Help Please... Combofix has deleted/quarantined the entire user profile folder contents inc desktop & my docs data.
Yesterday (4th Feb 2015 @ approx 17:00hrs GMT) we ran Combofix on a suspected infected computer. It had AVG CloudCare; we disabled the realtime scanner until restart. We then downloaded Combofix direct from bleepingcomputer.
Combofix ran, did its normal stuff, then we noticed it was DELETING what we have found to be EVERYTHING in the user's c:\users\%username%\ folder, to the point that when the computer rebooted, it re-created the appdata folders, etc., like a new user was logging into a new PC.
There is a URL that might help here, but it's quite old and it was for WinXP. Does anyone know if the same can be run for Win7? And more importantly, has anyone had this same experience recently!!!???
It might just be that this computer is heavily infected and all the profile files are genuinely infected with something. I am fully aware that bleepingcomputer recommend backing up before running this, but I've used this 50-100 times at least, and never ever had this happen. We are also aware that the deleted files are put in C:\QooBox\(the original path)\ and have the extension .vir added to the file name and original file extension. So you can of course, without the EXE mentioned in the above URL article, just remove the .vir from potentially thousands of files (using a script) and all should be OK again, but ideally we would like to run the tool, as this appears to set security/permissions etc. as well.
If anyone can help with ref to how this possibly happened, i.e. all files are actually infected, or if this was another bug like what happened a few years back (as per URL), that would be very, very much appreciated.
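The scripted .vir removal mentioned in the post could look like the following. This is an added example, not part of the original post and not a Combofix or BleepingComputer tool. The function name `Copy-QuarantinedFile`, its parameters and the staging folder are hypothetical, and the exact folder layout under C:\QooBox is an assumption to confirm on the affected machine. It copies into a staging folder instead of renaming in place, so the quarantine stays untouched.

```powershell
# Added example: copy quarantined *.vir files to a staging folder with the
# ".vir" suffix stripped, keeping the folder structure.
# Assumption: $QuarantineRoot is the folder under C:\QooBox that mirrors the
# original path. Written to run on the PowerShell 2.0 that ships with Windows 7.
function Copy-QuarantinedFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $QuarantineRoot,
        # Absolute path, ideally on another drive or an external disk
        [Parameter(Mandatory = $true)] [string] $StagingRoot
    )

    $root = (Resolve-Path -LiteralPath $QuarantineRoot).ProviderPath.TrimEnd('\')

    # -Force includes hidden and system files, which profile folders contain.
    # Match on the name rather than -Filter, which also matches 8.3 short names.
    Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and $_.Name -like '*.vir' } |
        ForEach-Object {
            # Path relative to the quarantine root, e.g. Users\name\Desktop\a.docx.vir
            $relative = $_.FullName.Substring($root.Length).TrimStart('\')
            # Strip only the trailing ".vir"; the original extension stays
            $target = Join-Path $StagingRoot ($relative -replace '\.vir$', '')

            if (Test-Path -LiteralPath $target) {
                Write-Warning "Skipped, already exists: $target"
                return   # inside ForEach-Object this moves on to the next file
            }
            if ($PSCmdlet.ShouldProcess($_.FullName, "Copy to $target")) {
                $dir = Split-Path -Parent $target
                [System.IO.Directory]::CreateDirectory($dir) | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $target
                # Emit a record so the run can be logged or exported to CSV
                New-Object PSObject -Property @{ Source = $_.FullName; Copy = $target }
            }
        }
}

# Dry run first: lists what would be copied and writes nothing.
# Replace both placeholder paths with the real ones.
# Copy-QuarantinedFile -QuarantineRoot '<folder under C:\QooBox>' -StagingRoot '<absolute staging path>' -WhatIf
```

The copies do not carry the original security/permissions, which is the part the post expects the dedicated tool to handle. Scanning the staging folder before moving anything back into the profile covers the case where some of the files really are infected.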