Spyware, Viruses, & Security forum

General discussion

Files have vanished

by VistaVictim / May 7, 2013 2:52 AM PDT

I switched on my Windows 7 laptop around an hour ago to find that my desktop had completely changed, most icons have gone missing or hidden. Pretty much the rest of my files has gone missing as well, chrome required me to log in, all my usernames and favourites have been forgotten by chrome, my browsing histories have been wiped.

I did an AVG svan and nothing came up.

I Googled around a bit and this feels a lot like the symptoms of the Windows Restore virus, only there's no indication of that (eg Windows Restore windows) on my computer at the moment.

I've restarted about 5 times, nothing changes.

Any ideas?

Post a reply
Discussion is locked
You are posting a reply to: Files have vanished
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Files have vanished
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
by VistaVictim / May 7, 2013 3:07 AM PDT
In reply to: Files have vanished

also, my MS Word docs do pop up in a taskbar search but when I click to open they are blank. So maybe there is some kind of masking virus at work...

Collapse -
A corrupt profile can do that too.
by R. Proffitt Forum moderator / May 7, 2013 3:14 AM PDT
In reply to: Files have vanished

It's a well discussed area so I'll shortchange you a little here. When the profile is messed up, windows might create a new one (how nice?) and the desktop looks blank.

It's also possible you didn't log in under your own account so log out and see if you see your old account.

Given how the profile can get corrupted it's just another reason why we backup what we can't lose.

Collapse -
sadly no
by VistaVictim / May 7, 2013 3:34 AM PDT

unfortunately that's not it as there's only one profile on this laptop. i logged in again fwiw and no change.

another clue, all the text on the icons looks a bit rudimentary, as if I'm in a different mode or a simpler, older form of windows. Chrome interface also appears to have a marginally different font.

But the biggest clue is that Task Bar search can actually pull up my documents, which are blank when opened, even though no documents appear in my old documents folder

Bob I trust you as you've helped me a few times before - would gladly give you remote access if possible / allowed

Collapse -
One more time.
by R. Proffitt Forum moderator / May 7, 2013 3:40 AM PDT
In reply to: sadly no

Before we turn to Grif's scan suggestions, please boot to SAFE MODE (I'll supply a link in a second) and try all accounts there.

Be sure to try file explorer to look around for your documents while in safe mode.

For Vista, here's safe mode -> http://windows.microsoft.com/en-us/windows-vista/start-your-computer-in-safe-mode


PS. If that's not finding your files, run RKILL and supply the output for me to take a look at. For now, only RKILL please. Here's Grif with the tools ->http://forums.cnet.com/7726-6132_102-5098912.html?tag=posts;msg5099421

Collapse -
am in Windows 7
by VistaVictim / May 7, 2013 3:44 AM PDT
In reply to: One more time.

just an fyi - am a real novice and not sure how to start in safe mode

Collapse -
It's the same F8 key for 7.
by R. Proffitt Forum moderator / May 7, 2013 3:48 AM PDT
In reply to: am in Windows 7

Sorry I didn't re-read it all and just took your name and went for it.

Collapse -
by VistaVictim / May 7, 2013 3:56 AM PDT

no problem. Ok, so I restarted in Windows 7 Safe Mode, and of course my internet dongle doesn't work in Safe Mode. Do you want me to go out and get to a WiFi place, do you think that will work in Safe Mode? Or do you want to give me a list of instructions for me to carry out offline?

Collapse -
While in Safe Mode
by R. Proffitt Forum moderator / May 7, 2013 3:59 AM PDT
In reply to: ok

I look for my files again and have RKILL handy for Safe and the normal boot to sniff out what it could be.

Look at Carol's advice too.

Collapse -
IF it's not a corrupt profile..
by Carol~ Forum moderator / May 7, 2013 3:44 AM PDT
In reply to: Files have vanished

IF it's not a corrupt profile and you say it sounds (although not to me) like the symtoms of the System Restore rogue did you try any of what's suggested in the removal guide? Like the Rkill tool, unhide.exe and scanning with Malwarebytes' Anti-Malware?

It may be a long shot, but did you try disabling the System Maintenance troubleshooter?


Collapse -
yes and no
by VistaVictim / May 7, 2013 3:58 AM PDT

yes i did try unhide.exe but i got a dialogue box saying it coulndt run. will now try disabling the System Maintenance troubleshooter, Malwarebytes' Anti-Malware and Rkill tool.

But you say it doesnt sound like System Restore rogue. In that case, what could it be, do you think?

Collapse -
Slow down a moment.
by R. Proffitt Forum moderator / May 7, 2013 4:00 AM PDT
In reply to: yes and no

I like to see what we're dealing with before we hit it with all the scans. RKILL alone may cough up a good clue.

Collapse -
by VistaVictim / May 7, 2013 4:16 AM PDT
In reply to: Slow down a moment.

oddly enough am trying to download Rkill.exe, it appears to complete download and then vanishes. No sign of it in Downloads folder, nor Task Bar search. Tried 3 times.

