
ComboFix problems and resolution for legitimate files being deleted


82 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:52 AM

Posted 24 January 2010 - 11:41 PM

As many of you know, ComboFix has been pulled due to a bug that causes legitimate files to be deleted. For those that have been affected, you would have noticed many deletions taking place as ComboFix was running, and your desktop would be blank. For users of Windows XP, you may still have an Internet Explorer icon and the Recycle Bin still present on your desktop, but everything else would be gone.

To restore the folders and files that were deleted, please download the following file and save it to your desktop:

http://download.bleepingcomputer.com/sUBs/CFDQ-UsrPrf.exe

Now disable all anti-virus programs as they may interfere with the restoration process. Instructions on how to do this can be found here. Then launch the CFDQ-UsrPrf.exe program to start the restoration process. When the program has finished, your data will have been restored. Please note that if you had infections located in the deleted folders, these infections will now be restored as well. Therefore please do not reboot without first contacting the helper that was helping you previously as the infections could become active again.



#2 y2roby

y2roby

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:52 AM

Posted 25 January 2010 - 03:04 AM

Thank you for the solution, but I had some issues with it. I got the ComboFix.exe onto my desktop, then dragged the Cfscript file into it and combofix started like you said it would. It prompted me to turn off Symantec, because it was on at the time, and I did. However, about an hour later Combofix said it was still scanning for infected files. I realized that symantec had come back on somehow, so I thought maybe that was interfering with Combofix. After shutting off autoprotect again, Combofix obviously wasn't going to close on its own, so I just closed it myself. It appeared that all my files and programs were back anyway. But now I couldn't get on the internet, either via Firefox or IE. So I attempted to do the SystemRestore step. The problem there was there was no restore point available, apart from the one created by this most recent running of ComboFix. So I went to that one, thinking I would just start from the beginning of this solution again and make sure symantec stayed off.

That's where I am now, post-restore point. But most of my programs appear to be gone again. Strangely, Word, PDF, and Text documents, as well as picture files, all appear on my desktop and in the 'My Documents' or 'My Pictures' folder as they should. Other programs don't, but I know they are working because I can go into 'My Computer', then 'Program Files' and access everything I used to be able to. It's just that I can't see almost anything apart from what I mentioned on my desktop or by going to 'Start' and then 'Programs'. Did I do something wrong? Should I undo the restore point and try to regain the permissions another way? Oh, and I have the internet back now since I did the SystemRestore, obviously.

Edit: I ran the batch file too, but I'm not sure if it did anything. A black popup window appeared for a few seconds with some text in it, and then was gone before I could read it. Nothing else appeared to be happening, so I restarted the computer and everything appears as I just described.

Edit again: Ok, I know I'm probably going to drive y'all nuts, but just for the sake of being thorough, I should also note that one of the things I once again can't see when I click 'Start' then 'Programs' is Accessories, so I'm not sure how to get into System Restore again if I need to.

Edited by y2roby, 25 January 2010 - 03:36 AM.


#3 Browne

Browne

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 25 January 2010 - 08:01 AM

Basically, I have the same as y2roby. Initially, when I started CF from the desktop it detected that my AVG was running so I stopped all AVG services, but CF said it was still running. I stopped all, restarted in Safe Mode. Same thing, stopped all AVG services, again CF said it was still running but I proceeded anyway. Now CF has been running in safe mode for the past 45 minutes. All the original desktop files are back on the desktop, but I don't want to stop CF until it finishes... my question, will it ever stop?

BTW, for the Author's info, Combo deleted the DELL System Restore on the first pass, so I cannot proceed with that when, and if, ComboFix ever stops.

Oh, and to y2roby, if you want to start System Restore, start it from "Help & Support", if it still exists in your start menu.

EDIT: CF now finished, restarted to desktop, everything seems to be fine...have not run the desktop.bat file as yet, just checking out state at the moment, will re-edit if any further problems arise..

