For the Virus Experts

[mjakob42]

G'day, SFO!

 

Okay, so I got a weird virus today. I turn on my computer and a good portion of my files had been deleted - not to mention there was a program NOT installed/downloaded by myself called "Internet Checkers" if I recall correctly. I did a system restore and everything is fine now, but I was curious as to what kind of virus I ran into and what kind of action to take in case this happens again. Thank you!

[Arashikage]

Internet Checkers is a stock program from Windows.  It's the game Checkers but on the internet with others.

http://windows.microsoft.com/en-us/windows7/internet-checkers-how-to-play

 

As to what you had, I have no idea what it was.  But I doubt it was Internet Checkers

[Pgpaw3]

No idea what virus this could have been, but there are some nasty ones out there.

 

Best thing I can suggest for the future is constantly do anti-virus scans, make sure your antivirus is actively defending your computer and is up to date, and to regularly make restore points and back ups of all the data on your computer.

[DZComposer]

This is a classic symptom of hard drive failure. I highly advise making backups and running a HDD diagnostic.

[sroberson]

Wouldn't disk failure that causes loss of files just make the entire OS unusable and corrupt? Not only that, but there would still be references to the damaged files on the drive, just it wouldn't be able to be run or opened.

[Arashikage]

It depends, shortcuts are files too.  And when a hard drive fails it doesn't have to corrupt system files.  Anything on the disk is fair game.  

[sroberson]

I just find it unlikely that files would appear to be deleted without a sign of corruption and without having some sort of reference to the file located somewhere (even executables could appear and try to reference other program files that are damaged...like a shortcut that can't find the referenced file). I guess it could happen though.

Maybe the symptoms havent been described thoroughly enough to make good guessing.

[Dr. Orange]

I'm with DZ. I just think it's a Drive accidental or something not working right. But if your convinced its a virus, scan your recent websites, files (Get a Security program like Norton or AVG first though) and hope for the best.

[DZComposer]

In my career I've seen many many hard drives fail. They don't all immediately fail catastrophically. If the file pointer in the MFT is corrupt, the file system may just ignore it. When you delete something, you don't actually erase it. You just remove the file pointer in the MFT. To actually erase something, you need to write over it. BTW, the MFT being corrupt is scarier than files being corrupt because if the entire MFT gets corrupted the partition gets completely hosed. It is also possible that the drive is fine but the MFT got corrupted somehow (losing power during a write operation, perhaps?)

If course, I'm not 100% certain not having seen the machine myself.

[sroberson]

Would Windows simply delete files that the MFT couldn't access?  Or would it leave it in place and show errors about it not being accessible or the file being missing?  I guess I was thinking Windows wouldn't delete the files but continue to try and reference it as a User encounters it (of course if the MFT failed to access system files then that would result in a broken OS without user intervention). 

[mjakob42]

Alright, everybody, first off thanks for all the advice (especially from DZ - as soon as I get home and get my TB drive I'm going to back up all my stuff). Second, a couple things I'd like to add:

 

- I forgot to mention in my initial post that the deleted files weren't totally gone - they were in the recycle bin, in which case is that still a sign of HDD failure?

 

- Over the past couple of days, my computer needs to install updates every time it shuts down.

[AAAA]

No HDD failure would not place files in the bin. I'm sure some programs can be set to and files there... It doesn't sound like a virus. Does anyone else have access to the pc?

Secondly download a copy of hyrems door disk. And scan the hdd for errors as well as run the repair functions.

More often then not that's all a pc shop will do is run hyrems on your hdd then charge you for a new one.

Defrag more regularly will help but I suggest using auslogica

And you can try scanning with "malwarebytes anti malware"

See if anything bad turns up. Honestly it's one of the best windows scanners around

Kapersky is next in line but often if and I stress the IF a virus gets a foothold no antivirus will repair the damage it's done you need to clean up the system and either reinstall or recover to a point before you had the virus.

1. Download and run malwarebytes

2.use auslogica to defrag and check for errors

3. carefully use hyrems.. That may be spelt wrong but just google it get the latest version and carefully run it you have to boot it like an install dish so insert then boot the pc.

Read up on using it first would be a good idea.

But basicly if malwarebytes doesn't find anything I would do the next steps

If after all that this occurs again someone or some program is placing it's files in the bin

What type of files were they?

[DZComposer]

Would Windows simply delete files that the MFT couldn't access?  Or would it leave it in place and show errors about it not being accessible or the file being missing?  I guess I was thinking Windows wouldn't delete the files but continue to try and reference it as a User encounters it (of course if the MFT failed to access system files then that would result in a broken OS without user intervention).

The MFT is how the OS knows whether or not a file exists. If a file doesn't doesn't have a record in the MFT it doesn't exist. In fact, when you delete a file the system does not erase the file off the disk. It simply removes the file's entry from the MFT and marks its sectors as available for use.

If the MFT is corrupt, instead of the record of the file there would be garbage there. Garbage != file location on disk, so the OS would report the file doesn't exist. If the MFT is completely hosed, the OS won't even boot.

Only way Windows would know anything about that file is if some program wanted to access it. Windows would go to the MFT to look the file up, find no record, and return the dreaded "File not Found" error.

If the file itself was corrupt but not the MFT, Windows gets its location from the MFT, but when it goes to the mentioned sectors, it only finds garbage. Unless Windows is natively-built to process that file, it won't know it's garbage. The application requesting it would try to read it and bail out complaining that something is wrong with the file.