Collapse -
Re: RKILL vanishes
by Kees_B Forum moderator / May 7, 2013 4:27 AM PDT
In reply to: odd

Then download on another PC, copy to your USB-stick and run from there.


Collapse -
by VistaVictim / May 7, 2013 7:58 PM PDT
In reply to: Re: RKILL vanishes

I followed your instructions and got Rkill onto a pen drive at an internet cafe, then tried to run it off that on my laptop but it fails to run, what looks like a black DOS window appears for a millisecond, with what I think is the line 'Failed to find path...'

I was able to install Malwarebytes, I ran it and it found 0 problems.

AVG continues to function, and finds nothing.

I had an unprecedented screen-freeze crash today.

Also unprecedented, my internet dongle is frequently unrecognized and required pull out/push in action several times today.

I note that despite my vanished files, my 52 GB C drive only has 5 GB of space left on it, afair this was not the case prior to this 'vanishing files' problem. My 67 GB E drive has 65 GB free.

By the way, am working on a high-end Samsung 900x bought new, just 5 months ago.

Collapse -
Re: DOS window
by Kees_B Forum moderator / May 7, 2013 8:23 PM PDT
In reply to: next

Then run it from the command prompt. Start the command promot and type the full filename (like e:\rkill.exe) and enter. Then you'll see the full error message.


Collapse -
in the meantime
by VistaVictim / May 8, 2013 7:15 PM PDT
In reply to: Re: DOS window

at the internet cafe mentioned earlier the owner took a look at my laptop with software named Compufix, which he says he swears by. It did indeed manage to restore the content of e.g. MS Word files that had opened as blank (as mentioned above). He then saw that all the files were in fact there, just that the profile was hiding them. His solution was to create a new profile and move all content from the old one to the new one. This has amazingly recovered about 95% of the information from prior to the problem, with a few annoying omissions such as Skype history having been wiped, which means I lost the record of several important live messaging sessions. The guy like me uses Windows 7 religiously, and says he has never seen anything like the problem on my laptop before. He isn't sure what caused the problematic profile, and isn't ruling out that it could have been malware. Any thoughts?

Collapse -
Corrupt profiles are
by R. Proffitt Forum moderator / May 8, 2013 10:13 PM PDT
In reply to: in the meantime
Collapse -
tks, still slightly odd
by VistaVictim / May 9, 2013 3:43 AM PDT
In reply to: Corrupt profiles are

thanks, the odd thing is that if it was purely a Windows fault, it wasnt precisely as MSFT say it would be:

On your link it says: "If you tried to log on to Windows and received an error message telling you that your user profile might be corrupted, you can try to repair it. "

Well, there was no error message and zero indication of what had happened - just a totally blank desktop that had been littered with folders, with my MS Word docs. I wonder if that could be a clue that malware had provoked it?

Collapse -
by R. Proffitt Forum moderator / May 9, 2013 4:15 AM PDT

And as you encounter this issue it can indeed be silent. There's a few lessons here. Glad you recovered your files.

Collapse -
Could it be a clue malware provoked it?
by Carol~ Forum moderator / May 9, 2013 8:26 AM PDT

I'm NOT saying this was (or is) the case. You wondered if it could have been a clue malware provoked it. IF it was malware .. and IF you took no action against it .. it would still be there.

Something you may find of interest. It's not meant to scare you, but only to let you know what we're up against these days.

One of the posts in the News thread at the beginning of the week, made reference to a blog post titled, "Rootkit infection sporadically redirects search results in hopes users 'just live with it'

Some excerpts from it:

Recently we have seen an increase in fake installer scams attempting to trick computer users into installing disguised rootkits directly on their machines. In this post, we want to highlight how a scam like this can be installed and infect a machine, including behavior to watch out for....

In the case of this infection, we are utilizing a bogus Adobe Flash Player installer. Normally, this file would be downloaded from a website after a message stating "You need the latest version of Flash to view this video" appears...

Since this is a rootkit, there are no toolbars/extensions/BHO's added to the browser. There are also no modified proxy settings or modified hosts files. What is interesting about this rootkit sample is that the redirects do not happen every time. The action will occur about once every three attempts, where the user will get redirected to a series of sites that are shown below.

The number of redirects caps out around 4-5 and then everything will seem normal until a restart of the browser. This erratic action can make it extremely difficult to troubleshoot. It can also prove to be very frustrating for a user to explain as it is not consistent and once the redirection occurs enough times, the issue stops for the rest of the browsing session. We have seen instances where consumers have just been "living with it" for months.

(The underlining and arrows are mine)

I'm glad to hear everything is back to normal! Happy

Popular Forums
Computer Help 49,613 discussions
Computer Newbies 10,349 discussions
Laptops 19,436 discussions
Security 30,426 discussions
TVs & Home Theaters 20,308 discussions
Windows 10 360 discussions
Phones 15,802 discussions
Windows 7 7,351 discussions
Networking & Wireless 14,641 discussions

Smart Home Help

Light bulbs you shouldn't buy

There are plenty of dimmable LED light bulbs, but make sure you don't buy the ones that flicker when you dial them down.