
Another ComboFix File Quarantine/"Deletion" question


9 replies to this topic

#1 LaPs

LaPs

  • Members
  • 5 posts

Posted 25 January 2010 - 09:17 AM

DO NOT MOVE-MG


Good Morning,

Like a few others here, I used ComboFix to resolve a Google Redirect Virus issue (not knowing that it had been pulled by the dev), and it "deleted" (quarantined) every file on my machine. A quick look around my C:\ and I found all the files with a brand spanking new .vir extension. </panic mode>

Following instructions and recommendations from tetonbob given to another forum member in another thread, I was able to use a dequarantine script to recover all my data back to its original location. Fantastic!

At this point I just need someone to help me address some housekeeping issues...it seems all my data was copied from the Quarantine folder and the .vir extension was removed, because the quarantine folder is still showing the "infected" files. Essentially I have two sets of files, the normal one and the set that was quarantined and marked .vir. Is it safe to remove the set of quarantined data?

Are there any other things that I should be doing to get my PC back to its condition before I ran ComboFix?


Thanks in advance for your help!

Edited by garmanma, 25 January 2010 - 11:17 AM.



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 January 2010 - 01:49 PM

Hello there



Are you having any issues right now? This is important to know because there are two ways to proceed and I need to know which way to go.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 LaPs

LaPs
  • Topic Starter

  • Members
  • 5 posts

Posted 25 January 2010 - 02:11 PM

Hi, thanks for your response!

Currently I am not having any issues that prompted my use of ComboFix in the first place. The google redirect issue was resolved by ComboFix. Now I am merely trying to correct the "side effects" of running CF. I have some configuration files present on my desktop that were not there previously. I'd also like to know if it is safe to delete everything from C:\Qoobox now that I've run this script:

QUOTE
Dequarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile
C:\Qoobox\Quarantine\C\Documents and Settings
Quit::


I have the DeQuarantine .txt log if you'd like it.
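Before the quarantine set is deleted, the check a practitioner would want is proof that every quarantined file has a byte-identical copy back at its original location. The script below is an added example for this thread, not ComboFix's own code or anything posted by the thread's participants. It assumes what the quoted paths suggest: ComboFix mirrors the original path under C:\Qoobox\Quarantine\C\ and appends .vir to the file name. The miniature Qoobox and C:\ trees it builds, and the file names in them, are constructed for the demonstration; the audit itself is read-only and deletes nothing.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption (from the paths quoted in the thread): ComboFix mirrors the original
# path under <Qoobox>\Quarantine\C\ and appends ".vir" to the file name.
QUARANTINE_SUFFIX = ".vir"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_quarantine(quarantine_root, restore_root):
    """Compare every .vir file in the quarantine tree against its restored original.

    Returns a dict of relative original paths (POSIX style for readability):
      ok         - restored copy exists and is byte-identical to the quarantined one
      missing    - nothing exists at the original location
      mismatched - a file exists there but its content differs
    Nothing is deleted or modified; this is a read-only check.
    """
    quarantine_root = Path(quarantine_root)
    restore_root = Path(restore_root)
    report = {"ok": [], "missing": [], "mismatched": []}
    for quarantined in sorted(quarantine_root.rglob("*" + QUARANTINE_SUFFIX)):
        if not quarantined.is_file():
            continue
        relative = quarantined.relative_to(quarantine_root)
        original_relative = relative.with_name(relative.name[: -len(QUARANTINE_SUFFIX)])
        original = restore_root / original_relative
        key = original_relative.as_posix()
        if not original.is_file():
            report["missing"].append(key)
        elif sha256_of(original) != sha256_of(quarantined):
            report["mismatched"].append(key)
        else:
            report["ok"].append(key)
    return report


def safe_to_delete_quarantine(report) -> bool:
    """Only an audit with no missing and no mismatched entries justifies deleting Qoobox."""
    return not report["missing"] and not report["mismatched"]


def build_demo():
    """Constructed sample layout (not real data): a miniature Qoobox tree next to a
    miniature C:\\ tree, with one file restored correctly, one restored but truncated,
    and one never restored. Returns (quarantine_root, restore_root)."""
    base = Path(tempfile.mkdtemp(prefix="qoobox-demo-"))
    restore_root = base / "C"
    quarantine_root = base / "Qoobox" / "Quarantine" / "C"
    samples = {
        "Documents and Settings/LaPs/My Documents/report.doc": b"constructed report contents",
        "Documents and Settings/LaPs/Desktop/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "WINDOWS/system32/config/systemprofile/ntuser.ini": b"[constructed]\n",
    }
    for relative, data in samples.items():
        quarantined = quarantine_root / (relative + QUARANTINE_SUFFIX)
        quarantined.parent.mkdir(parents=True, exist_ok=True)
        quarantined.write_bytes(data)
    restored_ok = restore_root / "Documents and Settings/LaPs/My Documents/report.doc"
    restored_ok.parent.mkdir(parents=True, exist_ok=True)
    restored_ok.write_bytes(samples["Documents and Settings/LaPs/My Documents/report.doc"])
    truncated = restore_root / "Documents and Settings/LaPs/Desktop/photo.jpg"
    truncated.parent.mkdir(parents=True, exist_ok=True)
    truncated.write_bytes(samples["Documents and Settings/LaPs/Desktop/photo.jpg"][:4])
    # ntuser.ini is deliberately left unrestored to show the "missing" case
    return quarantine_root, restore_root


if __name__ == "__main__":
    q_root, r_root = build_demo()
    result = audit_quarantine(q_root, r_root)
    for status, paths in result.items():
        for path in paths:
            print(f"{status:10s} {path}")
    print("safe to delete quarantine:", safe_to_delete_quarantine(result))
```

On a real machine you would call audit_quarantine(r"C:\Qoobox\Quarantine\C", r"C:\") instead of build_demo(). Delete the Qoobox folder only when the report lists nothing under missing or mismatched; a mismatched entry means the restored copy differs from the quarantined one (a partial copy, or a file that changed afterwards), so keep the quarantine copy until you have decided which version you want.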

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 January 2010 - 02:18 PM

You're welcome.

I wanted to be sure you weren't having any problems running or changing anything. Please delete that version of ComboFix if you haven't already, and yes, you can delete Qoobox and everything in it. When you dequarantined all the files, the .vir extension was indeed removed, and those are no longer necessary.
QUOTE
I have some configuration files present on my desktop that were not there previously.
Those *should* be all right to delete... but could you tell me what they are first, please?

Thanks,
tea

#5 LaPs

LaPs
  • Topic Starter

  • Members
  • 5 posts

Posted 25 January 2010 - 02:27 PM

They seemed to be picture related, more specifically Picasa associated files. There are several .picasa.ini and thumbs.db files in a few folders that sit directly on my desktop, and there is a desktop.ini file and several thumbs.db files scattered through My Documents and its subfolders.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 January 2010 - 02:39 PM

Well, I'm not an expert on Picasa, but it sounds like some bits got misplaced in the process. I guess what you do with those will depend on how much you use Picasa. The pictures you have associated with it should still be there if you delete those files, but you might have to search for them. What you might try is uninstalling Picasa, removing those files off the desktop, then reinstalling Picasa and let it find all your media again. Like I said, I'm no expert on Picasa, but that seems the easiest to try.

#7 LaPs

LaPs
  • Topic Starter

  • Members
  • 5 posts

Posted 25 January 2010 - 02:44 PM

I was thinking the same thing. Any thoughts on the desktop.ini file that has shown up in My Documents? And finally, is it safe to delete the contents of C:\ComboFix?

Thanks again!

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 January 2010 - 02:51 PM

Have a look here : http://www.ofzenandcomputing.com/zanswers/797

So try going to your settings and checking the “Hide protected operating system files (recommended)” and see if that makes it go away.

Yes, please delete ComboFix, and the folder it's in.

#9 LaPs

LaPs
  • Topic Starter

  • Members
  • 5 posts

Posted 26 January 2010 - 12:45 PM

Ok, all ComboFix folders and files have been deleted. Picasa has been reinstalled and after reboot the config files hid themselves, and as far as I can tell everything is working properly.

I think I'm all set. Thank you so much!



#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 26 January 2010 - 01:51 PM

That's great! And you're most welcome.

Take care then, and be careful!
tea