Solved Possible virus or malware has deleted all of my files.

August 1, 2012 at 15:49:37
Specs: Windows 7 Home Premium, Intel Core2 Duo 2.93GHz / 4GB
Something has deleted/hidden all of the files in the My Documents folder. However, my pictures are still in their folder. I have the "view all hidden files" attribute on. I ran a full system scan with NAV and found nothing. I also ran TDSSKiller and it found nothing. I also ran aswMBR... here is the log file:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-01 18:19:52
-----------------------------
18:19:52.007 OS Version: Windows 6.1.7601 Service Pack 1
18:19:52.007 Number of processors: 2 586 0x170A
18:19:52.007 ComputerName: TODDNEWPC UserName: ToddAdmin
18:20:16.062 Initialize success
18:25:18.577 AVAST engine defs: 12080100
18:25:47.422 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:25:47.422 Disk 0 Vendor: Hitachi_HDS721032CLA362 JPFOA3FF Size: 305245MB BusType: 3
18:25:47.438 Disk 0 MBR read successfully
18:25:47.438 Disk 0 MBR scan
18:25:47.453 Disk 0 Windows VISTA default MBR code
18:25:47.469 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
18:25:47.484 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 9518 MB offset 81920
18:25:47.484 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 295686 MB offset 19574784
18:25:47.500 Disk 0 scanning sectors +625139712
18:25:47.594 Disk 0 scanning C:\Windows\system32\drivers
18:25:55.737 Service scanning
18:26:16.906 Modules scanning
18:26:26.422 Disk 0 trace - called modules:
18:26:26.469 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
18:26:26.469 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f48ac8]
18:26:26.469 3 CLASSPNP.SYS[8b5a059e] -> nt!IofCallDriver -> [0x85a8c6d0]
18:26:26.484 5 ACPI.sys[8ae9b3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85a9b030]
18:26:27.296 AVAST engine scan C:\Windows
18:26:29.214 AVAST engine scan C:\Windows\system32
18:28:41.737 AVAST engine scan C:\Windows\system32\drivers
18:28:53.265 AVAST engine scan C:\Users\ToddAdmin
18:30:17.287 AVAST engine scan C:\ProgramData
18:31:09.875 Scan finished successfully
18:31:36.582 Disk 0 MBR has been saved successfully to "C:\Users\ToddAdmin\Desktop\MBR.dat"
18:31:36.582 The log file has been saved successfully to "C:\Users\ToddAdmin\Desktop\aswMBR.txt"


#1
August 1, 2012 at 17:03:57
You are on the right track by looking for a virus, nothing shows up YET, that's quite normal.

Can I have a screenshot/photo of your Disk Management please.
Using Windows 7 Disk Management Console
http://www.suite101.com/content/usi...
http://ancillotti.hubpages.com/hub/...
http://windows7themes.net/how-to-op...

Also, run this.

Using ESET's Online Scanner
General clean up and Prep (Do prior to any AV scans)
http://www.computing.net/howtos/sho...
http://forums.majorgeeks.com/showth...
http://www.eset.eu/online-scanner
http://www.eset.com/us/online-scanner
How can I view the log file from ESET Online Scanner?
http://www.eset.eu/eset-online-scan...



#2
August 1, 2012 at 17:27:30
These are other good tools to run.

Unhide
http://www.bleepingcomputer.com/vir...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

Tweaking.com - Windows Repair
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.tweaking.com/
http://www.tweaking.com/content/pag...


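An added example, not part of the original thread and not Unhide's own code: post #2 notes that a bulk unhide clears the hidden attribute on every file, including ones hidden on purpose, so this PowerShell sketch records what is hidden beforehand and can re-apply the attribute from a reviewed list. The function names and the CSV location are assumptions made for illustration.

```powershell
# Added example, not part of the thread. Function names and paths are illustrative.
# Written for Windows PowerShell 2.0 and later (2.0 ships with Windows 7).

function Get-HiddenInventory {
    param([Parameter(Mandatory=$true)][string]$Root)
    # -Force is required, otherwise Get-ChildItem skips hidden and system items.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object FullName,
            @{ Name = 'Parent';   Expression = { Split-Path -Parent $_.FullName } },
            @{ Name = 'IsSystem'; Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::System) } }
}

function Restore-HiddenAttribute {
    param([Parameter(Mandatory=$true)][string]$CsvPath)
    foreach ($row in (Import-Csv $CsvPath)) {
        # Skip entries that no longer exist instead of failing the whole run.
        if (-not (Test-Path -LiteralPath $row.FullName)) { continue }
        $item = Get-Item -LiteralPath $row.FullName -Force
        # Add the Hidden bit while leaving every other attribute untouched.
        $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden
    }
}

# 1. Before running a bulk unhide tool: record what is hidden right now.
$root = [Environment]::GetFolderPath('MyDocuments')
$csv  = Join-Path $env:USERPROFILE 'hidden-before.csv'   # assumed output location
$inventory = @(Get-HiddenInventory -Root $root)
$inventory | Export-Csv -Path $csv -NoTypeInformation

# 2. Triage: folders where many ordinary (non-system) items are hidden at once.
#    A whole folder of user documents flagged hidden is not something users do by hand.
$inventory |
    Where-Object { -not $_.IsSystem } |
    Group-Object Parent |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# 3. After the unhide tool has run, delete from the CSV every row that should stay
#    visible, then re-hide only what remains:
# Restore-HiddenAttribute -CsvPath $csv
```

Items that carry both Hidden and System (for example desktop.ini) are normal on a healthy install, which is why the triage step filters them out.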

#3
August 2, 2012 at 05:49:48
Thanks for your replies Johnw - Before I saw your replies, I also ran Microsoft Defender Offline and it found nothing. I have a screenshot of disk manager, but I can't figure out how to post it here...



#4
August 2, 2012 at 06:58:23
ESET online scanner also found nothing. And the unhide program did not help :(


#5
August 2, 2012 at 07:10:21
Here is the log file from unhide:
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 08/02/2012 10:05:18 AM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 131824 files processed.

Processing the E:\ drive
Finished processing the E:\ drive. 0 files processed.

Processing the F:\ drive
Finished processing the F:\ drive. 16 files processed.

The C:\Users\TODDAD~1\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 08/02/2012 10:08:26 AM
Execution time: 0 hours(s), 3 minute(s), and 7 seconds(s)



#6
August 2, 2012 at 15:02:28
" I have a screenshot of disk manager, but I can't figure out how to post it here... "

You can upload it to a free site & then post the link here.

http://imgur.com



#7
August 3, 2012 at 10:03:20
Here is the screen shot link... http://imgur.com/A1bh2


#8
August 3, 2012 at 17:56:55
"Here is the screen shot link.."

Thanks, if you are sure those partitions are made by you or by your computer manufacturer, you appear to be clean.

World's stealthiest rootkit gets a makeover
http://www.theregister.co.uk/2011/1...
Rootkit Bounces Back …with a vengeance
http://www.techsupportforum.com/381...

Did you try > Tweaking.com - Windows Repair

Probably ticking the first 3 boxes, as per Screenshot 6 will be enough.



#9
August 3, 2012 at 18:51:25
✔ Best Answer
Other things to try.

1: Try right clicking on the folder > Properties > Previous Versions and it should show a list of previous versions of the folder, choose the one you want to restore and click restore.

2: Run SFC.
How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
http://support.microsoft.com/kb/929833

3: How to Run Disk Check in Vista & Windows 7 (W7)
http://www.winvistaclub.com/f20.html
http://www.sevenforums.com/tutorial...
http://www.howtogeek.com/howto/wind...



#10
August 4, 2012 at 06:42:02
Thanks for all of your help!


#11
August 4, 2012 at 06:49:10
"Thanks for all of your help!"

YW.

