Combofix has hidden all of my files


This topic is locked. 20 replies to this topic.

#1 philsphan (Members, 65 posts)

Posted 02 June 2011 - 01:38 PM

Hello all,
I ran ComboFix. My infection is gone, but it has hidden all of my files (everything).
I can't find them. Anyone know how I can restore them? I know they are somewhere, as I've tried to replace them but they already exist.
Thanks


#2 quietman7, Bleepin' Janitor (Global Moderator, 51,482 posts, Virginia, USA)

Posted 02 June 2011 - 08:07 PM

The symptoms you describe are indicative of a side effect from the HDD Defrag family of rogue security programs which changes file attributes to "hidden", making them appear invisible so the user thinks some of their files have been deleted. Newer variants of the FakeHDD rogue delete Quick Launch and Start Menu items/folders and store them in a %Temp%\smtmp folder.

See this example guide which includes removal instructions and using unhide.exe (Step 17), a tool which will remove the "hidden" attribute on all files and attempt to restore Quick Launch and Start Menu items to their proper location. When done you will need to restore the hidden attributes to those files manually. To do that, open Windows Explorer, go to Tools > Folder Options > View and make that change there.

Note: Do not clean out your temporary files/folders until this issue is resolved.

IMPORTANT!: If you ran or want to run ComboFix on your own due to malware infection, please be aware that using it is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination if using ComboFix is necessary.

Further, when issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
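As an added example (not code from this thread, and not unhide.exe), the following PowerShell script does the scoped version of what the post describes: it lists everything under the user profile that carries the Hidden attribute and, when run with -Apply, clears only that bit. Items that also carry the System attribute (desktop.ini, NTUSER.DAT, thumbs.db) are legitimately hidden and are left alone, so nothing has to be re-hidden afterwards; it also reports the %Temp%\smtmp folder the post mentions. The $Root default, the -Apply switch and the script name are assumptions of this example.

```powershell
# Added example: report and optionally clear the Hidden attribute that a
# FakeHDD-style rogue sets on user files. Scope and switch names are assumed.
# Usage:  .\Restore-HiddenFiles.ps1          # dry run, report only
#         .\Restore-HiddenFiles.ps1 -Apply   # clear the Hidden bit
param(
    [string]$Root = $env:USERPROFILE,   # assumption: only the user's profile is in scope
    [switch]$Apply
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

# -Force is required: Get-ChildItem skips hidden items by default, exactly as
# Explorer does unless "Show hidden files and folders" is enabled.
$candidates = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ([int]($_.Attributes -band $hidden) -ne 0) -and
        ([int]($_.Attributes -band $system) -eq 0)   # keep OS-hidden files hidden
    }

$report = foreach ($item in $candidates) {
    if ($Apply) {
        # Hidden is known to be set here, so XOR removes just that bit and
        # leaves Archive, ReadOnly, Directory etc. untouched.
        $item.Attributes = $item.Attributes -bxor $hidden
    }
    New-Object PSObject -Property @{
        Path     = $item.FullName
        IsFolder = $item.PSIsContainer
        Restored = [bool]$Apply
    }
}

$report | Sort-Object Path | Format-Table -AutoSize
Write-Host ("{0} hidden item(s) without the System attribute under {1}" -f @($report).Count, $Root)
if (-not $Apply) { Write-Host "Dry run: re-run with -Apply to clear the Hidden attribute." }

# Newer FakeHDD variants move Start Menu / Quick Launch items to %Temp%\smtmp.
# Report what is there so it can be put back by hand if unhide.exe missed it.
$smtmp = Join-Path $env:TEMP 'smtmp'
if (Test-Path $smtmp) {
    $moved = @(Get-ChildItem -Path $smtmp -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    Write-Host ("{0} item(s) in {1} were moved out of the Start Menu/Quick Launch." -f $moved.Count, $smtmp)
}
```

Run the dry run first and read the list: a legitimate user file should never carry the System attribute, so anything the filter skips is worth a second look before deciding it belongs to Windows.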

#3 philsphan, Topic Starter (Members, 65 posts)

Posted 02 June 2011 - 11:29 PM

Thanks. That worked. I'm a little unclear as to where to restore the hidden attributes in IE. I don't have a Folder Options. I did a Google search on where to restore "Folder Options" but it didn't work.
My personal files are back. Thanks again.

#4 quietman7, Bleepin' Janitor (Global Moderator, 51,482 posts, Virginia, USA)

Posted 03 June 2011 - 07:40 AM

Folder Options can be accessed from the Tools menu in Windows Explorer or by right-clicking on My Computer > Explore.


#5 ochopintre (Members, 3 posts)

Posted 03 June 2011 - 09:59 AM

I tried to run combofix.exe but Comodo Firewall found lots of malware and spyware. Can anyone explain wtf?

#6 quietman7, Bleepin' Janitor (Global Moderator, 51,482 posts, Virginia, USA)

Posted 03 June 2011 - 02:19 PM

Welcome to BC ochopintre

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff

Important Note: As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we asked someone to run it. This is because people should not be using ComboFix without being advised to do so by a trained expert (i.e. Malware Response Team) who is assisting a member to deal with a malware issue on that system. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.

Further, using ComboFix is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination if using ComboFix is necessary. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

If you need assistance with a malware infection that requires using ComboFix, please read the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
  • When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
  • If you already ran ComboFix, include the log (ComboFix.txt) in your topic. It should have been saved to your root directory, usually C:\.


#7 philsphan, Topic Starter (Members, 65 posts)

Posted 05 June 2011 - 03:23 PM

When I restored my files I was infected again. I guess the bugs were hiding in those files. I'm finding lots of infections upon every scan of Malwarebytes and SUPERAntiSpyware. Getting search engine redirects also. Should I just wipe the OS clean and start from scratch? (I'd hate to do it.)

#8 boopme, To Insanity and Beyond (Global Moderator, 73,331 posts, NJ USA)

Posted 05 June 2011 - 04:38 PM

You could also post the last MBAM and SAS logs for review, perhaps something is there that we can act on.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#9 philsphan, Topic Starter (Members, 65 posts)

Posted 05 June 2011 - 07:31 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6773

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/4/2011 8:01:47 PM
mbam-log-2011-06-04 (20-01-47).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 268731
Time elapsed: 1 hour(s), 10 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\jsaret.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\epuwitat.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jhibaco (Trojan.Hiloti) -> Value: Jhibaco -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkare (IPH.Trojan.Hiloti.B) -> Value: Hkare -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\jsaret.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\epuwitat.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.
c:\documents and settings\compaq_administrator\local settings\temp\ms0cfg32.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\compaq_administrator\local settings\temporary internet files\Content.IE5\4DI7SPAF\oqgcf1vv[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

#10 philsphan, Topic Starter (Members, 65 posts)

Posted 05 June 2011 - 07:32 PM

Can't find the SAS log.

#11 boopme, To Insanity and Beyond (Global Moderator, 73,331 posts, NJ USA)

Posted 05 June 2011 - 08:14 PM

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Did you run the TDSS scan?

#12 philsphan, Topic Starter (Members, 65 posts)

Posted 05 June 2011 - 10:15 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/05/2011 at 00:40 AM

Application Version : 4.38.1004

Core Rules Database Version : 7202
Trace Rules Database Version: 5014

Scan type : Complete Scan
Total Scan Time : 00:53:28

Memory items scanned : 566
Memory threats detected : 0
Registry items scanned : 5617
Registry threats detected : 0
File items scanned : 32829
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@atdmt.combing[2].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@www.stopzilla[1].txt
C:\Documents and Settings\Compaq_Administrator\Cookies\compaq_administrator@stopzilla[2].txt

Ran TDSS, it found nothing. MBAM log is in the previous post, SAS log above.

#13 boopme, To Insanity and Beyond (Global Moderator, 73,331 posts, NJ USA)

Posted 06 June 2011 - 03:15 PM

Ok, let's do a final online scan and tell me how it is after that.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [icon image] on your desktop.
  • Check [checkbox image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [checkbox image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]


NOTE: In some instances if no malware is found there will be no log produced.

#14 philsphan, Topic Starter (Members, 65 posts)

Posted 06 June 2011 - 09:36 PM

C:\Documents and Settings\Compaq_Administrator\Application Data\9844EF4492DE55C7D9DF88EC356E270D\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Administrator\Application Data\9844EF4492DE55C7D9DF88EC356E270D\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined

#15 philsphan, Topic Starter (Members, 65 posts)

Posted 06 June 2011 - 10:30 PM

Still infected. This program called Malware Protect pops up all the time and just disables everything and does a bogus scan.
