Windows directory completely emptied
humber
2003-08-22 14:32:35 UTC
One of the computers appeared to crash at a small charity my partner is
involved with.

I went in to have a look, starting from a W98SE boot disk. There was no
Windows, because an investigation showed that the C:\Windows directory had
absolutely nothing in it except a Desktop folder (which was empty), and a
folder with the charity name, which was also empty.

So the whole Windows system was missing. I tried reinstalling Windows, but
this threw up other problems, e.g. "msoe.dll file may be corrupt", "Recycle
bin is corrupt, format is invalid, do you want to empty?", but at least
Windows is up and limping.

Nobody knows how this could have happened, or at least I can't get any
explanations from anybody. The computer is used on the internet, so could a
virus have wiped the Windows directory clean? I can think of no way anybody
could have completely emptied the Windows directory, while leaving the
folder intact, or at least not without knowing some DOS, which nobody there
does.

Any ideas welcome.

humber
n***@zilch.com
2003-08-22 14:45:59 UTC
On Fri, 22 Aug 2003 15:32:35 +0100, "humber"
Post by humber
One of the computers appeared to crash at a small charity my partner is
involved with.
I went in to have a look, starting from a W98SE boot disk. There was no
Windows, because an investigation showed that the C:\Windows directory had
absolutely nothing in it except a Desktop folder (which was empty), and a
folder with the charity name, which was also empty.
So the whole Windows system was missing. I tried reinstalling Windows, but
this threw up other problems, e.g. "msoe.dll file may be corrupt", "Recycle
bin is corrupt, format is invalid, do you want to empty?", but at least
Windows is up and limping.
Nobody knows how this could have happened, or at least I can't get any
explanations from anybody. The computer is used on the internet, so could a
virus have wiped the Windows directory clean? I can think of no way anybody
could have completely emptied the Windows directory, while leaving the
folder intact, or at least not without knowing some DOS, which nobody there
does.
Any ideas welcome.
Didn't scandisk show a problem? My first thought is file system
corruption. Maybe failing h. d. ? BTW, during my early experiences
with Win 98 I once or twice ran into situations where Norton's Disk
Doctor (NDD) found and fixed lost clusters that scandisk didn't find.


Art
http://www.epix.net/~artnpeg
humber
2003-08-22 14:54:15 UTC
Post by n***@zilch.com
On Fri, 22 Aug 2003 15:32:35 +0100, "humber"
Post by humber
One of the computers appeared to crash at a small charity my partner is
involved with.
I went in to have a look, starting from a W98SE boot disk. There was no
Windows, because an investigation showed that the C:\Windows directory had
absolutely nothing in it except a Desktop folder (which was empty), and a
folder with the charity name, which was also empty.
So the whole Windows system was missing. I tried reinstalling Windows, but
this threw up other problems, e.g. "msoe.dll file may be corrupt", "Recycle
bin is corrupt, format is invalid, do you want to empty?", but at least
Windows is up and limping.
Nobody knows how this could have happened, or at least I can't get any
explanations from anybody. The computer is used on the internet, so could a
virus have wiped the Windows directory clean? I can think of no way anybody
could have completely emptied the Windows directory, while leaving the
folder intact, or at least not without knowing some DOS, which nobody there
does.
Any ideas welcome.
Didn't scandisk show a problem? My first thought is file system
corruption. Maybe failing h. d. ? BTW, during my early experiences
with Win 98 I once or twice ran into situations where Norton's Disk
Doctor (NDD) found and fixed lost clusters that scandisk didn't find.
Nope, Scandisk showed both C: and D: drives with no problems at all.
n***@zilch.com
2003-08-22 15:03:54 UTC
On Fri, 22 Aug 2003 15:54:15 +0100, "humber"
Post by humber
Post by n***@zilch.com
Post by humber
Any ideas welcome.
Didn't scandisk show a problem? My first thought is file system
corruption. Maybe failing h. d. ? BTW, during my early experiences
with Win 98 I once or twice ran into situations where Norton's Disk
Doctor (NDD) found and fixed lost clusters that scandisk didn't find.
Nope, Scandisk showed both C: and D: drives with no problems at all.
And after satisfying yourself that there was no file system corruption
or a failing h.d. then what did a DOS antivirus scanner show after
cold booting into DOS from a floppy? And which one(s) did you use?

If a couple of good up to date DOS av scanners don't turn up any
malware, it may be time for a reformat and reinstall.


Art
http://www.epix.net/~artnpeg
humber
2003-08-22 23:00:24 UTC
Post by n***@zilch.com
On Fri, 22 Aug 2003 15:54:15 +0100, "humber"
Post by humber
Post by n***@zilch.com
Post by humber
Any ideas welcome.
Didn't scandisk show a problem? My first thought is file system
corruption. Maybe failing h. d. ? BTW, during my early experiences
with Win 98 I once or twice ran into situations where Norton's Disk
Doctor (NDD) found and fixed lost clusters that scandisk didn't find.
Nope, Scandisk showed both C: and D: drives with no problems at all.
And after satisfying yourself that there was no file system corruption
or a failing h.d. then what did a DOS antivirus scanner show after
cold booting into DOS from a floppy? And which one(s) did you use?
If a couple of good up to date DOS av scanners don't turn up any
malware, it may be time for a reformat and reinstall.
I'd just got out of bed when the phone rang, and I was dragged along by my
partner to this site I'd never even been to before, not knowing what to
expect. I'm no geek, just the person who knows a very little more than the
users at this site, who know nothing.

There was obviously no way to link to the Internet, and I don't carry a DOS
AV scanner around with me. If I were in the business of maintenance, I
might keep an up-to-date version of FPROT for DOS handy on a floppy, but I
don't. Here at home I use NOD.

I think you're right, though, time for a reformat and reinstall.
Fortunately, the people at the site have backed up all their own documents,
database info and stuff, and have all the s/ware, so that may be the route
we/they will have to go.

Thanks for your advice and help, I appreciate it.

humber (dragged kicking and screaming into a format/reinstall).


h.
David W. Hodgins
2003-08-22 17:18:18 UTC
Post by humber
I went in to have a look, starting from a W98SE boot disk. There was no
Windows, because an investigation showed that the C:\Windows directory had
absolutely nothing in it except a Desktop folder (which was empty), and a
folder with the charity name, which was also empty.
Not enough info for a useful diagnosis. One thing though. Windows
does not have to be installed to the c:\windows directory. On my win98
system, it's installed to c:\w

I have created a c:\windows directory, but it is empty.

Regards, Dave Hodgins
Michael Cecil
2003-08-22 17:45:16 UTC
On Fri, 22 Aug 2003 17:18:18 GMT, "David W. Hodgins"
Post by David W. Hodgins
Post by humber
I went in to have a look, starting from a W98SE boot disk. There was no
Windows, because an investigation showed that the C:\Windows directory had
absolutely nothing in it except a Desktop folder (which was empty), and a
folder with the charity name, which was also empty.
Not enough info for a useful diagnosis. One thing though. Windows
does not have to be installed to the c:\windows directory. On my win98
system, it's installed to c:\w
I have created a c:\windows directory, but it is empty.
That proves it. David is the virus! After him!!
--
Michael Cecil
***@comcast.net
http://home.comcast.net/~macecil/howto/
http://home.comcast.net/~antiviruscd/
humber
2003-08-22 23:01:04 UTC
On Fri, 22 Aug 2003 15:32:35 +0100, humber
Post by humber
I went in to have a look, starting from a W98SE boot disk. There was no
Windows, because an investigation showed that the C:\Windows directory had
absolutely nothing in it except a Desktop folder (which was empty), and a
folder with the charity name, which was also empty.
Not enough info for a useful diagnosis. One thing though. Windows
does not have to be installed to the c:\windows directory. On my win98
system, it's installed to c:\w
I have created a c:\windows directory, but it is empty.
Before I discovered the Windows directory was empty, I tried the reinstall
route using a boot floppy and the W98SE CD-ROM. The Windows wanted to
install itself into Windows.000 (trying to create a new instance of itself),
so I let it do that and it seemed to work, but it was still pretty wonky.
The user phoned the help line from where they got the PC and they said I
shouldn't have installed it into Windows.000, but should have overwritten the
original Windows (directory). So back again I went, tried to delete the
Windows.000 directory (with no success) so I renamed it to fred.000, and
then did another reinstall into Windows (directory). Still wonky.

The user was trying to avoid taking it back to the place they bought it, but
it looks like this may be necessary.

I think maybe null's solution of fdisk/format & reinstall may be the only
answer.

humber
David W. Hodgins
2003-08-23 01:41:27 UTC
Post by humber
then did another reinstall into Windows (directory). Still wonky.
Keep in mind a reinstall will not overwrite the registry (user.dat,
and system.dat), which are hidden files in the windows directory.

Regards, Dave Hodgins
David W. Hodgins
2003-08-24 01:15:37 UTC
Post by David W. Hodgins
Keep in mind a reinstall will not overwrite the registry (user.dat,
and system.dat), which are hidden files in the windows directory.
Interesting, I didn't know this. But, if the C:\Windows directory is
*empty*, and had I done a DOS command on C: of dir /ah, I wonder what I
would have seen. How many files? Unfortunately I didn't think of that at
the time.
I installed windows 98, over 95, and it kept the registry entries, for
all of my applications, such as msoffice. I would have had to reinstall
all applications, if it did overwrite the registry.

If the registry is corrupt, and you don't have a backup to restore from
(try scanreg /restore in msdos mode), the only way to correct this, is
to delete the system.dat and user.dat files from the windows directory,
and then re-install. Reformatting the drive first will work too<g>.

It's unlikely the virus/trojan/whatever deleted the registry files, since
they would have been in use by windows.

Running dir /ah in my windows directory shows 10 files, and 7 directories.
You should also note, that windows likes to hide directories with the
system attribute set, from things such as find files.

Regards, Dave Hodgins
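
The point about `dir /ah` and hidden or system attributes can be seen at the on-disk level. The following is an added example, not part of any poster's message: it parses standard 32-byte FAT short directory entries and compares what a plain `dir` lists with what `dir /ah` lists, plus a deleted entry that neither shows. The sample directory (names, sizes, attribute values) is constructed for illustration.

```python
import struct

# Attribute bits in byte 11 of a 32-byte FAT directory entry.
ATTR = {0x01: "R", 0x02: "H", 0x04: "S", 0x08: "V", 0x10: "D", 0x20: "A"}
LFN = 0x0F  # long-file-name fragments carry exactly this attribute value

def make_entry(name, ext, attr, size=0, deleted=False):
    """Build one constructed 8.3 directory entry (sample data only)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = b"\xe5" + raw[1:]  # deletion only overwrites the first name byte
    return raw + bytes([attr]) + bytes(16) + struct.pack("<I", size)

def parse_directory(blob):
    """Return (name, flags, size, deleted) for each short entry in a raw directory."""
    entries = []
    for off in range(0, len(blob) - 31, 32):
        e = blob[off:off + 32]
        if e[0] == 0x00:  # end-of-directory marker
            break
        if e[11] == LFN:  # skip long-file-name fragments
            continue
        deleted = e[0] == 0xE5
        name = ("?" if deleted else chr(e[0])) + e[1:8].decode("ascii", "replace")
        ext = e[8:11].decode("ascii", "replace").rstrip()
        flags = "".join(c for bit, c in ATTR.items() if e[11] & bit)
        size = struct.unpack_from("<I", e, 28)[0]
        entries.append((name.rstrip() + ("." + ext if ext else ""), flags, size, deleted))
    return entries

def plain_dir_view(entries):
    """Names a plain `dir` lists: live entries with neither H nor S set."""
    return [n for n, f, _, d in entries if not d and not set(f) & {"H", "S"}]

def hidden_view(entries):
    """Names `dir /ah` lists: live entries with the hidden bit set."""
    return [n for n, f, _, d in entries if not d and "H" in f]

# Constructed directory: one folder, two hidden files, one deleted file,
# followed by an all-zero entry that terminates the listing.
SAMPLE = b"".join([
    make_entry("DESKTOP", "", 0x10),
    make_entry("USER", "DAT", 0x22, 212992),
    make_entry("SYSTEM", "DAT", 0x22, 4714496),
    make_entry("WIN", "COM", 0x20, 25473, deleted=True),
]) + bytes(32)
```

Calling `parse_directory(SAMPLE)` returns all four entries, while `plain_dir_view` reports only the `DESKTOP` folder; a deleted entry keeps its attributes and size but loses the first character of its name.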
humber
2003-08-24 22:57:54 UTC
On Sat, 23 Aug 2003 22:23:17 +0100, "humber"
On Sat, 23 Aug 2003 00:01:04 +0100, humber
Thanks for your advice, David W. and cquirke. Since nobody else knows what
to do, I think I'll go back and format the site's HDD and start again to
reload everything. They have all their s/ware so it looks like the easiest
way.

humber

Gabriele Neukam
2003-08-22 21:12:00 UTC
On that special day, humber, (***@catfood.yahoo.whiskers.com)
said...
Post by humber
Nobody knows how this could have happened, or at least I can't get any
explanations from anybody. The computer is used on the internet, so could a
virus have wiped the Windows directory clean?
If it had been the sixth of July, I would have said it is the payload of
any Klez.E or later, but in August? Is the CMOS clock missing the
correct date?


Gabriele Neukam

***@t-online.de
--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.
humber
2003-08-22 23:01:24 UTC
Post by Gabriele Neukam
said...
Post by humber
Nobody knows how this could have happened, or at least I can't get any
explanations from anybody. The computer is used on the internet, so could a
virus have wiped the Windows directory clean?
If it had been the sixth of July, I would have said it is the payload of
any Klez.E or later, but in August? Is the CMOS clock missing the
correct date?
I didn't check that, hey, I don't even do this stuff for a living! But it's
quite possible their clock was wrong, I wouldn't be surprised.

Thanks for the pointer to the Klez virus, I'll have a further look into
that.

humber
humber
2003-08-23 00:12:03 UTC
A further search makes it look like it could possibly be the W32.Pokey.Worm.
This thing deletes the contents of the Windows and Windows\System
directories, which describes the problem these people are having.

Often the trouble with troubleshooting is that you are trying to talk to
people who can't describe what they did, in what order they did it, or what
happened next. So maybe somebody downloaded this worm from the Internet,
but I'll never know.

Anyway, thanks everybody for your suggestions. Maybe it's time to carry
around a floppy with AV defs on it, like null says.

humber
FromTheRafters
2003-08-23 02:22:53 UTC
Post by humber
A further search makes it look like it could possibly be the W32.Pokey.Worm.
This thing deletes the contents of the Windows and Windows\System
directories, which describes the problem these people are having.
It needn't be a worm's payload that does this sort of thing.
It could have been a simple logic bomb trojan.