
Possible Virus. All folders on unit are empty.


5 replies to this topic

#1 Tribat

Tribat

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 14 February 2013 - 09:08 PM

A client brought in a Dell laptop with a missing driver. A tech downloaded a driver onto a flash drive. I'm not sure of where the driver came from. When the flash drive was put into the computer it started loading something and the tech pulled it out and restarted the unit. After reboot the tech noticed that the start menu was empty. Typical of a hidden files infection. After a second reboot the unit goes straight to startup repair. I pulled the HDD out of the unit and hooked it up to another computer with an enclosure. The drive reads as 99.9% free space. All of the folders are there but they all show as empty (0 bytes). The recovery partition is intact and the drive passes Dell diags. Any ideas on recovering the data? I'm sure I could just restore it but the client needs the data.


Edited by Budapest, 15 February 2013 - 03:30 AM.
Moved from Win7 ~Budapest



 


#2 AbsoZed

AbsoZed

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Anna, IL
  • Local time:06:17 PM

Posted 14 February 2013 - 10:31 PM

Hi there. I think you've got the TDS virus. Seen it a couple of times, always proves interesting. Judging from what you've said the computer still boots; so run this on it, and let me know the results!

 

http://support.kaspersky.com/downloads/utils/tdsskiller.exe



#3 antmorals

antmorals

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 15 February 2013 - 06:42 AM

I cannot say for sure what kind of virus this is but I have been through it. I booted my machine using Ubuntu Live, copied all folders onto an external HDD and restored the machine to factory settings. Surprisingly, none of the files in the folders were 'infected'. I could copy them back onto the laptop after restoration without any hassle.



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:17 PM

Posted 15 February 2013 - 11:43 AM

Hello, look at this guide.  HDD REPAIR

After the virus is removed you run Unhide.exe to see the hidden files...Step 19.



#5 Tribat

Tribat
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:17 PM

Posted 15 February 2013 - 03:08 PM

Here's an update. TDSS killer is clean. Moving a folder off the drive just moves an empty folder. This is definitely not scamware or rogueware. The drive is physically empty except for the folders. The drive, when plugged into another computer, shows as 99.9% free space in properties. We are about to foot the bill sending it to a data recovery service and I was wondering if anyone else had seen this issue.



#6 AbsoZed

AbsoZed

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Anna, IL
  • Local time:06:17 PM

Posted 16 February 2013 - 12:51 AM

Alright, well, before you do that, try out BackTrack Live CD, see if you can manage to recover anything using the forensics if you're familiar with that. If not, well, I assume that's your only option. But if you move folders, they could keep the attributes. Are you certain they're absolutely non-existent?





