
ComboFix Deleting files it shouldn't be touching


  • This topic is locked
5 replies to this topic

#1 MSSmallBiz

  • Members

Posted 13 May 2013 - 01:56 PM

Having an issue with IE which would lead one to think the system was bugged, I ran ComboFix. This was after running MS Security Scanner complete scan, Win Defender scan, Avast scan as well as Malwarebytes, which all came back more or less clean: some expected files flagged, nothing major found. At that time I still had an issue with IE, so I ran ComboFix. After completing the scan, ComboFix proudly announced it had DELETED TWO ACRONIS TIB BACKUP IMAGES made of another computer, a computer that is no longer in service and those backups were the backups!

What in the world is ComboFix doing deleting backup images, especially from something like Acronis, with no confirmations? It appears they are deleted to the point I am going to have to do a low level scan with a boot CD, as EaseUS doesn't see the files or folders ComboFix deleted.

 




 


#2 Noviciate

  • Malware Response Team

Posted 13 May 2013 - 03:23 PM

I've notified sUBs of the issue and will let you know what comes of it.


So long, and thanks for all the fish.

 

 


#3 MSSmallBiz

  • Topic Starter
  • Members

Posted 13 May 2013 - 03:40 PM

I've notified sUBs of the issue and will let you know what comes of it.

 

Thank you. I have saved the log file, but in short there were two image files in that folder: one of a retired notebook, which is the primary concern, and the other a base image of Win7 fully updated with no apps or anything else loaded, using install files directly from MS's TechNet, so there is no way that base image was infected with anything even if ComboFix was trying to dig into the images. The folder they were located in was also deleted, c:\images, not exactly a temp folder name or location. As it appears ComboFix deleted the MFT entry points, I am having to run a low level scan of the HD in an attempt to recover the 55GB image file. I am not hopeful any such recovery is going to come back with a file that is not corrupted in some fashion.



#4 MSSmallBiz

  • Topic Starter
  • Members

Posted 13 May 2013 - 11:15 PM

All deleted files are moved to C:\Qoobox. Thankfully the files and the base folder itself were there, hopefully not corrupted.



#5 Noviciate

  • Malware Response Team

Posted 14 May 2013 - 01:43 PM

Good evening. :)

Will you post the relevant ComboFix log that was created when the files were deleted?


So long, and thanks for all the fish.

 

 


#6 Noviciate

  • Malware Response Team

Posted 26 May 2013 - 01:17 PM

Given the lack of a response for over a week, this thread is now closed.


So long, and thanks for all the fish.

 

 




