Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Jelika on August 11, 2012, 12:34:05 AM
-
Yesterday I ran a scan and Avast found 3 viruses. It suggested I run a boot time scan, which I did, and once it returned to my desktop, it had deleted all my files. ALL of them! My computer looks as though it just came from the factory.
I attempted a system restore but the only possible restores are the ones from system checkpoint which is useless and it won't let me go back far enough to where I had cleaned my computer completely. Is there any way I can recuperate these files?
I run Windows XP Media Center Edition. Thank you
-
Boot-time scans don't delete all your files. Whatever the virus might have been, it might have been that. But I don't know much, just wait for a few responses from the avast! team.
-
I probably should have said that the `process` deleted the files and file folders as I am aware that the scan itself did not do the damage. I still need to know if there is a way to recuperate the lost files.
-
Open Avast GUI by clicking the Orange Ball at the bottom in the taskbar
Click maintenance
Click Virus Chest
Send us a print screen of that
and also while you are there, click on Scan computer, then click Scan logs
if you see one that says Virus found in red click on it. Create a printscreen of that.
Attach them in your next post
Anthony :D
-
Just a thought...
Some of the rogue malware programs HIDE (or MOVE) your personal files, placing them in "temporary" areas. Your desktop appears empty, as if everything is gone. IF that's what happened here, it may be possible, under guidance, to recover them... AS LONG AS you don't run any "temp file cleaners" (such as Disk Cleanup or CCleaner).
Typically, such a rogue program would have alerted you, either claiming to have found lots of errors on your system... perhaps even asserting it was about to crash... and offering to "fix" everything for you... for a FEE. Sometimes, they explicitly make a "ransom" demand, telling you they've encrypted all your files, and that you must pay them to get your files back. If you didn't experience either of these symptoms, then my "thought" might not apply to what happened to you.
Regardless, I would NOT run any "temp file cleaners" until you're sure it won't permanently impact your system in a negative way.
-
Do not use any temporary file cleaners
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it on your desktop.
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
-
This just happened to my dad's computer. I got nowhere by searching Google for the answer, so I just poked around for a while. What I figured out made me laugh. Most all of his files were all in the exact same places, but they were all set to "hidden." (I say most, because there were a few programs he hadn't found yet.) Go into a folder, find the folder options selection from the Tools menu, go to the View tab, scroll down to find "Hidden files and folders" and select to show hidden files and folders. Hope this helps!
-
As I conjectured in my post, it sounded like a rogue in which user files were HIDDEN and/or MOVED. So UNhiding would fix the hidden (-only) aspect.
Perhaps the "few programs [your dad] hadn't found yet" were in fact moved (as well).
By the way, simply UNhiding the files removes a SYMPTOM of the rogue... but it does NOT remove the rogue itself --- which might still be present. That's why EssexBoy offered a more comprehensive solution.
Ironically, we never heard back from the OP.
-
As I conjectured in my post, it sounded like a rogue in which user files were HIDDEN and/or MOVED. So UNhiding would fix the hidden (-only) aspect.
Perhaps the "few programs [your dad] hadn't found yet" were in fact moved (as well).
By the way, simply UNhiding the files removes a SYMPTOM of the rogue... but it does NOT remove the rogue itself --- which might still be present. That's why EssexBoy offered a more comprehensive solution.
Ironically, we never heard back from the OP.
While I know the problem isn't 100% fixed, at least you can back up your important stuff [that should already be backed up]. Thank you for your help!
-
If this helps I can't say, but I'll digress and 'may' throw some hope.
I accidentally formatted a back-up drive once with all my PCB cad work, Jpegs and text docs., my fault, no-one else to blame, but I got them all back with Recover My Files http://www.recovermyfiles.com/ (http://www.recovermyfiles.com/), if you do this it will let you see if they are recoverable or not... then it's up to you if you want to purchase the license to enable 'recovery', this may sound like I'm selling I'm not - but it's letting you know they are there and are 'able' to be recovered.
You could then go rooting around for free software that may do the trick, rather than sit back and say nothing I'd rather speak up letting you know that all 'may not' be lost in getting them back - it gives you the chance to see!
It doesn't bother me should this post get deleted, but it IS denying you the chance of recovering those files one way or another!
Always keep a clean cloned drive - always! For few minutes work you are back in business, whether its the main drive or back up drive.
Dave
-
Sorry it took so long but a family emergency took me out of town. Came back this morning so here are the screen captures you asked for.
-
And the second one
-
And the background info
-
Last one
-
As I conjectured in my post, it sounded like a rogue in which user files were HIDDEN and/or MOVED. So UNhiding would fix the hidden (-only) aspect.
Perhaps the "few programs [your dad] hadn't found yet" were in fact moved (as well).
By the way, simply UNhiding the files removes a SYMPTOM of the rogue... but it does NOT remove the rogue itself --- which might still be present. That's why EssexBoy offered a more comprehensive solution.
Ironically, we never heard back from the OP.
Haven't seen a trace of any HDD Rogue and I already applied the 'show all hidden files' action with no success. It's the first thing I did.
All my ''programs'' are still accessible. It's the data that is missing. All pictures, documents, shortcuts etc... and the Temp folder in C:\Documents and Settings\Default User\Local Settings\temp is totally empty.
-
You need to follow essexboy's advice in reply 6.
You might also want to hide your gmail address from the public - spammers have been known to harvest e-mail addresses from forums like this.
-
While Rogues typically identify themselves --- in order to try to extort a ransom --- I still think it's worth following Essexboy's directions. It may not help... but it shouldn't hurt.
A rogue might remove [or hide] such personal files --- but a virus scan shouldN'T.
I don't know WHERE the rogue (if that's what it was) might have moved the files. Hopefully, it's to a directory beside the one you've already checked to find empty.
But if it moved them to SOME temp directory... and that directory has since been emptied... there may not be much that can be done at this point.
-
You need to follow essexboy's advice in reply 6.
+1
-
Another thing I should mention is that I just tried 'searching' for pictures using .jpg and all of them are there, but in folders to which I no longer have access. So I guess what I need to do is find a way to restore the folders and everything should be ok. Right?
-
You need to follow essexboy's advice in reply 6.
+1
Done, there you go:
-
having run RogueKiller, have any (or all) of your personal files come back?
-
Even if your files have come back, please wait for further advice from essexboy on any necessary completion activities.
He'll probably be at work now, but usually checks the forum in the evening.
-
Unfortunately not. But as I mentioned, if I use the search function, I can see and access them all. The folders however remain nowhere to be found.
Also forgot to mention earlier that all of my Outlook folders, files, contacts etc are also missing.
-
if I use the search function, I can see and access them all.
That sounds like a step in the right direction. :)
I'll send essexboy a prompt that the thread has come back to life.
-
Hi, let's now look at the system and see what else is hiding
What are the folders that are missing, also are all the menus back where they should be under the start button ?
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
There you go. Hope it helps.
-
File was too large to post at the same time.
-
Hi it looks as though you emptied your temporary folders prior to running RogueKiller, so those shortcuts are lost and we will need to recreate them
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\iqrgw.sys -- (axxc)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
[2012-08-12 12:03:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.N-2E4C3D3E87CC4\My Documents\Recover
[2010-04-28 12:03:10 | 000,001,008 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\kXk1e8cNYr5
[2010-04-26 07:39:33 | 000,020,384 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\vf833a5xcC
[2010-04-24 20:14:08 | 000,015,030 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\vV3jJCmDGwx
[2010-04-12 09:58:03 | 000,015,434 | --S- | C] () -- C:\Documents and Settings\All Users\Application Data\2rX3LGT3
[2008-12-09 10:29:03 | 000,000,013 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ØÒÝÃÄ3113›.sys
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Restore Accessories Program Files Menu
Please download this tool here (http://www.winxptutor.com/download/accrestore.zip).
You will need to unzip the tool first.
Once you've unzipped the tool, please double-click on it to run it.
Ensure that the following check boxes are checked (as seen in this image below):
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/restore-start-menu-accessories-folder.gif)
Once they are, click on the Restore button.
Restore Admin Tools Program Files Menu
Please download this tool here (http://www.winxptutor.com/download/admintools.zip).
You will need to unzip the tool first.
Once you've unzipped the tool, please double-click on it to run it.
Click on the Restore Administrative Tools Items button.
As seen in this image below:
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/RestoreAdministrativeTools.gif)
This next one will produce the necessary shortcut links which you can cut and paste into the start menu folder
Download the repair.vbs (https://skydrive.live.com/embed?cid=32D8666F4048075B&resid=32D8666F4048075B%21550&authkey=AAx5Z3O_aFTskF4) file to your desktop
Run the repair.vbs
It will ask for a folder name call it recovery
The tool will let you know when it is finished
On the desktop will be a recovery folder
Open the folder
Cut and Paste the links that you want to C:\documents and settings\your name\start menu
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/recoverxp1.gif)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/recoverxp2.gif)
-
Problem: once I started running the app with the script you provided I received the following error message: cannot create c:\windows\system32\drivers\etc\HOSTS
So I stopped until further notice. Should I have run the OTL app anyway? And if so, how long will it take for the process to complete?
-
Remove the following line from the script and then re-run it please :
[resethosts]
-
I can't see that line in the script. All you gave me is this:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT
-
See Post 28
-
All done.
Log attached.
What's next?
Do I need to reboot? Because I still don't have any of my data.
Also, I must mention that the folder with my name does not have a folder named 'Start Menu' so I used C:\Documents and Settings\Default User\Start Menu instead. The other choices are Administrator, All Users, Linda (that's me), Local Service and Network service
Perhaps I used the wrong folder?
-
Create an empty folder with your name
i.e. C:\Documents and Settings\Linda\Start Menu
And then populate that one as previous...
Once done let me know what problems remain
-
OK, re-did it right this time. What's missing are all my documents, images, music and videos as well as my Outlook folders, calendar, contact etc.
-
Could you run RogueKiller one more time please and select the shortcut fix
- Next click on the ShortcutsFix
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
-
Here we go
-
What are we missing now... Could you screenshot it
-
What's missing are all my documents, images, music and videos as well as my Outlook folders, calendar, contact etc.
Previous step did not resolve my problem unfortunately.
-
Is it the files themselves or just the shortcuts ?
-
If I search some of the files individually I can find them and see the path, for example C:\My Documents\My Pictures, but that folder does not exist on my computer anymore (seems to have been replaced by: C:\Documents and Settings\Administrator.N-2E4C3D3E87CC4\My Documents\My Pictures, which is empty), so I guess the answer is the shortcuts?
Another weird thing I should mention. I just looked at the program shortcuts and found this file (see attachment) that is not a program but a .ini file (which I converted to .txt in order to upload it), and the modification date is exactly the date I lost everything. Could this help you?
-
The desktop ini is a system file which will be hidden later
Did you do this step on the affected login ?
This next one will produce the necessary shortcut links which you can cut and paste into the start menu folder
Download the repair.vbs (https://skydrive.live.com/embed?cid=32D8666F4048075B&resid=32D8666F4048075B%21550&authkey=AAx5Z3O_aFTskF4) file to your desktop
Run the repair.vbs
It will ask for a folder name call it recovery
The tool will let you know when it is finished
On the desktop will be a recovery folder
Open the folder
Cut and Paste the links that you want to C:\documents and settings\your name\start menu
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/recoverxp1.gif)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/recoverxp2.gif)
-
Yes I did. I double checked all of the steps you gave me and did it in the correct order.
-
Can you locate the folders in windows explorer, right click the folder and select send to...
Then select desktop shortcut.
If that works then we will do the remainder manually... However, if the files themselves are missing then we are too late to recover them
-
I can locate some of them using the search function, but not the main ones like 'My Pictures' - 'My Documents' etc.
I do know that the data itself is still there because I can find it again using specific search but I have so many files and folders I wouldn't know where to begin. It seems as though I lost the file association. For example, if I start Dreamweaver it looks like a clean install and all the folders containing my files are no longer associated with the application etc.
I found this link with a bunch of file association fixes. Should I use it?
http://www.dougknox.com/xp/file_assoc.htm
-
Update: I just found all of my documents located under: C:\Documents and Settings\Administrator\My Documents
There is also something called Groove Synchronization which offers the option to synchronize all of the Administrator's documents.
Should I run it?
-
When you locate the files.. Could you make a note of what the folder it is in and then use the right click to send a short cut to the desktop
When you start Dreamweaver are you able to add folders within the options settings ?
Groove synchronisation is for sharing word documents on line
-
I am able to shortcut some of the folders, not all of them.
As for Dreamweaver, I can't add folders. I can however retrieve single files going through the program files path but I lost all the sites setting and another weird thing is that the 'My Documents' folder is now called 'Mes Documents' as if my computer was set in French. Hum...
Update: In my search for the missing folders access I found something they all have in common. All of the files I have managed to find are located under C:\Documents and Settings\Administrator (although I see nothing when I go there manually). Which makes me wonder. Perhaps I should have copied the 'Recovery' folder shortcuts that were created under Administrator instead of my (name)?
-
That would be worth a try to see if it resolves the problem
-
Tried it. Sorry to say it didn't change a thing.
Anything else I can try?
-
OK I will need to check some data out for a bit on this .. as it is not normally this convoluted
Did you empty your temporary files prior to running RogueKiller ?
-
No. I didn't empty anything. I ran Avast in normal mode, then when prompted I did the boot-time scan and then the mess began. The only things I did was to follow your steps. Will wait for further instructions. Thanks for taking the time to help out.
-
Any update? I really need to figure out how to fix this mess.
-
I have as yet been unable to find anything similar to this so any resolution at this stage will be by trial and error
So let's try this option first :
Right click C:\Documents and Settings\Administrator\My Documents
Select Copy
Now go to C:\Documents and Settings\Linda
Right click and select paste
This should copy everything over
-
I do not have a folder named: C:\Documents and Settings\Administrator\My Documents
All of my documents are still in the recovery folder. So I tried to copy that to the target folder, didn't fix a thing.
Another thing I noticed this week is when I try to open a document (picture for example) that I located using the search function, it does not open with the program it was previously associated with but rather with a windows program. Same for videos etc. It is as if my computer had reverted to factory default. It's a real mess.
-
OK next attempt can you backup to a USB or CD all the files that you can find and create then place them in the correct folder i.e. documents, pictures,
So create a folder on the USB called pictures and copy all the pictures into that folder
-
I have way too many files and folders to fit on my 4GB USB, so I tried something else which seems to have solved part of my problem.
As I mentioned previously I could locate the documents folder using the search function and typing in the direct link which was: C:\Documents and Settings\Administrator\My Documents
The problem was that the documents in question were now under C:\Documents and Settings\Administrator\ where no 'My Documents' folder existed because it had moved under Administrator's Documents.
So I renamed the 'Administrator's Documents' folder to ''My Documents'' and then changed the target shortcut of the My Documents shortcut in the Start Menu to point to the correct folder and I can now easily access all of my files and documents. Yeah!!!
I do however need further assistance. I still need to restore my Outlook 2007 folders, contacts and emails (if that is possible).
Any clue where I could start looking?
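
Added example, not part of the original thread: a read-only Python report for the two cases discussed above, user files flagged "hidden" versus files sitting under a different profile folder (here they turned up under Administrator rather than Linda). The function names, the extension list and the sample file names are assumptions made for illustration; only the folder paths come from the thread.

```python
import ntpath
import os
import stat

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN  # 0x2, the attribute behind "set to hidden"
# Assumption: extensions counted as user data for this report.
USER_DATA_EXT = {".jpg", ".doc", ".pst", ".mp3", ".avi"}
ROOT = "C:\\Documents and Settings"

# Constructed sample (file names invented) mirroring the layout in the thread.
SAMPLE = [
    (ROOT + "\\Linda\\Desktop\\desktop.ini", 0x26),
    (ROOT + "\\Administrator\\My Documents\\My Pictures\\a.jpg", 0x20),
    (ROOT + "\\Administrator\\My Documents\\report.doc", 0x22),
    (ROOT + "\\Administrator\\Local Settings\\Application Data"
            "\\Microsoft\\Outlook\\Outlook.pst", 0x22),
]


def walk_attrs(root):
    """Yield (path, attribute bits) for each file under root. Never writes."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable entry: skip it, change nothing
            # st_file_attributes is only present on Windows
            yield full, getattr(st, "st_file_attributes", 0)


def profile_of(path, profiles_root):
    """Return the profile folder a path sits under, or None."""
    root = ntpath.normpath(profiles_root).rstrip("\\") + "\\"
    full = ntpath.normpath(path)
    if not full.lower().startswith(root.lower()):
        return None
    rest = full[len(root):]
    return rest.split("\\", 1)[0] if "\\" in rest else None


def summarize(entries, profiles_root):
    """Count visible and hidden user-data files per profile."""
    counts = {}
    for path, attrs in entries:
        if ntpath.splitext(path)[1].lower() not in USER_DATA_EXT:
            continue
        profile = profile_of(path, profiles_root)
        if profile is None:
            continue
        bucket = counts.setdefault(profile, {"visible": 0, "hidden": 0})
        bucket["hidden" if attrs & HIDDEN else "visible"] += 1
    return counts


def triage(counts, user):
    """Classify the user's data: visible, hidden, other_profile or not_found."""
    mine = counts.get(user, {"visible": 0, "hidden": 0})
    if mine["visible"]:
        return "visible", [user]
    if mine["hidden"]:
        return "hidden", [user]
    others = sorted(p for p, c in counts.items() if c["visible"] + c["hidden"])
    return ("other_profile", others) if others else ("not_found", [])


if __name__ == "__main__":
    # On the affected machine, replace SAMPLE with walk_attrs(ROOT).
    report = summarize(SAMPLE, ROOT)
    print(report, triage(report, "Linda"))
```
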
-
Do you have the PST, OST, PAB, OAB, DAT files for outlook ?
They should be located here - these are hidden files/folders
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook
-
I found them under: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook
Not sure if those are the files you are suggesting, but that's all I found. See attachment
-
Anything?
-
Those are the right files, you should be able to use outlook to recover the backups
http://email.about.com/od/outlooktips/qt/Restore_Outlook_Mail_Contacts_and_Other_Data_from_a_Backup.htm
http://www.howto-outlook.com/howto/backupandrestore.htm
-
It worked great! Thank you so much for all your help. It is truly appreciated.
I still need to find a way to synchronize Dreamweaver with my sites folders but hopefully I will figure that out.
Again, thank you and have a great day!
-
No problem, it gave my research skills a very good workout ;D
-
Hi it looks as though you emptied your temporary folders prior to running RogueKiller, so those shortcuts are lost and we will need to recreate them
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
Hi! I had the same problem and followed the proposed solution until before this post. Because of the warning you gave us, I was wondering if I can follow from here on with my Windows 8?
Charlotte
-
Hi there, it really depends on what the problem is that you are experiencing
-
Hey!
Thank you for your quick answer!
So: I installed avast, ran a scan and it also made a boot scan after that. Then I deleted Avast again. And then I saw that a part of my files in "my documents" were gone. I did what was written above until the OTL. I will include the files.
-
During the boot scan did Avast alert you on any files as being infected ?
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) and save it on your desktop.
NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(https://dl.dropbox.com/u/73555776/RKScan.GIF)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(https://dl.dropbox.com/u/73555776/RKDelete.GIF)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF)
- The report has been created on the desktop.
Please attach: All RKreport.txt text files located on your desktop.
-
Yes, (something with win...) and they were put in the chest.
But unfortunately, I uninstalled Avast and I wasn't able to recover the chest with Recuva...
See files in attachment
-
Unfortunately by removing Avast you deleted all the files in the chest.
What type of files were deleted ? Were they word documents or HTML files