Everything disappeared off computer

  • 03-04-2012 11:52am
    #1
    Registered Users, Registered Users 2 Posts: 32


    Hi,

    My brother was on the computer last night and not sure what he was up to but basically everything is gone off the computer.

    The desktop is empty and when I go to the Start button - all that is there is Outlook Express.
    When I hit All Programs - nothing is there either.

    :confused:

    Any idea what happened or how to recover everything?

    Thanks


Comments

  • Closed Accounts Posts: 10,808 ✭✭✭✭chin_grin


    It's either a nasty virus or a corrupt profile.

    What operating system are you using (XP / Windows 7)?


  • Registered Users, Registered Users 2 Posts: 32 Kleenex


    chin_grin wrote: »
    It's either a nasty virus or a corrupt profile.

    What operating system are you using (XP / Windows 7)?

    Windows XP


  • Closed Accounts Posts: 10,808 ✭✭✭✭chin_grin


    Kleenex wrote: »
    Windows XP

    Power the machine off and while it's coming back on tap F8 to go into Safe Mode with Networking.

    If you're given the option, go into the Administrator account.

    When it loads up check to see if the same thing happens. Also update and run a full virus scan just as a precaution.


  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    First of all, run unhide.exe* and then scan your computer with MBAM.

    * The unhide.exe program automatically goes through your computer and unhides all files except hidden system files – Windows files that are supposed to be (and should stay) hidden. It basically automates the attrib command above to change the hidden attribute of all your files and folders. Once unhide.exe has finished you should now be able to view and open your documents/pictures/music again just as before.


  • Registered Users, Registered Users 2 Posts: 32 Kleenex


    chin_grin wrote: »
    Power the machine off and while it's coming back on tap F8 to go into Safe Mode with Networking.

    If you're given the option, go into the Administrator account.

    When it loads up check to see if the same thing happens. Also update and run a full virus scan just as a precaution.

    I did the above and went into administrator account, it asked me did I want to proceed or do a system restore, so I just proceeded.

    I'm in Safe Mode now - When I hit Start - My Documents, My Pictures, Control Panel etc are there BUT there are no documents in the My Documents folder at all.

    There is an internet icon also, should I download an anti-virus and run a virus scan now or what should I do?

    Thanks


  • Registered Users, Registered Users 2 Posts: 414 ✭✭Paddyo


    Hi Kleenex

    You do have some malware on your computer; one of the effects is to hide all your files.

    Do as suggested to unhide your files, but you will also need to run a program such as Malwarebytes and you should also run rkill.exe and tdsskiller.exe.

    In fact, run rkill.exe first, then tdsskiller and then Malwarebytes without rebooting.

    These are all free utilities which can be downloaded from the web.

    Good luck with it

    Paddyo


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Torqay wrote: »
    First of all, run unhide.exe* and then scan your computer with MBAM.

    * The unhide.exe program automatically goes through your computer and unhides all files except hidden system files – Windows files that are supposed to be (and should stay) hidden. It basically automates the attrib command above to change the hidden attribute of all your files and folders. Once unhide.exe has finished you should now be able to view and open your documents/pictures/music again just as before.

    Just re: this, I'd recommend running unhide.exe after the malware is gone. You should be able to remove the malware in Safe Mode with Networking using MBAM, OP, then run unhide afterwards. Make sure to update MBAM on launch.
    Got infected by one of these b*stards the other night, quite amusing, but I'm guessing it was due to a security problem with my Java/Flash plugins. So if there's anything I've learned, keep all that up to date! :)

    Nick


  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    yoyo wrote: »
    Got infected by one of these b*stards the other night, quite amusing, but I'm guessing it was due to a security problem with my Java/Flash plugins.

    Quite rampant, had two customers screaming about their files being "gone" last week. Although easy to fix (it isn't really nasty), the shock taught them a valuable lesson: always back up your stuff. :D


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Torqay wrote: »
    Quite rampant, had two customers screaming about their files being "gone" last week. Although easy to fix (it isn't really nasty), the shock taught them a valuable lesson: always back up your stuff. :D

    Tbh I was pretty locked and it was more amusing than anything. I got up to go for a piss and the fake alerts started, it rebooted automatically itself so I just interrupted the boot > Safe Mode with Networking, downloaded MBAM and 5 mins later all gone. I did run a few other (much needed :P ) scans after the event.
    Unhide.exe did work well, but I did have to repin my taskbar items, Start menu config etc.
    Funny enough I was only on Google/boards and I think a site (legitimate) that was linked from a boards post. I did find the link took longer than it should to open. It was either that or something I opened in the past with a time-based payload trigger.
    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rmIhrYfwFjUdy.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\rmIhrYfwFjUdy.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\ProgramData\rmIhrYfwFjUdy.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\Users\Nick\AppData\Local\Temp\xXC94w5gnVJHeq.exe.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    Here be the b*stard anyways, the first time ever removing one of these I didn't get a few quid for :o

    Nick :pac:


  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    Shoulda run your browser sandboxed... ;)

    Or use a VM for your interweb stuff altogether... little inconvenience, great pay off.


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Torqay wrote: »
    Shoulda run your browser sandboxed... ;)

    Or use a VM for your interweb stuff altogether... little inconvenience, great pay off.

    Ahh it's not really that big a deal, these things are pretty harmless, just an inconvenience; have been keeping an eye on all my accounts and stuff atm the same though. It's more the "shock" factor they bring if you don't know what's up. I didn't even get a glimpse of the GUI at all as it had started rebooting when I finished up in the jax so just removed it completely then. It just started popping up the fake CRC disk, hard disk pop-ups.
    It's interesting to see they use the ProgramData directory now (that can be written to without UAC consent), I find it odd how it got added to the registry without consent though. Having said that, it's likely an old Java or Flash player plugin was the culprit and maybe had security holes. It's a good idea (now I know :pac: ) to update all plugins when needed, I usually use Ninite to do this but got lazy the last few weeks.
    I did open a file that was downloaded from a reputable site that said it contained a trojan, and it only worked once and not again. But that was opened weeks ago so unless it was a payload triggered by date/time I'm not sure if that had anything to do with it, it's possible though.

    Nick


  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    yoyo wrote: »
    a file that was downloaded from a reputable site

    There is no such thing (except b.ie of course)! ;)


  • Registered Users, Registered Users 2 Posts: 32 Kleenex


    Hi,

    Firstly thanks for all the advice from the different people above - much appreciated.

    Just an update - A lot of the files seem to have returned. However it's a family computer so different people would have different files/folders on it that I may not remember.

    I can't seem to find a folder of mine in the My Documents folder though and when I click on Start > All Programs and then say for example Microsoft Office it comes up (Empty), the same would happen for JDownloader or iTunes and most of the programs/applications that appear in that list when I go into All Programs.

    Also just looking at the Date Modified of some of the family members' documents in My Documents - there don't seem to be too many recent ones.

    Any ideas?

    Thanks again


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Kleenex wrote: »
    Hi,

    Firstly thanks for all the advice from the different people above - much appreciated.

    Just an update - A lot of the files seem to have returned. However it's a family computer so different people would have different files/folders on it that I may not remember.

    I can't seem to find a folder of mine in the My Documents folder though and when I click on Start > All Programs and then say for example Microsoft Office it comes up (Empty), the same would happen for JDownloader or iTunes and most of the programs/applications that appear in that list when I go into All Programs.

    Also just looking at the Date Modified of some of the family members' documents in My Documents - there don't seem to be too many recent ones.

    Any ideas?

    Thanks again

    Did you get any pop-ups about hard disk errors or anything similar? Are there any errors being reported (these are likely fake)? You can use unhide.exe to show the files again, but you need to make sure the virus is totally off the system, otherwise it will happen again!

    Nick


  • Registered Users, Registered Users 2 Posts: 32 Kleenex


    yoyo wrote: »
    Did you get any pop-ups about hard disk errors or anything similar? Are there any errors being reported (these are likely fake)? You can use unhide.exe to show the files again, but you need to make sure the virus is totally off the system, otherwise it will happen again!

    Nick

    Hi Nick,

    There were no pop-ups about hard disk errors or anything like that, though my brother did say that it came up hard drive or hard disk error last night when he was on it.

    I will run unhide.exe now again in normal mode and see if that returns more of the files etc.


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Kleenex wrote: »
    Hi Nick,

    There were no pop-ups about hard disk errors or anything like that, though my brother did say that it came up hard drive or hard disk error last night when he was on it.

    I will run unhide.exe now again in normal mode and see if that returns more of the files etc.

    He got a virus, you will need to run a Malwarebytes scan to get rid of all traces first, download MBAM here. I recommend doing this and only running unhide.exe once the system has been scanned and the malware removed. You will need to re-adjust your Start menu settings, but let's get this sorted first!

    Nick


  • Registered Users, Registered Users 2 Posts: 32 Kleenex


    yoyo wrote: »
    He got a virus, you will need to run a Malwarebytes scan to get rid of all traces first, download MBAM here. I recommend doing this and only running unhide.exe once the system has been scanned and the malware removed. You will need to re-adjust your Start menu settings, but let's get this sorted first!

    Nick

    Hi Nick,

    I did what you said above and that folder I was missing appeared anyway :)

    Also now when I go into All Programs in the Start Menu most of the applications are there and seem to be working. Though a couple of them seem to be highlighted in a kind of yellowy colour - not sure what that's about to be honest.


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Kleenex wrote: »
    Hi Nick,

    I did what you said above and that folder I was missing appeared anyway :)

    Also now when I go into All Programs in the Start Menu most of the applications are there and seem to be working. Though a couple of them seem to be highlighted in a kind of yellowy colour - not sure what that's about to be honest.

    Highlighted means "newly installed" programs. If you still need to fix the Start menu, i.e. re-add options, let me know. Did you run an MBAM scan? Did it detect anything?

    Nick


  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    yoyo wrote: »
    Did you run an mbam scan? Did it detect anything?

    Nick

    Mind you, the last time I had this problem, it was called something S.M.A.R.T. HDD ... it hid all files but it was not detected by MBAM, Autoruns did the trick, and then I just deleted those random exe files in "application data".
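
Added example, not part of any post in this thread: the check Autoruns was used for above, reduced to the HKCU Run key that the Rogue.FakeHDD entry in the scan log used. It flags autorun values whose target sits in a user-writable directory; the directory list, the file-name heuristic and three of the four sample values are assumptions.

```python
import ntpath
import re
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Locations a standard user can write to without elevation (assumed list,
# built from the directories named in the thread).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\application data\\", "\\temp\\")

def target_path(command):
    """Pull the executable path out of a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def random_looking(path):
    """Heuristic (assumption): 3+ lower-to-upper case switches in the file stem."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    return sum(a.islower() and b.isupper() for a, b in zip(stem, stem[1:])) >= 3

def triage(run_values):
    """Return (value name, path, verdict) for autoruns started from user-writable dirs."""
    findings = []
    for name, command in run_values.items():
        path = target_path(command)
        if any(marker in path.lower() for marker in USER_WRITABLE):
            findings.append((name, path, "suspect" if random_looking(path) else "review"))
    return findings

def read_hkcu_run():
    """Read the live HKCU Run key on Windows; empty dict on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return {v[0]: str(v[1]) for v in (winreg.EnumValue(key, i) for i in range(count))}

# First entry is taken from the scan log in the thread; the other three are constructed.
SAMPLE = {
    "rmIhrYfwFjUdy.exe": r"C:\ProgramData\rmIhrYfwFjUdy.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "iTunesHelper": r'"C:\Program Files\iTunes\iTunesHelper.exe"',
    "Updater": r"C:\Users\Nick\AppData\Local\Updater\update.exe --background",
}

if __name__ == "__main__":
    for finding in triage(read_hkcu_run() or SAMPLE):
        print(*finding, sep=" | ")
```

A "review" verdict only means the program starts from a location that needs no elevation to write to; legitimate per-user software does this too, so check the file before deleting anything.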


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Torqay wrote: »
    Mind you, the last time I had this problem, it was called something S.M.A.R.T. HDD ... it hid all files but it was not detected by MBAM, Autoruns did the trick, and then I just deleted those random exe files in "application data".

    That can happen with 0 day malware not being identified. These ones are simple enough to manually remove anyways :);)

    Nick


  • Closed Accounts Posts: 5,835 ✭✭✭Torqay


    yoyo wrote: »
    That can happen with 0 day malware not being identified. These ones are simple enough to manually remove anyways :);)

    Nick

    I don't think it was a zero day malware, the infection occurred 5 days prior to its landing on my desk, the S.M.A.R.T. HDD rogueware has been around for quite some time anyway and MBAM was of course up to date... I was kinda surprised that it did not pick it up as an infection. MBAM came up absolutely clear so I had to nuke it manually which indeed was no biggie (just a few files and shortcuts and registry entries).


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    Torqay wrote: »
    I don't think it was a zero day malware, the infection occurred 5 days prior to its landing on my desk, the S.M.A.R.T. HDD rogueware has been around for quite some time anyway and MBAM was of course up to date... I was kinda surprised that it did not pick it up as an infection. MBAM came up absolutely clear so I had to nuke it manually which indeed was no biggie (just a few files and shortcuts and registry entries).

    Some forms of malware are capable of interfering with virus scans. There's an interesting feature of MBAM (not so much a feature but): in its install directory look in the "Chameleon" folder for renamed and modified versions of the MBAM launcher (it kills known malware processes like rkill and then loads MBAM after).

    Nick

