ComboFix Deletion (Quarantine?) of User Files

What problems are you having? If you just want to restore those files, you should post in the software forum.

 

Hi there. You attached a log in the .rar format. I would like to see a proper .txt (text file) from combofix. It should be on the root of the drive that you boot from. Eg: C:\DeQuarantine.txt Attach that for TimW and he will be able to help you.

 

That is not the log that was asked for.

 

I apologise. You will have a dequarantine.txt soon. I worded it wrong. I have a fix for you but it is unfortunate that it's too large for the forum to handle inline. I have zipped up a script for you. So follow these instructions.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste all of the text in the below attached text file. (CFScript.txt) (You will need to unzip CFScript.zip first!) Ensure you scroll down to select ALL the lines:

• Save the CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected. You should now have a C:\Dequarantine.txt file to attach for me.

 

Bleeping computer version is just perfect. That's where it should always be downloaded from or from us which is the same version.

http://www.majorgeeks.com/files/details/combofix.html

 

The dequarantine.txt should be on the root of the drive you boot from.

 

I am just questioning something about how we go about this in the background. It's been such a long time since I've had to restore files which CF killed. Hang in there.

 

As I said please hang in there. I will get back to you asap.

 

You need to attach a file n: C:\QooBox\ComboFix-quarantined-files.txt Please do this braskys_scotch.

 

I think the "tech" you took your machine to has alot to answer for. He kept an outdated copy of Combofix and it's instability combined with the tech running it at that point is what wiped all those files. That file should be there, but who knows... the tech may have removed it.

I have a fix that will hopefully implememt; almost all worked up for you already. I am just running short of time this morning, and must return to you a little later on.

 

Same way as I laid out instructions for in my post #8 you need to do the same with this script that I have attached (as a zipped file - CFScript.txt inside of CFScript.zip)

After doing that you should now actually have a C:\Dequarantine.txt file to attach for us.

 

Have ANY of your files been restored? :confused

 

Have you tried a system restore to before you had the "tech" work on it?

 

Hang in there and hold off on the system restore. Trying to rework a fix up for you. My last was ineffective due to an error.

 

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

DeQuarantine::
C:\Qoobox\Quarantine\C\Users
QUIT::

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

• Do you now have a C:\Dequarantine.txt?
• Has anything been restored?
• This is just a test that may or may not fix everything that I wanted to try. If it is successful please be aware that all the nasties will have been restored too, but we can deal with that afterwards.

 

Try zipping the Dequarantine.txt file up for us and attach it.

Then you need to ENSURE you follow these procedures:

READ & RUN ME FIRST - Malware Removal Guide

 

The built in windows compression should work just fine, right click and send to compressed zipped folder. Also, any third party software should work too. However the limitations of this forum is 2.00MB for a zipped so you could split it into seperate parts, or........ use mediafire.com (we obviously don't do this usually, but this would be an exception)

Have a look here also c:\qoobox\quarantine ... does anything remain in that folder?

 

Yes it's extremely important that you follow our malware removal procedures now at this point. Attach all of the requested logs as soon as you are ready.

 

Looks like everything was restored. You can still check the contents of the c:\qoobox\quarantine <-- quarantine folder if you like. But just continue on with the other procedures too.

 

Just go through the malware removal procedures and attach all of the requested logs. Don't worry about anything else now at the moment. However we are going to reexamine the qoobox folder afterwards...

 

Try a different browser and let me know how you get on.

 

YOu cannot upload an 8 MB log file. It is this large due to all the stuff that you had removed with ComboFix.. If you looked inside MGlogs.zip you will most likely see a very large newfiles.txt log. You can delete this from the ZIP and then upload the ZIP file.

 

as a ONE time exception, upload the logs to mediafire.com

 

Not *quite* a complete set of logs. One text file is missing.

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

• cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
• SN64 <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

Upload to mediafire the new MGlogs.zip

 

This is quite a mess. It looks like lots WAS restored. And LOTS wasn't.
All of what has been restored seems to still have the .vir extension on the end. Do you still see any files that have been restored with the .vir extension??

 

Combofix does not remove the entries from the Qoobox folder when you run DeQuarantine. It just copies them back to the original location and strips the .vir extension.

What you need to do is make sure everything has really been restored and then delete the C:\Qoobox folder to avoid having problems which such large log files.

 

Thanks Chas. I understand that it is meant to strip the .vir extension.

But look at this dequarantine.txt log in post #3 http://forums.majorgeeks.com/showthread.php?t=264372 compared to ours. Ours has the .vir extension before AND after it's supposedly dequarantined. Is that okay? :confused