[URGENT] ComboFix run removed items from the "Start" menu.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ONEEYEMAN, Jan 24, 2010.

  1. ONEEYEMAN

    ONEEYEMAN Corporal

    Hi, ALL,
    I am trying to run the "READ AND RUN ME FIRST".
    The SAS and MBAM were run properly without any problems.

    Now I went and started the ComboFix.
    The program went thru, rebooted and created the log file. However, when I try to open the "Start" menu everything there was gone. When trying to open "All Programs" menu all I have is a "Startup" item, which is empty.
    All icons on the Desktop are gone as well, I only have an IE and Recycle Bin.
    The Norton Internet Security Suite is also gone from the Startup services.

    The program was downloaded from majorgeeks.com.

    I am running Windows XP on IBM ThinkPad.

    I don't know what I should do at this point.

    Any suggestions?

    Thank you.
     
    Last edited: Jan 24, 2010
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes we have found there is a recent bug in ComboFix that has just started causing this problem.


    Get the C:\QooBox\ComboFix-quarantined-files.txt and attach it here so we can attempt to work up a fix to restore everything. We will need to use ComboFix to restore everything, so we will have to restore it too, since this bug has deleted ComboFix.exe from the Desktop too (or from wherever it was run).
     
  3. ONEEYEMAN

    ONEEYEMAN Corporal

    chaslang,
    Is this a file that was created from the ComboFix run that deleted everything?

    Thank you.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! It should be in the QooBox folder. Just browse to it and attach it.
     
  5. ONEEYEMAN

    ONEEYEMAN Corporal

    chaslang,
    Here is the file requested.
    Should I follow the instructions given in this thread?

    Also keep in mind that I continued with running the "READ AND RUN ME FIRST" thread as I didn't pay too much attention to it.

    Did I screw everything up?

    Thank you.

    I just tried to copy the combofix.exe.vir as per the instructions in the thread above. The file was copied successfully and I do see the combofix icon on my desktop.
    Should I copy all user profiles back as per the thread above?
     

    Last edited: Jan 26, 2010
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't need it now since a fix has been developed along with a new version of ComboFix that does not have the bug.

    The below procedure and new tool will automatically fix it and permissions problems.

    Download the new fixed version of combofix.exe and save it to your Desktop. DO NOT RUN IT YET!!! Just make sure you have the new version downloaded and saved.

    Now download this file > http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe


    You should be able to run it from any location but save it to your Desktop if possible. As long as Qoobox has not been tampered with, the tool shall be able to automatically do the below.
    • restore all the required files/folders
    • restore the perms
    • set the correct attributes for desktop.ini
    Now run the CFDQ-UsrPrf.exe program by double clicking on it.
    • Immediately after you run it, YOU MUST NOT reboot your PC. Don't do anything else but continue on with the below.
    • Now immediately run the new version of ComboFix that you saved to your Desktop earlier. This should cause a reboot of your PC after running if malware was detected and removed.
    • After reboot attach the C:\combofix.txt log.
    • Also please run the MGtools.exe program as specified here: Using MGtools. Then attach the requested C:\MGlogs.zip file.
    • (See: HOW TO: Attach Items To Your Post )
    Now tell us how things are working.
    • Do things seem to have been restored?
    • What malware problems are you having?
     
  7. ONEEYEMAN

    ONEEYEMAN Corporal

    Good.
    Ok, please find the logs attached.
    Everything seems to be restored and working properly.
    Initially the scan was performed to make sure that the only issue here is the memory, and no other problems exist.

    If you can find any, please let me know.

    Do you want me to check if the C:\QooBox folder is "empty"?

    Thank you.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are sure everything has been copied back and you are not having any malware problems, then do the below to clean up.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: The space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. After doing the above, you should work thru the below link:
     
