Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

All files missing on one partition - due to malware??

Status
Not open for further replies.
goombawaho

goombawaho

MIS
Oct 7, 2007
6,597
US
Customer's Windows 7 machine would not boot. All data on windows partition was gone when I got there (as determined by booting to a BartPE CD), yet the HP Recovery Partition data was unmolested. Hard drive tested out fine using manufacturer's test. Trying to figure out what happened to all the files.

When I put the hard drive in my "recovery computer" to run GetDataBack on it, Microsoft Security Essentials found the following:
DOS/Alureon.A
Items:
boot:\Device\Harddisk1\DR1
boot:\Device\Harddisk1\DR1\(MBR)

When I recovered some of the data off the drive, M.S.E. found:
Win32/Alureon.DX
Second detection when restoring files from slave drive:
containerfile:C:\Documents and Settings\JLD\Desktop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2c79c3d9-4c15dc39

containerfile:C:\Documents and Settings\JLD\Desktop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\48e5885e-22359887

file:C:\Documents and Settings\JLD\Desktop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\2c79c3d9-4c15dc39->[Obfuscator.PN]

file:C:\Documents and Settings\JLD\Desktop\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\48e5885e-22359887->[Obfuscator.PN]


Does it make sense that the malware removed all the files by itself? Or did it happen in conjunction with Kaspersky fighting the malware? The drive's partition for C: was still there. I don't know what to tell the customer as the root cause. Strange that the recovery partition still had files in it but the C: drive would be totally zapped.
 
Sort by date Sort by votes
Can you find

Presumably your customer caught Trojan:DOS/Alureon.A at some point, or Kaspersky made a false positive. Can you find Kaspersky's log file?

It seems this behaviour is not unknown - see
Miucrosoft have some information here
and here

Does the customer use an admin enabled account? If so this is a bad idea. Standard advice applies
•Enable a firewall on your computer.
•Get the latest computer updates for all your installed software.
•Use up-to-date antivirus software.
•Limit user privileges on the computer.
•Use caution when opening attachments and accepting file transfers.
•Use caution when clicking on links to webpages.
•Avoid downloading pirated software.
•Protect yourself against social engineering attacks.
•Use strong passwords.
 
Upvote 0 Downvote
I'm not worried about how NOT to get malware, I'm just trying to understand what happened in this particular instance. The last time I saw something like this, it was the entire partition on the disk that had gone away, not just the files - something different entirely.

The C: drive was EMPTY except for some log files where I tried to run Windows 7 startup repair.

I guess maybe you meant "could I recover the Kaspersky logs?" That might have been a good idea if I had had more time, but NO.
 
Upvote 0 Downvote
Yes I did mean "could I recover the Kaspersky logs?" as I think that's the only chance of a clue you may get. I suspect that Kaspersky may well be the culprit.

As for the other - I was just reminding you to remind your customer. Which I am sure you will. I am certain you know!

Don't you just hate these malware writers and dstributer!
 
Upvote 0 Downvote
You tell me how you would determine that. I booted to BarPE and found only the Windows recovery files that resulted from booting to the Windows 7 CD and trying to repair the windows installation.
 
Upvote 0 Downvote
From what I read on the Alureon Trojan, I do not think that that caused the missing files...

see:
there is a possibility though, that another malware or secondary infection could cause the deletion of files (I know that GRUEL.A does delete files but not all)... and if the recovery partition was hidden (no drive letter under W7), then it would be left alone...

but I've never seen an AV kill the whole drive, it would leave the folder structure intact and most of the files...


now if the files are hidden (attribute H) then the files would not show, I am not sure if under BartPE if the option to show all hidden files is enabled by default, and to show hidden files (unhide them) you could use the following from a DOS CMD line:

dir X: /ah (to see all hidden files and directories)
attrib -h X:\*.* (to unhide ALL files and directories)

for drive X (change this to whichever drive letter that the drive is showing under your RECOVERY system)...

PS: I know that you know what you are doing, and that the above may just be a recap or redundant information... but one never knows...



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
Well, I can't check it now as the customer has the drive back, but my experience has been that you can get into the System Volume Information folder and browse it using BartPE. And that folder is marked as HIDDEN and SYSTEM, so I was always running under the assumption that I could see hidden files with BartPE by default.

Guess I need to confirm that because normally malware would flag it's source file as hidden if it were smart.

The reason I wanted to know is A) for myself and B) for the customer because he wants to know whether he should beat one of his employees for recreational web surfing that got the virus on the PC. Maybe not a real beating, but whipping via tongue lashing.

 
Upvote 0 Downvote
Upvote 0 Downvote
It needs the final dash! Which although showing is not part of the link!!!

Try a copy and paste.

Code: 
[URL unfurl="true"]http://www.windowsitpro.com/article/configuration/how-can-i-view-super-hidden-files-[/URL]
 
Upvote 0 Downvote
As an update to this type of malware:

1. Combofix now has a routine where it does the attrib -H C:\* /S /D AUTOMATICALLY at the end of its run. It fixed up a computer with this hidden file problem for me a few days ago.

2. There is another program to help fix the missing start menu items, etc. on this page. You can also use UNHIDE on the same page if you don't use Combofix as part of the removal process.

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2ffat
  • Locked
  • News
MalwareBytes may have been hacked
Replies
0
Views
116
2ffat
2ffat
Olumighty
  • Locked
  • Question
BIOS PASSWORD WIPE OR CLEAR ON COMPUTER LAPTOP 1
Replies
1
Views
126
SamBones
SamBones
goombawaho
  • Locked
  • News
Malware Injected Into CCleaner 3
Replies
2
Views
125
goombawaho
goombawaho
Tiffc0922
  • Locked
  • Question
Virus / Malware Scans on Local PCs
Replies
5
Views
130
goombawaho
goombawaho
goombawaho
  • Locked
  • Helpful tip
Evil: Poweliks Malware 1
Replies
1
Views
83
kjv1611
kjv1611

Part and Inventory Search

Sponsor

Back
Top