Ran Combo Fix now my files are gone

Please see this thread if running XP:

Combo deleted everything..

Do not attempt to restore anything on your own. Make no more changes to your PC. Just get us the De-Quarantine file so we can make a fix. Also get the ComboFix.exe file out of the Quarantine and back onto your Desktop.

 

Have you been able to place Combo back on your desktop?

C:\Qoobox\Quarantine\C\Documents and Settings\Nicole Henry\Desktop\ComboFix.exe.vir

back to

C:\Documents and Settings\Nicole Henry\Desktop\ComboFix.exe

Have you now tried doing this fix:

Now we need to use ComboFix to restore files. This will only restore, it will not delete anything.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, tell us how things are looking. You should check each user account.

 

Yes that is correct. Attach this dequarantine file to your next message. Also reboot your PC if it has not already rebooted and see how things are working.

 

Okay that looks good. Let us know how things look after the reboot.

If you were running the READ & RUN ME cleaning process due to malware problems, you should continue and attach all the requested logs. Do not attempt to run ComboFix again. Currently, it has even been taken offline to avoid additional problems.

 

You're welcome.

Just close it.


Where do your problems with malware stand? Why were you running ComboFix? I'm guessing browser redirects.

 

You're welcome Okay! Let me know if you see the

Code:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

each time you startup.

 

Try the below.

Navigate to the below file with Windows Explorer:

C:\Documents and Settings\Administrator.ENAMARIE\Start Menu\Programs\Startup\desktop.ini

Then right click on it and check the Hidden attribute. Then click Apply and OK.

Do the same for the below file:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini


See if it still occurs.

 

Did you check both locations? One for the Administrator.ENAMARIE account and one for the All Users account. Both files have to be changed. These are actually two different files.

 

I just noticed that you have two more files to fix the hidden attribute on. Apply the same fix to the below files:

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

 

Not until we are sure that everything has been fixed. Since the bug not only removed files and folders, it also messed up some permissions and also the attributes of the desktop.ini files. Let's run the automated fix that was created along with a new version of ComboFix that has removed the bug.

The below procedure and new tool will automatically fix it and permissions problems.

Download the new fixed version of combofix.exe and save it to your Desktop. DO NOT RUN IT YET!!! Just make sure you have the new version downloaded and saved.

Now download this file > http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe


You should be able to run it from any location but save it to your Desktop if possible. As long as Qoobox has not been tampered with, the tool shall be able to automatically do the below.

• restore all the required files/folders
• restore the perms
• set the correct attributes for desktop.ini

Now run the CFDQ-UsrPrf.exe program by double clicking on it.

• Immediately after you run it, YOU MUST NOT reboot your PC. Don't do anything else but continue on with the below..
• Now immediately run the new version of ComboFix that you saved to your Desktop earlier. This should cause a reboot of your PC after running if malware was detected and removed.
• After reboot attach the C:\combofix.txt log.
• Also please run the MGtools.exe program as specified here:Using MGtools Then attach the requesetd C:\MGlogs.zip file
• (See: HOW TO: Attach Items To Your Post )

Now tell us how things are working.

• Do things seem to have been restored?
• What malware problems are you having?

 

You're welcome.

If you are not having any other malware problems, it is time to do our final steps:

1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
2. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!