Doctor, doctor, tell the news, I got a bad case of computer blues
November 15, 2011 5:33 AM

My home computer seems to have been attacked, and possibly wiped of all programs and files, by some kind of virus. Is there hope for my computer or is all my data (which includes 75% of a rough draft of a novel) hopelessly lost?

Last night I turned the computer on and found that when it boots up there’s… nothing on it. All my programs and files seem to be gone. When I click on Start, it’s blank. After it’s been up and running for a bit, weird things start happening. I get twenty or so pop up messages saying that my computer can’t open various systems folders.

Then I get a program starting up that’s called “System Restore” and claiming that it will scan and fix my computer and giving me a listing of the things that are supposedly wrong with it but that sound like bullshit (i.e., “memory RAM temperature is 82 degrees Celsius”). Then it claims it can only fix some of the problems, and demands that I subscribe to the program so it can fix the others. I’ve tried booting up in Safe Mode with networking, but my computer is still blank, and when I’ve tried to run a system restore to an earlier date, I can only get as far as picking a back up date before the program just seems to stall – I click on “Next” and nothing happens.

Is there anything that can be done? Keep explanations simple and clear, please, as I am but a humble technopeasant.
posted by orange swan to Computers & Internet (21 answers total) 3 users marked this as a favorite
 
Response by poster: Just did some Googling — could I have gotten what's known as the Fake Windows System Restore virus, and will the info on this page work for me?
posted by orange swan at 5:43 AM on November 15, 2011


Sounds like a virus. DO NOT run that app. This may help (tl;dr: use Malwarebytes).

Above all, take this as a warning: back up your stuff! With freely available tools like Dropbox, Mozy, etc., it's fairly simple to keep at least a folder's worth of important stuff backed up to the cloud.
posted by mkultra at 5:43 AM on November 15, 2011 [1 favorite]


Don't take a chance on trying to do any more by yourself. Take the computer to a computer professional who will be able to fix the problem without potentially losing your data.
posted by JJ86 at 5:50 AM on November 15, 2011 [6 favorites]


Because you get the same thing when in Safe Mode, it sounds like a virus I encountered this past summer. Malwarebytes will not work on this one. Not the version I used this summer anyway.
What this virus did is make your profile folder hidden and read only as well as some other system folders. So when you boot up it creates a temp profile folder to use since your primary one is inaccessible.
You can put this drive as slave in another PC and then reclaim "ownership", unhide, and make write accessible for the Profile folder to get your files back. But it would take too long to do the same for all your program and system folders. I suggest reformatting at that point, after you have recovered your files.
P.S. The files are there, you can see them by creating a new profile, log into that at boot up then set your folder view to show hidden files and folders.
posted by udon at 5:53 AM on November 15, 2011 [1 favorite]


Hey, I just had this same thing happen to me a couple of weeks ago. This system restore virus is a nasty son of a bitch. Your files are all still there, the virus just hides them. Start in safe mode with networking, look up removal processes online (Malwarebytes is the one I used), and go through your control panel, clicking properties and unhiding your files. I'm sure there's probably a better way to do this, but I'm extremely non tech-savvy. Best of luck.
posted by Krazor at 5:57 AM on November 15, 2011


Or what udon said. That too.
posted by Krazor at 5:57 AM on November 15, 2011


Because you have very serious work on it: Turn it off. Take it to a professional. A data recovery professional, not a generic IT fixer guy. IT fixer guy would be OK, but you have a novel on there, so take it to a data recovery company.

Then look into backups when you get it running again. CrashPlan is not bad, and can be used for free to back up to external drives and to other computers.
posted by krilli at 6:08 AM on November 15, 2011 [2 favorites]


If it were me I would boot to a live Linux CD like Ubuntu or something which would allow me to see what is or isn't on your old disk without the malicious code on it executing or making any changes to it. If you can find the files, copy them off to another media. I would use 10.04 LTS instead of the newest flashbang version, personally.

If that didn't work, then I'd look to a recovery pro.
posted by Edogy at 6:17 AM on November 15, 2011 [10 favorites]


Seconding Edogy. Go to another computer and burn a Linux CD (I recommend Knoppix but Ubuntu would also work). Then, put this CD into the infected computer, plug an external drive in and reboot and see if your files are there. You should be able to copy files from the infected computer to the external drive.
posted by a womble is an active kind of sloth at 6:29 AM on November 15, 2011 [2 favorites]


There's a lot of amateur advice in this thread. The long story short is that your data is FINE, it's just being hidden by a nasty little trojan and rootkit. Running Malwarebytes in Safe Mode may make the computer usable, but by NO MEANS will this secure the system.

Depending on the level of your geekiness, you could do what "a womble..." or Edogy say, although I'll recommend Linux Mint or PartedMagic as they're easier to deal with in my personal opinion.

Do this, back up all important files (don't forget bookmarks, documents, etc.), and nuke it from orbit (wipe and reinstall). The system IS recoverable, but not in a reasonable amount of time with someone with limited skill. Failure to eliminate it fully just brings it back as soon as you reboot.
posted by TomMelee at 7:51 AM on November 15, 2011


Using a Linux live CD (see answers above) GET YOUR NOVEL BACKED UP! Once that's been done, you can work on restoring your computer with less anxiety.
posted by Obscure Reference at 7:58 AM on November 15, 2011


I believe it's a virus called "Fake Frag". I do online tech-support full time, and have run into this. One of the things it tends to do is hide all your files and move them to another folder. See:

http://www.symantec.com/security_response/writeup.jsp?docid=2011-050610-4459-99&tabid=2

If you don't know what you're doing, take your machine to someone who does. Make sure they know your data is almost certainly still there but just hidden. It doesn't take long to fix/recover if you know what you're doing. If you don't, it seems like it would be pretty easy to _really_ lose all your files. Once your files have been backed up on CD or an external hard drive and verified, have them format your hard drive and reinstall your OS. Good luck.
posted by Death by Ugabooga at 8:41 AM on November 15, 2011


Just so you don't feel lonely - I got hit with this virus this morning. It has pretty much ruined my work day.

The good news is, I run nightly backups of all of my data. I am in the process of re-imaging my system right now. Theoretically I could ultimately fix my current system, but the simple truth is I wouldn't feel safe with it even if I did. I'd rather nuke the whole thing and start fresh with a clean image that I know is good. Better to spend a day wiping and re-setting things up than spend weeks or months not sure if my system is trustworthy.
posted by Lokheed at 9:37 AM on November 15, 2011


I got something similar about a week ago, and I was able to use an Ubuntu CD (as suggested by a couple of folks here) to pull my files onto an external hard drive.

The next day, someone broke into our house and stole my laptop and the external drive.

The universe didn't want me to have my files.
posted by hotelechozulu at 10:25 AM on November 15, 2011


Make an image copy of your drive before you do anything. That way, if you F-up, you have still got data to work with. Deleted files can often be recovered so you want to image the drive not just copy the files off it.
posted by epo at 11:30 AM on November 15, 2011


deezil's profile is full of links to useful tools.

I got hit by one like this too -- on a laptop with a very-out-of-date McAfee installed. My own lazy fault!

For me it was a fake-system-restore Trojan backed up by a rootkit. It doesn't remove your files, it hides them and tries to extort you to buy their "tool" to fix the "system problems".

I had success with this guide, after a long struggle.

Eventually I was able to run from Safe Mode:
1) one of the renamed versions of rkill
2) the normal version of TDSSKiller (from the Kaspersky link in deezil's profile) DID NOT WORK for me, it failed to start; searching Google for "TDSSKiller won't start" or similar brings up a post on the Kaspersky forums (from a Kaspersky employee) with a version that is just named "T" that was able to run and remove the underlying rootkit
3) Malwarebytes Anti-Malware removed the Trojan

and then ran the same from normal mode -- no further nasties found.

and then ran the unhide tool (linked from the guide above) which moved back the files that were hidden.

and then ran all the detection tools deezil lists to be sure that there was nothing else lurking.

I consider myself reasonably experienced and found this very challenging to fix.

The suggestions above to (1) use a Linux Live CD to get the files you want off the machine and (2) reformat and reinstall Windows are probably easier and safer if you're not confident about thoroughly eradicating the nasties.
posted by We had a deal, Kyle at 11:56 AM on November 15, 2011


Do you have access to a clean computer where you can burn a CD? I currently use UBCD, and have used Knoppix. You download a .iso file, and burn it to CD as a bootable disk. Then, you boot up with the disk, and use that for your operating system, and it can view your hard drive.

If you aren't super-confident, bribe a friend with strong IT skills (pie is my preferred bribe), or take it to a pro.
posted by theora55 at 11:58 AM on November 15, 2011


The Sauce household got a dose of this last week and it made me want to crotchpunt a motherfucker. So, sympathies.

Like others, we booted into an alternative OS (SystemRescueCD) and used that to rescue the files from the laptop onto a large USB drive. After verifying the backup by mounting it on another computer, we paved the laptop back to its factory settings and reinstalled everything.

I don't think I can give you a nice clear recipe for what we did, because details of your laptop might differ substantially from ours. If you are not computer-savvy, then please seek the assistance of someone who is.

(note, the guys who do SystemRescueCD are true warriors of the light and proof that Good still exists in the world.)
posted by Sauce Trough at 1:54 PM on November 15, 2011
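
Added example (not part of any comment in this thread): the copy-then-verify step that several answers describe, as it might be run from a live Linux CD. The mount points, the `sdXN` device name and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed setup: the live CD is booted, the
# Windows partition is mounted read-only at /mnt/win and the external drive at
# /mnt/usb (placeholder paths), for instance:
#   mount -o ro /dev/sdXN /mnt/win    # sdXN = placeholder for the Windows partition
# A Linux live system does not hide files that carry the Windows "hidden"
# attribute, so a hidden profile folder is listed and copied like any other.

# manifest DIR: print a sorted "sha256  ./relative/path" line per regular file.
manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# verify_copy SRC DST: succeed only if every file under SRC exists under DST
# with identical content. Mismatched or missing files are named on stderr.
verify_copy() {
    m=$(mktemp) || return 2
    manifest "$1" > "$m"
    ( cd "$2" && sha256sum -c --quiet "$m" ) >&2
    rc=$?
    rm -f "$m"
    return "$rc"
}

# rescue_copy SRC DST: copy the tree, then let the checksums decide.
# Returns 0 verified, 1 verification failed, 2 bad arguments, 3 empty source.
rescue_copy() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 2; }
    if [ -z "$(find "$src" -type f | head -n 1)" ]; then
        echo "no files under $src (wrong partition or mount point?)" >&2
        return 3
    fi
    mkdir -p "$dst" || return 2
    # "$src/." copies the contents, dotfiles included. cp may complain about
    # ownership it cannot preserve on a FAT/NTFS target; that is not fatal here.
    cp -a "$src/." "$dst/" || echo "cp reported errors, verifying anyway" >&2
    verify_copy "$src" "$dst"
}

# Typical call (paths are assumptions):
#   rescue_copy "/mnt/win/Documents and Settings/yourname" /mnt/usb/rescue
```

Re-running `verify_copy` against the same external drive once it is plugged into a second, clean computer repeats the check before the original disk is wiped.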


And unless you're really, really attached to Windows for some reason - go ahead and install a Linux distro instead of Windows! Viruses really aren't a problem, many of them are super user-friendly and fun (Try Mint, Ubuntu, or my fav, Kubuntu), and there's all manner of free/open-source software so that you can do everything you could do on Windows and more.
posted by nosila at 2:04 PM on November 15, 2011


I've used Ultimate Boot CD to get a system back up and running after a virus scare much like this.

As for nosila's suggestion of switching to Linux -- he's right and not right. You CAN'T do everything you could do in Windows. Some games do NOT work in Linux at all (the Sims games are a very popular example of this). It's more accurate to say there's all manner of free/O-Source software to do many things you could do in Windows, in a similar fashion.
posted by Heretical at 2:36 PM on November 15, 2011


Response by poster: Well, I tried to fix the virus myself using files from the link I posted in the first comment, and was unable to do so. I ended up taking the computer (via TTC, which was not fun) to a computer guy who fixed it. He had to copy all my files and wipe the hard drive as he said there were a hundred viruses on it. It's back to normal now and from now on I will be more vigilant about doing my virus protection updates. This was my third scam virus this year, sigh.
posted by orange swan at 4:25 PM on November 19, 2011

