ComboFix Deletion (Quarantine?) of User Files

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

DeQuarantine::
C:\QooBox\Quarantine\C\Program Files (x86)
QUIT::

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Is there a C:\Dequarantine.txt?

Can you check again and see if anything is missing at all please and let me know?

 

Tell me exactly which files and folders you have issues with. For the files it's just videos and pictures that still have .vir extensions, correct? Does anything else have that extension?

 

Let's scan in a few key folders.


Using Internet Explorer download ( by using right click and select Save Target As ) and save the below to your PC (save it into the C:\Mgtools folder). If the file does not download as FindVir.bat then right click on it and select rename and change the name to FindVir.bat because the sometimes downloads save it as FindVir.txt. After renaming, right click and select Run As Administrator. Wait for it to finish ( the black command prompt box will disappear ). It could take quite awhile if there are lots of .vir files.

FindVir.bat


When it finishes, there will be a VirFix.zip file in the C:\MGtools folder. Attach this file here. If it is too large to attach, use mediafire like you did previously.

 

Okay now let's try a fix that will attempt to remove the .vir file extension from over 27000 files Download the below Fix1.zip file to your Desktop and then extract the Fix1.bat file from inside the ZIP file. Then right click on the Fix1.bat file and select run as Administrator to run it.

Fix1.zip


After the fix completes, the command prompt window should close. When it finishes, rerun the same FindVir.bat file that you previously ran and attach the new VirFix.zip file in the C:\MGtools folder.

I'm not sure the Fix1.bat file will be able to fix all files in one run because there are multiple user accounts that have files with the .vir extension.

 

Try it again now. The link was broken.

 

You're welcome. Well that still shows there all the same files with the .vir extension. So two conclusions can be made:

1. Something stopped the file renaming from occurring properly.
2. The actual file without the .vir file extension already exists and thus the rename would fail. This would mean you could delete the .vir files as dups.

Did you ever check to see if number 2 is the case? Are the .vir file actually duplicates?

 

Right click on one of the .vir files and select Rename. Then just remove the .vir extension. Does this work or do you get an error message?

Not a problem.

No. See my last sentence at the end of message # 57.

 

Let's see if there is an easier way to do the bulk renaming. See if you can make use of the below.

http://www.majorgeeks.com/files/details/bulk_rename_utility.html