
The Updated Combofix (5-23-11)



#1 TrueBlueComputers


Posted 25 May 2011 - 12:23 PM

Hey all, long time lurker, first time posting. As many of the people that frequent this forum know, there is a relatively new virus out there that hides all the files on a system, giving the appearance that all files are gone. Combofix is able to take care of the brunt of this virus, and with a simple command in command prompt to unhide the files you're g2g, but up until a few days ago the start menu would be totally wiped out, with many programs saying empty. For some users this was not an issue but for some it meant having to do a reload on the system. The new Combofix however is able to fix this. I know the rules say we can't discuss how CB works internally, but if anyone would be able to clue me in as to how to repair the start menu in the same fashion that CB does, my little computer repair shop would be very grateful.



#2 quietman7


Posted 25 May 2011 - 01:50 PM

Welcome to BC.

I know the rules say we can't discuss how CB works internally

That is correct. For others reading this thread who do not know what TrueBlueComputers is referring to, please read ComboFix usage, Questions, Help? - Look here.

The symptoms you describe are indicative of a side effect from the HDD Defrag family of rogue security programs which changes file attributes to "hidden", making them appear invisible so the user thinks some of their files have been deleted. Newer variants of the FakeHDD rogue delete Quick Launch and Start Menu items/folders and store them in a %Temp%\smtmp folder.

A safer alternative for victims is to use unhide.exe (Step 17) as shown in this example guide. It was created by Grinler to remove the "hidden" attribute on all files and attempt to restore Quick Launch and Start Menu items to their proper location. Due to the rapidly changing nature of the infection, this may not always work and you have to resort to other methods.

Note: Do not clean out your temporary files/folders until this issue is resolved.

This is a manual fix for Vista/Windows 7 users:

1. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
and paste it to this folder:
C:\Program Data\Start Menu

2. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\2
and paste it to this folder:
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

3. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\3
and paste it to this folder:
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

4. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\4
and paste it to this folder:
C:\Program Data\Desktop

-- Note: The "Start Menu", "Quick Launch" and "Desktop" folders are system folders. In order to see them, you need to Reconfigure Windows to show hidden files, folders. In Windows Explorer go to Tools > Folder Options and click on the View tab. Under Advanced settings > Files and Folders > Hidden Files and Folders, uncheck "Hide Protected operating system Files (recommended)" and hit Apply > OK. In order to access the "Start Menu" folder, you may need to that folder as shown here.

If the above does not work, then you can restore the defaults for the Start Menu and Administrative Tools as follows:

This is a manual fix for XP users:

1. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\1
and paste it to this folder:
C:\Documents and Settings\All Users\Start Menu

2. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\2
and paste it to this folder:
C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick Launch

3. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\3
and paste it to this folder:
C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

4. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\4
and paste it to this folder:
C:\Documents and Settings\All Users\Desktop

If the above does not work then you can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:

For any other missing program shortcuts you will probably need to reinstall the application or manually create new shortcuts.

Edited by quietman7, 25 May 2011 - 01:54 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

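The Vista/Windows 7 copy steps from the post above, written out as a script. This is an added example, not part of the original post and not how ComboFix or unhide.exe work. It assumes PowerShell 3.0 or later, that smtmp sits under the current user's %TEMP%, and that %ProgramData% stands in for the post's "C:\Program Data"; the `-SmtmpRoot` and `-Apply` parameter names are hypothetical.

```powershell
# Added example (not from the original post). Dry run unless -Apply is given.
param(
    [string]$SmtmpRoot = (Join-Path $env:TEMP 'smtmp'),
    [switch]$Apply
)

$quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'

# smtmp subfolder -> destination, following steps 1-4 of the Vista/7 fix.
# Assumption: %ProgramData% stands in for the post's "C:\Program Data".
$map = @(
    @{ Sub = '1'; Dest = (Join-Path $env:ProgramData 'Start Menu') },
    @{ Sub = '2'; Dest = $quickLaunch },
    @{ Sub = '3'; Dest = (Join-Path $quickLaunch 'User Pinned\TaskBar') },
    @{ Sub = '4'; Dest = (Join-Path $env:ProgramData 'Desktop') }
)

foreach ($entry in $map) {
    $src = Join-Path $SmtmpRoot $entry.Sub
    if (-not (Test-Path -LiteralPath $src -PathType Container)) {
        Write-Output "smtmp\$($entry.Sub): not present, skipping"
        continue
    }
    $srcFull = (Get-Item -LiteralPath $src -Force).FullName.TrimEnd('\')

    # -Force is needed because the rogue sets the "hidden" attribute on files.
    $files = Get-ChildItem -LiteralPath $srcFull -Recurse -Force |
        Where-Object { -not $_.PSIsContainer }

    foreach ($file in $files) {
        $relative = $file.FullName.Substring($srcFull.Length + 1)
        $target   = Join-Path $entry.Dest $relative

        if (Test-Path -LiteralPath $target) {
            # Never overwrite a shortcut that is already in place.
            Write-Output "SKIP (exists)  $target"
        } elseif ($Apply) {
            $parent = Split-Path -Parent $target
            New-Item -ItemType Directory -Path $parent -Force | Out-Null
            # Copy, never move: smtmp stays intact as the fallback copy.
            Copy-Item -LiteralPath $file.FullName -Destination $target
            Write-Output "COPIED         $target"
        } else {
            Write-Output "WOULD COPY     $($file.FullName) -> $target"
        }
    }
}
```

Run it once without `-Apply` from an elevated prompt to review the plan. Copied files keep whatever "hidden" attribute they carry, so the unhide step described in the post is still needed afterwards.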

#3 TrueBlueComputers


Posted 25 May 2011 - 03:22 PM

WOW

Thank you so much. That was way more information than I was expecting. I really appreciate the fast reply and the wealth of information.

#4 FishersNole


Posted 25 May 2011 - 04:26 PM

good afternoon, Friends. First timer here...got a tip from my IT guy at work regarding BC membership and am now trying to use it wisely.

How do I download combofix.exe ???? He told me it'll remove about:blank


Any suggestions/tips are appreciated. Thanks.

FishersNole

#5 quietman7


Posted 25 May 2011 - 04:53 PM

You're welcome TrueBlueComputers and good luck.


Welcome to BC FishersNole

Please see the authorized How to use ComboFix guide.

...you should download ComboFix from one of the following URLs:

  • BleepingComputer.com
  • InfoSpyware.net
To download ComboFix, simply left-click on one of the links above...Click on the Save button, and when it asks you where to save it


If you are dealing with a malware infection, please be aware that using ComboFix is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination if using ComboFix is necessary. ComboFix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware which scan individual drives or different folders on a computer for viruses.

I ask that you read the pinned topic ComboFix usage, Questions, Help? - Look here before proceeding with using ComboFix on your own.

Also when you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff



