
Thumb drive files are there but hidden


  • This topic is locked
11 replies to this topic

#1 Arrow92


Posted 20 February 2012 - 12:55 AM

Greetings, BC'ians!
I have a Kingston DT 101 G2 thumb drive. Around 4 months ago, my thumb drive was infected with a horrible virus. I knew all my files were there as when I checked under "properties", the used space was as it was before. However, the files were not there. A friend of mine helped me out. He told me the files were hidden. So, he used his ESET nod32 antivirus to clean my thumb drive and he gave me these instructions:

"STEP 1:
Plug your pendrive to USB port of your computer. Make sure it is detected.

STEP 2:
Start the command prompt by clicking Start>>Run, type cmd, then hit Enter.

STEP 3:
Find the drive letter for the connected USB drive. For example, G:
In command prompt, type G:
Then type
attrib -s -h /s /d *.*

Make sure that you put a space between each element in the code.
Hit Enter, wait a moment and this should unhide all your files on your pendrive."

Then he told me to cut and copy all my files, which would then return them to normal. It worked and I was overjoyed.

(A side note: all of the above happened using my then college roommate's laptop, which was what I used regularly as I at that time did not have a laptop of my own.) However, last week the same thing happened again on my home PC. My thumb drive, which I have not used in a few months, again had the same problem. There was a virus cleaned by my ESET nod32 but I forgot to take note of the name (my apologies). I searched around and followed these instructions:

Go to Tools >> folder option >> View and click on show hidden files; also uncheck the boxes that say hide extension for known files and hide protected operating system files (recommended)

It worked. However, I am wondering whether this is a permanent solution cause I have some very important documents on it and am a bit worried it will relapse again.

Thanks very much.

Aaron M.

"I am always ready to learn, although i do not always like being taught" - Winston Churchill

Who ever said that paper beats rock is a moron.Next time i see some one i am going to throw a rock at them while they hold up a piece of paper for a shield. - Anonymous




#2 boopme


Posted 20 February 2012 - 04:55 PM

To make your files visible again, please download the following program:

Unhide.exe

If you can, copy Unhide.exe to your removable drive and run it.

If the tool is located on your C: drive and you want to unhide files in your removable drive execute this.

x: unhide hit the enter key.

Change the x: to the drive letter assigned to your external drive.

Allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

This may take some time; please let it finish.

Edited by boopme, 20 February 2012 - 04:55 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
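
Both procedures above (the `attrib -s -h /s /d *.*` command in post #1 and Unhide.exe in post #2) clear the attributes on everything, so files that were hidden on purpose have to be re-hidden by hand afterwards. As an added example, not part of the thread and not a description of how Unhide.exe works, this PowerShell script records which items carry the Hidden or System attribute before clearing them, and can re-apply the recorded state later. The drive letter `G:\`, the CSV path, the `Mode` parameter and the `Set-Bits` helper are assumptions made for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# Assumptions: drive letter G:\ and the CSV path below are placeholders.
param(
    [string]$Drive  = 'G:\',
    [string]$Record = "$env:USERPROFILE\attrib-before.csv",
    [ValidateSet('Report', 'Clear', 'Rehide')]
    [string]$Mode   = 'Report'      # Report changes nothing on the drive
)

$mask   = [int]([System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System)
# Folders Windows itself keeps hidden on a volume; leave them alone.
$osDirs = 'System Volume Information', '$RECYCLE.BIN', 'RECYCLER'

# Hypothetical helper: write an attribute value, warning instead of stopping on failure.
function Set-Bits($item, [int]$value) {
    if ($value -eq 0) { $value = [int][System.IO.FileAttributes]::Normal }
    try   { $item.Attributes = [System.IO.FileAttributes]$value }
    catch { Write-Warning "Could not change $($item.FullName): $($_.Exception.Message)" }
}

if ($Mode -eq 'Rehide') {
    # Re-apply Hidden/System to the rows still present in the record. Before running
    # this, delete from the CSV every row for an item that should stay visible.
    foreach ($row in Import-Csv -Path $Record) {
        $item = Get-Item -LiteralPath $row.FullName -Force -ErrorAction SilentlyContinue
        if (-not $item) { Write-Warning "Missing: $($row.FullName)"; continue }
        $recorded = [int][System.IO.FileAttributes]$row.Attributes
        Set-Bits $item ([int]$item.Attributes -bor ($recorded -band $mask))
    }
    return
}

# -Force makes Get-ChildItem return hidden and system items too.
$items = @(Get-ChildItem -LiteralPath $Drive -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $top = $_.FullName.Substring($Drive.Length).TrimStart('\').Split('\')[0]
        (([int]$_.Attributes -band $mask) -ne 0) -and ($osDirs -notcontains $top)
    })

# Keep the record off the thumb drive so it survives whatever happens to the drive.
$items | Select-Object FullName, @{ n = 'Attributes'; e = { $_.Attributes.ToString() } }, LastWriteTime |
    Export-Csv -Path $Record -NoTypeInformation -Encoding UTF8
"{0} hidden/system item(s) recorded in {1}" -f $items.Count, $Record

if ($Mode -eq 'Clear') {
    foreach ($item in $items) {
        # Drop only Hidden and System; ReadOnly, Archive and the rest stay as they were.
        Set-Bits $item ([int]$item.Attributes -band (-bnot $mask))
    }
}
```

Run it once with `-Mode Report` to review the CSV, then with `-Mode Clear`; `-Mode Rehide` restores the Hidden/System bits for whichever rows are left in the CSV.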

#3 Arrow92


Posted 23 February 2012 - 04:12 AM

What I thought was a firecracker turned out to be an atomic bomb...

As of now, my computer is totally wiped out. I have nothing. At all... Allow me to tell you the events that happened.

I downloaded and executed the file that you gave. I then proceeded to copy and paste it inside my thumbdrive. I ran it. However, nothing changed. The files were still hidden. So I kept trying to run it and see what will happen, but no difference. I then decided to do as suggested by a pop up from the file and turn off my antivirus... That is when all hell broke loose. Everything I was using shut down. Some pop ups came up but I don't remember what it was. I restarted my computer and then came this:

Trend ChipAwayVirus has detected a boot virus on your hard disk!

Press <Enter> for more information
<C> to continue booting

If I press enter they ask me to insert a clean floppy disk, which I do not have (I think). If I choose to continue booting, I go to my desktop. Which is empty. No wallpaper, no files. When I go to the start button, everything is gone. It is just empty.

Please do advise on what to do next. Thank you very much

Aaron M.



#4 Arrow92


Posted 23 February 2012 - 04:17 AM

Okay, here is some breaking news.

As I was at my seemingly empty desktop, I noticed an odd thing... The Skype and antivirus programs were working fine (they are in the tool bar at the bottom right of the comp). I then decided to right click the start button and explore. I then went to folder options, used the steps as I mentioned earlier and lo and behold, my files were there. Hidden, but STILL THERE!

I am now running a full scan on my computer with my anti-virus. I plan to run the unhide file you gave me and see if things can go back to normal. Will keep you posted. Oh and if you have any comments and advice, please do, as I am still quite worried.

Thank you.

Aaron M.



#5 Arrow92


Posted 23 February 2012 - 06:08 AM

Another update:
I finished scanning my computer with ESET nod32. It found one virus but was unable to clean it. It is:

Operating memory » svchost.exe(1288) - a variant of Win32/Olmasco.O trojan - unable to clean

I googled the name of the trojan. I found another person on BC with the exact same symptoms as to what my computer displayed. http://www.bleepingcomputer.com/forums/topic422738.html

Also, I found a site with a step-by-step removal guide for the trojan. Please advise on the validity of the guide.
http://blog.teesupport.com/remove-win32olmasco-o-trojan-manually-get-rid-of-win32olmasco-o-trojan-absolutely/

Oh, and I also got a suggestion to do a system restore. Is that advisable?

Thank you very much.

Aaron M.

Edited by Arrow92, 23 February 2012 - 07:49 AM.



#6 boopme


Posted 23 February 2012 - 10:05 AM

After you run Unhide, you should also run a FULL scan with MBAM, with your drive connected.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform FULL Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

[b][url="http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial#troubleshoot"]Troubleshoot Malwarebytes' Anti-Malwa

#7 Arrow92


Posted 23 February 2012 - 11:04 AM

Just to reconfirm, do I run MBAM before or after Unhide? Cause the funny thing is, about half an hour before you replied, I installed and ran MBAM. Yes, I did a full scan but I only did it for C: drive. About 2 mins ago, it finished. Shall I continue with disinfection or run Unhide and THEN rescan and disinfect?

Aaron M.



#8 Arrow92


Posted 23 February 2012 - 12:26 PM

Alright, I have done as you wrote. However, since I happened to run the scan BEFORE receiving your reply (I only scanned C:), I removed all viruses. This is the report:

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216709
Time elapsed: 31 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKLM\SOFTWARE\Microsoft\DirectX\MSA (Malware.Trace) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\DirectX\MSB (Malware.Trace) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVRWSC (Trojan.Agent) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Taskman (Worm.Palevo) -> Data: C:\Documents and Settings\admin\jvxqnu.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\admin\My Documents\Downloads\freesystemscan(2).exe.part (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\My Documents\Downloads\freesystemscan.exe.part (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FCAA346-20F2-4F33-A922-BFBBB15C2E74}\RP428\A0266948.exe (Rogue.SystemCheck) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0FCAA346-20F2-4F33-A922-BFBBB15C2E74}\RP428\A0266950.exe (Rogue.SystemCheck) -> Quarantined and deleted successfully.

(end)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I then ran it a second time and scanned the whole computer, with my thumb drive connected, and I got this:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.23.02

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 7.0.5730.11
admin :: ASHLEY [administrator]

2/24/2012 12:23:52 AM
mbam-log-2012-02-24 (00-23-52).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245905
Time elapsed: 40 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I also ran unhide and all my folders and files on my desktop are back to normal. However, the same problem as earlier is still there. That is, unhide is not working on my thumb drive. I even copied the file into my thumb drive but still no luck. Oh and I forgot to mention earlier, I don't quite understand this part of your earlier instructions:

"If the tool is located on your C: drive and you want to unhide files in your removable drive execute this.
x: unhide hit the enter key.
Change the x: to the drive letter assigned to your external drive."

Due to my confusion, I did not attempt this procedure.

Thank you very much.

Aaron M.



#9 boopme


Posted 23 February 2012 - 01:09 PM

OK, let's get a deeper look.
Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run skip it and move on.

Let me know if that went well.

#10 Arrow92


Posted 24 February 2012 - 12:43 AM

Sure thing will do. But just a side note, all scans on MBAM are coming up clean. However, this keeps coming up every time I boot up my computer:
"Trend ChipAwayVirus has detected a boot virus on your hard disk!

Press <Enter> for more information
<C> to continue booting"

Any idea what it means?

Thank you.

Aaron M.



#11 Arrow92


Posted 24 February 2012 - 03:07 AM

Have followed instructions and opened new thread:

http://www.bleepingcomputer.com/forums/topic443926.html

Thank you.

Aaron M.



#12 boopme


Posted 24 February 2012 - 11:16 AM

That's good, they will find the boot virus also.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 5 days and ALL logs are answered.

To avoid confusion, I am closing this topic.



