Combofix recovery issues


  • This topic is locked
8 replies to this topic

#1 billyjean23

billyjean23

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 24 January 2010 - 03:38 PM

Greetings all -- just a quick question:

I had a PC that was infected with various incarnations of the Windows Antispyware virus, which I successfully cleaned manually and then by using combofix. However, when Combofix ran it also deleted everything on my desktop as well as everything in my My Documents folder. When I booted to my UBCD to restore to an external hard drive, none of the recovery software I used can find anything to recover. When Combofix deletes something, does it move it to a new folder first or, um, is it just ... gone?

Help?



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:43 PM

Posted 24 January 2010 - 06:25 PM

Hi,

please do not make any changes to the system right now. ComboFix keeps backups of files and we should be able to restore them. Can you still boot?

If so please provide the combofix log and the content of the following file: C:\qoobox\combofix-quarantined-files.txt in your next reply. Do you have Combofix.exe still on your desktop?

regards myrti

Edited by myrti, 24 January 2010 - 06:27 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 



#3 billyjean23


Posted 24 January 2010 - 09:08 PM

I have not made any changes yet. I ran combofix from the desktop, but it was one of the files that it deleted... I can run it off a thumb drive if necessary to avoid overwriting deleted files. And yes, bootable.

Thanks

Edited by billyjean23, 24 January 2010 - 09:54 PM.


#4 billyjean23


Posted 24 January 2010 - 09:10 PM

EDIT: Found the quarantine in the Qoobox folder. Is there an easy way to rename the files so they don't end in .vir?

Edited by billyjean23, 24 January 2010 - 09:32 PM.


#5 myrti


Posted 24 January 2010 - 09:33 PM

Hi,

can you please try to zip the file and upload it to the forums here?

Is the ComboFix version you have the one you just downloaded today or is it an old version?

regards myrti



#6 billyjean23


Posted 24 January 2010 - 09:54 PM

QUOTE (myrti @ Jan 24 2010, 10:33 PM)
Hi,

can you please try to zip the file and upload it to the forums here?

Is the ComboFix version you have the one you just downloaded today or is it an old version?

regards myrti



It was downloaded today. I'll zip the files and upload them here in a second but just in case you didn't see my last edit, I found the quarantined files all named .vir -- if there's an easy way to change them back, I'll not take up any more of your time.

Thanks

Edited by billyjean23, 24 January 2010 - 09:56 PM.


#7 myrti


Posted 24 January 2010 - 10:16 PM

Hi,

we are going to dequarantine the files that were accidentally deleted. Please copy your ComboFix.exe onto your desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile
C:\Qoobox\Quarantine\C\Documents and Settings
Quit::


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at DeQuarantine_log.txt which I will require in your next reply.

regards myrti
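
A dry-run sketch of the manual alternative raised earlier in the thread (renaming the .vir files), added here as an example; it is not ComboFix's own code and not part of myrti's post. It assumes, based only on the paths shown in the thread, that the quarantine mirrors each file's original path under Quarantine\<drive letter>\ with .vir appended; plan_restore, build_sample_tree and the sample file names are made up for illustration.

```python
import tempfile
from pathlib import Path, PureWindowsPath

# Extensions that can execute code; never restore these in bulk from a quarantine.
RISKY = {".exe", ".dll", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js", ".lnk", ".sys"}

def plan_restore(quarantine_root, subtree):
    """Dry run: map each *.vir file under quarantine_root/subtree to its
    presumed original Windows path. Nothing is moved or renamed.

    Assumed layout (inferred from the thread, not from ComboFix documentation):
    <quarantine_root>/<drive letter>/<original path>.vir
    Returns (restore, skipped) as lists of (quarantined_file, original_path)."""
    root = Path(quarantine_root)
    restore, skipped = [], []
    for item in sorted((root / subtree).rglob("*.vir")):
        if not item.is_file():
            continue
        drive, *rest = item.relative_to(root).parts
        if len(drive) != 1 or not drive.isalpha():
            continue  # first component is not a drive letter: layout assumption broken
        rest[-1] = rest[-1][:-len(".vir")]  # strip only the quarantine suffix
        original = PureWindowsPath(drive.upper() + ":\\", *rest)
        bucket = skipped if original.suffix.lower() in RISKY else restore
        bucket.append((item, original))
    return restore, skipped

def build_sample_tree(base):
    """Constructed sample data standing in for C:\\Qoobox\\Quarantine."""
    q = Path(base) / "Quarantine"
    for rel in ("C/Documents and Settings/user/My Documents/budget.xls.vir",
                "C/Documents and Settings/user/Desktop/notes.txt.vir",
                "C/Documents and Settings/user/Desktop/setup.exe.vir",
                "C/WINDOWS/system32/fake.dll.vir"):
        f = q / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"constructed sample")
    return q

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ok, held = plan_restore(build_sample_tree(tmp), "C/Documents and Settings")
        for src, dst in ok:
            print(f"RESTORE {dst}")
        for src, dst in held:
            print(f"REVIEW  {dst}")
```

Executable file types land in the second list so they can be checked individually, since the same quarantine also holds whatever the cleanup removed on purpose.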



#8 billyjean23


Posted 25 January 2010 - 02:32 AM

The log is on a different PC now but rest assured, the allied forces secured victory in the end.


Thanks for all your help.

#9 myrti


Posted 25 January 2010 - 08:21 AM

Heya,

glad we could help!

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti
