
Combofix deleted everything #2


  • This topic is locked
13 replies to this topic

#1 tekky

tekky

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:49 AM

Posted 24 January 2010 - 05:40 PM

I ran ComboFix on a customer's machine (yes, a customer!) and it deleted all of their personal files.

I see someone else has posted a report of the same problem, and since I was unable to post in their thread I am reporting it here instead.

The quarantined files log is rather large, and all of the files appear to still be there. I have ghosted the hard drive just in case something goes wrong.

Please just tell me how to go about restoring all of the quarantined files, I will deal with the rest.

Thank you



#2 tekky


Posted 24 January 2010 - 05:58 PM

Will this script restore everything?

Dequarantine::
C:\
D:\
Quit::

Please, I just want the computer back the way it was, I don't care if any viruses are there... I can deal with that after.

Edited by tekky, 24 January 2010 - 05:58 PM.


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:49 PM

Posted 24 January 2010 - 06:00 PM

Hi,

please don't run random scripts, this may lower your chances of recovering your files.

Please provide the combofix log and the contents of the following file in your next reply: C:\qoobox\combofix-quarantined-files.txt

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 



#4 tekky


Posted 24 January 2010 - 06:05 PM

Logs are attached

please remove after you view, I do not wish to violate the customer's privacy.

Edited by myrti, 24 January 2010 - 09:22 PM.


#5 myrti


Posted 24 January 2010 - 06:22 PM

Hi,

ComboFix is meant for private use only, it is not meant to be used for business use and that includes people removing malware for a living. In addition, ComboFix should only be used by people that have the necessary knowledge to use the tool and recover from setbacks like these.

Combofix has currently been pulled. Do you still have a copy on your desktop?

If so please run the following script:
CODE
DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings
Quit::


let me know if that restored the files you needed.

regards myrti



#6 tekky


Posted 24 January 2010 - 06:35 PM

I do not have a copy of Combofix on my desktop, when I try to run the old one that I had on my flash drive it says "would I like to update" and then regardless of whether I update or not it tells me that combofix is out of date and will run in reduced functionality mode..... but then nothing ever happens

#7 myrti


Posted 24 January 2010 - 06:38 PM

Hi,

the log indicates that ComboFix was run from C:\combofix\combofix.exe. That file should still be there.

Can you please check.

regards myrti



#8 tekky


Posted 24 January 2010 - 06:40 PM

there is no c:\combofix folder

[hidden and system files are visible.. it's definitely not there]

#9 myrti


Posted 24 January 2010 - 06:45 PM

Hi,

could you please tell me where you saved ComboFix when you ran it on the machine? If it was deleted by ComboFix I need the location to restore it.

regards myrti



#10 tekky


Posted 24 January 2010 - 06:47 PM

I thought I copied it to the desktop, but now I'm thinking I probably ran it from a network share.

It's not in the quarantined desktop folder : {

Is it possible for someone to upload it for me?

#11 myrti


Posted 24 January 2010 - 06:59 PM

Hi,

I'll ask around, otherwise the tool will probably be back up in a couple of hours or days and we could get a fresh copy from there.
Any chance the version on your netshare is up to date and we could use that one?

regards myrti



#12 tekky


Posted 24 January 2010 - 08:36 PM

the version on the share is out of date

and regardless of the fact that combofix is not for commercial use (I did not see any disclaimer, and I don't know of any commercial alternatives) I am supposed to be returning this computer to the customer today :/

Edited by tekky, 24 January 2010 - 08:36 PM.


#13 tekky


Posted 24 January 2010 - 08:43 PM

I am going to mass-rename the .vir files and move them back to their original locations

this should be sufficient?

#14 myrti


Posted 24 January 2010 - 09:22 PM

Hi,

Yes, renaming the relevant files should be sufficient.

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

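The rename-and-move-back step agreed on in posts #13 and #14, sketched as a dry-run planner (an added example, not part of the original thread and not ComboFix code). It assumes the first folder under C:\Qoobox\Quarantine is the original drive letter and that `.vir` was appended to the original file name; the function names are hypothetical. Only files that belong under one allowed tree are restored, so anything quarantined from elsewhere stays where it is, and existing files are never overwritten.

```python
from pathlib import PureWindowsPath

ROOT = PureWindowsPath(r"C:\Qoobox\Quarantine")  # quarantine folder named in the thread
SUFFIX = ".vir"                                   # extension named in the thread

def original_path(quarantined):
    """Return the pre-quarantine path, or None if the entry does not fit the
    assumed layout ROOT/<drive letter>/<original path> + '.vir'."""
    p = PureWindowsPath(quarantined)
    try:
        parts = p.relative_to(ROOT).parts
    except ValueError:
        return None                       # not under the quarantine folder
    if len(parts) < 2 or len(parts[0]) != 1 or not parts[0].isalpha():
        return None                       # first folder must be a drive letter
    name = p.name[:-len(SUFFIX)]
    if ".." in parts or not p.name.lower().endswith(SUFFIX) or not name:
        return None                       # traversal, or not a renamed file
    return PureWindowsPath(parts[0].upper() + ":\\", *parts[1:-1], name)

def plan_restore(listing, allow_under, existing=()):
    """Dry run: return (moves, skipped) without touching the disk."""
    allow = PureWindowsPath(allow_under)
    taken = {PureWindowsPath(e) for e in existing}  # compares case-insensitively
    moves, skipped = [], []
    for src in listing:
        dst = original_path(src)
        if dst is None:
            skipped.append((src, "not a quarantined .vir path"))
        elif allow not in dst.parents:
            skipped.append((src, "outside allowed tree"))   # stays quarantined
        elif dst in taken:
            skipped.append((src, "target exists"))          # never overwrite
        else:
            moves.append((src, str(dst)))
            taken.add(dst)
    return moves, skipped

# Constructed sample listing, as a recursive directory listing might give it
SAMPLE = [
    r"C:\Qoobox\Quarantine\C\Documents and Settings\User\My Documents\report.doc.vir",
    r"C:\Qoobox\Quarantine\C\Documents and Settings\User\Desktop\photo.jpg.vir",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\example.dll.vir",
    r"C:\Qoobox\Quarantine\C\Documents and Settings\User\Desktop\notes.txt",
]

if __name__ == "__main__":
    moves, skipped = plan_restore(SAMPLE, r"C:\Documents and Settings")
    for src, dst in moves:
        print("MOVE", src, "->", dst)
    for src, why in skipped:
        print("SKIP", src, "-", why)
```

Review the printed plan against the ghosted image before performing any of the moves.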




