to be removed from the analysis log - that's critical. The change is for the end user to review. I cannot tell what or where I might have messed up from what I have.

Thanks for your reply.

Unfortunately that is not possible. For example these entries from HiJackThis on my computer are important. The way they are currently is important. Making the logs for the end user to read would render our help useless. The way they are is so that experts can help and that people who are not trained wouldn't be able to help. Also companies like Brightfort have products that we use for research like SystemLookUp that use identical log formatting in their search results.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyberstealthlabs.org/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

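The as-found / as-left change list suggested at the top of this thread, sketched over two logs in the line format quoted in the post above. This is an added example, not part of any post here and not code from HijackThis or any tool mentioned; it assumes only the `R<n> - <key>,<value name> = <data>` line shape shown above, and the sample logs are constructed.

```python
import re

# Handles only the registry-value line shape quoted in the post above:
#   R0 - HKCU\...\Main,Start Page = http://...
LINE = re.compile(r"^R\d - ([^,]+),(.+?) = ?(.*)$")
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

def parse(log_text):
    """Map (full key path, value name) -> data for each recognised line."""
    entries = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # anything else in the log is ignored, not altered
        key, name, data = m.groups()
        hive, _, rest = key.partition("\\")
        entries[(HIVES.get(hive, hive) + "\\" + rest, name.strip())] = data.strip()
    return entries

def change_log(before_text, after_text):
    """List every setting whose data differs between the two logs."""
    before, after = parse(before_text), parse(after_text)
    changes = []
    for ident in sorted(set(before) | set(after)):
        old, new = before.get(ident), after.get(ident)
        if old == new:
            continue
        action = "added" if old is None else "deleted" if new is None else "changed"
        changes.append({"key": ident[0], "value": ident[1], "action": action,
                        "as_found": old, "as_left": new})
    return changes

# Constructed sample logs (value names taken from the post, data invented).
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.invalid/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.example.invalid/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.example.invalid/
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.example.invalid/
"""

if __name__ == "__main__":
    for c in change_log(BEFORE, AFTER):
        print(f'{c["action"]:8} {c["key"]} [{c["value"]}]: '
              f'as found {c["as_found"]!r}, as left {c["as_left"]!r}')
```

Settings that are identical in both logs are left out of the list, which matches the "what's left alone isn't in the user-log" idea from earlier in the thread.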

LD Tate-

A combination of things here that don't communicate well using text. Sorry.

Remember that there's somebody on the other end at some level of panic with a computer that may be in a very fragile state. He's asking a stranger for free help. My initial post was 15 July 2012 - 06:55 AM and your first reply was 18 July 2012 - 05:19 PM. In those three and a half days I saw a lot of solved problems as I slipped farther to the end of the line. Disconcerting, and terribly hard not to try something that may only make the problem worse and invalidate the logs posted.

But once we got started on clean-up, it didn't take long. Now, the IE problem only happens maybe once a day instead of nearly every other time I open IE - hence, "not completely solved". That's still wonderful. Something got fixed, and my thanks to you still apply. (The weird command bar problem is still there, but still doesn't seem to affect anything. I'm researching fonts now.)

Like I said in my initial post, it was intermittent. Those problems are the hardest to find, often requiring just the right permutation of programs to be running to show up. Who knows when that might be, even on a system where only the same half dozen applications are usually run? Days, weeks? Posts are often moved to 'Resolved' within hours.

I'm happy and thankful for the services provided here and provided some suggestions for a situation that applies to me. Not all suggestions are good ones, and mine might not be in the interests of MB to do.


@ sawduster

<comments / kibbitz>

It's hard for people with a pc-problem to remember, but in the case of malware infections, one needs to keep a calm/cool outlook.

Doing things in panic mode or trying fixes on their own will make things worse.

As to how fast a malware-help request gets a reply depends on several factors.

Whether the helper has a reasonable confidence he/she can help on the particular infection.

How much of a backlog they already have.

How well and how clear the poster describes their problem.

In any event, bottom line, it is not always the case that "first in/first out" is the general case.

Having said all that, if -you- have an unresolved problem with Internet Explorer or Windows, you are welcome to use the PC Help forum http://forums.malwarebytes.org/index.php?showforum=6

Just make a reasonably complete description of the issues when you post, including your Windows version, I.E version, etc.


Hi, Sawduster:

Four experienced forum members -- including two computer professionals who are forum moderators & malware experts -- tried to answer your questions as best as possible.

Some things you request simply are not possible or feasible.

I'm sorry if these responses haven't met your needs.

You are always welcome to follow MauriceNaggar's suggestion to open a new topic in the PC Help section for free assistance to address any lingering system performance issues. Forum members will try their best to help you to resolve them.

Thank you very much,

daledoc1
