
folders are empty


8 replies to this topic

#1 jrb111


Posted 21 October 2011 - 11:10 AM

Hello - I see several postings on this subject but want to make sure I am doing the right thing. I have Windows XP - had the virus that hid information - ran unhide.exe and my system is back, but my folders are still empty - for Microsoft Office, for example. Can you help me with next steps? Thank you.

Edited by hamluis, 21 October 2011 - 12:31 PM.
Moved from XP to Am I Infected.




#2 hamluis


Posted 21 October 2011 - 12:33 PM

I'm moving this to a more appropriate forum.

Seems to be a possibility that multiple malware issues are involved...and running unhide.exe is a malware-removal step which is more likely to be used/suggested in the forum I am moving this topic to.

Louis

#3 TM_Paul


Posted 21 October 2011 - 02:07 PM

Actually I think the malware is gone. To be exact, when you click on the Start menu, does it show empty? I can be certain that what hit you is a FakeAV-type trojan. Aside from hiding folders, they move the .lnk files to a temp folder, so I do hope you did not do a disk cleanup. Try these steps:

1. Go to Control Panel > Folder Options > View
2. Click on "Hidden Files, Folders, and Drives"
3. Uncheck "Hide Extensions for known File types"
4. Click Apply > OK
5. Do a Windows search (configure it to show hidden items)
6. Do a wildcard search for .lnk (if you have MSWORD, use that as a reference; this will make the search easy)
7. Check the folder that they are in.

NOTE: As I said before, they move .lnk files. (I think they place it in C:\Documents and Settings\(Account)\Application Data\Temp\sntmp) and then there are 3 folders in there: 1, 3, 4 or something. The folder named "1" should have the shortcuts for the Start menu. You copy the contents of folder 1 and paste it in C:\Documents and Settings\All Users\Start Menu. Folders 2 and 4 are not really important. I think they were desktop and favorites shortcut links.

It's been a long time since I dealt with this kind of FakeAV payload, so I may be wrong.

8. If you think there are still traces of malware on your system, try doing a Google search for FAKEAVREMOVER; it's a Trend Micro free tool. You can use it to restore some policies and check for FakeAV malware.


"I'll be your silent guardian. A watchful protector. A dark knight..."


#4 jrb111


Posted 21 October 2011 - 09:49 PM

Thank you for your advice. I did the search - no files were found with .Ink. Other ideas? Thanks.

#5 TM_Paul


Posted 22 October 2011 - 01:37 AM

Hm? No .lnk? This is the file extension for shortcuts. If you don't have this extension, that means you don't have shortcut files on your PC, which is impossible :lol:

When you do a wildcard search, this is what you type in ---> *.lnk

Edited by TM_Paul, 22 October 2011 - 01:43 AM.




#6 boopme


Posted 22 October 2011 - 09:17 AM

Hello, do not run any TEMP or Registry cleaners as they will be gone.

To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (2.6.11.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#7 jrb111


Posted 22 October 2011 - 05:27 PM

Unfortunately, trying to correct this problem before finding BleepingComputer, I downloaded and ran CCleaner and have done a disk cleanup. Do I have any options or do I have to reinstall everything? TM_Paul, I did the scan but could not find the folder...

#8 boopme


Posted 22 October 2011 - 09:44 PM

No promises... back up any important files if you can.

XP

Copy all content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\1
and paste it to this folder:
C:\Documents and Settings\All Users\Start Menu


Copy all content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\2
and paste it to this folder:
C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick Launch


Copy all content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\3
and paste it to this folder:
C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar


Copy all content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\4
and paste it to this folder:
C:\Documents and Settings\All Users\Desktop
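The copy-back steps in post #8, as an added example that is not part of the original thread: a dry-run-first Python sketch that uses the four smtmp mappings listed there and reports subfolders that are already gone (the situation described in post #7) instead of failing. The function and variable names are assumptions, and `user_name` is the placeholder from the post.

```python
import os
import shutil

XP = r"C:\Documents and Settings"

def xp_destinations(user_name):
    """Map each smtmp subfolder to its restore target, as listed in post #8."""
    quick = XP + "\\" + user_name + r"\Application Data\Microsoft\Internet Explorer\Quick Launch"
    return {"1": XP + r"\All Users\Start Menu",
            "2": quick,
            "3": quick + r"\User Pinned\TaskBar",
            "4": XP + r"\All Users\Desktop"}

def restore_shortcuts(smtmp, destinations, dry_run=True):
    """Copy files from smtmp/<n> into destinations[<n>], keeping subfolders.

    Existing files are never overwritten. Returns (copied, skipped, missing)."""
    copied, skipped, missing = [], [], []
    for sub, dest_root in sorted(destinations.items()):
        src_root = os.path.join(smtmp, sub)
        if not os.path.isdir(src_root):
            missing.append(sub)  # already deleted, e.g. by a temp-file cleaner
            continue
        for folder, _dirs, files in os.walk(src_root):
            rel = os.path.relpath(folder, src_root)
            target_dir = os.path.normpath(os.path.join(dest_root, rel))
            for name in files:
                dst = os.path.join(target_dir, name)
                if os.path.exists(dst):
                    skipped.append(dst)  # keep whatever is already in place
                    continue
                if not dry_run:
                    os.makedirs(target_dir, exist_ok=True)
                    shutil.copy2(os.path.join(folder, name), dst)
                copied.append(dst)
    return copied, skipped, missing

if __name__ == "__main__":
    user = "user_name"  # placeholder from the post; replace with the affected account
    smtmp = XP + "\\" + user + r"\Local Settings\Temp\smtmp"
    # Dry run first: lists what would be restored without touching anything.
    copied, skipped, missing = restore_shortcuts(smtmp, xp_destinations(user))
    print("would copy:", len(copied), "already present:", len(skipped))
    print("smtmp subfolders not found:", ", ".join(missing) or "none")
```

Run it once as written to see the plan, then call `restore_shortcuts(..., dry_run=False)` to perform the copy.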

#9 TM_Paul


Posted 23 October 2011 - 02:52 AM

Yes, I completely agree with boopme's steps. It's a good thing he still got the correct paths. It's been a long time since I dealt with this. Currently busy with STUXNET's little brother DUQU right now, so I did have the time to dig up old documents. I will copy the locations if you don't mind. :thumbsup:

Thank you very much, boopme

Edited by TM_Paul, 23 October 2011 - 02:55 AM.






