What files did ComboFix delete


13 replies to this topic

#1 karalabe

  • Members
  • 7 posts

Posted 08 April 2014 - 03:10 PM

Hi,

First of all, I apologize for my English; it's not my main language.

I'm posting here because it's the only thread where I read about a way to recover some files when ComboFix went crazy.

I used it yesterday, because I read in a guide that it could make my computer (OS: Win XP SP3) safer for its last days. I'll replace my computer with a new one this week.

The analysis seemed to be OK, with no problems running, and it found a few suspect files that it put in quarantine. These are not deleted, because ComboFix is still installed.

The problem is that ComboFix has deleted some files on two storage hard drives. It seems to be 3.9 GB on one and 3.3 GB on the other, and 1 GB on my main partition, where the OS is installed.

Of course, none of this is written in the ComboFix logs...

I just want to know if there's a way to see what files it deleted. I don't care about recovering them; if it's lost, it's lost...

I'm sorry if I posted this in the wrong topic; it seemed smarter to me to reply in this one, for a little problem like this...

Thanks already for your responses
 :)

 




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,576 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 April 2014 - 04:29 PM

As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we asked someone to run it or if there is a problem with the computer caused by running the tool. We recommend that people should not be using ComboFix without being advised to do so by a trained expert (see here) who is assisting them deal with a malware problem. When issues arise due to complex malware infections, possible false detections, problems running ComboFix (i.e. stalling, hanging, crashing) or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.

With that said, ComboFix's log should show what was removed. As part of its routine ComboFix creates a folder named Qoobox in C:\QooBox\Quarantine\ to keep files that have been removed by ComboFix. These files are copied and renamed by adding .vir at the end so they are no longer a threat. The path to the removed file(s) in the C:\QooBox\Quarantine folder shows the location where it was removed from. In some cases, ComboFix may remove a legitimate file for various reasons. To view/restore a file, just remove the .vir and copy it back to its original location.

If you want individual assistance and since ComboFix has already been run, its log should be thoroughly reviewed by trained experts before proceeding further. A log should have been created and saved to the root directory, usually C:\ComboFix.txt.

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs. (Note: Windows 8.1 Users will not be able to run DDS and create a log)
When you have done that, start a new topic and post the required logs to include your ComboFix log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
-- ComboFix logs are not permitted in this forum.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
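
The quarantine layout described in the reply above, as an added example that is not part of the original post and not ComboFix code: it walks a Qoobox-style quarantine folder, strips the .vir suffix, rebuilds each file's original path and totals the bytes held there. It assumes the first folder under the quarantine root is the drive letter (the reply only says the path shows the original location); the sample tree and file names are constructed.

```python
import tempfile
from pathlib import Path, PureWindowsPath

def inventory(quarantine_root):
    """Return (original_path, size_bytes) for each quarantined *.vir file."""
    root = Path(quarantine_root)
    found = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() != ".vir":
            continue                      # only renamed quarantine copies count
        parts = p.relative_to(root).parts
        if len(parts) < 2:                # no drive folder above it: cannot map back
            continue
        # Assumption: the first folder under the root is the drive letter.
        drive, *dirs, name = parts
        original = PureWindowsPath(drive + ":\\", *dirs, name[:-4])  # drop ".vir"
        found.append((str(original), p.stat().st_size))
    return found

def build_sample(root):
    """Create a constructed sample tree (not real ComboFix output)."""
    samples = {
        "C/WINDOWS/system32/example.dll.vir": 2048,
        "C/Documents and Settings/user/Temp/sample.exe.VIR": 512,
        "D/Downloads/setup.exe.vir": 1024,
        "C/notes.txt": 10,                # no .vir suffix: ignored
    }
    for rel, size in samples.items():
        f = Path(root, rel)
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"\0" * size)

def demo():
    """Inventory the constructed tree and total the quarantined bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        items = inventory(tmp)
    return items, sum(size for _, size in items)

if __name__ == "__main__":
    items, total = demo()
    for original, size in items:
        print(f"{size:>8}  {original}")
    print(f"{total:>8}  bytes held in quarantine")
```

On a real system, point `inventory` at the quarantine folder named in the reply; the total can then be set against the change in free space on each drive.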

#3 karalabe


Posted 09 April 2014 - 03:30 AM

Thanks for it!

Just one last thing about the files deleted by this program.

I know that they could be in quarantine. But in this folder, there's just 2.6 MB of .vir files. And ComboFix has deleted more than 7 GB of files.

And there are no entries about my two HDs in combofix.txt...

Do you think that I should follow all these instructions, or is it another problem?

I know that ComboFix is dangerous. I know it now... maybe all these forums (like here, for my country, for example) or articles about security should not recommend this program. It is dangerous and not finished at all... I just can't believe that it wrote just a few things about deleted files and nothing about the rest.



#4 quietman7


Posted 09 April 2014 - 06:06 AM

Sorry but it's unclear what you are trying to explain. In any event, I and MRT Helpers would not be able to provide specific information without actually examining the ComboFix log which can only be posted in the forum I linked to above.

#5 karalabe


Posted 09 April 2014 - 07:59 AM

I'm just trying to say that in my quarantine folder, there are just a few MB (2.6) of files with .vir. But ComboFix has deleted more than 7 GB.

All I want is a 'solution' (if it exists) to see which files have been deleted.
Not to recover them or eliminate some virus.
But if you believe that these files were infected or that I should follow your instructions, tell me (again ^^).


#6 quietman7


Posted 09 April 2014 - 12:58 PM

I already explained how to view deleted files by looking at the contents in C:\QooBox\Quarantine.

There is no way for me to determine if your files were infected. ComboFix is designed to remove malicious files but in rare cases it may remove a legitimate file.

#7 karalabe


Posted 09 April 2014 - 01:56 PM

Yes, I understand that, but does ComboFix also resize all files? I mean compress them...

Because, like I said above, it's more than 7 terabytes.

And there's not 7 TB in the quarantine file, only 2.6 MB. So where the hell are these files (probably movies or music)?

I'm sorry if I'm unclear :-/



#8 quietman7


Posted 09 April 2014 - 02:00 PM

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running DDS which will create two logs. (Note: Windows 8.1 Users will not be able to run DDS and create a log)
When you have done that, start a new topic and post the required logs to include your ComboFix log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
-- ComboFix logs are not permitted in this forum.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.



#9 karalabe


Posted 10 April 2014 - 02:21 AM

I just don't know what is hard to understand...

I don't need any help to remove a virus or read these logs, but a way/program to find which files have been deleted. Something like "Recuva" or "PC Files Inspector", to find lost data. Something more practical and logical, to see just the precise names of these lost files.

It seems logical to me:

Before the ComboFix scan, there remained 13.5 GB of free space on my D: drive, and 13.6 GB on I:.

After the scan: 17.4 and 16.9.

So ComboFix deleted legitimate files, AND didn't send them to the quarantine folders, AND didn't note it in the .txt logs.

Does a way exist to read some "hard drive's logs"?



#10 quietman7


Posted 10 April 2014 - 05:52 AM

The ComboFix logs tell you what files it has detected, removed and placed into quarantine. ComboFix does not resize and compress files and does not move them anywhere else but the C:\QooBox\Quarantine folder. If missing files are not in that location...then ComboFix did not remove them.

#11 karalabe


Posted 11 April 2014 - 03:59 AM

So 7 GB of files just disappeared after this analysis; it's certainly a coincidence. :)

Just, yes, because ComboFix is a 'professional' program (which writes some bad logs, but no problem, pros can read them... or not.)

By the way, if you have an idea for "Does a way exist to read some 'hard drive's logs'?"

I would thank you



#12 quietman7


Posted 11 April 2014 - 06:18 AM

What kind of hard drive logs and what program created them?

#13 karalabe


Posted 12 April 2014 - 02:07 PM

I don't know, that's why I ask here, where I expect to find some people who can teach me how I can see that sort of thing.

If some programs to recover deleted files exist*, I suppose that these ones could exist too.

*(I tried 3 of them, but I just can't see exactly which files were deleted after the ComboFix scan)



#14 quietman7


Posted 12 April 2014 - 04:15 PM

What other security programs did you use to run scans and remove malware before or after running ComboFix?



