Combo fix removed my files (replicators)


  • This topic is locked
13 replies to this topic

#1 pablitus

pablitus

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 19 November 2011 - 07:29 AM

I used combofix to remove some files but it also removed executables I use for work.
I use all files under replicators.

Could I dequarantine these files?

Thanks,


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:11:29 AM

Posted 23 November 2011 - 09:18 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 pablitus

pablitus
  • Topic Starter

Posted 23 November 2011 - 09:30 PM

I am here..

I appreciate your help!!

Thanks!!

#4 m0le

Posted 24 November 2011 - 02:21 PM

Here is the script for the dequarantine.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Dequarantine::
C:\Qoobox\Quarantine\Replicators\01C3873A904F1E4848412D57BC993DA4
C:\Qoobox\Quarantine\Replicators\40017753C6922751E2F982E8C6F8FC7B
C:\Qoobox\Quarantine\Replicators\660A90A3488D68097C5395EBC24ED44A
C:\Qoobox\Quarantine\Replicators\76A0F2D54BA8AE9EBC6DCC6B00C83532
C:\Qoobox\Quarantine\Replicators\95400335EEB0EBF94B6D99CBF563C515
C:\Qoobox\Quarantine\Replicators\B883633A0329D0060056C6498A4E4EFF
C:\Qoobox\Quarantine\Replicators\E88E5E81089400319903FB8B01A2821C
Quit::


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, a DeQuarantine_log.txt will be produced. Post the log and let me know if that's done the trick. :)

#5 pablitus

Posted 25 November 2011 - 02:18 PM

Hey I did that but it didn't do anything. It also didn't produce a dequarantine log.

What could have gone wrong?

Thanks

#6 m0le

Posted 25 November 2011 - 02:28 PM

Rerun the program with the amended script below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Dequarantine::
C:\Qoobox\Quarantine\Replicators\01C3873A904F1E4848412D57BC993DA4
C:\Qoobox\Quarantine\Replicators\40017753C6922751E2F982E8C6F8FC7B
C:\Qoobox\Quarantine\Replicators\660A90A3488D68097C5395EBC24ED44A
C:\Qoobox\Quarantine\Replicators\76A0F2D54BA8AE9EBC6DCC6B00C83532
C:\Qoobox\Quarantine\Replicators\95400335EEB0EBF94B6D99CBF563C515
C:\Qoobox\Quarantine\Replicators\B883633A0329D0060056C6498A4E4EFF
C:\Qoobox\Quarantine\Replicators\E88E5E81089400319903FB8B01A2821C


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, two logs will be produced, a DeQuarantine_log.txt and a Combofix.txt log. Please post both of these logs.

#7 pablitus

Posted 25 November 2011 - 02:31 PM

After rerunning it, I only get a combofix.txt. No dequarantine log.

I attached the combofix.txt log now.

Is it supposed to not recover replicators?

Thanks

Edited by pablitus, 25 November 2011 - 02:32 PM.


#8 m0le

Posted 25 November 2011 - 02:41 PM

It should recover anything. I will have to speak to the Combofix team. Bear with me for an answer.

#9 pablitus

Posted 25 November 2011 - 02:47 PM

Thanks. I appreciate your help.

#10 m0le

Posted 25 November 2011 - 03:04 PM

Can you look for the Replicator folder at this location:

%SystemDrive%\QooBox\Quarantine\Replicators\

If it's there then please zip the folder and upload it to sUBs - as shown below


Open notepad and copy/paste the text in the codebox below into it:

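@echo off
rem Add each listed quarantine path to Files_for_submission.zip
rem (requires a zip command on the PATH).
for %%g in (
C:\QooBox\Quarantine\Replicators\
) do zip Files_for_submission %%g
rem Delete this batch file once it has run.
del %0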

Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this: Posted Image
Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file here:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

#11 m0le

Posted 28 November 2011 - 06:35 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#12 pablitus

Posted 28 November 2011 - 07:53 PM

I found a backup of the files so I used those.

Thanks anyway!!

#13 m0le

Posted 28 November 2011 - 08:29 PM

Okay, that was a second option on my list but I wasn't sure you would have access to backup files.

Thanks for letting me know :)

#14 m0le

Posted 03 December 2011 - 09:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.