Status
Not open for further replies.

How to Restore Files & Folders Hidden by Malware?

2K views 16 replies 2 participants last post by Gary R
#1 ·
BRIEF DESCRIPTION OF MY ISSUE
I took my laptop out to work remotely using my phone as a tether. The tethered connection worked just fine, but my laptop could not pick up the signal for some reason and so my phone was not detected as one of the internet access points. I spent time with it but still could not get my phone to show up as one of the internet access points.

When I got back home, it looked like I lost all of my Word files, downloads, everything. I haven't been able to access these files for over a week now. I think, I hope that it's just a case of malware hiding my files from me. Step by step, can you help me with a reliable, tried and true procedure to recover my files?

All of my former Word 2013 docs are missing. The file itself exists on this “shell” of an OS as do the other MS suites. But they’re not populated. All of the documents I’ve accumulated over the last 6 years are missing. Ditto for all of my downloads. The download file exists; it’s just that it’s not populated with the stuff I’ve saved over the same period. It goes without saying that I need both my Word docs and my downloads.

See attachments.
 

#3 · (Edited)
OK, back sooner than expected, and that's because I found the following in your FRST.txt log ...

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 24-05-2020 01
Ran by mwalg_000 (administrator) on MONEYMAKER (Dell Inc. Inspiron 5737) (26-05-2020 18:16:52)
Running from C:\Users\TEMP\Documents
Loaded Profiles: mwalg_000 <==== ATTENTION (Temporary Profile?)
... which tells me that your computer is booted to a temporary profile.

This can happen either when your User profile gets corrupted during normal usage (which, although rare, does happen from time to time), or when Malware deliberately corrupts it.

So, the first thing we need to establish is which it is.

So ..... please do the following ....

  • Right click Start and select Shutdown or sign out > Restart and allow your computer to completely power down.
  • When your computer has finished restarting see if your problem is still present.
  • If it is, repeat the process another 3 times, each time making the same restart selection.
  • Please let me know what happens.
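A way to confirm the temporary-profile diagnosis from inside Windows, added here as an example and not part of Gary R's post. It reads the ProfileList registry key (when a profile fails to load, Windows sets the entry for that SID aside as <SID>.bak and logs the user on to C:\Users\TEMP instead), checks which profile path the current session is actually using, and pulls the User Profile Service's event 1511 ("logging you on with a temporary profile") entries from the Application log. The registry path, event ID and cmdlets are standard Windows; the function name `Get-ProfileHealth` is mine. Run it from PowerShell in the affected session.

```powershell
# Added example: is this session running on a temporary profile, and which
# ProfileList entries has Windows set aside as <SID>.bak?
# Assumption (documented Windows behaviour, not taken from the thread): a
# profile that fails to load gets its ProfileList key renamed to <SID>.bak
# and the user is logged on to C:\Users\TEMP, which is discarded at logoff.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileHealth {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $report = [ordered]@{
        User            = $me.Name
        Sid             = $me.User.Value
        ProfilePath     = $env:USERPROFILE
        # Temporary profiles live under C:\Users\TEMP (sometimes TEMP.<suffix>).
        OnTempProfile   = ($env:USERPROFILE -match '\\Users\\TEMP(\.|$)')
        BackedUpEntries = @()
        TempProfileEvents = @()
    }

    # Any <SID>.bak key is a profile Windows gave up on loading.
    foreach ($key in Get-ChildItem -Path $profileList) {
        $sid = $key.PSChildName
        if ($sid -like '*.bak') {
            $props = Get-ItemProperty -Path $key.PSPath
            $report.BackedUpEntries += [pscustomobject]@{
                Key              = $sid
                ProfileImagePath = $props.ProfileImagePath
                BelongsToMe      = ($sid -eq ($me.User.Value + '.bak'))
            }
        }
    }

    # Event 1511 from the User Profile Service is logged each time Windows
    # falls back to a temporary profile; 1515/1500 often accompany it.
    $report.TempProfileEvents = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-User Profiles Service'
            Id           = 1511
        } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message)

    [pscustomobject]$report
}

$health = Get-ProfileHealth
$health | Format-List
if ($health.OnTempProfile) {
    Write-Warning 'Logged on to a temporary profile: anything saved here is lost at logoff.'
}
```

If `OnTempProfile` is true and a `<your SID>.bak` entry shows `BelongsToMe`, the original profile folder (its `ProfileImagePath`) is still on disk with the user's files in it; the rename is what is hiding them, not a deletion, which is why a clean reboot that lets the profile load again brings everything back.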
 
#6 ·
Well, the first restart attempt took almost 20 minutes to restart.

When the desktop finally loaded, the score or so of programs on there reverted to default display.

The default browser is now MS Edge. I generally set Chrome as my default browser. Oh, and the first web page that opened, an MS Edge page without any URL, had a tab that read "Web Threat Blocked."

Everything is slow. So, yes, problem still persists.

I will try this 3 more times.
 
#8 · (Edited)
The 2nd restart took only 5 minutes to load, so that was promising.

On the 3rd restart, everything returned to normal . . . well, my normal. Downloads, Word 2013 files, everything on the desktop repopulated to where I'd left it.

How, er, why did this work, the three restarts?

Wow! Can't believe it worked. Just, wow!

Thank you so much, Gary R. Terrific.

I'd better get an external drive to save ALL of my files just in case. Do you have a recommendation for that?

And my computer still runs a little slow. I wonder what the best approach is to improve that.

But thank you so much. This is a huge relief. Thank you, Gary.
 
#9 ·
Glad to hear you got your files back.

To be honest I'm not exactly sure why it sometimes takes 3 or 4 tries before a corrupted User profile gets repaired, I just know that it does sometimes take that long.

Can you please run a new scan with FRST, and attach the new FRST.txt and Addition.txt logs so I can see whether there's anything untoward that needs attending to. Could be it might provide an explanation to why your computer is running slowly.

As far as backups go, I store mine on a detachable hard drive which I plug in via USB. I don't recommend USB flash drives because they're not reliable and have a habit of failing when you need them not to.
 
#10 ·
Gary,

Sorry for the delay. My work schedule is such that I had to sleep earlier and I am heading out to work in a few minutes. I started the scan. If it finishes before I leave, I'll get it to you. Thank you very much for your remarkable efforts, man.

Gabriel
 
#12 ·
Well, looks like there's a new problem. I've scanned my computer twice with the Farbar Recovery tool and received this message both times:

Sorry, you have been blocked
You are unable to access platforumedge2.network
Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.

What can I do to resolve this?
You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.

Cloudflare Ray ID: 59a52bcbb8bec7cd
Your IP: 67.166.22.61
Performance & security by Cloudflare.

Not sure what to do.
 
#13 ·
Did you get this message when you ran FRST, or when you tried to attach the logs here at TSF?

If it was when you tried attaching the logs here at TSF, please try the following ...

  • Right click on your FRST.txt log, and select Send to then Compressed (zipped) folder
  • Repeat for your Addition.txt log
  • Now try attaching them to your next post.

If it was when you ran FRST, let me know because it may mean we need to run a scan in Recovery Environment to see if you have a Malicious Rootkitted file present.
 
#16 ·
After looking through your latest logs, there are a few things I need to discuss with you, and a few things that need attending to.

First ....

Your log shows that you had 76 chrome.exe processes running at the time the scan was made ...

(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <76>
... so either you had an inordinately large number of tabs open, or there's something wrong with Chrome, possibly an infection.

Next ....

You have a large number of sites that you have allowed to send you notifications in Chrome ...

CHR Notifications: Default -> hxxps://aei-push.os.tc; hxxps://app.gotowebinar.com; hxxps://calendar.google.com; hxxps://drive.google.com; hxxps://learnbuildearn.os.tc; hxxps://mentalfloss.com; hxxps://mg.mail.yahoo.com; hxxps://pulse.tenstreet.com; hxxps://sidehustleschool.com; hxxps://thepodcastfactory.pushconnectnotify.net; hxxps://tomshardware.onesignal.com; hxxps://us-mg5.mail.yahoo.com; hxxps://www.aei.org; hxxps://www.businessnewsdaily.com; hxxps://www.cyberlink.com; hxxps://www.earlytorise.com; hxxps://www.harryanddavid.com; hxxps://www.investors.com; hxxps://www.moneytalksnews.com; hxxps://www.nestmann.com; hxxps://www.princetonreview.com; hxxps://www.tomshardware.com
... please check through them to see whether they are all sites that you have allowed. Notifications can be used as a vehicle to hijack Chrome.

Next ....

You have a large number of extensions installed on Chrome; this will greatly affect its performance. Most of them appear to be legit; however, it's not really a good idea to have so many extensions, even legit ones.

The extensions I've listed below, each raised questions when I researched them, and unless you specifically know them to be from legit sources, I would recommend you uninstall them ...

CHR Extension: (Google Search) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (AutoCAD 360) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcjeclnkejmbepoibfnamioojinoopln [2014-10-24]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2014-11-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-10-05]
CHR Extension: (Floor Plan Creator) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogbnemfckmdpkeeccieeahplnemmbcfg [2014-10-24]
CHR Extension: (Chrome Media Router) - C:\Users\mwalg_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-05-27]
CHR HKU\S-1-5-21-1478717658-117861286-2969353822-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh]
... see ... https://www.timeatlas.com/uninstall-chrome-extensions/

Next ....

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it ....
Code:
SystemRestore: On
CreateRestorePoint:
VirusTotal: C:\ProgramData\SharewareOnSale Notifier\SharewareOnSale Notifier.exe
HKU\S-1-5-21-1478717658-117861286-2969353822-1001\...\MountPoints2: {3cb648ce-c1e5-11e8-8095-74867a530035} - "F:\LG_PC_Programs.exe"
Task: {2DDFA6AC-B14C-4397-9F40-2618043A837C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {3049ABA0-C946-4459-865A-9CC83C015304} - System32\Tasks\G2MUploadTask-S-1-5-21-1478717658-117861286-2969353822-1001 => C:\Users\TEMP\AppData\Local\GoToMeeting\17359\g2mupload.exe <==== ATTENTION
Task: {32F35C06-6ABD-475C-8DEC-151E0C87C725} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {34FC0AA2-4088-4048-A226-AAA119BE3AEE} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {404D06B3-DDC5-4588-9E76-3A75E872DFF6} - System32\Tasks\G2MUpdateTask-S-1-5-21-1478717658-117861286-2969353822-1001 => C:\Users\TEMP\AppData\Local\GoToMeeting\17359\g2mupdate.exe <==== ATTENTION
Task: {481B354C-393C-41AF-8B82-ACE79F49905E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {725D36D3-39EC-452B-B574-18D231103B59} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {76AF4BC1-7E80-4BB2-9D8E-D0ACDE0CB319} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {7AE74350-285C-4119-8B0C-70309C429E52} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {93B3F208-13A4-4928-9A63-6F77B7811DBF} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {9F9CE659-0968-46C0-B7CA-FCC90C4F08A6} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {AE641A21-6ABA-4D51-B2A9-52EACC092FD9} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {CC5786D6-71E3-45FF-A5C3-1E852AF3C8D8} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {E534A6C3-3675-4520-BCC0-9A6424B24DCA} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1478717658-117861286-2969353822-1001.job => C:\Users\TEMP\AppData\Local\GoToMeeting\17359\g2mupdate.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1478717658-117861286-2969353822-1001.job => C:\Users\TEMP\AppData\Local\GoToMeeting\17359\g2mupload.exe <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {41AD9944-DAD6-4794-830D-5DCF36C9A8D8} URL = 
SearchScopes: HKLM -> {41AD9944-DAD6-4794-830D-5DCF36C9A8D8} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = 
SearchScopes: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> {0b4d26f6-61a8-4463-99dd-5f2fe0400fa6} URL = 
SearchScopes: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> {41AD9944-DAD6-4794-830D-5DCF36C9A8D8} URL = 
Toolbar: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Toolbar: HKU\S-1-5-21-1478717658-117861286-2969353822-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
AlternateDataStreams: C:\Users\mwalg_000\Desktop\skitchsetup-2.3.1.168.exe:BDU [0]
AlternateDataStreams: C:\Users\mwalg_000\Downloads\Greenshot-INSTALLER-1.1.9.13.exe:BDU [0]
AlternateDataStreams: C:\Users\mwalg_000\Downloads\jing.exe:BDU [0]
IE trusted site: HKU\S-1-5-21-1478717658-117861286-2969353822-1001\...\genieo.com -> hxxp://search.genieo.com
IE trusted site: HKU\S-1-5-21-1478717658-117861286-2969353822-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-1478717658-117861286-2969353822-1001\...\webcompanion.com -> hxxp://webcompanion.com
FirewallRules: [{07F9F723-A030-4065-B11D-32025E29967B}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{32F9DB7E-A542-4083-B309-A6BC9847F47E}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{4FB70716-497C-414B-9777-598D39E82704}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{00D635ED-F818-4E13-B4A2-DF572BB09A18}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{C5988234-DF9A-47FF-B3E2-AC9C53E0B609}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD10.EXE => No File
FirewallRules: [{E451E5F2-F781-4B72-AA83-0742D5580675}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD Cinema\PowerDVDCinema10.exe => No File
FirewallRules: [{1EE52CF3-71EC-4281-AD98-07B2DB2CB9B4}] => (Allow) C:\Users\mwalg_000\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe => No File
FirewallRules: [{D5594A63-2418-4854-A49F-886BC5FFAEBA}] => (Allow) C:\Users\mwalg_000\AppData\Roaming\Dropbox\bin\Dropbox.exe => No File
FirewallRules: [{732B90D5-10F7-42AD-8120-8E014E42BB70}] => (Allow) C:\Users\mwalg_000\AppData\Roaming\Dropbox\bin\Dropbox.exe => No File
FirewallRules: [{7CF59742-8EBE-470F-BF76-78F1AF74A28B}] => (Allow) C:\Program Files (x86)\Tencent\QQIntl\Bin\QQ.exe => No File
FirewallRules: [{B0F75A75-F423-4236-9764-01A948BA1B35}] => (Allow) C:\Program Files (x86)\Tencent\QQIntl\Bin\QQ.exe => No File
FirewallRules: [TCP Query User{1B7E407C-C3C0-4FB3-A6F5-3D21F47D4FDB}C:\program files (x86)\tencent\qqintl\bin\qq.exe] => (Allow) C:\program files (x86)\tencent\qqintl\bin\qq.exe => No File
FirewallRules: [UDP Query User{3A186174-3B86-415C-AF3F-DC6055AE9953}C:\program files (x86)\tencent\qqintl\bin\qq.exe] => (Allow) C:\program files (x86)\tencent\qqintl\bin\qq.exe => No File
FirewallRules: [{7B9C13B1-1114-4F66-91FD-B607841AAF1E}] => (Allow) C:\Program Files\CyberLink\PowerDirector14\PDR10.EXE => No File
EmptyTemp:
Hosts:
Cmd: ipconfig /flushdns
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log, answer any questions I asked, and let me know how your computer is behaving now.
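The findings Gary R pulled out of the FRST logs (a runaway chrome.exe count, scheduled tasks and firewall rules whose target binary is gone, alternate data streams on downloaded installers, and the list of sites allowed to push Chrome notifications) can be re-checked with built-in cmdlets. The script below is an added example, not part of the thread or of FRST, and does the read-only half of that triage; it does not remove anything. Assumptions: Windows 8 or later (for `Get-ScheduledTask` and the `NetSecurity` cmdlets), Chrome's default profile under `%LOCALAPPDATA%\Google\Chrome\User Data\Default` and the layout of its Preferences JSON as of 2020, and `Expand-ExePath` is my helper. Run it from an elevated PowerShell.

```powershell
# Added triage script: reproduces the classes of finding in the FRST log above
# with native cmdlets. Read-only; it lists, it does not fix.

function Expand-ExePath([string]$raw) {
    # Task actions and firewall rules store paths with env vars, quotes, and
    # occasionally a bare exe name that Windows would resolve via PATH.
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim()).Trim('"')
    if ($p -and -not [IO.Path]::IsPathRooted($p)) {
        $cmd = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue
        if ($cmd) { $p = $cmd.Path }
    }
    $p
}

# 1. chrome.exe count: 76 at once was the first thing the log showed.
"chrome.exe processes: $(@(Get-Process -Name chrome -ErrorAction SilentlyContinue).Count)"

# 2. Scheduled tasks whose executable no longer exists (FRST's "-> No File").
$orphanTasks = Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ($a.Execute) {
            $exe = Expand-ExePath $a.Execute
            if (-not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Task = "$($t.TaskPath)$($t.TaskName)"; Missing = $exe }
            }
        }
    }
}
"`nScheduled tasks pointing at missing files:"
$orphanTasks | Format-Table -AutoSize

# 3. Allow rules in the firewall whose program is gone; harmless on their own,
#    but each one is a pre-approved hole if something else lands at that path.
$orphanRules = Get-NetFirewallRule -Action Allow | ForEach-Object {
    $prog = ($_ | Get-NetFirewallApplicationFilter).Program
    if ($prog -and $prog -ne 'Any') {
        $exe = Expand-ExePath $prog
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Rule = $_.DisplayName; Missing = $exe }
        }
    }
}
"`nFirewall allow rules pointing at missing programs:"
$orphanRules | Format-Table -AutoSize

# 4. Alternate data streams on downloaded executables. The log's :BDU streams
#    are zero-length; a non-trivial stream on an installer is worth opening.
"`nAlternate data streams on downloaded .exe files:"
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    } | Format-Table -AutoSize

# 5. Sites allowed to push Chrome notifications (setting 1 = allow, 2 = block
#    in Chrome's content_settings; key layout assumed as of 2020).
$prefs = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Preferences"
if (Test-Path -LiteralPath $prefs) {
    $json  = Get-Content -LiteralPath $prefs -Raw | ConvertFrom-Json
    $notif = $json.profile.content_settings.exceptions.notifications
    "`nSites allowed to send Chrome notifications:"
    if ($notif) {
        $notif.PSObject.Properties |
            Where-Object { $_.Value.setting -eq 1 } |
            ForEach-Object { $_.Name -replace ',\*$', '' }
    }
}
```

Close Chrome before reading Preferences (it is rewritten on exit), and treat the task list with some care: Windows' own upgrade-era tasks under `\Microsoft\Windows\Setup\gwx\` show up as orphans just as the GoToMeeting ones do, and the G2M entries here point into `C:\Users\TEMP\...`, which is exactly what you would expect from software that was run while the temporary profile was loaded.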
 