FURTHER EDIT: This sounds strange but, I know Win XP SP3 was installed on the machine, now it's SP2... strange indeed...

Edited by Browne, 25 January 2010 - 09:36 AM.


#4 bigpinkears

bigpinkears

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 25 January 2010 - 09:44 AM

Did you edit your original post? I could have sworn that it said download cfscript, etc., before. I was in the middle of everything (it is taking quite some time for various reasons), and I came back to what I thought was the page where I got the instructions, and the post is different from the one I had been reading.

I did the thing with cfscript, after altering it for d drive and d folder (I ran ComboFix on d drive) and it restored many of the files that it had deleted, but others it did not. It didn't restore my computer's ability to connect to internet, and a few other things are still askew, like programs menu, and other things. I was hoping there was something else I could do.


EDIT: I just want to clarify that most of my media files and word documents were restored, and I can fish the few remaining out of the qoobox folder. It's just that I can't connect to the internet, and my programs menu is skewed, really. I can deal with the programs menu issue, but trying to get back on the internet is the main issue. I'm kind of scared to run the exe file you have posted, as I already did the thing with cfscript.

Edited by bigpinkears, 25 January 2010 - 10:04 AM.


#5 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:52 AM

Posted 25 January 2010 - 10:00 AM

Yes, the original post has been edited. I am confirming whether or not you can use the above program after already doing the cfscript solution.

#6 bigpinkears

bigpinkears

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 25 January 2010 - 10:09 AM

Thanks. :-)

#7 Browne

Browne

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 25 January 2010 - 10:40 AM

Yes, the original post has been edited. I am confirming whether or not you can use the above program after already doing the cfscript solution.


After running the script file, I THINK all has been restored. Should I now run the .exe file? And if so, what will that do to the files already restored?

#8 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:52 AM

Posted 25 January 2010 - 01:12 PM

You can go ahead and run the executable posted in the first post. It won't harm anything even if you used the cfscript previously.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:52 AM

Posted 25 January 2010 - 01:17 PM

@Grinler,
I saw a few logs that I saw in the Malware Removal forum that I saw with some users not aware of this tool to dequarantine what has been removed. Is it possible to have a pinned topic there regarding this as well so users are aware? Just a suggestion.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:52 AM

Posted 25 January 2010 - 01:18 PM

I will post a forum wide message. Also if you can let me know the topics, I will post a link to this thread in them.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:52 AM

Posted 25 January 2010 - 01:21 PM

Okay. I think I responded to one linking to this topic as well. Here's another: http://www.bleepingcomputer.com/forums/t/290209/combofix-deleted-everything-on-my-computer/

If I find any more, I'll refer them to this thread until an announcement is made of this.

With Regards,
Extremeboy

#12 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:52 AM

Posted 25 January 2010 - 01:51 PM

Forum announcement is up, so hopefully more people will see this topic.

#13 Cassycan

Cassycan

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:52 AM

Posted 25 January 2010 - 02:10 PM

For those of us for whom this is not a possibility, is there a better place to ask for help since I haven't gotten a response in over 12 hours from my and the situation is different than when I posted? I realize how busy and how much you folks do, but I am stuck with a client who has been out of business for about a week.

#14 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:52 AM

Posted 25 January 2010 - 02:36 PM

Cassycan, what have you done already and what are your current problems?

#15 AndrewNZ

AndrewNZ

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:52 PM

Posted 25 January 2010 - 03:19 PM

I haven't tried this yet, but once the personal files are restored how do I go about removing the actual infections that originally prompted me to run Combofix?

I mean...won't the same thing happen all over again if I run the latest version of Combofix? I have an older version which I suppose is safe.

I understand it's hard for developers to perfect this program but I'm kind of confused as to why the DL link is removed from the website, yet Combofix updates for those who have the actual .exe, to a version which wipes personal files?

Thanks for the quick solution though :thumbsup:



