Help - virus attack has deleted my laptop files!

Truegho
Posts: 838 Forumite


in Techie Stuff
My laptop was attacked last night by the most destructive, vicious virus it has ever encountered. The result was that most of my files - esp all my video, text and Dreamweaver website pages - were deleted. When I tried to use System Restore in the hope of getting them back, it did not fully recover all the files, and all the video and text files are still amongst the missing.
My question is this: is there absolutely no way at all I can get my missing text and video files back? I mean, surely the virus can't have been so potent as to be capable of such mass deletion . . . can it?
A lot of these Notepad files I've lost contain some of my passwords for various websites, which is obviously of great concern to me.
To describe the exact nature of the virus attack, if it would help you all to advise me, it initially rendered my Windows screen totally black, save for a couple of icons. Then, as I say, when I ran System Restore, I only retrieved some of my files.
I hope you can help me, as I am absolutely livid at the way this accursed virus - or spyware - attack, whatever it was, has wiped out half of my files.
Thanks.
Comments
-
See if your files become visible after following this advice:
http://www.bleepingcomputer.com/tutorials/tutorial130.html
Find a way to run Malwarebytes, do a QUICK scan, clean anything it finds and post a log: http://forums.malwarebytes.org/index.php?showtopic=85715&st=0&p=434112&#entry434112
http://www.malwarebytes.org/mbam-download.php
Afterwards, run Unhide to make files visible again:
http://download.bleepingcomputer.com/grinler/unhide.exe
Then save hijackthis to the desktop:
http://www.trendmicro.com/ftp/products/hijackthis/beta/HijackThis.exe
Hold LEFT SHIFT and RIGHT CLICK on it, Run As Administrator. SCAN SYSTEM and SAVE A LOG. Don't Fix anything, just post the log that comes up in notepad and we'll advise further.
-
It has almost certainly just hidden your user account files..... follow the good advice above, the unhide.exe program should reveal all your 'lost' files so don't panic just yet!
And remember, when it's all sorted out, make backups to another hard drive or online or cd etc or all of those if the files are important!
A friend of mine had the same issue the other day, it was the fake antivirus scam infection that gives a display showing scanning and finding 'infections' and for a modest fee it'll fix the problem (that it created!) - all his files were gone and his user account was invisible even though he could log in to it. Revealing the hidden files for his account made it all reappear again and Malwarebytes cleared the infection.
Never trust information given by strangers on internet forums
-
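The post above describes user files being given the Hidden attribute rather than deleted. The following PowerShell sketch is an added example, not part of the thread and not unhide.exe's own logic: it reports items under a profile that are Hidden but not System, and clears the attribute only on request. The `$Root` and `-Fix` parameters and the `$keepHidden` allow-list are assumptions made for the example.

```powershell
# Added example (not from the thread, not unhide.exe's own logic).
# Reports items under a profile that carry the Hidden attribute without the
# System attribute, and clears Hidden only when -Fix is given.
param(
    [string]$Root = $env:USERPROFILE,  # assumption: the affected profile
    [switch]$Fix                       # report-only unless this is set
)

# Normalise the root so path arithmetic below is reliable.
$Root = (Resolve-Path -LiteralPath $Root).ProviderPath

# Items Windows normally keeps hidden (assumed allow-list; extend as needed).
$keepHidden = @('AppData', 'desktop.ini', 'thumbs.db')

$hidden = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System) -and
        ($keepHidden -notcontains $_.Name) -and
        ($_.Name -notlike 'ntuser*')
    })

"{0} hidden non-system items under {1}" -f $hidden.Count, $Root

# Count per top-level folder: large numbers of hidden items in Documents,
# Pictures or Desktop match the symptom described in the post.
$prefix = $Root.TrimEnd('\') + '\'
$hidden |
    Group-Object { $_.FullName.Substring($prefix.Length).Split('\')[0] } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

if ($Fix) {
    foreach ($item in $hidden) {
        # Hidden is known to be set on every item here, so XOR clears only that bit.
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
    }
    "Cleared Hidden on {0} items" -f $hidden.Count
}
```

Run it without `-Fix` first to review the counts, and only after the malware scan has come back clean, in the same order as the advice above.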
This sounds exactly the same as what happened to my computer. My hubby was using the comp last night and he said the screen went blank then froze, then some error boxes appeared, so he just unplugged it. I am only back from a week in hospital and when I turned on the computer today the screen is just black, with all my icons gone.
I am still able to get into the computer by the start button. Anyway my hard drive was partitioned C and D...D drive has disappeared as has most of my documents and all my pictures. I have Windows 7, with Avast antivirus. When I did a complete scan 3 threats came up ending in win32:downloader-IGK (trj). I moved these to the chest. My Firefox browser returned but not anything else. So I did a 2nd scan after restarting and I had 6 threats..ending - win32:fakealert-ASR (trj) / Win32:dropper-HDP (dpr) / Win32:trojan-gen / and 3 ending with Win32:deployment IHA (trj). I've put these into the chest and closed down the comp, as I was scared I was just re-infesting it.......what's going on? Can anyone help me as I am so lost what to do next?
I'm using my laptop and have changed my email passwords and Facebook password.
Cheers Shelly
-
This sounds exactly the same as what happened to my computer. Cheers Shelly
Restart the infected computer, and keep hitting F8 until you get the option to start the computer in SAFE MODE with NETWORKING.
See if you can do a SYSTEM RESTORE and pick a day well before the infection occurred.
Then follow the links I posted above:
1/ Do a scan with Malwarebytes and post a log
2/ Post a Hijackthis log
-
The "lost files" are almost certainly not lost so don't panic and DO NOT use the recovery options (cd/dvd or on a recovery partition) that your PC will have come with as this'll reload windows (great, it'll remove the infects BUT will lose your files as it's 'as new' condition)
So take the advice given above and you should be sorted out...
Never trust information given by strangers on internet forums
-
Thanks for your replies guys. I'll have a bash at following your instructions tomorrow Russ....will copy the log to here for further information afterwards.
Would be really great if all this works and the problem is sorted. But hopes will not be "up" until we find out for sure.
Till tomorrow....ta very much....shelly
-
Hi. Thanks for the advice. Well, you'll be pleased to know that I have now managed to retrieve the files I'd lost (with the exception of the web pages listed in my Dreamweaver website program!) by using the unhide remedy.
spannerzone wrote: »
It has almost certainly just hidden your user account files..... follow the good advice above, the unhide.exe program should reveal all your 'lost' files so don't panic just yet!
And remember, when it's all sorted out, make backups to another hard drive or online or cd etc or all of those if the files are important!
A friend of mine had the same issue the other day, it was the fake antivirus scam infection that gives a display showing scanning and finding 'infections' and for a modest fee it'll fix the problem (that it created!) - all his files were gone and his user account was invisible even though he could log in to it. Revealing the hidden files for his account made it all reappear again and Malwarebytes cleared the infection.
-
Now make backups onto a portable hard drive (costs from about £35) so that your valuable files are safe in case the computer's hard drive ever fails!
You can never have too many backups!
Never trust information given by strangers on internet forums
-
OK, I started in safe mode. Checked hidden files as suggested. Downloaded Malwarebytes and scanned Quick which produced 2 infected files (Malware Trace and Trojan.Agent.Gen), log attached. Then I carried out a slower scan which did not show anything, but I've saved that log too. Then I deleted them both from quarantine. Redid the hidden file instructions and restarted as normal. It seems all my pictures have come back but not all my documents and I still only have the local disc C but not D......I think I had both before re-hiding the files again.....what next? I'm just downloading the hijack and will save that log soon.
L!!!
Malwarebytes' Anti-Malware 1.51.0.1200
https://www.malwarebytes.org
Database version: 7010
Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385
03/07/2011 14:03:22
mbam-log-2011-07-03 (14-03-02).txt
Scan type: Quick scan
Objects scanned: 180610
Time elapsed: 3 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Michelle\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> No action taken.
c:\Users\Michelle\AppData\Roaming\Adobe\plugs\mmc8825943.txt (Trojan.Agent.Gen) -> No action taken.
2nd log
Malwarebytes' Anti-Malware 1.51.0.1200
https://www.malwarebytes.org
Database version: 7010
Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385
03/07/2011 14:22:22
mbam-log-2011-07-03 (14-22-22).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 274935
Time elapsed: 15 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:54:52, on 03/07/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16800)
Boot mode: Normal
Hijack log...........what now?
Running processes:
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\PixArt\PAC7302\Monitor.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Users\Michelle\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Online Radio 1.1 Toolbar - {343db173-0e5a-4f2a-b7bb-71a49085d70e} - C:\Program Files (x86)\Online_Radio_1.1\tbOnli.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
O2 - BHO: Online Radio 1.1 Toolbar - {343db173-0e5a-4f2a-b7bb-71a49085d70e} - C:\Program Files (x86)\Online_Radio_1.1\tbOnli.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Online Radio 1.1 Toolbar - {343db173-0e5a-4f2a-b7bb-71a49085d70e} - C:\Program Files (x86)\Online_Radio_1.1\tbOnli.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files (x86)\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files (x86)\Spyware Terminator\sp_rsser.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 7896 bytes
This discussion has been closed.