Can malware remove OS


23 replies to this topic

#1 Bryan G (Members, 17 posts, Milwaukee, WI.)

Posted 14 April 2015 - 10:24 AM

I have a computer here that was running a little funny; the mouse was disappearing, so they held the power button down to shut it off. Upon restart it went into Windows 8 repair but couldn't finish.
I took the computer to my place and found that Windows 8 was almost completely wiped out. The "Program Files" folder was missing, the "Users" folder was missing, and the Windows folder was empty.
Can malware do this?
The other question is: could someone maliciously do this?

This computer runs appointment software for a salon and she's now out of business, more or less (she should have been backing it up). She had 5 employees walk out the day before this happened, so we're wondering if they did something.

I cannot recover the files she needs. I ran EasyRecovery Pro and Recuva only to get corrupted files. Now I'm trying to figure out how this could have happened.

What makes this so weird is that the hard drive tests out to be good, so how did all these files disappear?



#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,544 posts)

Posted 14 April 2015 - 10:42 AM

Hi Bryan G :)

May I ask you how you found out that all these folders were missing? Did you hook up the hard drive to another computer and explore its contents? Also, it's possible that she was the one who caused all that. When you force shut down a system while it's doing read and write operations on the drive (like it was most likely doing), you have a good chance of messing up the drive and damaging/corrupting the information and data on it. Hence why Windows automatically restarts in "Automatic Repair" or "Check disk" mode afterwards.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Bryan G (Topic Starter)

Posted 14 April 2015 - 10:57 AM

Thank you for your response.

Yes, it's on another computer. That's how I ran EasyRecovery Pro and Recuva.

Even if it was reading and writing, how would the "Users", "Program Files" and "Program Files (x86)" folders all be gone?

How would the "Windows" folder be empty?

The only folders on the "C:" drive are "$Recycle.Bin", "Boot", "found.000", "hp", "media server", "swsetup", "System Volume Information", "system.sav" and "Windows", that's it; all the other folders are missing.


Edited by Bryan G, 14 April 2015 - 11:01 AM.


#4 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 14 April 2015 - 10:59 AM

To me it looks like the installation was heavily damaged during that shutdown, or maybe Windows was running updates and it corrupted the whole system. I just wonder how malware would manage to delete all these folders and their content while Windows is in use, since they all have running processes. It could only be done at boot time, and even there.


#5 Grinler (Lawrence Abrams, Admin, 43,504 posts, USA)

Posted 14 April 2015 - 10:59 AM

I find it strange that the Users folder was completely gone, as it has files that are in use when logged into Windows, so whatever was deleted had to be done prior to Windows fully loading and using those files/folders. It's possible for malware to remove those folders on reboot, but it seems pointless, as what is to gain from that?

The fact that you have a found.000 means that chkdsk ran and found corrupted/damaged files. Are there a lot of files in there?

#6 Bryan G (Topic Starter)

Posted 14 April 2015 - 11:19 AM

I've been working on computers for years, many computers, it's what I do, and I've never seen nor heard of this; that's why I'm here, to ask people who know more than me.

My customer said the mouse was acting funny: it would disappear then come back, it would be unresponsive then work. This is why she shut it down, to fix the cursor/mouse problem. BUT, this whole time, the touch screen worked. Using the touch screen everything was working fine until they shut it down and started it back up.

Then she mentioned that 5 employees quit the day before, but still, from what I know, you can't delete all those folders while Windows is running, could you?

When I ran recovery software, I did get most or all the files back, I think. I didn't go through all of them; it looked like it was complete. I just searched for the ones she needs and they are corrupted.

I just ran Malwarebytes on the C drive and came up with nothing, but I figured that would happen.



#7 Bryan G (Topic Starter)

Posted 14 April 2015 - 11:24 AM

> I find it strange that the Users folder was completely gone as it has files that are in use when logged into windows, so whatever was deleted had to be done prior to windows fully loading and using those files/folders. Its possible for malware to remove those folders on reboot, but it seems pointless as what is to gain from that?
>
> The fact that you have a found.000 means that chkdsk ran and found corrupted/damaged files. Are there a lot of files in there?

Like I mentioned, they were able to make appointments right up to shutting it down. I would think if these folders were deleted by a pissed-off employee, you would be seeing errors prior to shutdown.

I can't access the found.000 folder in Windows Explorer, but in Acronis Disk Director I can "browse" and there are hundreds of folders and probably thousands of files.



#8 Grinler (Lawrence Abrams, Admin)

Posted 14 April 2015 - 11:31 AM

It's possible data corruption on the hard drive occurred and those "missing" files and folders were recovered as fragments by chkdsk. I agree, I do not think this could have been done while Windows was active. So some specialized tool would need to have been used to delete the files on reboot.

I am leaning towards HD corruption, but not 100% on that.

#9 Bryan G (Topic Starter)

Posted 14 April 2015 - 11:36 AM

Right now I'm changing ownership of the found.000 folder so I can get the files out. But I think that they will be corrupt anyway.

I probably will not be able to figure out how this happened; I can't believe some employees that cut hair would know how to do this. She did not have any A/V or malware protection, but they never browsed the web with this and her router has a firewall.


Edited by Bryan G, 14 April 2015 - 11:38 AM.


#10 Grinler (Lawrence Abrams, Admin)

Posted 14 April 2015 - 11:42 AM

You may want to try some HD benchmark programs against it to see if there are any SMART errors or other issues that arise.

#11 Bryan G (Topic Starter)

Posted 14 April 2015 - 11:42 AM

> Its possible data corruption on the hard drive occured and those "missing" files and folders were recovered as fragments by chkdsk. I agree, I do not think this could have been done while Windows was active. So some specialized tool would need to have been used to delete the files on reboot.
>
> I am leaning towards HD corruption, but not 100% on that..

Am I right in assuming that tests like CrystalDisk and GSmartControl aren't 100%? Even when they say a drive is good, it could still be bad, couldn't it?



#12 Bryan G (Topic Starter)

Posted 14 April 2015 - 11:45 AM

> You may want to try some HD benchmark programs against it to see if there are any SMART errors or other issues that arise.

I ran CrystalDisk and GSmartControl and both showed the drive is good. On GSmartControl I ran a quick test and it showed good.



#13 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 14 April 2015 - 11:51 AM

The SMART status can show as good on GSmartControl, but were there any lines highlighted in red or pink?



#14 Bryan G (Topic Starter)

Posted 14 April 2015 - 12:02 PM

The error log is red. It shows 1 error. I'm not sure how to read this:

Error 1 occurred at disk power-on lifetime: 12195 hours (508 days + 3 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  04 71 09 a9 00 80 e0

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  ea 00 00 00 00 00 a0 00  27d+05:27:23.403  FLUSH CACHE EXT
  61 00 10 80 2d 8b 40 00  27d+05:27:23.402  WRITE FPDMA QUEUED
  61 00 88 b0 43 3b 40 00  27d+05:27:07.609  WRITE FPDMA QUEUED
  61 00 08 78 2d 8b 40 00  27d+05:26:51.930  WRITE FPDMA QUEUED
  ea 00 00 00 00 00 a0 00  27d+05:26:51.912  FLUSH CACHE EXT

SMART Self-test log structure revision number 1
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Interrupted (host reset)      00%     12865         -
# 2  Short offline       Completed without error       00%     12864         -
# 3  Short offline       Completed without error       00%     12862         -
# 4  Short offline       Interrupted (host reset)      60%     12862         -
# 5  Short offline       Aborted by host               90%     12862         -
# 6  Short offline       Completed without error       00%     12862         -
# 7  Short offline       Completed without error       00%     12862         -
# 8  Extended offline    Interrupted (host reset)      90%         1         -

SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

I could post the entire log, but it's large.
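The log above is the ATA error log and self-test log as smartctl/GSmartControl prints them, and the poster asks how to read it. The following is an added example, not code from the thread or from GSmartControl: it parses that pasted text (embedded verbatim as a constant so it runs offline), decodes the ER (error) and ST (status) register bytes into their standard ATA bit names, pulls out the command that was in flight when the error was logged, and summarises the self-test history. The triage heuristics (which error bits count as "media" errors, the hours-since-error figure) are my own assumptions and are labelled as such in the code; they do not appear in the thread.

```python
"""Triage an ATA SMART error/self-test log dump (smartctl / GSmartControl text).

Added example, not from the thread or any tool. SMART_LOG is the log the
poster pasted, embedded here so the script runs offline.
"""
import re

SMART_LOG = """\
Error 1 occurred at disk power-on lifetime: 12195 hours (508 days + 3 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  ER ST SC SN CL CH DH
  -- -- -- -- -- -- --
  04 71 09 a9 00 80 e0

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  ea 00 00 00 00 00 a0 00  27d+05:27:23.403  FLUSH CACHE EXT
  61 00 10 80 2d 8b 40 00  27d+05:27:23.402  WRITE FPDMA QUEUED
  61 00 88 b0 43 3b 40 00  27d+05:27:07.609  WRITE FPDMA QUEUED
  61 00 08 78 2d 8b 40 00  27d+05:26:51.930  WRITE FPDMA QUEUED
  ea 00 00 00 00 00 a0 00  27d+05:26:51.912  FLUSH CACHE EXT

SMART Self-test log structure revision number 1
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Interrupted (host reset)      00%     12865         -
# 2  Short offline       Completed without error       00%     12864         -
# 3  Short offline       Completed without error       00%     12862         -
# 4  Short offline       Interrupted (host reset)      60%     12862         -
# 5  Short offline       Aborted by host               90%     12862         -
# 6  Short offline       Completed without error       00%     12862         -
# 7  Short offline       Completed without error       00%     12862         -
# 8  Extended offline    Interrupted (host reset)      90%         1         -
"""

# ATA error register (ER) and status register (ST) bit names from the ATA/ACS spec.
ERROR_BITS = {0x01: "AMNF", 0x02: "TK0NF", 0x04: "ABRT", 0x08: "MCR",
              0x10: "IDNF", 0x20: "MC", 0x40: "UNC", 0x80: "ICRC"}
STATUS_BITS = {0x80: "BSY", 0x40: "DRDY", 0x20: "DF", 0x10: "DSC",
               0x08: "DRQ", 0x04: "CORR", 0x02: "IDX", 0x01: "ERR"}
# Assumption for triage: these error bits indicate a media/drive problem,
# whereas ABRT alone just says the command was aborted.
MEDIA_FLAGS = {"UNC", "IDNF", "AMNF", "TK0NF", "ICRC"}


def decode_bits(value, table):
    """Return the names of all bits set in an 8-bit register value."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_errors(text):
    """One dict per 'Error N occurred ...' block: hours, decoded ER/ST, in-flight command."""
    errors = []
    parts = re.split(r"(?m)^Error (\d+) occurred at disk power-on lifetime: (\d+) hours", text)
    # re.split with two groups yields [pre, num, hours, body, num, hours, body, ...]
    for i in range(1, len(parts), 3):
        num, hours, body = int(parts[i]), int(parts[i + 1]), parts[i + 2]
        regs = re.search(r"-- -- -- -- -- -- --\s*\n\s*([0-9a-f]{2}) ([0-9a-f]{2})", body)
        er, st = int(regs.group(1), 16), int(regs.group(2), 16)
        # Command rows are eight hex bytes, a timestamp, then the command name;
        # smartctl lists the most recent (the failing) command first.
        cmds = re.findall(r"^\s*[0-9a-f]{2}(?: [0-9a-f]{2}){7}\s+\S+\s+(.+?)\s*$", body, re.M)
        errors.append({"num": num, "hours": hours,
                       "er": decode_bits(er, ERROR_BITS), "st": decode_bits(st, STATUS_BITS),
                       "failed_cmd": cmds[0] if cmds else None})
    return errors


def parse_selftests(text):
    """Rows of the self-test log: number, type, status, remaining %, lifetime hours, first bad LBA."""
    rows = re.finditer(r"^# *(\d+)\s+(.+?)\s{2,}(.+?)\s{2,}(\d+)%\s+(\d+)\s+(\S+)\s*$", text, re.M)
    return [{"num": int(m.group(1)), "type": m.group(2), "status": m.group(3),
             "remaining": int(m.group(4)), "hours": int(m.group(5)),
             "first_error_lba": None if m.group(6) == "-" else int(m.group(6))}
            for m in rows]


def triage(text):
    """Summarise the log; interpretation of the counts is left to the reader."""
    errors, tests = parse_errors(text), parse_selftests(text)
    media = [e for e in errors if MEDIA_FLAGS & set(e["er"])]
    latest = max((t["hours"] for t in tests), default=None)
    since = None if not errors or latest is None else latest - max(e["hours"] for e in errors)
    return {
        "error_count": len(errors),
        "media_errors": len(media),
        "interrupted_tests": sum(t["status"].startswith(("Interrupted", "Aborted")) for t in tests),
        "completed_tests": sum(t["status"].startswith("Completed") for t in tests),
        "hours_since_last_error": since,  # assumption: latest self-test hour minus error hour
        "errors": errors,
    }


if __name__ == "__main__":
    for key, value in triage(SMART_LOG).items():
        print(f"{key}: {value}")
```

Running it on the pasted log decodes the single error as ER=ABRT with ST=ERR, DSC, DF, DRDY, logged during a FLUSH CACHE EXT that followed three queued writes, at 12195 power-on hours; the self-tests were run about 670 hours later, and four of the eight were interrupted or aborted by the host rather than failing on a bad LBA. None of the error bits that point at the platters (UNC, IDNF, AMNF) is set, which is consistent with the "drive tests good" observation, but the script only reports the counts; it does not decide whether the drive is healthy.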



#15 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 14 April 2015 - 12:09 PM

I mean, on the GSmartControl window itself, after running the test. It displays the lines in red and/or pink if there's an issue with them. Were there any? For now it looks like GSmartControl detected that the drive was shut down unexpectedly during an operation.