Combo fix - renamed C: drive/redirect



#1 cbia


Posted 28 October 2011 - 11:35 AM

I ran combofix (I know bad mistake without coming here first - I realize that now) and during the scanning process the computer froze and rebooted. When it restarted it appears a lot of my critical files are hidden. Then when I click on C: in my computer it takes me to what appears to be a shortcut back to my computer. The title of the shortcut was combofix.

I did a search here and it said to uninstall combofix. I did that and nothing changed besides I don't have the combofix.exe on my desktop and the shortcut/icon was renamed when I click on C: on my computer.

Any ideas how I can get things back to normal?

The computer was riddled with malware like the fake internet security popups and browser redirects. So I ran malwarebytes and then ran combofix.

Thanks.



#2 Troycity


Posted 28 October 2011 - 12:16 PM

Hello,

First what you need to do is clear all of your Temp Files. You can use CCleaner and check as much as you can on the left. Also under settings, make sure that you uncheck (keep files less than 24 hours).

Next try to go to your control panel. If you see Java, double click on it and then click on settings under temporary files at the bottom and then click on delete.

Now that we have cleared all of the junk files, restart your PC under safe mode with networking.

Once the PC has restarted (instructions removed), download Malwarebytes one more time, and Superantispyware. Get the free version; also, you can surely use Hitman Pro as it has a free 30 activation with no registering or anything else (for rootkits).

Then scan with Hitman Pro First.

Then Malwarebytes.

Then Superantispyware.

I understand that this is going to be time consuming; however, this is your best chance to get a clean PC back to normal. Finally, what is truly important whenever your PC is clean again is to delete any restore points (simply turn it off). Then turn it back on; this will create a new clean restore point.

Hope this will help. Please note that in some severe infections, although the PC is now clean, a clean re-install of the OS might still be necessary. So make sure to back up all of your files and favorites prior to doing so.

Good luck and let us know if your issue has been resolved.

Mod Edit: Some comments removed due to posting unauthorized advice.

Edited by quietman7, 28 October 2011 - 04:26 PM.


#3 cbia


Posted 28 October 2011 - 02:49 PM

I tried the first part. Got all the way to running combofix again. It was running for an hour and then the screen/mouse froze. I didn't do anything and just turned the monitor off and will go check on it soon.

#4 quietman7

  • Global Moderator

Posted 28 October 2011 - 04:15 PM

cbia, please read How do I get help? Who is helping me?

...Posting your problem here allows more experienced and knowledgeable Members and Staff to determine if solving your problem requires additional information and whether it is actually caused by malware or by some other problem requiring a different approach...

Advice or instructions in this area should be limited to non-invasive scanners or tools that create a report that can be reviewed by a trained helper. The use of Combofix or any other high level removal tool is not for this area. See HERE.

As this is an open area, available for any member to post in, please use caution when following the advice given. Instructions from the following member groups are to be considered trusted:
Admin | Site Admin | Global Moderator | Moderator | Malware Response Instructor | Malware Response Team | BC Advisor


As you can see, the use of ComboFix is not permitted here and you should not follow advice from anyone asking you to run it. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.


Since you already ran ComboFix, the log should be reviewed in order to ascertain what was detected and removed.

Please read the pinned topic Preparation Guide For Requesting Help. When you have done that, post the required logs to include your ComboFix log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

If you're not sure where to find the log, ComboFix will create and save it to the root directory, usually C:\ComboFix.txt. To retrieve the log, launch Windows Explorer, navigate to the root directory and double-click on it to open in Notepad.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 cbia


Posted 28 October 2011 - 06:52 PM

How can I access the log if c: is being redirected every time? Not just in my computer but I cannot access any files via notepad>open either.

I am sorry for posting in the wrong area. Is there any way a mod/admin can move this to the correct area? Thanks.

As I said earlier, I ran combofix, the PC rebooted without finishing (so there probably isn't a log file anyway).

BTW, the PC is still frozen in the scanning phase. I can't move the mouse but the screen is still up. I will leave it that way till tomorrow. If it is still that way, then I will reformat - I was able to backup important files before I scanned anything.

#6 quietman7

  • Global Moderator

Posted 28 October 2011 - 08:50 PM

There are circumstances where ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.

In such cases, it is helpful to know at what stage CF stalled/crashed and to provide that information to the Helper who is assisting you so they can investigate. This is just another reason why you should only use ComboFix under supervision. If it still appears to be stuck, frozen or failed to reboot, then try this:

Open Task Manager and look for the following ComboFix related processes (some have a .3XE extension):
  • PEV.exe
  • NirCmd.3XE
  • PEV.3XE
  • SED
  • GREP
  • any file that has the extension *.3XE
One at a time, right-click and select End Process. If doing that did not free ComboFix and allow it to continue, then you will need to reboot the computer manually.

If no log was created, then I still recommend you follow the directions in the Prep Guide and post the required logs for assistance with the malware. If you choose to reformat, that's ok...just let us know.

#7 kulgion


Posted 19 July 2012 - 04:29 PM

I had the same problem. The virus changed all file attributes on the C: drive to hidden. I booted to Mini-windows xp on a flash drive and unhid all files. I then deleted the combofix folder. I also deleted the virus files which in this case were in C:\documents and settings\all users\application data\(bunch of random letters).

#8 quietman7

  • Global Moderator

Posted 19 July 2012 - 08:21 PM

The symptoms you describe are indicative of a side effect from the HDD Defrag family of rogue security programs which changes file attributes to "hidden", making them appear invisible so the user thinks some of their files have been deleted. Newer variants of the FakeHDD rogue delete Quick Launch and Start Menu items/folders and store them in a %Temp%\smtmp folder.

Please read this topic: Unhide.exe - A introduction as to what this program does
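The two symptoms described in post #8 (files mass-flagged "hidden" and a `%Temp%\smtmp` folder holding relocated Start Menu and Quick Launch items) can be checked without changing anything on disk. The PowerShell below is an added example, not part of the original thread and not a BleepingComputer tool; the folder list and the 0.8 threshold are assumptions chosen for illustration.

```powershell
# Added example: read-only triage, nothing is modified or deleted.
param(
    # Assumed set of folders to sample; adjust to the machine being checked.
    [string[]]$Folders = @("$env:SystemDrive\",
                           "$env:USERPROFILE\Desktop",
                           "$env:USERPROFILE\Documents"),
    # Assumed cut-off: share of entries that are Hidden before we flag a folder.
    [double]$Threshold = 0.8
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

$report = foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    # -Force is required, otherwise hidden entries are not listed at all.
    $items = @(Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue)

    # Entries that are Hidden+System (desktop.ini, $Recycle.Bin) are hidden by
    # Windows itself, so only Hidden-without-System entries are counted.
    $flagged = @($items | Where-Object {
        ($_.Attributes -band $hidden) -and -not ($_.Attributes -band $system)
    })

    $ratio = if ($items.Count) { $flagged.Count / $items.Count } else { 0 }
    [pscustomobject]@{
        Folder     = $folder
        Entries    = $items.Count
        HiddenOnly = $flagged.Count
        Ratio      = [math]::Round($ratio, 2)
        Suspicious = ($ratio -ge $Threshold)
    }
}
$report | Format-Table -AutoSize

# Second indicator from the post: items relocated to %TEMP%\smtmp.
# If the folder exists, copy it somewhere safe before any temp-file cleanup,
# because a cleaner would delete the only copy of those shortcuts.
$smtmp = Join-Path $env:TEMP 'smtmp'
if (Test-Path -LiteralPath $smtmp) {
    $count = @(Get-ChildItem -LiteralPath $smtmp -Force -Recurse -ErrorAction SilentlyContinue).Count
    "Found $smtmp containing $count item(s)."
} else {
    "No smtmp folder under $env:TEMP."
}
```

A high ratio in ordinary user folders together with an existing `smtmp` folder matches the side effect described above; the output is a report suitable for posting alongside the logs requested in the Prep Guide.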



