
ComboFix - Deleted EVERYTHING


  • This topic is locked
24 replies to this topic

#1 Robert717

Posted 24 January 2010 - 05:42 PM

I see that someone else reported the same. I have been using ComboFix for a long time, and was surprised at the amount of time it took to run. Once complete - everything in the user account was lost. Everything! Including the start menu & documents. User running as 'Owner'. Running recuva did not get the files back. Not sure what I am going to do next, but I am very upset about this. Why doesn't ComboFix have options?

Thanks.
:thumbsup:

#2 Animal

  • Site Admin
Posted 24 January 2010 - 06:13 PM

Author has been notified of the issue.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


#3 sproket90

Posted 24 January 2010 - 06:20 PM

I see that someone else reported the same. I have been using ComboFix for a long time, and was surprised at the amount of time it took to run. Once complete - everything in the user account was lost. Everything! Including the start menu & documents. User running as 'Owner'. Running recuva did not get the files back. Not sure what I am going to do next, but I am very upset about this. Why doesn't ComboFix have options?

Thanks.
:flowers:


:thumbsup: did the SAME TO ME!! Omg I just spent 6 hours cleaning a computer and ran combofix just to make sure... now all program files are in quarantine, all of My Docs is in quarantine... every file is named with .vir at the end...

The system HAS BEEN TRASHED... OMG!!!!

Please let me know if Combofix has an UNDO function...?????? :trumpet:

Now I have to restore my backup, go thru 6 hours of cleaning...

:inlove:

#4 Robert717

Posted 24 January 2010 - 06:24 PM

Author has been notified of the issue.


That's great & all - but how do I undo what ComboFix did?

#5 Robert717

Posted 24 January 2010 - 06:36 PM

I feel a little better thanks to sproket. Everything lost gets moved to C:\Qoobox. Now I only have a few more than 5000 files to rename & move.

#6 Animal

  • Site Admin
Posted 24 January 2010 - 06:53 PM

Author has been notified of the issue.


but how do I undo what ComboFix did?

Without the author's guidance any suggestion is a guess and to the safety that you will retrieve your information. My suggestion is to be patient for an official response from the author.

#7 AndrewNZ

Posted 24 January 2010 - 06:53 PM

Just wanna add my 2 cents. I signed up here because of this.

I.T Tech here...been using Combofix since I can remember for our customers.

Did a scan today...the log at the end was staggering.

It deleted all the users' docos, pictures, music, desktop icons, etc....All except one folder in My Documents.

I've never seen anything like it...surely all these files weren't infected? What should I do...?

#8 Robert717

Posted 24 January 2010 - 07:25 PM

For anyone having the same problem,

Contents removed to protect members. Depending on a number of variables, serious problems could result from following what was posted here. ~ OB

Edited by Orange Blossom, 24 January 2010 - 08:21 PM.


#9 AndrewNZ

Posted 24 January 2010 - 07:34 PM

I might wait until something is done via the Author just for that peace of mind. Although if there isn't a fix by tomorrow I may use the above suggestion.

Why did this happen I wonder? When this happened to me this morning ComboFix did an update...was one recently released?

#10 y2roby

Posted 24 January 2010 - 07:42 PM

This is my first post here, and I had the same problem as the rest of you. I couldn't get rid of that google redirect virus any other way, so I used combofix for the first time today, and this is what I get! All my files gone! Well, not technically gone apparently, and I'm glad to know that at least. I'm probably what you'd call a "non-tech" person, so I won't try Robert's solution yet.

When the Author responds, will the response be posted in this thread? Or in a new thread in the forum perhaps?

Edited by y2roby, 24 January 2010 - 07:51 PM.


#11 Robert717

Posted 24 January 2010 - 08:02 PM

The files in the BackEnv folder - you do not need to worry about the .dat files - they are exports. Just don't delete them in case they are needed for reference.

I have verified that the 'special' folders are ok.

Copying all the files to the user account while in safe mode, then logging in as that user - everything is back to normal.

While I am not the author, I am a network engineer. I am sure (s)he will be by eventually to put this to rest. If you have any questions I will check back a couple times throughout the night.


Some alternate tools to help with the cleanup -
Sysinternals "AutoRuns"
SpyBot S&D
Malware Bytes
Hijack This

Good luck!

#12 Grinler

  • Admin
Posted 24 January 2010 - 09:49 PM

Hi all, I know how frustrating this is for everyone, but I am working on a generic fix that you can all use. I suggest that you do not do any mass renaming or other solutions as it will make this solution not possible for you. Please be patient.

Thanks

#13 Cassycan

Posted 24 January 2010 - 10:06 PM

And for those of us who did not have internet access to see this thread and have done mass rename?

#14 Grinler

  • Admin
Posted 24 January 2010 - 10:12 PM

Then copy the files into the appropriate folders and do a system restore back to a restore point right before cf ran.

Basically the process is restore the following folders from the quarantine to their normal locations:

C:\Qoobox\Quarantine\C\Documents and Settings
C:\Qoobox\Quarantine\C\Users
C:\Qoobox\Quarantine\C\ProgramData
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile

So it would be like this:

C:\Qoobox\Quarantine\C\Documents and Settings -> C:\Documents and Settings
C:\Qoobox\Quarantine\C\Users -> C:\Users
C:\Qoobox\Quarantine\C\ProgramData -> C:\ProgramData
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile -> C:\WINDOWS\system32\config\systemprofile

Then do a system restore to the restore point right before CF ran to fix perm issues.

Please note some of the folders above only appear in Vista and do not appear in XP.
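
A read-only way to size up the quarantine before copying anything back, as an added example that is not part of the original post and not ComboFix's own code: it walks the four folders listed above and reports file counts, how many carry the .vir suffix mentioned earlier in the thread, and which files already exist at the destination. The function names, the report fields and the constructed sample tree are assumptions.

```python
import tempfile
from pathlib import Path

# Folders named in the post above, relative to C:\Qoobox\Quarantine\C.
# Some exist only on Vista, so a missing one is skipped, not an error.
QUARANTINED = [
    "Documents and Settings",
    "Users",
    "ProgramData",
    "WINDOWS/system32/config/systemprofile",
]

def plan_restore(quarantine_c, drive_root):
    """Read-only inventory of the quarantine; copies, renames and deletes nothing."""
    quarantine_c, drive_root = Path(quarantine_c), Path(drive_root)
    report = []
    for rel in QUARANTINED:
        src, dst = quarantine_c / rel, drive_root / rel
        if not src.is_dir():
            continue
        files = sorted(p for p in src.rglob("*") if p.is_file())
        rel_paths = [p.relative_to(src) for p in files]
        report.append({
            "source": str(src),
            "destination": str(dst),
            "files": len(files),
            "vir_files": sum(p.suffix.lower() == ".vir" for p in files),
            "bytes": sum(p.stat().st_size for p in files),
            # Same relative path already present at the destination:
            # a plain copy would overwrite it, so list it for review.
            "conflicts": [r.as_posix() for r in rel_paths if (dst / r).exists()],
        })
    return report

def demo():
    """Run the inventory over a small constructed tree (not real ComboFix output)."""
    with tempfile.TemporaryDirectory() as tmp:
        q, c = Path(tmp, "Qoobox", "Quarantine", "C"), Path(tmp, "C")
        for name in ("Documents/a.doc.vir", "Desktop/b.lnk.vir", "ntuser.dat"):
            f = q / "Users" / "Owner" / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"x" * 10)
        fresh = c / "Users" / "Owner" / "ntuser.dat"
        fresh.parent.mkdir(parents=True)
        fresh.write_bytes(b"new profile")
        return plan_restore(q, c)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real machine the call would be `plan_restore(r"C:\Qoobox\Quarantine\C", "C:\\")`, run before any copy so the conflict list can be reviewed first.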

#15 sproket90

Posted 24 January 2010 - 11:06 PM

Just wanna add my 2 cents. I signed up here because of this.

I.T Tech here...been using Combofix since I can remember for our customers.

Did a scan today...the log at the end was staggering.

It deleted all the users' docos, pictures, music, desktop icons, etc....All except one folder in My Documents.

I've never seen anything like it...surely all these files weren't infected? What should I do...?


It appears that it does not delete everything; it renames every file with .vir at the end and puts all the files into a directory called Qoobox in quarantine

but looks very difficult to put them all back though... :thumbsup:



