
Virus which hid all my files.


20 replies to this topic

#1 macalester

  • Members

Posted 18 May 2011 - 12:19 PM

Hi there,

I was recently infected (although I still could be) with a virus which told me I had multiple critical hard drive and RAM problems. I used the quick scan on Malwarebytes and the virus went away (I hope); however, my files seemed to have gone. After checking the properties of my User folder, I realised that all the files had been hidden, so I unhid all of my files in all areas of Computer. However, even now they're unhidden, all the folders in the "All Programs" section of the Start menu are empty... Any help on how to get these back?

Thanks in advance,
Mac



#2 quietman7

  • Global Moderator

Posted 19 May 2011 - 10:12 PM

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd



The symptoms you describe can be indicative of a side effect from the HDD Defrag family of rogue security programs which changes file attributes to "hidden", making them appear invisible so the user thinks some of their files have been deleted. Newer variants of the FakeHDD rogue delete Quick Launch and Start Menu items/folders.

Please download unhide.exe by Grinler and save to your Desktop. Double-click on the file to run the tool.

After running it, all files will have the "hidden" attribute removed. This includes files that are normally hidden by the operating system and any files you may have intentionally hidden. The tool is designed not to remove hidden attribute for system files. If Quick Launch and the Start Menu were deleted, unhide.exe will attempt to restore them back to their proper location. When done you will need to restore the hidden attributes to those files manually. To do that, open Windows Explorer, go to Tools > Folder Options > View and make that change there.

Note: Do not clean out your temporary files/folders until this issue is resolved.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 DLWayne

  • Members

Posted 20 May 2011 - 12:07 AM

Hi,

I'm having the same problem with my XP Pro system. Got through preliminary steps to eliminate the malware, had to run anti-malware disk to get the fake Windows program to stop. Then was able to run my regular programs (Malwarebytes, Spybot, Microsoft Essentials) which each found some things. However, I couldn't update Spybot or Malwarebytes. Finally, after running each of them, life got a bit more normal and I could run the updates, ran each program again and nothing more found. BTW, Spybot usually removes "unneeded temporary files", and likely did so this time. I was able to access a few programs via the Run command (the ones I know what to enter, i.e., "mbam", "firefox", "thunderbird"). But I can't access most of the rest that way - don't know what to enter.

Next problem was that all documents and almost all programs were hidden, so went through the steps recommended in the "Remove Windows Recovery (Uninstall Guide)", used "unhide.exe" and can now see & access all my documents, also any icons I still keep (I've deleted many/most of my icons over a period of time - I like a clean desktop and access my regular programs via icons on customized Start Menu, and the remainder/infrequent ones via All Programs). Currently, while my programs show up as names in All Programs, when trying to click on almost all of them it says "(Empty)", except Internet Explorer, Windows Media Player, and Zipeg. The rest are, of course, still installed, and show up in Add or Remove Programs.

Tried the steps listed for XP Pro in topic 396978, but no further progress.

Any thoughts on my next step(s)?

Thanks,
Dennis

#4 quietman7

  • Global Moderator

Posted 20 May 2011 - 05:29 AM

Welcome to BC DLWayne

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff

#5 macalester

  • Topic Starter

Posted 21 May 2011 - 08:51 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6610

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/05/2011 17:33:41
mbam-log-2011-05-18 (17-33-41).txt

Scan type: Quick scan
Objects scanned: 174320
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\programdata\rhhkieeenua.exe (Rogue.Installer.Gen) -> 4644 -> Unloaded process successfully.
c:\programdata\38788856.exe (Trojan.FakeAlert.Gen) -> 5604 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RHhkiEeEnUa (Rogue.Installer.Gen) -> Value: RHhkiEeEnUa -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\rhhkieeenua.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\Users\Nick\AppData\Local\Temp\adobe_flash_player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Nick\local settings\temporary internet files\Content.IE5\BXXY6WPH\about[1].exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\programdata\38788856.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

I'm about to use unhide.exe now.
Mac

#6 macalester

  • Topic Starter

Posted 21 May 2011 - 09:08 AM

Right, I used it and my Start menu files were still not there, so I disabled my antivirus software and tried it again, but still no luck.

#7 quietman7

  • Global Moderator

Posted 21 May 2011 - 08:02 PM

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

This is a manual fix for Vista/Windows 7 users:

1. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
and paste it to this folder:
C:\Program Data\Start Menu

2. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\2
and paste it to this folder:
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

3. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\3
and paste it to this folder:
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

4. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\4
and paste it to this folder:
C:\Program Data\Desktop

-- Note: The "Start Menu", "Quick Launch" and "Desktop" folders are system folders. In order to see them, you need to reconfigure Windows to show hidden files and folders. In Windows Explorer go to Tools > Folder Options and click on the View tab. Under Advanced settings > Files and Folders > Hidden Files and Folders, uncheck "Hide Protected operating system Files (recommended)" and hit Apply > OK. In order to access the "Start Menu" folder, you may need to that folder as shown here.

If the above does not work, then you can restore the defaults for the Start Menu and Administrative Tools as follows:
For any other missing program shortcuts you will probably need to reinstall the application or manually create new shortcuts.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
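
The four copy steps of the manual fix for Vista/Windows 7 above, written as a PowerShell script that skips smtmp subfolders that do not exist and never overwrites a shortcut already in place. This is an added example, not part of the thread or of any tool it mentions. The parameter names `-ProfilePath` and `-Apply` are hypothetical, and addressing the all-users Start Menu and Desktop through %ProgramData% and %PUBLIC% is an assumption.

```powershell
# Added example, not from the thread. Reports only; pass -Apply to copy.
param(
    [string]$ProfilePath = $env:USERPROFILE,  # hypothetical parameter names
    [switch]$Apply
)

$smtmp       = Join-Path $ProfilePath 'AppData\Local\Temp\smtmp'
$quickLaunch = Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch'

# smtmp subfolder -> destination, following steps 1-4 of the manual fix.
# Assumption: the all-users Start Menu and Desktop are addressed as the real
# Windows 7 folders via %ProgramData% and %PUBLIC%.
$map = @(
    @{ Id = '1'; Dest = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu') },
    @{ Id = '2'; Dest = $quickLaunch },
    @{ Id = '3'; Dest = (Join-Path $quickLaunch 'User Pinned\TaskBar') },
    @{ Id = '4'; Dest = (Join-Path $env:PUBLIC 'Desktop') }
)

foreach ($entry in $map) {
    $src = Join-Path $smtmp $entry.Id
    if (-not (Test-Path -LiteralPath $src -PathType Container)) {
        # Not every infection leaves all four folders; a missing one is skipped.
        Write-Output "skip  $src (not present)"
        continue
    }
    $root = (Get-Item -LiteralPath $src -Force).FullName
    # -Force is needed because the rogue marks these items hidden.
    # @() keeps an empty folder from yielding a single $null item on PowerShell 2.0.
    $files = @(Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer })
    foreach ($file in $files) {
        $relative = $file.FullName.Substring($root.Length).TrimStart('\')
        $target   = Join-Path $entry.Dest $relative
        if (Test-Path -LiteralPath $target) {
            # Never overwrite a shortcut that is already in place.
            Write-Output "keep  $target"
        } elseif ($Apply) {
            $parent = [System.IO.Path]::GetDirectoryName($target)
            [void][System.IO.Directory]::CreateDirectory($parent)
            Copy-Item -LiteralPath $file.FullName -Destination $target
            Write-Output "copy  $target"
        } else {
            Write-Output "plan  $($file.FullName) -> $target"
        }
    }
}
```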

#8 macalester

  • Topic Starter

Posted 22 May 2011 - 08:48 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6639

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

22/05/2011 13:09:24
mbam-log-2011-05-22 (13-09-24).txt

Scan type: Full scan (C:\|D:\|E:\|Q:\|)
Objects scanned: 388638
Time elapsed: 1 hour(s), 13 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll now do the next step and let you know the outcome shortly

#9 quietman7

  • Global Moderator

Posted 22 May 2011 - 02:11 PM

Ok.

#10 macalester

  • Topic Starter

Posted 22 May 2011 - 03:42 PM

Hi,

I couldn't find:

C:\Program Data\Start Menu

C:\Users\user_name\AppData\Local\Temp\smtmp\2

C:\Program Data\Desktop

However my Desktop shortcuts have been returned.

Thanks so far.
Mac

#11 quietman7

  • Global Moderator

Posted 23 May 2011 - 08:05 AM

Not a problem.

#12 macalester

  • Topic Starter

Posted 25 May 2011 - 05:25 AM

I can't follow step 4 in the link you sent me. Could you maybe rephrase it for me?

Thanks

#13 quietman7

  • Global Moderator

Posted 25 May 2011 - 08:09 AM

It's essentially the same as Step 1, except you are copying the info from C:\Users\user_name\AppData\Local\Temp\smtmp\4 (if it exists) into C:\Program Data\Desktop instead of C:\Program Data\Start Menu.

If you cannot see the folders, they may be hidden and you will need to Reconfigure Windows to show hidden files, folders.

AppData or Application data is a hidden folder in Windows 7. It is to protect user data and settings from any unwanted change or deletion. It contains many important data such as program settings, IE cookies, toolbar settings, IE browsing history, temporary files created by applications, Libraries, send to items, templates and many more.

To access this folder you have to select “Show hidden files and folders” in the folder options.

What is Application Data Folder in Windows 7

#14 Dan Reid

  • Members

Posted 25 May 2011 - 01:17 PM

First, find a USB key that is handy and search your documents and settings folder for the folder "smtmp". Inside this HIDDEN folder you will find three hidden folders named 1, 2, and 4. Copy this folder to the USB key (these are the missing icons from the start menu). Follow the posted cleaning instructions for removal -> rkill, combofix, malwarebytes, tdsskiller, unhide.exe, etc. Then, after all is said and done, just copy these shortcuts from your USB key back to the all users\programs directory. See this MS document as well: http://answers.microsoft.com/en-us/windows/forum/windows_xp-system/after-windows-recovery-virus-all-programs-folders/fe6e2b08-4d66-e011-8dfc-68b599b31bf5

Enjoy!
- Dan

#15 SweetTech

  • Malware Response Team

Posted 25 May 2011 - 02:10 PM

@macalester,

Please do not follow the instructions/information provided to you by: Dan Reid. Instead work through the instructions that have been provided to you by quietman7.

@Dan Reid

Please be sure to read this thread here: http://www.bleepingcomputer.com/forums/topic383782.html before posting advice in the Am I Infected forum.

Edited by SweetTech, 25 May 2011 - 02:12 PM.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.




