ComboFix deleted all icons and settings, need help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sdf1965, Jan 24, 2010.

  1. sdf1965

    sdf1965 Private E-2

    I am working with a friend; both of us have used ComboFix many times to correct problems. This time the program deleted all the system icons and settings within the My Documents area.

    As this is a very important system, is there any way to recover the system back to the starting point?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, we have found there is a recent bug in ComboFix that has just started causing this problem.

    Get the C:\QooBox\ComboFix-quarantined-files.txt and attach it here so we can attempt to work up a fix to restore everything. We will need to use ComboFix to restore everything, so we will have to restore it too, since this bug has deleted ComboFix.exe from the Desktop too (or from wherever it was run).
     
  3. sdf1965

    sdf1965 Private E-2

    Sorry guys, this friend works for an organization that will not allow him to copy any information to the internet. If he does he could be looking at losing his job, that's why he called me, I am a programmer for the same company and he knows I will not say anything. His son was playing with his home work computer and he tried to fix it himself.

    Can you tell me, are the .vir files compressed in any way? I have the log and the files and could write a program to read the logs and restore the files for him to the place where they belong according to the logs.

    Otherwise, if they are compressed, what compression is used?

    Thanks
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please see this thread if running XP:

    Combo deleted everything..

    Do not attempt to restore anything on your own. Make no more changes to your PC. Just get us the De-Quarantine file so we can make a fix. Also get the ComboFix.exe file out of the Quarantine and back onto your Desktop.
     
    Last edited: Jan 24, 2010
  5. sdf1965

    sdf1965 Private E-2

    Sorry, I am doing this against his wishes.


    Thanks for the Help!!!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To copy ComboFix from quarantine back to desktop, click Start > Run > copy paste the below into the run box and then click OK.
    You should now have a ComboFix icon back on your desktop. Tell me if you see this icon now. This needs to be done before we can restore the files.
    By the way, the .vir files are not compressed. They are just renamed.
     
  7. sdf1965

    sdf1965 Private E-2

    Just sitting here talking to my friend, and he just told me he tried to do a System Restore from a restore point from yesterday before I got here.

    I really hope he didn't screw things up.

    Thanks again
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may confuse things somewhat but the system restore would not correct all the problems. Just continue with what I posted to get the ComboFix program back on the Desktop.
     
  9. sdf1965

    sdf1965 Private E-2

    It is there!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's do the De-Quarantine now!

    NOTE: This fix only applies to this user! It will definitely not work for anyone running Vista or Win 7 so do not attempt to use this fix if you are not the user who created this thread.

    Now we need to use ComboFix to restore files. This will only restore, it will not delete anything.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad ( Click Start > Run, type notepad then press Enter ) and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall. Be patient. It can take a while for the restore.


    After reboot, tell us how things are looking. You should check each user account.
     
  11. sdf1965

    sdf1965 Private E-2

    It is running, the screen says it's scanning for infected files!!!

    Hope this is correct. It deleted the CFscript.txt from the desktop!

    Still running after

    Thanks again for the help
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just let it run. You will slowly see things start to appear on your Desktop and a De-Quarantine log will pop up when finished.
     
  13. sdf1965

    sdf1965 Private E-2

    Status Update: Same Screen still running!, Hard Drive Light on almost continuous. I believe it is copying approx. 50GB of data based on the files in the original log. I am updating here off a laptop while it's running. ;)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay just be patient since there was so much to copy back.
     
  15. sdf1965

    sdf1965 Private E-2

    It finished! :-D I do not have a ComboFix.txt log on the C:\ to upload as requested. I do have a DeQuarantine.txt under the C:\, is that what you want?

    Also, the system rebooted, and when it came back up it is having an issue, no Icons, but in safe mode they are there now. I believe it is an issue with a service that was available at the restore point and not now or an issue I worked on for him this week, a winsock configuration problem, as it acts like it again.

    Let me know what you want.
    Thanks again.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!

    You also will have an issue with Desktop.ini popping up in a notepad Window at reboot. To fix this, do the below.

    Navigate to the below file with Windows Explorer:

    C:\Documents and Settings\Steve\Start Menu\Programs\Startup\desktop.ini

    Then right click on it and check the Hidden attribute. Then click Apply and OK.

    Do the same for the below file:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini


    See if it still occurs.
     
  17. sdf1965

    sdf1965 Private E-2

    Here it is! Working on the others!
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good! A lot was restored.

    Let me know what problems you are still having. Any malware issues?
     
  19. sdf1965

    sdf1965 Private E-2

    Changed to hidden, still will not reboot, I disabled all services in safe mode and rebooted and it comes up as normal, therefore it tells me it must be a service load issue. Wish I had a good way to monitor the services being loaded during bootup.

    We usually start turning on services until it stops.
     
  20. sdf1965

    sdf1965 Private E-2


    To me it looks like something with the restore point and something being loaded after that and now.

    I am going to hang onto the QooBox folder for a while until we see if everything is doing OK
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what you mean it will not reboot? Are you saying when you click to reboot the PC does not reboot? Or are you saying the PC reboots but when you log into Windows you are having some kind of problem?
     
  22. sdf1965

    sdf1965 Private E-2

    Sorry about that, when you login you get the screen, no icons, the start line comes up but you can not click on anything on it. ALT-CTRL-DEL works and the Task Manager only shows a handful of services running, nowhere close to the amount normally seen.

    I worked on the same type issue on this computer last week, just can not remember what I did to this one to correct it.

    If I use msconfig in safe mode to limit the services, I can get it to reboot, login, and work as normal, just don't have it pinned down yet which service is causing it.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Normally this means explorer.exe is not running. Do you see it in the process list?

    This is very dangerous since this can totally disable a service and if you disable the wrong ones this way, you will be reinstalling. The proper way to disable services is via services.msc run from the Run box or thru Administrator Tools if you enabled them to show.
     
  24. sdf1965

    sdf1965 Private E-2

    Yes explorer.exe is running. I do know about the dangers with msconfig.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so you have a Desktop but it is empty?

    Do you have a Start button? Is this what you mean you clicked on and nothing happens?

    Had you started running our cleaning procedure before you came here to post about ComboFix?

    Have you downloaded MGtools yet?
     
  26. sdf1965

    sdf1965 Private E-2

    Yes

    As I said in the beginning, I was not the one who caused this mess the buddy I work with did. He says NO.

    NO as that system currently does not have any network access due to the problem.
     
  27. sdf1965

    sdf1965 Private E-2

    It looks to be the WIA service which is associated with VB.NET

    Still looking.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download using another PC and a CD or flashdrive could be used. ;)


    This service provides image acquisition services for scanners and cameras. Normally it is set to Started and Automatic.
     
  29. sdf1965

    sdf1965 Private E-2

    He has a Canon scanner sitting here beside his desk, he didn't tell me he had it hooked up. That was it, system is back to the way it was.

    Thanks for all the help.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    I assume you are therefore not having any malware problems?
     
  31. sdf1965

    sdf1965 Private E-2

    Not that I can tell, I am going home now, I will let him tell me in the morning if he is having any problems malware wise.

    Have a great day, or should I say night.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Good night!:)
     
