combofix deleted system files

thebatfax · Apr 6, 2010

Hi, I recently ran combofix to get rid of some malware issues. However, after it finished, "rundll32.exe" was quarantined alongside it's false malware counterpart "rundll32 .exe." I came across another thread with instructions on how to unquarantine, but it didn't work, and I'm still stuck. Now, I can't access any of the control panel, firewall, or anything as they all require rundll32. How can i unquarantine the files without unquarantining the malware? I have the newest version of combofix, and here are my combofix log files, and the quarantine log file

TimW · Apr 7, 2010

You will need to follow all the instructions here:

READ & RUN ME FIRST. Malware Removal Guide

In the meantime,

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\Admin\rundll32.exe

FCopy::
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\$NtServicePackUninstall$\wscntfy.exe | c:\windows\System32\wscntfy.exe
C\Documents and Settings\Admin\rundll32.exe | C:\WINDOWS\system32\rundll32.exe
RenV::
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Creative\Software Update 3\softauto .exe
c:\program files\Diskeeper Corporation\Diskeeper\dkicon .exe
c:\program files\DivX\DivX Update\divxupdate .exe
c:\program files\Logitech\Logitech WebCam Software\lws .exe
c:\program files\PeerBlock\peerblock .exe
c:\program files\RocketDock\rocketdock .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\windows\system32\config\systemprofile\Desktop\rundll32 .exe

AtJob::

File::
c:\program files\internet explorer\wmpscfgs.exe
c:\windows\system32\w.exe
c:\windows\system32\8921.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vilemorumi"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vilemorumi]
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* SAS and MBAM
* C:\ComboFix.txt
* C:\MGlogs.zip

thebatfax · Apr 7, 2010

Thanks for the response, but I ended up formatting and reinstalling windows. I couldn't get all the malware off, and it seemed like the safest thing to do. But, again, thanks!

TimW · Apr 8, 2010

No problem. Safe surfing.

Log in or Sign up

combofix deleted system files

thebatfax Private E-2

Attached Files:

log.txt

ComboFix-quarantined-files.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

thebatfax Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member