ComboFix removing files - stopped after a hour.

Welcome to Major Geeks!

What do you mean the power went out? DO you mean you physically lost power while ComboFix was still running? This could be very bad!!!!!

A recent bug that just appeared with ComboFix is causing it to delete important files.

Get the C:\QooBox\ComboFix-quarantined-files.txt and attach it here so we can attempt to work up a fix to restore everything. We will need to use ComboFix to restore everything so we will have to restore it to since this bug has deleted ComboFix.exe from the Desktop too (or from whereever it was run).

We have already fixed several PCs where this problem has occurred.

Do not attempt to restore anything on your own. Make no more changes to your PC. Just get us the De-Quarantine file so we can make a fix. Also get the ComboFix.exe file out of the Quarantine and back onto your Desktop. If you don't know how to get this file back on to your Desktop, just tell us.

​

 

You did not answer my question about the power.

Does the below folder exist?

C:\QooBox


Do icons appear on your Desktop or is it blank?

 

How do you know this if you have not restarted the computer?

How are you looking at the Desktop if you have not restarted the computer?

 

I assume drive C is where Windows boots from?

Does the below file exist?

C:\QooBox\ComboFix-quarantined-files.txt

What about the below?

D:\QooBox\ComboFix-quarantined-files.txt

 

Are you seeing any files and folders under the quarantine folder?

What version of Windows are you running?

 

This sounds like only a small number of files may have been removed and can probably just be restored manually.

You will have to boot from drive C to try the below. But first get a copy of ComboFix.exe back onto the Desktop of the user account where you had the problem. You will need it to run the fix.



NOTE: This fix only applies to this user! It will definitely not work for anyone running Vista or Win 7 so do not attempt
to use this fix if you are not the user who created this thread.



Now we need to use ComboFix to restore files. This will only restore, it will not delete anything.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing
  ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad ( Click Start > Run, type notepad then press Enter ) and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall. Be patient. It can take awhile for all files
to restore. You will slowly notice things appearing on the Desktop. Wait for ComboFix to finish. It will show you a De-Quarantine log when it is
finished.


After reboot, tell us how things are looking. You should check each user account.

 

Wrong place to ever run ComboFix from whether it works or not. But yes you could do that.

That's because you did not read our required stickies before you posted here. Our cleaning process is in a sticky READ & RUN ME FIRST. Malware Removal Guide

 

Just try running the fix in safe boot mode.

 

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

 

Looks like TDSSkiller fixed the source of your redirections. Are you having anymore problems. I'm still concerned there could be some lingering permissions issues due to the previous ComboFix bug.

 

This is one of the issues. I think it would be best to just run the automatic fix tool that was created along with the new version of ComboFix that has resolved the bug.

The below procedure with a new fixed version of ComboFix and new tool to repair the damage should automatically fix it and permissions problems.

Download the new fixed version of combofix.exe and save it to your Desktop. DO NOT RUN IT YET!!! Just make sure you have the new version downloaded and saved.

Now download this file > http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe

You should be able to run it from any location but save it to your Desktop if possible. As long as Qoobox has not been tampered with, the tool shall be able to automatically do the below.

• restore all the required files/folders
• restore the perms
• set the correct attributes for desktop.ini

Now run the CFDQ-UsrPrf.exe program by double clicking on it.

• Immediately after you run it, YOU MUST NOT reboot your PC. Don't do anything else but continue on with the below..
• Now immediately run the new version of ComboFix that you saved to your Desktop earlier. This should cause a reboot of your PC after running if malware was detected and removed.
• After reboot attach the C:\combofix.txt log.
• Also please run the MGtools.exe program as specified here:Using MGtools Then attach the requesetd C:\MGlogs.zip file
• (See: HOW TO: Attach Items To Your Post )

Now tell us how things are working.

• Do things seem to have been restored?
• What malware problems are you having?

 

According to your logs, nothing was removed from drive D, so nothing needs to be restored.

Other than what has already been fixed, your logs are clean.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!