
ComboFix DeQuarantine Problem



#1 Caalor

Caalor

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 22 May 2013 - 04:49 AM

Hello,

I'm an IT professional and I'd like to first thank you all for the tons of help I've received through the years by reading posts from this forum.

This time I would be more than grateful if you could lend a hand.

A colleague (IT pro also) has used ComboFix while trying to fix a PC from a virus/malware infection (I am sorry, I was not actually briefed so I do not know more on the topic).

It seems that CF has removed/disabled registry entries, which creates numerous problems on this PC (services do not start, VMware cannot start either, no internet connection, Windows fails to connect to the Event Log service, WSAStartup fails, etc.).

At this point this PC landed in my hands and I was requested to see if the damage can be undone.

I see that some services such as DHCP Client, System Event Notification Service and TCP/IP NetBIOS Helper are stuck in "Starting" status. They cannot be stopped or restarted.

I checked the Quarantine folder and there were some registry backups and 2-3 files.

I created the following script and opened it with a combofix.exe that was on the desktop (drag'n'drop). I thought that most probably that was the combofix.exe used.

DeQuarantine::
C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SynTPEnh.reg.dat
C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-AdobeBridge.reg.dat
C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-Toolbar-Locked.reg.dat
QUIT::

My problem is that the problems remain (absolutely no difference) and that there is no DeQuarantine log anywhere, even though I can find the script as used in the Qoobox folder.

ComboFix seems to run as always, trying to scan and clean the PC.

I have attached the ComboFix log.

I am sorry that I do not have any more info to help you on this.

I thought to ask here before I try to manually fix this PC.

Thank you very much for your time,

Caal



Edited by Caalor, 22 May 2013 - 04:51 AM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:11 PM

Posted 22 May 2013 - 08:41 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

First...

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Now...

Registry backups are restored differently. Rename the file, removing the .dat extension to change it to a .reg extension.

Example from your script

C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-AdobeBridge.reg.dat
becomes

C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-AdobeBridge.reg
Then double-click the file to merge the entries.
m0le is a proud member of UNITE

#3 Caalor

Caalor
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 23 May 2013 - 01:15 PM

Hello m0le and thanks for the prompt response,

This was actually my first thought and I've already tried it.

Half of the files produce an error, that this is not a valid registry entry.

The rest I think worked out nicely.

Thanks again,

Caal



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:11 PM

Posted 23 May 2013 - 06:51 PM

Not sure why they're coming up as not valid. The only other method of restoring backups is to run a command from either a batch file or from Start > Run.

Like this:

Regedit "C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKCU-Run-AdobeBridge.reg.dat"
m0le is a proud member of UNITE
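The following PowerShell script is an added example, not code from the thread or from ComboFix: it applies the two methods m0le describes in posts #2 and #4 to every backup in the Qoobox folder, but first checks that each .reg.dat file begins with a header regedit accepts, so files that regedit would refuse are reported instead of imported. The folder path is the one from the thread; the header check, the -WhatIf support and the use of reg.exe import instead of double-clicking are my additions.

```powershell
# Added example (not from the thread or from ComboFix): validate and restore
# ComboFix registry backups from the Qoobox quarantine folder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Path taken from the thread; adjust if ComboFix ran from another drive.
    [string]$BackupDir = 'C:\Qoobox\Quarantine\Registry_backups'
)

# regedit only merges export files whose first line is one of these headers
# (ANSI REGEDIT4 or Unicode "Windows Registry Editor Version 5.00").
$validHeaders = @('REGEDIT4', 'Windows Registry Editor Version 5.00')

function Test-RegExportHeader {
    param([string]$Path)
    # Look at the first non-empty line only. Exports are usually UTF-16LE with
    # a BOM, which Get-Content detects on its own.
    $first = Get-Content -LiteralPath $Path -TotalCount 5 |
             Where-Object { $_.Trim() -ne '' } | Select-Object -First 1
    return ($null -ne $first) -and ($validHeaders -contains $first.Trim())
}

foreach ($file in Get-ChildItem -LiteralPath $BackupDir -Filter '*.reg.dat' -File) {
    $dat = $file.FullName
    if (-not (Test-RegExportHeader -Path $dat)) {
        # This is the kind of file regedit rejects as not a valid registry script.
        Write-Warning "$($file.Name): no regedit header, skipping"
        continue
    }
    # Post #2: drop the trailing .dat so the backup is a plain .reg file.
    $reg = $dat -replace '\.dat$', ''
    if ($PSCmdlet.ShouldProcess($reg, 'copy to .reg and import into the registry')) {
        Copy-Item -LiteralPath $dat -Destination $reg -Force
        # Post #4 used regedit with the file as argument; reg.exe import does the
        # same merge without the confirmation prompt.
        & reg.exe import $reg
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe import failed for $reg" }
    }
}
```

Run it from an elevated prompt with -WhatIf first to see which backups pass the header check and would be imported.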

#5 Caalor

Caalor
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 24 May 2013 - 06:29 AM

I really do not know why these are invalid.

Anyway, I started to manually fix every error for every service and the PC seems to be running smoothly at the moment, but I'll have to keep an eye on it since I made quite a lot of changes.

It's a pity that the automated method didn't work for me.

Nevertheless, I'd like to thank you m0le for your help.

Best regards,

Caal



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:11 PM

Posted 24 May 2013 - 07:39 PM

You're welcome, Caal.
m0le is a proud member of UNITE

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:11 PM

Posted 24 May 2013 - 07:39 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
m0le is a proud member of UNITE