I had an interesting task today. My manager came in in a blind panic telling me that all of the files on her computer had been deleted and the hard drive had broken: is there anything I can do? Well, ok, let me have a look… She boots up the machine into Windows, which was the first odd thing, and when she signs in a program pops up called Windows Recovery, looking fairly official, and there are a ton of “Critical Errors” popping up from the system tray, the desktop background is blank and every file on the computer is gone. I can see why she’s panicking. For a moment I’m confused, as this laptop is always run on a secure network, so I thought it unlikely to be malware, but it’s obvious that the hard drive isn’t busted: it’s booted into Windows, so malware is the only logical conclusion.
So how can it be fixed? Interestingly, as soon as I tried doing anything slightly complicated, such as opening a CMD window, it restarts the computer, which resets it and runs through the myriad of “error” windows again. So I need to quit this application before I can do anything at all; the task manager won’t open, so I need to find another application to do it for me. A quick google and I find iExplore, which successfully killed the application. Nice.
Next is to get all of the offending programs deleted, which would be easy if our network weren’t blocking every useful site under the sun. Ok, I’ll tether my Mac to the iPhone and download it that way. A quick USB switch later and it’s on the affected laptop. Spybot should get it done, but just in case I’ll also put on the free version of Malwarebytes. Install both of those and run the scans. They take a while, but it’s best to be thorough. They find quite a lot; get rid of the malware and restart to complete.
Great, but on restart all of the files are still missing… crap. I doubt that the software deleted the files, but an obvious ‘show hidden files’ isn’t going to cut it, and I’m not going to go through every individual file and unhide it by hand even if it did. Need another way. Another quick google comes up with this little gem: unhide.exe. Download (once again through the tethered Mac) and run. It took a while, giving me reason to think that it wouldn’t run at all, but eventually all of the files pop back up in the window and a quick check shows that all of the files have been restored.
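For anyone who wants to see what unhide.exe is doing under the hood, here is an added PowerShell example (not from the original post and not the unhide.exe tool itself) that does the same job in a checkable way: it walks a user profile, reports every user file or folder carrying the Hidden attribute that Windows would not normally hide, and only clears the attribute when run with -Fix. The profile path is a placeholder, and the list of names to leave hidden is my own assumption about what a stock profile keeps hidden. Run it after the rogue process has been killed and the scanners have finished, since the malware re-hides files while it is still running.

```powershell
# Added example, not the original post's tool: report and optionally clear the
# Hidden attribute that fake "recovery" rogueware sets on user files.
param(
    [string]$Root = "C:\Users\USERNAME",   # placeholder profile path (assumption)
    [switch]$Fix                            # without -Fix the script only reports
)

# Items Windows keeps hidden on purpose (assumed list); leave these alone.
$keepHidden = @('desktop.ini', 'ntuser.dat', 'ntuser.ini', 'thumbs.db')

# Collect hidden, non-system user items. -Force is needed so Get-ChildItem
# returns hidden entries at all.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0) -and
        ($keepHidden -notcontains $_.Name.ToLower()) -and
        ($_.FullName -notmatch '\\AppData\\')   # AppData is hidden by default
    }

"Hidden user items under ${Root}: $($items.Count)"
$items | Select-Object FullName, Attributes | Format-Table -AutoSize

# A rogue that hides everything usually leaves hundreds of hits; a clean
# profile leaves close to none. Review the list before applying -Fix.
if ($Fix) {
    foreach ($item in $items) {
        # Clear only the Hidden bit; keep ReadOnly, Archive, etc. as they were.
        $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
    }
    "Cleared Hidden on $($items.Count) items."
}
```

Running it once without -Fix gives you the before-and-after evidence that the files were hidden rather than deleted, which is the detail that matters when you are explaining to an owner why their data is not actually gone.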
So a lot of work to undo something that looks like it was downloaded by clicking through a link on a dodgy website. Moral? On the web, if you don’t know whether it’s real, don’t go near it. However, the manager was delighted, as she thought the whole computer was a lost cause… sometimes it pays to know about computers.