Win 7 installation disappeared - malware?

Discussion in 'malware problems & news' started by SheikYorHips, Feb 14, 2012.

Thread Status:
Not open for further replies.
  1. SheikYorHips (Registered Member; joined Aug 6, 2008; posts: 5)
    Hello, I need some help in figuring out what happened to my computer.

    The system: Win 7 x64, i7 860, 8gb ram, 1 hdd with two partitions, Comodo firewall

    The problem: I was watching a video on YouTube when Firefox suddenly froze. After waiting a short while for it to come back alive, I noticed I couldn't run any other app except for Task Manager, which I guess is already loaded by the OS. Unfortunately it was unable to kill anything, except for explorer.exe once that also froze when I went deeper into the tree structure on the HDD. Unable to do anything else, I did a cold boot, after which I was greeted by the "Windows unable to start, files missing, start a recovery" prompt. I connected the disk to a machine running XP, where I discovered that the installation partition was cleaned out (no label, no files except for a $Recycle.Bin folder), and the XP Event Viewer log added an entry "The file or directory F:\ is corrupt and unreadable. Please run the Chkdsk utility." The used/free space was somehow still reported correctly, just as it was when the partition was still fine. The secondary partition was left completely untouched.

    I ran a recovery program and was able to retrieve everything I cared about from the cleaned-out partition. What doesn't seem coincidental is that while the recovery program found all folders as they were before the problem happened, only "Documents and Settings", "Users" and "Windows" were stripped of their names (the recovery program gave them unique 6-character names) and flattened into the root. Or at least "Windows" was flattened, by which I mean its subfolders were also named uniquely by the recovery program and placed at the root level.

    With the recovery of the important files successfully completed, I ran chkdsk, which was unable to finish, and an on-demand scan by Avast on the affected partition and the recovered files, which came up with nothing. I also ran TDSSKiller on the XP machine, again with 0 problems. I then tested the hardware parts: an extended HDD test (complete surface test), memtest and a CPU stress test on the offending machine, all of which passed with flying colors, so I'm clueless as to what happened.

    Let me also add that I generally don't do risky stuff security-wise (I've never been infested and I've been using PCs since the MS-DOS days), particularly not on this machine, and I'm trying to find out what happened to it so that I can hopefully prevent it from happening in the future. I plan to zero-fill this drive, repartition and reinstall, but I'm holding off on it in case there's more to be learned from the situation as is. Help and info very much appreciated.
     
  2. SheikYorHips (Registered Member; joined Aug 6, 2008; posts: 5)
    Important update that will hopefully trigger more helpful replies... I managed to restore the original W7 installation by using the recovery option on the installation disk (an unexpectedly straightforward, quick and painless process). I ran TDSSKiller once again after I successfully booted into W7, and this was the result:
    http://i.imgur.com/WLPXv.jpg
    http://imgur.com/XLXDW
    after a repeated scan
    http://imgur.com/8L87e

    Now how am I to interpret this? TDSSKiller has given me confirmed false positives in the past, but this one seems genuinely suspicious. As you can see in the 1st screenshot, I opted to quarantine the threat, while the following result window (2nd screenshot) says in big bold letters "No threats found" and just under that lists found threats = 1, quarantined objects = 2. That's ambiguous, to say the least. Even less comforting is that a second scan (3rd screenshot) still finds the same threat despite it supposedly having been quarantined in the first one. Which leaves me with the following questions:

    1. Is this a real infection and if so was it the culprit of my previously described problem (presumably yes if it's real)?
    2. Is this threat neutralized after the TDSSKiller quarantine or not?
    3. There have been USB keys exchanged between this "infected" system and others. I have scanned the others with TDSSKiller as well and it came up empty. Can I safely assume the infection, if it happened, was contained to this W7 system? If not, how should I go about properly diagnosing and cleaning the USB keys and systems?
    4. What additional scans of the W7 system would you recommend now?

    Thanks in advance for your help and information.

    UPDATE: upon reboot, TDSSKiller returns a completely clean slate, 0 threats.
     
    Last edited: Feb 16, 2012
  3. AlexC (Registered Member; joined Apr 4, 2009; posts: 1,280)
    I would recommend Hitman Pro, Malwarebytes and Emsisoft Emergency Kit.

    Hitman Pro: hxxp://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/Hitman-Pro.shtml

    MalwareBytes: hxxp://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml

    Emsisoft Emergency Kit: hxxps://www.emsisoft.com/en/software/eek/
     
  4. SheikYorHips (Registered Member; joined Aug 6, 2008; posts: 5)
    Thanks a lot for the tips Alex, I'll do that. I was beginning to think I did something wrong, for lack of replies. In the meantime I also installed the trial version of Kaspersky, updated its database and performed the scans offered (full, vulnerabilities), and those also found nothing, fortunately.

    Update: scanned with all 3 recommended apps and they all came up empty-handed, so I guess I can conclude the system is clean, right?
     
    Last edited: Feb 17, 2012
  5. AlexC (Registered Member; joined Apr 4, 2009; posts: 1,280)
    If you did full scans with updated TDSSKiller, Kaspersky AV, Malwarebytes, Hitman Pro and Emsisoft and all came up with nothing, I think it is highly probable that your system is clean :thumb:
     
    Last edited: Feb 17, 2012
  6. SheikYorHips (Registered Member; joined Aug 6, 2008; posts: 5)
    Cheers and thanks :)
     