
Unhide.exe - An introduction as to what this program does


350 replies to this topic

#1 Grinler

Grinler

    Bleep Bleep!



Posted 20 June 2011 - 06:14 PM

Unhide.exe is a program that will revert many of the changes on your computer caused by the FakeHDD family of rogue anti-spyware programs. This family of rogues pretends to be a system optimization program that will solve errors with your computer’s hard disks, memory, and performance. It will also display fake alerts stating that your computer has numerous computer issues and prompt you to purchase the program in order to resolve these issues.

Unhide can be downloaded from the following url: http://www.bleepingcomputer.com/download/unhide/

A screen shot of one of the programs in this family is:

[Screenshot of one of the FakeHDD rogue programs]


As part of the infection process, this family of rogues will change the attributes of all the files on your computer's fixed hard disks so that they are hidden (+H). It will then change your Windows configuration to make it so that you do not see hidden files or hidden system files. By doing this, the rogue attempts to make you think that all of your files have been deleted in the hopes that this will trick you into purchasing the program in order to recover your files.

This infection will also delete shortcuts in various folders on your computer so that you can no longer find them pinned to the taskbar, in the quick launch, or in your Start Menu. When the infection deletes the shortcuts it will store a backup copy of them in the folder %Temp%\smtmp. Using this backup, we can then restore the files to their proper location so you can find them once again under your Start Menu and in other locations. It is very important, though, that if you are infected with this family of infections that you do not delete any of the files in your %Temp% folder and that you do not run any temp file cleaners as they will delete this backup folder. With this folder removed, we will not be able to restore the shortcuts back to their proper location.

Unhide.exe is used to automatically revert these changes on your computer. When run, it will unhide (-H) all +H files on the fixed disks of your computer. It will not, though, unhide any files that also have the +S attribute. Unhide will also automatically detect if the %Temp%\smtmp folder exists, and if it does, it will copy them back to their proper locations for you. If your shortcuts are missing due to this infection and you have already cleaned out your Temp folder, then you can use the scripts at the bottom of this post to restore your default Start Menu.

Unhide will also reset certain Registry settings that this infection changes to hide your shortcuts and start menu items. When Unhide is running, if it detects any changes in these Registry settings it will reset them to the Windows default and display a message that it has done so.

When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt.

 
Below are the folders found under %Temp%\smtmp to which this infection moves your Start Menu shortcuts. The list below also tells you the corresponding locations the shortcuts should normally reside in, based on the version of Windows you are using.

%Temp%\smtmp\1:

Windows XP: C:\Documents and Settings\All Users\Start Menu
Windows Vista and Windows 7: C:\ProgramData\Microsoft\Windows\Start Menu

%Temp%\smtmp\2\:

Windows XP: C:\Documents and Settings\<your login name here>\Application Data\Microsoft\Internet Explorer\Quick Launch\
Windows Vista and Windows 7: C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

%Temp%\smtmp\3\:

Windows XP: Does not exist in XP. Therefore do not be concerned if %Temp%\smtmp\3 does not exist on Windows XP.
Windows Vista and Windows 7: C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

%Temp%\smtmp\4\:

Windows XP: C:\Documents and Settings\All Users\Desktop
Windows Vista and Windows 7: C:\Users\Public\Desktop


To manually restore your shortcuts, simply open up each of the %Temp%\smtmp\ folders that you have on your machine and copy everything found there into the respective folder listed above.

For example, if you are running Windows XP, then you would copy everything located in %Temp%\smtmp\1 to C:\Documents and Settings\All Users\Start Menu. If you are using Windows Vista or 7, you would copy everything from %Temp%\smtmp\1 to C:\ProgramData\Microsoft\Windows\Start Menu.

In order to see some of these locations you need to change your Windows settings so that show hidden files and show system protected files are enabled. Information on how to do this can be found in this tutorial. When done, you can change those settings back to their previous settings.

How to show hidden files in Windows

 

Update: 11/14/2011

For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items. With this in mind, I have created some scripts to restore the default Start Menu for specific versions of Windows that I have access to. You can view the available versions below. I will be adding more as time goes on.

Windows 2000 US English
http://download.bleepingcomputer.com/grinler/fakehdd/win-2000-sm-reset.exe

Windows XP Pro 32-bit US English - This should also work in other 32-bit versions of Windows XP, but I have nothing to compare against.
http://download.bleepingcomputer.com/grinler/fakehdd/winxp-pro-32bit-sm-reset.exe

Windows Vista 32-bit US English
http://download.bleepingcomputer.com/grinler/fakehdd/vista-32-sm-reset.exe

Windows Vista 64-bit US English
http://download.bleepingcomputer.com/grinler/fakehdd/vista-64-sm-reset.exe

Windows 7 32-bit US English
http://download.bleepingcomputer.com/grinler/fakehdd/win7-32-sm-reset.exe

Windows 7 64-bit US English
http://download.bleepingcomputer.com/grinler/fakehdd/win7-x64-sm-reset.exe

Thanks to tetonbob and Andrew for supplying me with the required start menus.

 

Update: 04/03/2012

Unhide was updated to include certain Start Menu options that were being hidden on the start menu. Unhide will now restore those settings back to Windows defaults and then restart Explorer.exe so that the changes go into effect.

These start menu items that are now made visible include:
  • Documents
  • Pictures
  • User Profile
  • Music
  • Games
  • Control Panel
  • Videos
  • Default Programs

 

Update: 04/04/2012

Unhide will now process removable drives, such as USB drives, by default.

 

Update: 04/12/2012

Unhide now has the -f option that will force it to run on Windows versions that I have marked as not compatible. These versions of Windows are ones that I was unable to test the program on. Therefore, use of this option is at your own risk.

Please let us know if you have any questions.

Edited by Grinler, 23 July 2012 - 10:03 AM.
Added info about new version
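The two recovery steps the post above describes (clear +H on everything that is not also +S, then copy %Temp%\smtmp\<n> back to the locations in the table), written out as an added PowerShell example; this is not Unhide.exe's own code and it does not do Unhide's Registry reset or write Unhide.txt. The drive list, the `-Apply` switch (omit it for a dry run) and the OS-version test via `[Environment]::OSVersion` are assumptions.

```powershell
param([string[]]$Drives = @('C:\'), [switch]$Apply)   # no -Apply = dry run; drive list is an assumption

# Step 1: clear +H on items that are hidden but not +S (Unhide's rule), so Windows' own
# system files such as desktop.ini or pagefile.sys are left alone.
function Clear-RogueHiddenAttribute {
    param([string]$Root, [switch]$Apply)
    $count = 0
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $a = $_.Attributes
        $isHidden = ($a -band [IO.FileAttributes]::Hidden) -ne 0
        $isSystem = ($a -band [IO.FileAttributes]::System) -ne 0
        if ($isHidden -and -not $isSystem) {
            if ($Apply) { $_.Attributes = $a -bxor [IO.FileAttributes]::Hidden }
            $count++
        }
    }
    return $count
}

# Step 2: the %Temp%\smtmp\<n> -> original-location table from the post, chosen by OS version.
# %APPDATA% already resolves to "Application Data" on XP and "AppData\Roaming" on Vista/7.
function Get-SmtmpTargets {
    $ql = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    if ([Environment]::OSVersion.Version.Major -ge 6) {   # Vista / 7
        @{ '1' = 'C:\ProgramData\Microsoft\Windows\Start Menu'; '2' = $ql
           '3' = Join-Path $ql 'User Pinned\TaskBar'; '4' = 'C:\Users\Public\Desktop' }
    } else {                                               # XP: smtmp\3 does not exist
        @{ '1' = 'C:\Documents and Settings\All Users\Start Menu'; '2' = $ql
           '4' = 'C:\Documents and Settings\All Users\Desktop' }
    }
}

function Restore-SmtmpShortcuts {
    param([switch]$Apply)
    $backup = Join-Path $env:TEMP 'smtmp'
    if (-not (Test-Path -LiteralPath $backup)) { Write-Warning "$backup missing: use the reset scripts"; return 0 }
    $restored = 0
    $targets = Get-SmtmpTargets
    foreach ($n in $targets.Keys) {
        $src = Join-Path $backup $n
        if (-not (Test-Path -LiteralPath $src)) { continue }
        Write-Host "$src -> $($targets[$n])"
        if ($Apply) { Copy-Item -Path (Join-Path $src '*') -Destination $targets[$n] -Recurse -Force }
        $restored++
    }
    return $restored
}

$unhidden = 0
foreach ($d in $Drives) { $unhidden += Clear-RogueHiddenAttribute -Root $d -Apply:$Apply }
Write-Host "Hidden-but-not-system items: $unhidden; smtmp folders restored: $(Restore-SmtmpShortcuts -Apply:$Apply)"
```

As the thread says, run this only after the rogue itself has been removed, and only if %Temp%\smtmp has not been wiped by a temp-file cleaner.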




#2 WhiskeyTango73

WhiskeyTango73


Posted 20 June 2011 - 07:13 PM

Thank you. There is one workstation (x32 XP) that was hit with a variant of this a while ago and is still having hidden folder issues. The folders are back (due to malware removal and a system restore) but are only 'half' visible. I will try to restore them with this info.

#3 David McMahon

David McMahon


Posted 20 June 2011 - 09:07 PM

Found download link, thank you for posting, sounds odd, but can't wait to use it "in anger"

http://download.bleepingcomputer.com/grinler/unhide.exe

Edited by David McMahon, 20 June 2011 - 09:14 PM.


#4 sm24

sm24


Posted 22 June 2011 - 05:12 AM

@Grinler I am new to this stuff. Question: what does the +S attribute mean? Is it harmful when I back up my files? Is it safe to unhide my hidden files to save and back them up during a malware/virus/spyware attack?

Edited by sm24, 22 June 2011 - 05:12 AM.


#5 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter


Posted 23 June 2011 - 07:14 AM

+S means it's a system file. Windows will set that attribute on files that are required by Windows to operate properly.

As for unhiding files, the only time you ever want to use this program is if you were infected with the FakeHDD rogue.

#6 WhiskeyTango73

WhiskeyTango73


Posted 23 June 2011 - 09:30 AM

I used http://download.bleepingcomputer.com/grinler/unhide.exe on the station that was infected with this a while back, and it worked flawlessly. In order to "restore" the folders after it was infected, a combination of Rkill and Mbam removed the virus, but the folders were still missing. Then a system restore to a point before the virus along with Rkill and Mbam again restored the files, but they were only "halfway" visible... as in only halfway illuminated. The individual that opened the email and obtained this virus was just happy to get the files 'back', but this unhid them completely. TYVM

#7 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter


Posted 25 June 2011 - 09:26 AM

Malwarebytes and RKill will not restore the hidden files. For these infections, you should completely remove the virus, and Unhide should be the last thing you run.

#8 WhiskeyTango73

WhiskeyTango73


Posted 25 June 2011 - 10:21 AM

No they will not. I ran Rkill and Mbam to rid the virus, then the folders became half visible with a system restore and a repeat Rkill and Mbam. The Unhide.exe restored the folders. I didn't (mean to) imply that Rkill and Mbam restored the folders.

#9 wiczjr

wiczjr


Posted 29 June 2011 - 03:00 PM

THANK YOU lawrence. I've removed this virus from dozens of PC's over the last few weeks and nothing is more irritating than changing file attributes.
Both faith and fear may sail into your harbour, but only allow faith to drop anchor.

#10 sm24

sm24


Posted 07 July 2011 - 01:42 AM

I already downloaded a new Unhide.exe and ran it.
It says:


processing C:\
PROCESSING D:\
PARSE ERROR

then it showed a message saying:

finished
"your files should now be visible. if you are still missing start menu items,please temporarily disable your Antivirus
or security programs and try again in the event that they interefered with the restoral process"


What should I do? The files on my desktop are already visible, but I haven't seen my Recycle Bin yet. It has been missing since the malware infected my laptop. Is it OK to back up my files now even though it seems not all of my files were unhidden?

#11 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter


Posted 07 July 2011 - 09:06 AM

What are the drive letters on your computer?

#12 sm24

sm24


Posted 07 July 2011 - 12:38 PM

C, D and drive E, sir. Even after I used Unhide.exe I still can't see it on my desktop. I already ran it 3 or 4 times in safe mode, and I also want to know if it is safe to do backups at this point?

I mean I really don't have any backup files from before the malware infection, so I badly need it. How do I know if one of my original files (files from before the infection) is infected by the malware, so that I can avoid backing them up? Thank you

#13 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter


Posted 07 July 2011 - 04:03 PM

Yes, it's safe to back up. This infection does not infect files. I am not sure what this parse error is. First time I have seen it, unfortunately.

#14 sm24

sm24


Posted 07 July 2011 - 09:36 PM

Thanks, now I can safely continue with my backup. Even if I haven't started my cleanup measures to delete the malware, is it safe to back up in normal mode? I would like to know how to turn off the AutoPlay/AutoRun feature, so that every time I connect a USB or external HD any possible virus will not infect my computer, and where and how do I find my missing Recycle Bin on my desktop? It's been missing since the infection, and I happened to delete the infected FedEx scam file before the Windows Recovery bug on my computer. Thanks

Edited by sm24, 08 July 2011 - 04:59 AM.


#15 sm24

sm24


Posted 08 July 2011 - 10:28 PM

Sir, is backing up in safe mode the same in effect/quality/functionality as in normal mode? Thanks very much



