
Combofix - Deleted Desktop, docs, programs etc

Discussion in 'Malware Removal' started by stevep119, Jan 25, 2010.

  1. stevep119

    stevep119 Private E-2

    Hi,

    I need some help with Combofix.

    It's deleted all of my docs, userprofile and files from the systems32 folder

    I've tried system restore but it didn't fix it..

    What do I need to provide to get things back?
     
  2. stevep119

    stevep119 Private E-2

    Sorry, didn't have enough time earlier to fully explain what's happened.

    It all started when my PC was infected with win32.patched and a couple of other viruses

    I tried to remove them using AVG but AVG kept reporting that its own exe "avggui.exe" was infected.

    I tried Malwarebytes, Spybot and spyware doctor.

    None of these seemed to clean the system and so I downloaded Avast.

    Avast found the viruses in the memory and after a boot time scan came back clean....

    It then reported I had an infection in firefox which kept forwarding me to upwin.co.cc

    After googling this a forum said "Combofix" would sort this out and so I downloaded it to my desktop, disabled avast and then set it off....

    It took HOURS for the scan to complete and then after the PC rebooted I logged back into my profile to find the desktop was blank and all of my documents and programs were missing....

    In a panic I restored the PC back to the last restore point but all it fixed was the missing icons on my desktop but still no documents or programs.

    I am also unable to open firefox and any other exe.

    I have found the backup files that combofix made under Qoobox but am unsure how I go about restoring things back?

    If someone could help me out that would be really great.

    Thanks in advance.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The ComboFix program bug has now been resolved and a new version is available. Also an automatic fix tool has been created to restore what it removed.


    Download the new version of combofix.exe and save it to your Desktop. DO NOT RUN IT YET!!! Just make sure you have the new version downloaded and saved.

    Now download this file > http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe

    You should be able to run it from any location but save it to your Desktop if possible. As long as Qoobox has not been tampered with, the tool shall be able to automatically do the below.
    • restore all the required files/folders
    • restore the perms
    • set the correct attributes for desktop.ini
    Now run the CFDQ-UsrPrf.exe program by double clicking on it.
    • Immediately after you run it, YOU MUST NOT reboot your PC. Don't do anything else but continue on with the below..
    • Now immediately run the new version of ComboFix that you saved to your Desktop earlier. This should cause a reboot of your PC after running if malware was detected and removed.
    • After reboot attach the C:\combofix.txt log.
    • Also please run the MGtools.exe program as specified here: Using MGtools. Then attach the requested C:\MGlogs.zip file
    • (See: HOW TO: Attach Items To Your Post )
    Now tell us how things are working.
    • Do things seem to have been restored?
    • What malware problems are you having?
     
  4. stevep119

    stevep119 Private E-2

    Hi,

    when i run CFDQ-UsrPrf.exe I get the following error:

    "Windows cannot find "Nircmd" make sure yu typed the name correctly."


    any suggestions?
     
  5. stevep119

    stevep119 Private E-2

    I'm now getting the following error:

    Error 0x00007766


    rolleyes
     
    Last edited: Jan 25, 2010
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is all of your protection software disabled? If not, it may be deleting the files the tool needs to use to run. Nircmd is one of the tools used by ComboFix.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When exactly are you getting this and what else does it say?
     
  8. stevep119

    stevep119 Private E-2

    Hi,

    all of my virus protection is disabled

    when I double clicked "CFDQ" for the 1st time, it asked if I wanted to create a log file as it couldn't find one in the temp folder.

    I wasn't sure so I cancelled it....

    When i re-ran the program I got the "Nircmd" error....

    so I went to google and found the "Nircmd" program and followed the instructions putting it into the "systems32" folder.

    Straight after that I got the following error when I double clicked the "CFDQ" file:

    A black screen appears and then the following:

    Error

    Error: 0x00007766 !! Aborting


    Before I got your 1st instructions I used system restore thinking it might fix things...

    I don't know what else to try? All of the files are in the Qoobox folder along with the following:

    Add-remove programs.txt
    Combofix-quarantined-files.txt
    snapshot@2010-01-24

    Any ideas? I really need to get the system back as I had loads of work on my PC before...

    Thanks in advance
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below portion and attach the MGlogs.zip file so I can get some insight into your system.


    Also please run the MGtools.exe program as specified here: Using MGtools. Then attach the requested C:\MGlogs.zip file
    (See: HOW TO: Attach Items To Your Post )
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! This occurs because you tried to run the tool a second time. It only allows you to run the tools once.

    Let me see the MGlogs.zip file and then we will continue.
     
  11. stevep119

    stevep119 Private E-2


    Thanks for checking that out...

    I'm just running MGtools now....

    I wish I had known you can only run the above fix once....

    Really appreciate all your help :)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is a way to get it to run again. After you attach your MGlogs.zip file, I will explain. Also I may have to send you a link to something via a private message (PM) when I have it available. You will not be able to respond to the PM when you get it, but you will be able to read it.
     
  13. stevep119

    stevep119 Private E-2

    Ok. logs are now attached:
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That confirms that your files are still present in the QooBox folders. And we will have the ability to restore them.

    Whatever you do, do not try to run System Restore again and DO NOT uninstall ComboFix or make any other changes to your PC in any form. Running System Restore the first time may be the reason why the fix tool could not run properly when you ran it the first time.

    Please hang on since I'm waiting for a special version of the tool to be built by the sUbs (the creator of ComboFix).
     
  15. stevep119

    stevep119 Private E-2

    Thanks :)

    I await further instructions

    :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry for the delay. It takes a while to create the new version and also it takes additional time to run tests with it to make sure it works as desired before it can be released. In order to test it, a PC needs to be broken with the old version of ComboFix first. ;) This is what is going on now.
     
  17. stevep119

    stevep119 Private E-2

    No worries....

    I'm just really grateful that there's someone out there who can help....

    if you need a pc that's broken you can always have mine lol....

    I'll sit tight until the fix is ready.

    Thanks again for all your help :)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll be going out in a little while and will not be back until around 9 PM EST. So it would be good if you tried this ASAP before I go out.
     
  20. stevep119

    stevep119 Private E-2

    Trying it now

    Thanks
     
