Advanced recovery needed - HELP!

[integral_82]

Hi all

I recently found out I had a virus in my computer, and to get rid of it I used a couple of malware-deleting softwares, and finally CCleaner.

 

When the PC restarted, all the preferences/bookmarks had been changed; more importantly, Thunderbird started as if it had never had an account, or emails in it. Tragically as well, no backup exists...

 

All evidence suggests this was caused by the CCleaner wipe, but Im not sure which part(registry?) I did a Windows system restore point, but that didnt help, so my question would be as follows:

 

- Can CCleaner generate a report of what it did, so I can try to restore the files that went missing?

- Can anybody suggest a way of restoring the lost account/files?

 

Ive used Recuva, but im not so familair with it, also posting on their forum.

Any help would be appreciated.

Thanks

[integral_82]

Hi all,

had a tragic incident, where my Thunderbird account and emails were accidentally deleted by CCleaner, and of course, no backup exists...yes, i know ..

I did an in-depth analysis with Recuva, but all it found were some corrupted emails and an empty "Thunderbird email" zip file...

Is there really no way to recover the information? Not even with the premium version of Recuva? Any suggestions welcome

Thanks

[nodles]

You don't need to make double post about the same problem {Linked Removed Threads Merged}.

 

CCleaner doesn't delete Thunderbird emails, but it can clean/remove account details (password, not sure if removes the account/account name).

If you have ticked "Saved Passwords" under Mozilla/Firefox, it removes saved passwords in all Mozilla products (eg. Firefox & Thunderbird).

 

Free and paid versions don't differ, they are the same except you get direct support from devs/Piriform if you pay for it.

 

Which Recuva version are you using? Have you tried "Deep Scan"? Can be found under Options > Actions > tick Deep Scan.

You could also try to tick "Scan for non-deleted files" and see if it helps.

[nodles]

I answered to your (double) post here: {Linked Removed Threads Merged}

[Augeas]

I've merged your two threads, so no double posting please.

 

Try unzipping the Thunderbird email zip file in Recuva. I know it says zero bytes, but it won't when you unzip it.

[integral_82]

Thanks for the replies, and apologies for the double post; was trying to address the causes (CCleaner) and the solutions (Recuva) in each one.

 

Nodles: you mention that CCleaner wont delete emails, but the fact is the Mail folder is empty...I used two other programs to clear the virus_

- DT-Kill, which the developper said after reading the report, that had nothing to do with the deletion

- Malwarebytes' antimalware...which I dont know if it had anything to do with the deleted emails

 

Thats why I wanted to know if CCleaner had a report generating option to check what actions it had taken...

 

The Recuva version is 1.42.544 (64bit). I did the deep-scan (only for mail files though) and got as most promising result the empty zip files, which takes me to...

 

Augeas: Im not sure if you mean there is an option to unzip the file IN Recuva, My recuva doesnt allow many fancy options. As for unzipping it with usual programs, they give error, or produce a 0kB generic file...

 

I do appreciate the help and any further suggestiosn you might have.

[Augeas]

I think you use Recuva to 'recover' it to a suitable folder.

[Nergal]

The Fact that Prefs and Bookmarks were changed coupled with the fact that ccleaner does not touch those items, leads me to believe that this issue was caused by the initial malware. Malware has been known to do some of the following:

1. Move crucial files to temporary folders so that when the user clears temp files those items too are removed
   
2. Mark user preferences, appdata folders, Start Menus "all users" based folders and more as hidden
   
3. reroute the location (using symbolic links) of all of the above
   

 

My guess, and it is just a guess, is that the first of the above may have occurred.

Regrettably, in this case, Ccleaner does not have the ability to recall a cleaned log after it has already been closed and/or rerun. The reason behind this is actually a pretty solid one; if you are cleaning a computer you don't want something that leaves behind, what is essentially, more junk after a clean.

 

I do not believe that the actual issue is in ccleaner but instead in the Malware infection with ccleaner, perhaps, being the unknowing participant in the Malware's chaos.

 

[Alan_B]

but the fact is the Mail folder is empty...I used two other programs to clear the virus_

- DT-Kill, which the developper said after reading the report, that had nothing to do with the deletion

- Malwarebytes' antimalware...which I dont know if it had anything to do with the deleted emails

Had you said that in your first post I would have immediately advised you to look for a Malwarebytes quarantine folder.

 

I helped clean up a friend's Laptop.

I download Malwarebytes as one measure.

Subsequently I observed that it was using a MalwareBytes quarantine folder with a very old time stamp,

and it not only held what was cleaned at this time but also stuff that a previous helper had cleaned up with a previous version of MalwareBytes.

 

Perhaps your emails are not deleted, merely fingered as malware carriers and put where they can do no harm.

[integral_82]

Hi all,

 

thanks for the replies, I do appreciate it.

 

Augeas: Im not sure if Im doing something wrong, but when I "recover" the zip Thunderbird file onto a folder on the desktop, the file has 0kB...as I said, when I try to unzip it, it gives an error...is there something Im missing?

 

Nergal: the malware in question (DT virus) is supposed to be a trojan, with Keylogger, Downloader y Rootkit functions. It is most easily noticed by Spanish users as it repeats the accent character, would there be a way to figure out if it might have moved part of the files as part of its functionality?

 

Alan B: I had used some cleaners previously, but this was the first time I used Malwarebytes. In the quarantine folders there were a couple of Downloaders and an Adware agent...is there any way I check if things have been deleted?

[Alan_B]

Sorry, I do not know how to undelete anything that may have been in quarantine.

[Nergal]

honestly I think you are still compromised and need to seek professional help from one of the antimalware specialists listed in this thread.

http://forum.piriform.com/index.php?showtopic=34786&pid=208046&st=0&#entry208046

please point them to the thread, this one we are in right now, in your 1st post to them

 

note ccleaner is not has never been nor makes any claim to be a security product, just a trash cleaner