Combofix problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ches, Mar 30, 2010.

  1. Ches

    Ches Private E-2

    I am running Windows XP Pro on a Lenovo T61p laptop. This morning I ran Combofix and it looks like it deleted stuff I want to keep. When I ran Combofix it said there was a new update and so I "updated" it. Wish I had seen this forum before running it.

    I noted some "fixes" to this in this forum. Are they user specific or for XP in general? HELP!

    -ches
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Exactly what do you mean by this? What files are you referring to?

    And how old was the version of ComboFix you initially ran?

    Do you have the combofix.txt log?
     
  3. Ches

    Ches Private E-2

    I do have the combofix log. It quarantined a bunch of files that are not a problem and I want to recover them. I have attached the log for you to review. Can I just go back to a previous system restore point or is there a way to unquarantine and restore the files?

    BTW, I did notice a couple of suspect files: patchw32.dll and pw32a.dll. All the rest on the list are safe as far as I know.

    I do not know the version of ComboFix but when I ran it, a message said there was an update and would I like to update. I selected yes. So I would have to say it is whatever the current version is. If there is a way to check it for sure without running it again, please advise.

    ches
     
  4. Ches

    Ches Private E-2

    I am not sure whether the previous post had the combofix log attachment. Here it is again.

    ches
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of the files could be copied back manually from the locations indicated in the log you attached. You would just have to remove the extra .vir extension when copying. Alternatively, you can restore them using Combofix automatically by doing the below.



    Now we need to use ComboFix to restore files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop, but do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Let me know if this successfully restores your files.
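
The manual route mentioned in this post (copy each file back from the quarantine and drop the extra .vir extension), as an added example that is not part of the original post and is not ComboFix code. It assumes the quarantine folder mirrors the original folder layout; the function names and the sample file names other than pw32a.dll are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def plan_restore(quarantine_root, target_root, exclude=()):
    """List (source, destination, sha256) for every quarantined *.vir file.

    Assumption: the quarantine tree mirrors the original paths, so only the
    trailing ".vir" has to be dropped. Names in `exclude` are left behind.
    """
    skip = {name.lower() for name in exclude}
    plan = []
    for src in sorted(Path(quarantine_root).rglob("*.vir")):
        if not src.is_file():
            continue
        rel = src.relative_to(quarantine_root).with_suffix("")  # strip ".vir"
        if rel.name.lower() in skip:
            continue  # file the user decided not to bring back
        digest = hashlib.sha256(src.read_bytes()).hexdigest()  # for review
        plan.append((src, Path(target_root) / rel, digest))
    return plan

def restore(plan, dry_run=True):
    """Copy planned files back; never overwrite a file that already exists."""
    restored = []
    for src, dst, _digest in plan:
        if dst.exists():
            continue  # keep whatever is currently in place
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy, so the quarantine stays intact
        restored.append(dst)
    return restored

def demo():
    """Constructed sample: a fake quarantine tree inside a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        q, t = Path(tmp, "quarantine"), Path(tmp, "restored")
        for name in ("WINDOWS/tool.dll.vir", "WINDOWS/pw32a.dll.vir",
                     "docs/notes.txt.vir"):
            f = q / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed sample")
        plan = plan_restore(q, t, exclude=["pw32a.dll"])
        first = restore(plan, dry_run=False)
        second = restore(plan, dry_run=False)  # nothing left to restore
        return sorted(p.relative_to(t).as_posix() for p in first), second

if __name__ == "__main__":
    print(demo())
```

Running `restore(plan)` with the default `dry_run=True` only reports what would be copied, so the plan and its hashes can be reviewed before any file is put back.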
     
  6. Ches

    Ches Private E-2

    Thanks so much Chas, it worked. I left out the Windows\patch32.dll and Windows\pw32a.dll. Are those legit files? If memory serves, sometimes they get altered by malware and are really not needed anyway. Everything seems to be working ok without them. Please advise. I don't want to do anything with this machine until I know we are good to go.

    Thanks again,
    Ches
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they are legit files. Whether you need them or not is a different question. Not sure what software you are using that put them into the Windows folder.

    If you have been running okay without them since initially running ComboFix then you most likely do not need them. You could make a backup copy of them by putting them into a ZIP file just in case it turns out later you need them. You should do this now as my final instructions will delete everything in the ComboFix Quarantine.


    If you are not having any other malware problems, it is time to do our final steps:

    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: The space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    2. After doing the above, you should work thru the below link:
     
