
Workstation reduced to useless - one user, no programs displaying. Is ComboFix malware?

This is a new one for me. I have a workstation, XP Pro, that has only one user called 'user' and no program files.
I have tried to boot into safe mode, but get the same thing: the user 'user', and no prompt to change it.

This computer previously had at least two other users.

I can explore, sort of. The 'C' volume has been renamed 'ComboFix'. When you expand it to explore, it duplicates the previous window.


Commented:
ComboFix is a cleanup application used to remove malware. It sounds like you've been hit with the virus that hides all your files and moves your applications to a folder; I think it's called stemp. If you unhide all your files and folders you should be able to find all the programs from your start menu in documents and settings\user\stemp, or just look for this folder. I found a very helpful post on the internet regarding this. I'll have a look around for it.

Commented:
Here is the post:

This worked for me, pretty much back to normal, got my links back:

I found a website to help with restoring the start menu / programs shortcuts: community.mcafee.com/message/188808

It states: "It occurred to me that if it was a scam to get you to buy software – it would potentially work – so all the 'lost' data must be on the disc somewhere – probably in renamed files.

So I did a full Windows search of the C drive – including non-indexed, hidden and system files – for all the files created on the day that it happened and found the lost start menu files in:

c:\users\username\appdata\local\temp\smtmp, the latter being a folder containing all the files and shortcuts. I then just copied these back to their proper locations, i.e. the start menu items belong in c:\programdata\microsoft\windows\startmenu\programs, and then copied/dragged the other shortcuts back to the desktop or taskbar...

Maybe this will help other people; though obviously the name smtmp might be a randomly produced one, the methodology should still work."

I searched for smtmp and found all of the links and was able to restore them.

taken from
http://www.precisesecurity.com/rogue/windows-recovery/
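The copy-back step from the quoted post, scripted as an added example (this is not code from the thread or from any of the posters). It assumes the stash sits at %TEMP%\smtmp, that you choose the destination folder yourself, and it only reports the mapping until you pass -Restore:

```powershell
# Added example, not from the thread. Lists the shortcuts the rogue stashed
# (default: %TEMP%\smtmp, as in the quoted post) and, only with -Restore,
# copies them back under -Destination keeping their relative layout.
# Assumptions: the stash folder (-Source) and the destination are yours to
# confirm; run without -Restore first to see the mapping. Written against
# PowerShell 2.0 so it also runs on XP SP3.
param(
    [string]$Source      = (Join-Path $env:TEMP 'smtmp'),
    [string]$Destination = [Environment]::GetFolderPath('StartMenu'),
    [switch]$Restore
)

if (-not (Test-Path -LiteralPath $Source)) {
    throw "No folder '$Source'. The stash name may be random: search the drive for .lnk files created on the day of infection and pass that folder as -Source."
}
$root = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')

# -Force is required: the rogue marks the moved items Hidden (often System too).
$links = @(Get-ChildItem -LiteralPath $root -Recurse -Force |
           Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' })
Write-Host ("{0} shortcut(s) under {1}" -f $links.Count, $root)

foreach ($lnk in $links) {
    # Path relative to the stash, e.g. "Programs\Accessories\Notepad.lnk".
    # If the stash holds several subfolders, each may belong to a different
    # real location (the quoted post mentions Start Menu, desktop and taskbar):
    # point -Source at one subfolder at a time and match -Destination to it.
    $rel    = $lnk.FullName.Substring($root.Length).TrimStart('\')
    $target = Join-Path $Destination $rel
    if (-not $Restore) { Write-Host "would copy $rel -> $target"; continue }

    $dir = Split-Path -Parent $target
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    Copy-Item -LiteralPath $lnk.FullName -Destination $target -Force
    # The copy inherits Hidden/System; clear them or the menu still looks empty.
    (Get-Item -LiteralPath $target -Force).Attributes = [IO.FileAttributes]::Archive
    Write-Host "restored   $rel"
}
```

Keep the stash folder until the restored menu has been checked; it is the only copy of the shortcuts if a path was mapped wrongly.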

Commented:
I take it that the administrator account is gone and the account 'user' does not have admin access.
It sounds like you have a virus. If you have a second computer and an external USB enclosure, then since the OS is pretty much inaccessible on this computer, take out the hard drive and do a virus scan from a different computer (you can also do a malware scan with, say, Malwarebytes).
Maen Abu-Tabanjeh, Network Administrator, Network Consultant
Top Expert 2011

Commented:
Just try Malwarebytes Anti-Malware, it's the best one:

www.malwarebytes.org

It can remove all malware and get your machine back again.
Remove the hard drive and attach it to another computer via a USB cable.
http://www.ebay.com/sch/i.html?_from=R40&_trksid=p5197.m570.l1313&_nkw=usb+sata+ide&_sacat=See-All-Categories

or search for "usb sata ide" on eBay for the cable.

Copy/recover the files that you need (make sure you show hidden files and folders). If your drive has this much damage it is better to reinstall Windows instead of attempting a repair.
Robert R, Computer Service Technician

Commented:
You can use a free program called unhide.exe to restore your files that were hidden. http://download.bleepingcomputer.com/grinler/unhide.exe
Hi Gary,
I would suggest running the unhide file just as web_tracker suggested above. I would also suggest installing the XP2 support tools here, and then after the install is complete, open a command prompt and type "whoami /all", hit enter and post the results. I need this information as it is important. There are a few ways to get admin back if you don't have it, so don't be discouraged.

Commented:
Is ComboFix malware?

NO, not if retrieved from www.bleepingcomputer.com.
From there it's one of the best rootkit, malware, and virus removers out there.

     http://www.bleepingcomputer.com/combofix/how-to-use-combofix

YES, if retrieved from www.combofix.org or a number of other sites; it's generally been found to be a Trojan-dropper-infected clone of the real ComboFix tool.
From a command prompt I was able to successfully do a Windows System Restore. It seems back to 100%.

Author

Commented:
This worked.
Just make sure you now have a good antivirus product, as you may have restored the virus as well!
Hold on there buddy! I really think you should rescan your system using a clean install of malwarebytes and making sure you have a recovery disk ready for the future. Not knowing what the threat was in the subject post I implore you to find out what this is. It may come back or may still be on your system! What will you do if this comes back right after posting this?

Commented:
Given the nature of the changes previously posted I would not trust just Malwarebytes or an AV product; you should run a clean copy of ComboFix to make sure no rootkits are still embedded.

Not an objection - just good advice.
This does sound more along the lines of a TDSS-type infection. The reason I suggest rescanning with Malwarebytes is that it does catch infections even after System Restore. Blindly running ComboFix on an infected computer can and will damage your computer if improperly used. I have seen many cases of this. It is by far better advice to use GMER or something equally powerful to check the system routines more closely to see if there is suspicious activity still present. Newer malware needs newer approaches.