Malware, BadWare, ScareWare, RansomWare, just make you MadWare. I couldn’t get back far enough to find the cause, but the brief version began with a call well before business hours from a client…
I didn’t get to see all the problems, as he tired to fix it first, before deciding this was something different. The story goes like this: “I had a message on the screen to upgrade [not update] Avast.” He did as directed, and it said it had to reboot. When he came back to the login screen, all three users were presented and he clicked on his own icon. In he went, to a balck desktop, missing all but the public icons. When he started Outlook 2007, it took him to the new install, set up a new account wizard.
He ran a restore point, yet the results were the same. He left me a message.
I go there and began to look for the associated “hide all your icons” malware, but the user documents folder was empty…not even any hidden files, just like a new Windows 7 user would be. Found the Outlook .pst, and it was very small, but there with a new date. His desktop folder had none of his files/icons, so this left me wondering what was up. I pulled up the cmd line and what caught my eye was the initial directory was “C:\Users\TEMP>,” not one named for his user, as he signed in under.
From here, I wondered what was up, so I went to regedit and did a serach for “\users\temp.” I got the result I was looking for (in HKey_Users), but it was the surrounding registry entries that clued me to the fix required: The malware had taken the normal -1000 (first user) and had renamed in with a “.bak” extension, and then in the now existing -1000 user settings, it had used his login in name, but pointed his settings to the “\user\temp” folders, which now explained the absence of any of his files.
I went back to Windows Explorer and confirmed all his files were actually in the user folder bearing his name, and then, being a bit smarter on the problem, noted the temp user folders were, of course, like a brand new user.
The repair was simple at this point: Rename the offending -1000 user with a “.bad” extension on the entry, then removed the “.bak” from his real -1000 user entry. Of course, I first backed up the registry as it was, just in case I would find out this wasn’t the case, and then, with the changes in place, restarted the system and all was now back to normal.
Still can’t tell you the exact cause, but the symptoms were a solid black desktop, and empty files for My Documents/Pictures/etc, and Outlook wanted to create a new install for a new user. All it turned out to be was the infection had copied and renamed the proper user registry entry, and put iteslf in is the user, and, while using the the correct user name, it was sending the coputer to the new “TEMP user name, now new and empty folders.
The reboot after correcting the registry entries worked fine, and that was two weeks ago.