Combofix Deleting Files It shouldn't Even touch

Discussion in 'Malware Help (A Specialist Will Reply)' started by MSSmallBiz, May 13, 2013.

  1. MSSmallBiz

    MSSmallBiz Private E-2

    Having an issue with IE which would lead one to think the system was bugged, I ran ComboFix. This was after running an MS Security Scanner complete scan, a Windows Defender scan, an Avast scan as well as Malwarebytes, which all came back more or less clean: some expected files flagged, nothing major found. At that time I still had an issue with IE, so I ran ComboFix. After completing the scan, ComboFix proudly announced it had DELETED TWO ACRONIS TIB BACKUP IMAGES made of another computer, a computer that is no longer in service, and those backups were the backups!

    What in the world is ComboFix doing deleting backup images, especially from something like Acronis, with no confirmation? It appears they are deleted to the point that I am going to have to do a low-level scan with a boot CD, as EaseUS doesn't see the files or folders ComboFix deleted.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    ComboFix is not a program that you should be running on your own.

    Also, if you have an issue with ComboFix, you need to report it to the creator, not us. ;)

    ComboFix puts copies of the things it deletes in subfolders of the C:\Qoobox folder. You can manually restore the files you want from there.
     
  3. MSSmallBiz

    MSSmallBiz Private E-2

    With nearly 30 years supporting the PC along with the networks of two Fortune 500 companies (one in the top 30), I feel I have some background on the subject; using it was not my first move in addressing an issue I am having with IE. I'll admit I did not know it placed those files in that location, and thank you for reporting that, as they are indeed there. This site, the MajorGeeks forums, as well as others, is listed as a location for users to visit for using, discussing or whatever with ComboFix. The mere fact that ComboFix deleted these files, especially the base image of a Win7 fresh install, is something that should be put in a public forum along with your answer that those files are still present but renamed in C:\Qoobox, for others to find. The hope is that sUBs is active here or the forum senior members are in contact with sUBs to alert them of this false deletion, as who knows when they check their email address, or if an email would get any attention, if for no other reason than the vast amount of junk email I am sure they get.

    I want to make the comment again that ComboFix deleted a backup image of a freshly installed Win7 using Microsoft TechNet media which had no apps and only Windows Updates applied. This was a static image that had never been touched since that date. It also deleted an archived image file from the same machine from before that Win7 fresh install, along with the base folder. Thankfully they are located in the Qoobox folder for recovery.

    Thank you.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, this is true, but still, the use of ComboFix should be limited to only being used as recommended by malware removal experts. I know you ran other things first, which is the correct approach, but still, much care must be taken with high-power tools like this.

    Yes, we are, but that is for reading the logs and helping to work up fix scripts to be run with ComboFix, and also to possibly recover files from the quarantine, as in your case. ComboFix does have the ability to DeQuarantine files/folders too, by running a script designed to do this. For just a couple of files, it is not worth doing, as the manual recovery for someone who knows how to use a PC (as yourself) is easier and safer.

    sUBs is a member on Major Geeks but does not post here. Yes I could get in touch with him about this but I see you already did that:

    http://www.bleepingcomputer.com/forums/t/494453/combofix-deleting-files-it-shouldnt-be-touching/

    I would, however, recommend that you attach your combofix.txt log here so that we can all see exactly what was removed. At BleepingComputer they do not want attachments, but rather prefer the long logs inline with messages.
     
    Last edited: May 15, 2013
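The manual restore that posts 2 and 4 describe (copy the quarantined files back out of C:\Qoobox yourself rather than run a DeQuarantine script) can be done in a controlled way from PowerShell. The script below is an added example and is not ComboFix's own tooling or anything the forum posters supplied. It assumes, as stated in its comments, that ComboFix mirrors each deleted file's original path beneath C:\Qoobox\Quarantine\<DriveLetter>\ and appends a .vir suffix; check that against your own Qoobox tree before trusting it. The parameter names, the default filter for Acronis .tib images, and the -Commit switch are all this example's own choices. It defaults to a dry run, refuses to overwrite anything already at the destination, and hashes each restored copy against the quarantined original so you know the image came back intact.

```powershell
<#
  Restore files ComboFix quarantined under C:\Qoobox to their original locations.

  ASSUMPTION (not confirmed by the thread): the quarantine mirrors the original
  path as C:\Qoobox\Quarantine\<DriveLetter>\<original\path>\<name>.<ext>.vir
  e.g.  C:\Qoobox\Quarantine\D\Backups\Win7-Base.tib.vir  ->  D:\Backups\Win7-Base.tib
  Verify this layout in your own Qoobox folder before running with -Commit.

  Default behaviour is a dry run that only reports what would be restored.
#>
param(
    # Root of the ComboFix quarantine (assumed layout, see header).
    [string]$QuarantineRoot = 'C:\Qoobox\Quarantine',

    # Which quarantined files to restore. Default (hypothetical) is Acronis images only.
    [string[]]$Include = @('*.tib.vir'),

    # Without -Commit nothing is written; with it, files are copied back and hashed.
    [switch]$Commit
)

if (-not (Test-Path -LiteralPath $QuarantineRoot)) {
    throw "Quarantine root not found: $QuarantineRoot"
}

$rootLen = (Get-Item -LiteralPath $QuarantineRoot).FullName.TrimEnd('\').Length

Get-ChildItem -Path $QuarantineRoot -Recurse -File -Include $Include | ForEach-Object {
    $quarantined = $_.FullName

    # Path relative to the quarantine root, e.g. "D\Backups\Win7-Base.tib.vir"
    $relative = $quarantined.Substring($rootLen).TrimStart('\')

    # First segment is the drive letter under the assumed layout.
    $drive, $rest = $relative -split '\\', 2
    if (-not $rest) {
        Write-Warning "Skipping (no path below drive folder): $quarantined"
        return
    }

    # Strip the .vir suffix to recover the original file name.
    $destination = Join-Path "$($drive):\" ($rest -replace '\.vir$', '')

    if (Test-Path -LiteralPath $destination) {
        # Never clobber something that already exists at the original location.
        Write-Warning "Skipping, destination already exists: $destination"
        return
    }

    if (-not $Commit) {
        Write-Output ("DRY RUN  {0}  ->  {1}  ({2:N0} bytes)" -f $quarantined, $destination, $_.Length)
        return
    }

    $destDir = Split-Path -Parent $destination
    if (-not (Test-Path -LiteralPath $destDir)) {
        New-Item -ItemType Directory -Path $destDir -Force | Out-Null
    }

    Copy-Item -LiteralPath $quarantined -Destination $destination

    # Integrity check: the restored copy must hash identically to the quarantined original.
    $srcHash = (Get-FileHash -LiteralPath $quarantined -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $destination -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        Write-Error "Hash mismatch after restore: $destination"
    } else {
        Write-Output ("RESTORED {0}  ->  {1}  SHA256={2}" -f $quarantined, $destination, $srcHash)
    }
}
```

Run it once with no switches to see the mapping it intends to apply; if the dry-run destinations match where the .tib files originally lived, run it again with -Commit. Widen -Include (for example `-Include '*.vir'`) only after you have read the ComboFix log and are sure nothing in the quarantine is actually malicious, since this restores whatever matches without asking.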
