
Virus - Deleted all my files, prevents me from safe mode



#1 kyouria


Posted 21 April 2011 - 12:40 PM

I just got a virus/keylogger/trojan that deleted all my files (documents, some programs, pictures, downloads) and it makes my desktop black. It also prevents me from running safe mode (F8 I believe) and Malwarebytes and McAfee aren't detecting anything. I even had difficulty installing Malwarebytes because it was blocked (I had to unblock it and run it as admin).

Is there any way to fix this and get my files back?

I googled and it said my files aren't deleted, but hidden. Is this true? I really hope so!

Any help would be greatly appreciated.

Edited by kyouria, 21 April 2011 - 12:43 PM.



#2 o0luigi0o


Posted 21 April 2011 - 01:48 PM

I've seen this also. I wasn't able to repair it, but just did a wipe/reinstall. It's a rootkit causing it though, for sure.

ATTRIB.exe

Display or change file attributes. Find Filenames.

Syntax
ATTRIB [ + attribute | - attribute ] [pathname] [/S [/D]]

Key
+ : Turn an attribute ON
- : Clear an attribute OFF

pathname : Drive and/or filename e.g. C:\*.txt
/S : Search the pathname including all subfolders.
/D : Process folders as well

attributes:

R Read-only (1)
H Hidden (2)
A Archive (32)
S System (4)

extended attributes:
E Encrypted
C Compressed (128:read-only)
I Not content-indexed
L Symbolic link/Junction (64:read-only)
N Normal (0: cannot be used for file selection)
O Offline
P Sparse file
T Temporary

The numeric values may be used when changing attributes with VBS/WSH
If no attribute is specified attrib will return the current attribute settings. Used with just the /S option ATTRIB will quickly search for a particular filename.

Hidden and System attributes take priority.

If a file has both the Hidden and System attributes set, you can clear both attributes only with a single ATTRIB command.

For example, to clear the Hidden and System attributes for the RECORD.TXT file, you would type:
ATTRIB -S -H RECORD.TXT

#3 quietman7


Posted 21 April 2011 - 02:06 PM

The symptoms you describe can be indicative of a side effect from the HDD Defrag family of rogues which changes file attributes to "hidden", making them appear invisible so the user thinks all of their files have been deleted.

See this example guide which includes removal instructions and using unhide.exe (Step 17), a tool which will remove the "hidden" attribute on all files. The tool is designed not to remove hidden attribute for system files. When done you will need to restore the hidden attributes to those files manually.

Edited by quietman7, 21 April 2011 - 02:15 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
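The replies above describe user files being marked Hidden and a cleanup that clears that attribute while leaving system files alone. The PowerShell below is an added example of that check and fix; it is not from this thread and is not the code of unhide.exe. The function names `Get-HiddenNonSystemItem` and `Clear-HiddenAttribute` and the Documents path in the usage comments are assumptions for illustration.

```powershell
# Added example (not part of the original thread).
# Lists items that carry the Hidden attribute but NOT the System attribute,
# then clears only the Hidden bit on them. Hidden+System items are left alone.

function Get-HiddenNonSystemItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $hidden = [System.IO.FileAttributes]::Hidden
    $system = [System.IO.FileAttributes]::System

    # -Force is required, otherwise Get-ChildItem skips hidden items entirely
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag($hidden) -and -not $_.Attributes.HasFlag($system)
        }
}

function Clear-HiddenAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.IO.FileSystemInfo]$Item
    )
    process {
        # SupportsShouldProcess gives -WhatIf / -Confirm for a dry run
        if ($PSCmdlet.ShouldProcess($Item.FullName, 'Clear Hidden attribute')) {
            # Mask out the Hidden bit only; ReadOnly, Archive, etc. stay as they were
            $Item.Attributes = $Item.Attributes -band (-bnot [System.IO.FileAttributes]::Hidden)
        }
    }
}

# Usage (path is an assumption; point it at the folder that looks empty):
#   1. Review what would change, and keep the list as a record:
#        Get-HiddenNonSystemItem -Path "$env:USERPROFILE\Documents" |
#            Select-Object FullName, Attributes |
#            Export-Csv "$env:TEMP\hidden-items.csv" -NoTypeInformation
#   2. Dry run:
#        Get-HiddenNonSystemItem -Path "$env:USERPROFILE\Documents" | Clear-HiddenAttribute -WhatIf
#   3. Apply:
#        Get-HiddenNonSystemItem -Path "$env:USERPROFILE\Documents" | Clear-HiddenAttribute
```

The exported list from step 1 records which items were hidden before the change, which helps if any attribute has to be put back afterwards.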



