Virus which hid all my files.

Hi there,

I was recently infected (although I still could be) with a virus which told me I had multiple critical hard drive and RAM problems. I used the quick scan on malwerebytes and the virus went away (I hope) however my files seemed to have gone. After checking the properties of my User folder, I realised that all the files had been hidden, so I unhid all of my files in all areas of Computer. However, even now they're unhidden, all the folders in the "all Programs" section of the start menu are empty... Any help on how to get these back?

Thanks in advance,
Mac

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.

• Click the Logs Tab at the top.
• The log will be named by the date of scan in the following format: mbam-log-date(time).txt
  -- If you have previously used MBAM, there may be several logs showing in the list.
• Click on the log name to highlight it.
• Go to the bottom and click on Open.
• The log should automatically open in notepad as a text file.
• Go to Edit and choose Select all.
• Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
• Come back to this thread, click Add Reply, then right-click and choose Paste.
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd


The symptoms you describe can be indicative of a side effect from the HDD Defrag family of rogue security programs which changes file attributes to "hidden", making them appear invisible so the user thinks some of their files have been deleted. Newer variants of the FakeHDD rogue delete Quick Launch and Start Menu items/folders.

Please download unhide.exe by Grinler and save to your Desktop. Double-click on the file to run the tool.

After running it, all files will have the "hidden" attribute removed. This includes files that are normally hidden by the operating system and any files you may have intentionally hidden. The tool is designed not to remove hidden attribute for system files. If Quick Launch and the Start Menu were deleted, unhide.exe will attempt to restore them back to their proper location. When done you will need to restore the hidden attributes to those files manually. To do that, open Windows Explorer, go to Tools > Folder Options > View and make that change there.

Note: Do not clean out your temporary files/folders until this issue is resolved.

Hi,

I'm having the same problem with my XP Pro system. Got through preliminary steps to eliminate the malware, had to run anti-malware disk to get the fake Windows program to stop. Then was able to run my regular programs (Malwarebytes, Spybot, Microsoft Essentials) which each found some things. However, I couldn't update Spybot or Malwarebytes. Finally, after running each of them, life got a bit more normal and I could run the updates, ran each program again and nothing more found. BTW, Spybot usually removes "unneeded temporary files", and likely did so this time. I was able to access a few programs via the Run command (the ones I know what to enter, i.e., "mbam", "firefox", "thunderbird"). But I can't access most of the rest that way - don't know what to enter.

Next problem was that all documents and almost all programs were hidden, so went through the steps recommended in the "Remove Windows Recovery (Uninstall Guide)", used "unhide.exe" and can now see & access all my documents, also any icons I still keep (I've deleted many/most of my icons over a period of time - I like a clean desktop and access my regular programs via icons on customized Start Menu, and the remainder/infrequent ones via All Programs). Currently, while my programs show up as names in All Programs, when trying to click on almost all of them it says "(Empty)", except Internet Explorer, Windows Media Player, and Zipeg. The rest are, of course, still installed, and show up in Add or Remove Programs.

Tried the steps listed for XP Pro in topic 396978, but no further progress.

Any thoughts on my next step(s)?

Thanks,
Dennis

Welcome to BC DLWayne

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6610

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/05/2011 17:33:41
mbam-log-2011-05-18 (17-33-41).txt

Scan type: Quick scan
Objects scanned: 174320
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\programdata\rhhkieeenua.exe (Rogue.Installer.Gen) -> 4644 -> Unloaded process successfully.
c:\programdata\38788856.exe (Trojan.FakeAlert.Gen) -> 5604 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RHhkiEeEnUa (Rogue.Installer.Gen) -> Value: RHhkiEeEnUa -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\rhhkieeenua.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\Users\Nick\AppData\Local\Temp\adobe_flash_player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Nick\local settings\temporary internet files\Content.IE5\BXXY6WPH\about[1].exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\programdata\38788856.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

I'm about to use unhidden.exe now.
Mac

Right, I used it and my start menu files were still not there and so I disabled my anti virus software and tried it again, but still no luck.

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

This is a manual fix for Vista/Windows 7 users:

1. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
and paste it to this folder:
C:\Program Data\Start Menu

2. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\2
and paste it to this folder:
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

3. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\3
and paste it to this folder:
C:\Users\user-name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

4. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\4
and paste it to this folder:
C:\Program Data\Desktop

-- Note: The "Start Menu", "Quick Launch" and "Desktop" folders are system folders. In order to see them, you need to Reconfigure Windows to show hidden files, folders. In Windows Explorer go to Tools > Folder Options and click on the View tab. Under Advanced settings > Files and Folders > Hidden Files and Folders, uncheck "Hide Protected operating system Files (recommended)" and hit Apply > OK. In order to access the "Start Menu" folder, you may need to that folder as show here.

If the above does not work, then you can restore the defaults for the Start Menu and Administrative Tools as follows:

• Windows 7: Restore Default Shortcuts in Start Menu All Programs
• Vista: Restore Default Shortcuts in Start Menu Programs
• Restore the Administrative Tools folder with Ultimate AdminTools (vista_ultimate_admintools.zip) for Windows Vista

For any other missing program shortcuts you will probably need to reinstall the application or manually create new shortcuts.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6639

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

22/05/2011 13:09:24
mbam-log-2011-05-22 (13-09-24).txt

Scan type: Full scan (C:\|D:\|E:\|Q:\|)
Objects scanned: 388638
Time elapsed: 1 hour(s), 13 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll now do the next step and let you know the outcome shortly

Ok.

Hi,

I couldn't find:

C:\Program Data\Start Menu

C:\Users\user_name\AppData\Local\Temp\smtmp\2

C:\Program Data\Desktop

However my Desktop shortcuts have been returned.

Thanks so far.
Mac

Not a problem.

I cam't follow step 4 in the link you sent me. Could you maybe rephrase it for me?

Thanks

It's essentially the same as Step 1, except you are copying the info from C:\Users\user_name\AppData\Local\Temp\smtmp\4 (if it exists) into C:\Program Data\Desktop instead of C:\Program Data\Start Menu.

If you cannot see the folders, they may be hidden and you will need to Reconfigure Windows to show hidden files, folders.

AppData or Application data is a hidden folder in Windows 7. It is to protect user data and settings from any unwanted change or deletion. It contains many important data such as program settings, IE cookies, toolbar settings, IE browsing history, temporary files created by applications, Libraries, send to items, templates and many more.

To access this folder you have to select “Show hidden files and folders” in the folder options.

What is Application Data Folder in Windows 7

First, find a usb key that is handy and search your documents and settings folder for the folder "smtmp". Inside this HIDDEN folder you will find three hidden folders name 1, 2, and 4. Copy this folder to the USB key (these are the missing icons from the start menu.) Follow the posted cleaning instructions for removal -> rkill, combofix, maulwarebytes, tdsskiller, unhide.exe, etc. then after all is said and done, just copy these shortcuts from your USB key back to the all users\programs directory. See this MS document as well: http://answers.microsoft.com/en-us/windows/forum/windows_xp-system/after-windows-recovery-virus-all-programs-folders/fe6e2b08-4d66-e011-8dfc-68b599b31bf5

Enjoy!
- Dan

@macalester,

Please do not follow the instructions/information provided to you by: Dan Reid. Instead work through the instructions that have been provided to you by quietman7.

@Dan Reid

Please be sure to read this thread here: http://www.bleepingcomputer.com/forums/topic383782.html before posting advice in the Am I Infected forum.