Combofix - Deleted Desktop, docs, programs etc

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by stevep119, Jan 25, 2010.

  1. stevep119

    stevep119 Private E-2

    Hi,

    I need some help with Combofix.

    It's deleted all of my docs, userprofile and files from the systems32 folder.

    I've tried System Restore but it didn't fix it.

    What do I need to provide to get things back?
     
  2. stevep119

    stevep119 Private E-2

    Sorry, didn't have enough time earlier to fully explain what's happened.

    It all started when my PC was infected with win32.patched and a couple of other viruses

    I tried to remove them using AVG but AVG kept reporting that its own exe "avggui.exe" was infected.

    I tried Malwarebytes, Spybot and spyware doctor.

    None of these seemed to clean the system and so I downloaded Avast.

    Avast found the viruses in the memory and after a boot-time scan came back clean....

    It then reported I had an infection in Firefox which kept forwarding me to upwin.co.cc

    After googling this a forum said "Combofix" would sort this out and so I downloaded it to my desktop, disabled avast and then set it off....

    It took HOURS for the scan to complete and then after the PC rebooted I logged back into my profile to find the desktop was blank and all of my documents and programs were missing....

    In a panic I restored the PC back to the last restore point but all it fixed was the missing icons on my desktop but still no documents or programs.

    I am also unable to open firefox and any other exe.

    I have found the backup files that combofix made under Qoobox but am unsure how I go about restoring things back?

    If someone could help me out that would be really great.

    Thanks in advance.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The ComboFix program bug has now been resolved and a new version is available. Also an automatic fix tool has been created to restore what it removed.


    Download the new version of combofix.exe and save it to your Desktop. DO NOT RUN IT YET!!! Just make sure you have the new version downloaded and saved.

    Now download this file > http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe

    You should be able to run it from any location but save it to your Desktop if possible. As long as Qoobox has not been tampered with, the tool shall be able to automatically do the below.
    • restore all the required files/folders
    • restore the perms
    • set the correct attributes for desktop.ini
    Now run the CFDQ-UsrPrf.exe program by double clicking on it.
    • Immediately after you run it, YOU MUST NOT reboot your PC. Don't do anything else but continue on with the below..
    • Now immediately run the new version of ComboFix that you saved to your Desktop earlier. This should cause a reboot of your PC after running if malware was detected and removed.
    • After reboot attach the C:\combofix.txt log.
    • Also please run the MGtools.exe program as specified here: Using MGtools. Then attach the requested C:\MGlogs.zip file
    • (See: HOW TO: Attach Items To Your Post )
    Now tell us how things are working.
    • Do things seem to have been restored?
    • What malware problems are you having?
     
  4. stevep119

    stevep119 Private E-2

    Hi,

    when i run CFDQ-UsrPrf.exe I get the following error:

    "Windows cannot find "Nircmd" make sure yu typed the name correctly."


    any suggestions?
     
  5. stevep119

    stevep119 Private E-2

    I'm now getting the following error:

    Error 0x00007766


    rolleyes
     
    Last edited: Jan 25, 2010
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is all of your protection software disabled? If not, it may be deleting the files the tool needs to use to run. Nircmd is one of the tools used by ComboFix.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When exactly are you getting this and what else does it say?
     
  8. stevep119

    stevep119 Private E-2

    Hi,

    all of my virus protection is disabled

    When I double clicked "CFDQ" for the 1st time, it asked if I wanted to create a log file as it couldn't find one in the temp folder.

    I wasn't sure so I cancelled it....

    When I re-ran the program I got the "Nircmd" error....

    so I went to google and found the "Nircmd" program and followed the instructions putting it into the "systems32" folder.

    Straight after that I got the following error when I double clicked the "CFDQ" file:

    A black screen appears and then the following:

    Error

    Error: 0x00007766 !! Aborting


    Before I got your 1st instructions I used system restore thinking it might fix things...

    I don't know what else to try? All of the files are in the Qoobox folder along with the following:

    Add-remove programs.txt
    Combofix-quarantined-files.txt
    snapshot@2010-01-24

    Any ideas? I really need to get the system back as I had loads of work on my PC before...

    Thanks in advance
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below portion and attach the MGlogs.zip file so I can get some insight into your system.


