My Docs, msconfig, programs - all gone!

Discussion in 'malware problems & news' started by porty, Sep 6, 2005.

Thread Status:
Not open for further replies.
  1. porty (Registered Member; joined Sep 17, 2004; 48 posts)
    A customer's XPH laptop has suddenly been stripped of all docs, all program files except the 16 or so default progs installed when the system was new, and msconfig is empty of all listings except for one - msmmsgs.

    Something else - in Docs and Settings, there's a folder with his name on it, i.e. Harry Potter, but there's also a folder labelled Harry Potter.YOUR.L8U9KG8WXJ.

    Apart from the lost items, the computer seems to run normally. I've never seen anything like this; is this the work of a new bug?
     
  2. lotuseclat79 (Registered Member; joined Jun 16, 2005; 5,095 posts)
    porty,

    This is a Netsky.P worm disguised in email or file-sharing as a Harry Potter game, and by the looks of it wiped the items you mentioned.

    Since the computer appears to run, I would recommend a full system online scan from one or more of the following websites in order to excise the worm:
    Housecall: http://housecall.trendmicro.com/ or for Europe:
    http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php
    Kaspersky: http://www.kaspersky.com/service?chapter=161739400
    bitdefender: http://www.bitdefender.com/scan/license.php
    Malware: http://virusscan.jotti.org
    F-Secure: http://support.f-secure.com/enu/home/ols.shtml
    Panda: http://www.pandasoftware.com/activescan
    RAV AV: http://www.ravaantivirus.com/scan
    eTrust: http://www3.ca.com/virusinfo/virusscan.aspx

    If your customer can remember when the infection was first noticed, perhaps it is possible to boot up and restore to a restore point before that date.

    Remembering that the more a computer is run, the more difficult it is to recover lost files, you might also try one of these (paid) tools; the last two are forensic recovery tools:
    EasyRecovery: http://www.ontrack.com.uk/easyrecoveryprofessional/
    Encase: http://www.guidancesoftware.com/products/ef_index.asp
    WinHex: http://www.x-ways.net/winhex/index-m.html

    -- Tom
     
    Last edited: Sep 7, 2005
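Before accepting that the data is gone, a practitioner would want to compare the two profile folders mentioned in the first post and cross-check the near-empty msconfig list against the registry. The PowerShell triage script below is an added example; it is not code posted in this thread and not part of any of the scanners or recovery tools listed above. It assumes an elevated Windows PowerShell prompt (2.0 or later) on the affected machine and changes nothing. The profile root is read from the registry rather than hard-coded; the ProfileList key shows which folder each account SID currently loads (Windows creates a second folder named username.COMPUTERNAME when it cannot reuse the existing one, and that new folder starts out nearly empty), so folders sharing a base name are reported side by side with file counts and sizes. The script then lists the Run/RunOnce keys and Startup folders that msconfig's Startup tab is built from, msconfig's own startupreg/startupfolder keys where unticked entries are parked, and the System Restore points. The "Harry Potter" folder names in the comments are the thread's placeholder, not real data.

```powershell
# Added triage example (not from the thread). Assumptions: run in an elevated
# Windows PowerShell 2.0+ prompt on the affected machine; nothing is modified.

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Profile root as Windows itself defines it (Documents and Settings on XP, Users later).
$profileRoot = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $profileListKey -Name ProfilesDirectory).ProfilesDirectory)
Write-Host "Profile root: $profileRoot"

# 1. Which folder does each account SID load today? A SID pointing at a
#    "name.COMPUTERNAME" folder means the account now logs into a fresh profile.
Write-Host "`n== ProfileList: SID -> profile folder =="
Get-ChildItem -Path $profileListKey | ForEach-Object {
    $image = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    Write-Host ('{0,-46} {1}' -f $_.PSChildName, [Environment]::ExpandEnvironmentVariables($image))
}

# 2. Profile folders grouped by base name, so "Harry Potter" and
#    "Harry Potter.YOUR-XXXX" (placeholder names) appear together with file count and size.
Write-Host "`n== Profile folders (Duplicate = more than one folder for the same base name) =="
Get-ChildItem -Path $profileRoot -Force | Where-Object { $_.PSIsContainer } |
    Group-Object -Property { $_.Name.Split('.')[0] } |
    ForEach-Object {
        $group = $_
        foreach ($dir in $group.Group) {
            $files = @(Get-ChildItem -Path $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum
            New-Object PSObject -Property @{
                BaseName  = $group.Name
                Folder    = $dir.Name
                Duplicate = ($group.Count -gt 1)
                Files     = $files.Count
                MB        = [math]::Round([double]$bytes / 1MB, 1)
                LastWrite = $dir.LastWriteTime
            }
        }
    } | Select-Object BaseName, Folder, Duplicate, Files, MB, LastWrite |
    Format-Table -AutoSize | Out-Host

# 3. Autostart locations that msconfig's Startup tab is built from.
Write-Host "`n== Run / RunOnce keys =="
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $psNoise -notcontains $_.Name } |
        ForEach-Object { Write-Host ('{0}  {1} = {2}' -f $key, $_.Name, $_.Value) }
}

Write-Host "`n== Startup folders =="
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host $_.FullName }
}

# msconfig parks entries a user has unticked here; an item that "vanished" from
# its list may only have been disabled rather than deleted.
Write-Host "`n== msconfig disabled entries (startupreg / startupfolder) =="
foreach ($sub in 'startupreg', 'startupfolder') {
    $key = "HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\$sub"
    if (Test-Path $key) {
        Get-ChildItem -Path $key | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            Write-Host ('{0}  {1}  {2}' -f $sub, $_.PSChildName, $p.command)
        }
    }
}

# 4. Restore points (client Windows only; needs an elevated prompt).
Write-Host "`n== System Restore points =="
try {
    Get-ComputerRestorePoint -ErrorAction Stop |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = {
                [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize | Out-Host
} catch {
    Write-Warning "Could not list restore points: $_"
}
```

Run it before any scanner or recovery tool is pointed at the disk: the profile table is read-only and tells you whether the original folder still holds the files and whether the account is simply loading the new, empty profile, which decides whether file recovery is even needed. If the Run keys and Startup folders are as empty as msconfig reports, the script's startupreg section shows whether that is because entries were disabled in msconfig rather than removed.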
  3. porty (Registered Member; joined Sep 17, 2004; 48 posts)
    lotuseclat79, thanks for your comments. Sorry, I might have confused folks a little; my customer's name is not Harry Potter, I was just using it as an example, knowing that my customer wouldn't want me using his real name on the net.

    But the folder is as I've described it, apart from the 'Harry Potter' bit!

    I'll try some of those online scanners although I've already tried a few mainstream programs without results.

    This is definitely odd; HiJackThis! shows nothing but the startups for the various 'Anti-' progs I've installed, which is weird in itself; it's about the cleanest HJT log I've ever seen.

    Here's something even odder - I created a folder yesterday, C:\Download, and dumped in all the progs I wanted to install. Today the folder is empty!

    I've also just noticed that his Outlook Express account has vanished - all that's left are empty folders.

    If this is a bug, it's very efficient and very dangerous. I think I may have to get his Compaq recovery disks and rebuild the system from scratch.

    Cheers.
     
  4. lotuseclat79 (Registered Member; joined Jun 16, 2005; 5,095 posts)
    Hi porty,

    I did not assume Harry Potter was your customer's name - but it is the name of a worm variant of Netsky.P.

    Yes, run the Kaspersky scan first, then the jotti - both of those should give you broad coverage. It definitely sounds like there is malware loose on the machine if folders go missing! The malware is probably hiding in the Restore folder by now, so trying to do a restore to a point before the troubles began may or may not work.

    -- Tom
     
  5. porty (Registered Member; joined Sep 17, 2004; 48 posts)
    Thanks Tom. Re the restore, it was the first thing I tried. Again odd: no restore points except one, which had been created on the morning of the day that he brought it in; it was probably an automatically created RP. I went back to it, but it must have been set after the damage had been done, because nothing altered.

    I've just run the Symantec Netsky fix, but that found zip.

    And Stinger 2.5.6 found nothing either. As I said, it's probably going to be safer if I do a reinstall - it's not as if he's got a lot of data to transfer - well, none, in fact!

    Cheers
     