Combofix - Deleted Desktop, docs, programs etc

[stevep119]

Hi,

I need some help with Combofix.

Its deleted all of my docs, userprofile and files from the systems32 folder

Ive tried system restore but it didnt fix it..

What do I need to provided to get things back?

[stevep119]

Sorry didnt have enough time earlier to fully explain whats happened.

It all started when my PC was infected with win32.patched and a couple of other viruses

I tried to remove then using AVG but AVG kept reporting that its own exe "avggui.exe" was infected.

I tried Malwarebytes, Spybot and spyware doctor.

None of these seemed to clean the system and so I downloaded Avast.

Avast found the viruses in the memory and after a boot time scanned came back clean....

It then reported I had a infection in firefox which kept forwarding me to upwin.co.cc

After googling this a forum said "Combofix" would sort this out and so I downloaded it to my desktop, disabled avast and then set it off....

It took HOURS for the scan to complete and then after the PC rebooted I logged back into my profile to find the desktop was blank and all of my documents and programs where missing....

In a panic I restored the PC back to the last restore point but all it fixed was the missing icons on my desktop but still no documents or programs.

I am also unable to open firefox and any other exe.

I have found the backup files that combofix made under Qoobox but am unsure how I go about restoring things back?

If someone could help me out that would be really great.

Thanks in advance.

[chaslang]

Welcome to Major Geeks!

The ComboFix program bug has now been resolved and a new version is available. Also an automatic fix tool has been created to restore what it removed.


Download the new version of combofix.exe and save it to your Desktop. DO NOT RUN IT YET!!! Just make sure you have the new version downloaded and saved.

Now download this file > http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe

You should be able to run it from any location but save it to your Desktop if possible. As long as Qoobox has not been tampered with, the tool shall be able to automatically do the below.

• restore all the required files/folders
• restore the perms
• set the correct attributes for desktop.ini

Now run the CFDQ-UsrPrf.exe program by double clicking on it.

• Immediately after you run it, YOU MUST NOT reboot your PC. Don't do anything else but continue on with the below..
• Now immediately run the new version of ComboFix that you saved to your Desktop earlier. This should cause a reboot of your PC after running if malware was detected and removed.
• After reboot attach the C:\combofix.txt log.
• Also please run the MGtools.exe program as specified here:Using MGtools Then attach the requesetd C:\MGlogs.zip file
• (See: HOW TO: Attach Items To Your Post )

Now tell us how things are working.

• Do things seem to have been restored?
• What malware problems are you having?

[stevep119]

Hi,

when i run CFDQ-UsrPrf.exe I get the following error:

"Windows cannot find "Nircmd" make sure yu typed the name correctly."


any suggestions?

[stevep119]

Im now getting the following error:

Error 0x00007766

[chaslang]

Quote:

Originally Posted by stevep119

when i run CFDQ-UsrPrf.exe I get the following error:

"Windows cannot find "Nircmd" make sure yu typed the name correctly."
any suggestions?

Is all of your protection software disabled. If not, it may be deleting the files the tool needs to use to run. Nircmd is one of the tools use by ComboFix

[chaslang]

Quote:

Originally Posted by stevep119

Im now getting the following error:

Error 0x00007766

When exactly are you getting this and what else does it say.

[stevep119]

Quote:

Originally Posted by chaslang

When exactly are you getting this and what else does it say.

Hi,

all of my virus protection is disabled

when i double clicked "CFDQ" for the 1st time, it asked if I wanted to create a log file as it couldnt find one in the temp folder.

I wasnt sure so I cancelled it....

When i re-ran the program I got the "Nircmd" error....

so I went to google and found the "Nircmd" program and followed the instructions putting it into the "systems32" folder.

Straight after that I got the following error when I double clicked the "CFDQ" file:

A black screen appears an then the following:

Error

Error: 0x00007766 !! Aborting


Before I got your 1st instructions I used system restore thinking it might fix things...

I dont know what else to try? All of the files are in the Qoobox folder along with the following:

Add-remove programs.txt
Combofix-quarantined-files.txt
snapshot@2010-01-24

Any ideas? I really need to get the system back as I had loads of work on my PC before...

Thanks in advance

[chaslang]

Please do the below portion and attach the MGlogs.zip file so I can get some insight into your system.


Also please run the MGtools.exe program as specified here:Using MGtools Then attach the requesetd C:\MGlogs.zip file
(See: HOW TO: Attach Items To Your Post )

[chaslang]

Quote:

Originally Posted by stevep119

Im now getting the following error:

Error 0x00007766

Okay! This occurs because you tried to run the tool a second time. It only allows you to run the tools once.

Let me see the MGlogs.zip file and then we will continue.

[stevep119]

Quote:

Originally Posted by chaslang

Okay! This occurs because you tried to run the tool a second time. It only allows you to run the tools once.

Let me see the MGlogs.zip file and then we will continue.

Thanks for checking that out...

Im just running MGtools now....

I wish I had of known you can only run the above fix once....

Really appreciate all your help

[chaslang]

Quote:

Originally Posted by stevep119

I wish I had of known you can only run the above fix once....

There is a way to get to run again. After you attach your MGlogs.zip file, I will explain. Also I may have to send you a link to something via a private message (PM) when I have it available. You will not be able to respond to the PM when you get it, but you will be able to read it.

[stevep119]

Ok. logs are now attached:

[chaslang]

Okay! That confirms that your files are still present in the QooBox folders. And we will have the ability to restore them.

Whatever you do, do not try to run System Restore again and DO NOT uninstall ComboFix or make any other changes to your PC in any form. Running System Restore the first time may be the reason why the fix tool could not run properly when you ran it the first time.

Please hang on since I'm waiting for a special version of the tool to be built by the sUbs (the creator or ComboFix).

[stevep119]

Thanks

I await further instructions

[chaslang]

Sorry for the delay. It takes awhile to create the new version and also it takes additional time to run tests with it to make sure it works as desired before it can be release. In order to test it, a PC needs to be broken with the old verson of ComboFix first. This is what is going on now.

[stevep119]

Quote:

Originally Posted by chaslang

Sorry for the delay. It takes awhile to create the new version and also it takes additional time to run tests with it to make sure it works as desired before it can be release. In order to test it, a PC needs to be broken with the old verson of ComboFix first. This is what is going on now.

No worries....

im just really greatfull that there's someone out there who can help....

if you need a pc thats broken you can always have mine lol....

I'll sit tight until the fix is ready.

Thanks again for all your help

[chaslang]

Okay download this new version

http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe

Run it by double clicking on it. Let me know if it runs or gives you the same error messages or if it works.

[chaslang]

I'll be going out in a little while and will not be back until around 9 PM EST. So it would be good if you tried this ASAP before I go out.

[stevep119]

Quote:

Originally Posted by chaslang

I'll be going out in a little while and will not be back until around 9 PM EST. So it would be good if you tried this ASAP before I go out.

Trying it now

Thanks