
Combofix Deleting My "Windows 7 K" Files and Folders



#1 djloekee27


Posted 02 January 2011 - 06:15 AM

combofix detected nate address lookup as malware. but it's not, i have a nate (the korean yahoo/google) email address
http://www.nate.com/
nateon instant messenger
http://nateonweb.nate.com/
and a cyworld (korean facebook/myspace) account that is owned by nate.
http://www.nate.com/?f=cymain
and i installed nate address lookup when i installed nateon instant messenger.

combofix deleted all of the files that i had in the start menu and now when i click on start and all programs, it is empty.
c:\programdata\Microsoft\Windows\Start Menu\프로그램
c:\users\Classic .NET AppPool\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램
c:\users\R.C. Williams\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램

so now i have to see if i can use a restore point to get everything back because combofix deleted my windows 7 k (k for korean version) files. i live in korea with a korean laptop that has the english language pack installed on it because i can't read korean, and combofix goes and deletes my windows 7 files and folders.


 


#2 cryptodan


Posted 02 January 2011 - 06:26 AM

One question, and that is Why did you feel that you needed to run Combofix?

#3 djloekee27


Posted 02 January 2011 - 07:04 AM

One question, and that is Why did you feel that you needed to run Combofix?

this is why.
http://www.bleepingcomputer.com/forums/topic370007.html/page__p__2072912#entry2072912
http://www.security-forums.com/viewtopic.php?t=63367
http://help.lockergnome.com/general/cukftxcmynhbr-dll-file-cash-titan-browser-enhancer--ftopict65535.html
http://forums.malwarebytes.org/index.php?showtopic=71449&st=0&p=367110&#entry367110
there was a file that my a/v couldn't remove.
i've used combofix for the past 2 years with no problems (i build pc's and sometimes my friends call me whenever they have problems with computer viruses). but my os was the american version of microsoft windows. and now i have the korean version of windows because microsoft doesn't sell the american version in korea.
http://sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs029.snc4/33818_10150111182662953_501077952_7322267_803772_n.jpg
http://sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs1365.snc4/163782_10150111182592953_501077952_7322263_4681157_n.jpg
http://sphotos.ak.fbcdn.net/hphotos-ak-ash1/hs734.ash1/162847_10150111182832953_501077952_7322275_2479710_n.jpg
http://sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs1196.snc4/154870_10150111183067953_501077952_7322285_8006156_n.jpg
http://sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs712.snc4/63199_10150111191162953_501077952_7322513_8034888_n.jpg
http://sphotos.ak.fbcdn.net/hphotos-ak-ash2/hs560.ash2/148262_10150111181972953_501077952_7322237_7716258_n.jpg
http://sphotos.ak.fbcdn.net/hphotos-ak-ash2/hs598.ash2/155036_10150111182032953_501077952_7322239_6194290_n.jpg
http://sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs1364.snc4/163673_10150111182082953_501077952_7322241_2197522_n.jpg
and these were microsoft windows 7 64bit files and folders that were deleted, not anything related to viruses, trojans, spyware, adware, malware, etc. all of my program shortcuts that are displayed like this whenever you click on the start button
http://img.photobucket.com/albums/v290/djloekee27/Screenshots/startmenu02.jpg
were deleted from my laptop and everything was empty when i clicked on the start button.

Edited by djloekee27, 02 January 2011 - 07:09 AM.


#4 Elise


Posted 02 January 2011 - 07:14 AM

Hi djloekee27, thank you for letting us know. I will notify the developer of this.

In the meantime, please look if the following folder exists: c:\qoobox\quarantine and list me its contents (if the file ComboFix-quarantined-files.txt is present, please include its contents).
The quarantine folder should contain a folder named C which contains subfolders with the same names as the folders in the filepath of the deleted files.

Since you are already receiving help from kahdah at MBAM forums, I will close your topic at BC and I have notified him about this topic.

Edited by elise025, 02 January 2011 - 07:26 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#5 djloekee27


Posted 02 January 2011 - 07:18 AM

Hi djloekee27, thank you for letting us know. I will notify the developer of this.

In the meantime, please look if the following folder exists: c:\qoobox\quarantine
It should contain a folder named C which contains subfolders with the same names as the folders in the filepath of the deleted files.

actually, i don't have that folder anymore.
i used OTCleanIt.exe
http://www.bleepingcomputer.com/forums/topic271529.html
to uninstall combofix but it left the c:\qoobox\BackEnv folder.
i don't have quarantine-files.txt anymore but i did save my combofix log file in a different location.


c:\program files (x86)\Nate
c:\program files (x86)\Nate\AddressSearch\instcpl.ico
c:\program files (x86)\Nate\AddressSearch\intro.ico
c:\program files (x86)\Nate\AddressSearch\kl.dat
c:\program files (x86)\Nate\AddressSearch\uninstall.exe
c:\programdata\Microsoft\Windows\Start Menu\프로그램
c:\users\Classic .NET AppPool\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램
c:\users\R.C. Williams\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램
c:\windows\SysWow64\1090
c:\windows\SysWow64\1090\inf1090.dat
c:\windows\SysWow64\AVSredirect.dll

Edited by elise025, 02 January 2011 - 07:30 AM.
Since this forum is not intended to post Combofix or other logs, I removed the log and kept only the deleted files part


#6 Elise


Posted 02 January 2011 - 07:32 AM

Had you not done that, you could have easily restored the files. Your only option now is to reinstall the respective applications.

I notified the developer about the detection.

As a general note, it is better not to just copy fixes you see elsewhere, especially since you were already receiving help at MBAM forum.

regards, Elise



 

Malware analyst @ Emsisoft


#7 djloekee27


Posted 02 January 2011 - 07:39 AM

Had you not done that, you could have easily restored the files. Your only option now is to reinstall the respective applications.

I notified the developer about the detection.

As a general note, it is better not to just copy fixes you see elsewhere, especially since you were already receiving help at MBAM forum.

i actually already got all of my applications back using system restore, and then i uninstalled combofix. it didn't delete my apps but my start menu (and nate address lookup was still working after mbam detected it 4 days ago, but i uninstalled it by accident because i clicked on the uninstall button without translating the korean into english first with my handphone/cellphone). and i actually didn't receive help at the mbam forum, but another forum.

Edited by djloekee27, 02 January 2011 - 07:41 AM.


#8 Elise


Posted 02 January 2011 - 08:50 AM

Hi, could you please do the following, so we can have a look at the actual names of the detected items (the board software or my Windows version displays the characters as squares). This is helpful to determine why these files were targeted by combofix.

Press Windows Key + R, type notepad in the runbox and press enter. Copy/paste the following text into Notepad and save it as logit.bat to your desktop.

    @ECHO OFF
    REM List only the directories (/AD) directly under the all-users Start Menu
    DIR /AD "c:\programdata\Microsoft\Windows\Start Menu\*" >logit.txt
    REM Open the resulting log
    START logit.txt

Exit Notepad and right click on logit.bat, select "run as administrator".
It should produce a log named logit.txt
Please attach this to your post (do not copy/paste it).

Edited by elise025, 02 January 2011 - 08:50 AM.

regards, Elise



 

Malware analyst @ Emsisoft
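
The deleted-files list from this thread, checked for path components outside ASCII and rendered as code points, so the folder names stay legible even where the Korean characters show up as squares. This is an added example, not part of any poster's reply; the function names are made up for illustration and the paths are copied from the list posted in the thread.

```python
from pathlib import PureWindowsPath

# Paths copied from the "deleted files" excerpt posted in the thread.
DELETED = [
    r"c:\program files (x86)\Nate",
    r"c:\program files (x86)\Nate\AddressSearch\instcpl.ico",
    r"c:\program files (x86)\Nate\AddressSearch\intro.ico",
    r"c:\program files (x86)\Nate\AddressSearch\kl.dat",
    r"c:\program files (x86)\Nate\AddressSearch\uninstall.exe",
    r"c:\programdata\Microsoft\Windows\Start Menu\프로그램",
    r"c:\users\Classic .NET AppPool\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램",
    r"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램",
    r"c:\users\R.C. Williams\AppData\Roaming\Microsoft\Windows\Start Menu\프로그램",
    r"c:\windows\SysWow64\1090",
    r"c:\windows\SysWow64\1090\inf1090.dat",
    r"c:\windows\SysWow64\AVSredirect.dll",
]


def codepoints(text):
    """Render a name as U+XXXX values, which survive any code page or font."""
    return " ".join(f"U+{ord(ch):04X}" for ch in text)


def non_ascii_components(path):
    """Return (name, code points) for each path component with non-ASCII chars."""
    parts = PureWindowsPath(path).parts
    return [(p, codepoints(p)) for p in parts if not p.isascii()]


def triage(paths):
    """Group the entries whose names a non-Unicode viewer would garble."""
    report = []
    for path in paths:
        hits = non_ascii_components(path)
        if hits:
            parent = str(PureWindowsPath(path).parent)
            report.append({"parent": parent, "names": [cp for _, cp in hits]})
    return report


if __name__ == "__main__":
    for entry in triage(DELETED):
        print(entry["parent"], "->", ", ".join(entry["names"]))
```

Every flagged entry is a folder directly under a Start Menu directory, and all four carry the same four-syllable Hangul name.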


#9 djloekee27


Posted 06 January 2011 - 07:54 AM

Hi, could you please do the following, so we can have a look at the actual names of the detected items (the board software or my Windows version displays the characters as squares). This is helpful to determine why these files were targeted by combofix.

Press Windows Key + R , type notepad in the runbox and press enter. Copy/paste the following text into Notepad and save it as logit.bat to your desktop.

@ECHO OFF
DIR /AD "c:\programdata\Microsoft\Windows\Start Menu\*" >logit.txt
START logit.txt
Exit Notepad and right click on logit.bat, select "run as administrator".
It should produce a log named logit.txt
Please attach this to your post (do not copy/paste it).

i hovered my mouse over every icon and looked everywhere but i don't have an option to add any attachments. so i uploaded it to rapidshare
http://rapidshare.com/files/441098368/logit.txt
(megaupload kept giving me errors).

#10 Elise


Posted 06 January 2011 - 08:22 AM

Thank you!

regards, Elise



 

Malware analyst @ Emsisoft


#11 Animal


Posted 06 January 2011 - 10:34 PM

i hovered my mouse over every icon and looked everywhere but i don't have an option to add any attachments. so i uploaded it to rapidshare

Did you by chance use Fast Reply when looking for the manage attachments feature? If so it does not exist. If you select Add Reply by clicking the button you will see the image below. I have highlighted the manage attachments area with a red border. Hope this helps in the future should you need to attach files to a topic or post.

Posted Image

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#12 djloekee27


Posted 07 January 2011 - 01:58 AM


i hovered my mouse over every icon and looked everywhere but i don't have an option to add any attachments. so i uploaded it to rapidshare

Did you by chance use Fast Reply when looking for the manage attachments feature? If so it does not exist. If you select Add Reply by clicking the button you will see the image below. I have highlighted the manage attachments area with a red border. Hope this helps in the future should you need to attach files to a topic or post.

i used add reply. the option doesn't appear for me on this section of the forum.
Posted Image