    Also please run the MGtools.exe program as specified here: Using MGtools. Then attach the requested C:\MGlogs.zip file
    (See: HOW TO: Attach Items To Your Post )
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! This occurs because you tried to run the tool a second time. It only allows you to run the tools once.

    Let me see the MGlogs.zip file and then we will continue.
     
  11. stevep119

    stevep119 Private E-2


    Thanks for checking that out...

    I'm just running MGtools now....

    I wish I had known you can only run the above fix once....

    Really appreciate all your help :)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is a way to get it to run again. After you attach your MGlogs.zip file, I will explain. Also I may have to send you a link to something via a private message (PM) when I have it available. You will not be able to respond to the PM when you get it, but you will be able to read it.
     
  13. stevep119

    stevep119 Private E-2

    Ok. logs are now attached:
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That confirms that your files are still present in the QooBox folders. And we will have the ability to restore them.

    Whatever you do, do not try to run System Restore again and DO NOT uninstall ComboFix or make any other changes to your PC in any form. Running System Restore the first time may be the reason why the fix tool could not run properly when you ran it the first time.

    Please hang on since I'm waiting for a special version of the tool to be built by the sUbs (the creator of ComboFix).
     
  15. stevep119

    stevep119 Private E-2

    Thanks :)

    I await further instructions

    :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry for the delay. It takes a while to create the new version and also it takes additional time to run tests with it to make sure it works as desired before it can be released. In order to test it, a PC needs to be broken with the old version of ComboFix first. ;) This is what is going on now.
     
  17. stevep119

    stevep119 Private E-2

    No worries....

    I'm just really grateful that there's someone out there who can help....

    If you need a PC that's broken you can always have mine lol....

    I'll sit tight until the fix is ready.

    Thanks again for all your help :)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll be going out in a little while and will not be back until around 9 PM EST. So it would be good if you tried this ASAP before I go out.
     
  20. stevep119

    stevep119 Private E-2

    Trying it now

    Thanks
     
  21. stevep119

    stevep119 Private E-2

    Ok, it's looking good....

    CMD has loaded with the following:

    "Restoring - All Users ....."

    So fingers crossed it will complete successfully :)

    Once it's complete I will re-run Combofix (the new version) and then everything should be ok? Right?

    Thanks
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's the goal! Attach the log from the new ComboFix run when it finishes.

    Also describe any problems you may still be having.
     
  23. stevep119

    stevep119 Private E-2

    Ok, ran combofix at around 11pm and everything seemed to be going well...

    Then at around 11.50pm a window appeared saying something like "cannot open Nircmd.ecxe" and gave me an option to "open with"

    At this point the PC froze and I was unable to continue.

    What I found a bit weird was, the file extension it was looking for was not an EXE but an ECXE.

    Is this normal? Or do you think it was a glitch as the system hung?

    Anyways... after waiting around 10-20mins it didn't come back and so as it was getting late I had no choice but to hard reset the PC.

    I have not rebooted the PC since.

    Should I re-run combofix? Should I try it in Safe Mode?

    Thanks in advance
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean cfexe not ecxe. This is normal as combofix renames the extensions.

    Hanging is not normal, but some people do have problems running combofix. Sometimes it is a matter of getting all protection shut down or uninstalled. Sometimes it can be run in safe boot mode but not normal mode. As a whole most people do not have these problems.

    No! Was a combofix.txt log produced?

    Was everything restored okay?

    How are things working? Any malware problems?
     
  25. stevep119

    stevep119 Private E-2

    Hi,

    Sorry for the delayed reply. Have been out of the office a few days....

    I took your advice but system was totally screwed....

    In the end I took a backup of my "Docs & settings" folder and did a fresh install...

    Have run Avast and everything seems to be ok....

    Any suggestions on how to avoid this happening again?

    Thanks again for all your help. Hopefully this thread will help others who are having problems with Combofix....

    :)
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which part? The problem with ComboFix or malware problems? For malware problems, see the below:

    How to Protect yourself from malware!

    For problems like you had with ComboFix, next time don't panic by running System Restore right away. This may be why you ran into problems getting the fix tool to work properly. Everyone else is running it successfully except one user but their issue is only due to not having enough free hard disk space.

    System Restore is not a backup program. It does not make copies of everything on your PC and back them up in restore points.


    However we are happy to hear that you are up and running again.
     
