#61
Member (4 bit)
Join Date: Feb 2012
Location: Central Florida
Posts: 8
So far, what I am getting is that the System Restore is no longer configured. Not sure how they did that one. Under Local Computer Policies>Computer Configuration>Administrative Templates>System, nothing seems to be configured at all!

#62
Member (4 bit)
Join Date: Feb 2012
Location: Central Florida
Posts: 8
OK.. it seems that those things weren't configured because I never configured them. However, I have a whole host of System Restore not being able to initialize in my event viewer. What I think is happening is either a change in the registry key so it can't be found now or all of those executable files for it are somehow corrupted. There are over a hundred of them. I have directly clicked on them individually and keep getting the same message as before from all of them so I'm thinking it must be a registry problem that redirects it somehow when it attempts to open. I don't know... I'm scratching my head on this one.

#63
Member (4 bit)
Join Date: Feb 2012
Location: Central Florida
Posts: 8
More update on the System Recovery issue. When I do a net start "System Restore Service" at the C prompt on the desktop... I get this reply:
The System Restore Service is starting.
The System Restore Service could not be started.
The system could not find the file specified.
When I click directly on the exe file, I get that message that I told you about earlier. Hope this might give you a clue to what it might be. I have my fingers crossed!

#64
Served with Pride
Staff
Premium Member
Check your Services list and see if RPC (Remote Procedure Call) is started. In the Run box type: services.msc. RPC is the only dependency for System Restore. Maybe your issue is tied to a problem w/RPC. Also, did you run the SFC yet?

#65
Member (4 bit)
Join Date: Feb 2012
Location: Central Florida
Posts: 8
Ok.. finally fixed it with a re-install. This doesn't allow me to go back and pick an earlier version, even though I can see them on my computer, but since it had been disabled in some fashion, I couldn't get to them anyway. At least I have it working now, however. I found the solution on this website:
Service Pack 3 "sr.inf" file needed for System Restore

#66
Member (1 bit)
Join Date: Feb 2012
Posts: 1
I guess I'm not bumping too hard...
Just had a similar virus, the error window looked valid enough. It wasn't until I was partway through the process where I saw I could get the "full" version. Anyway, same problems, all of my folders/files are hidden. The only reason I knew I had any data was that I had other startup programs running (and I got through bios and booted windows...). First off, everything is just hidden. If you have any data you need to keep, unhide the folders and ship them somewhere else.
My Fix, nothing too complicated:
- Entered the run dialog (windowsbutton-r) and loaded up msconfig
- Found a very strange item in my startup menu (which pointed to an exe in an application data folder). I disabled it. The next time I started windows, no sign of the virus, just all of my folders hidden.
- Entered c: via the run dialog
- Viewed Hidden files, selected all of the folders, and changed them to not be hidden or read only.
- A file said "you can't do that" so I ignored all for the rest of the process.
- Then I used CCleaner to scan the registry and fixed errors (I love this program).
- Did a system restore (I feel that it has troubles when files are hidden)
- The first time hung, and I rebooted (already prepared for windows to be completely broken).
- After rebooting, everything was back to normal, no missing folders/shortcuts, and the folder that had the virus no longer existed.
- Did another system restore, this time with no issues.
Everything is working now, just got a message that I need to do a windows update.

#67
Member (1 bit)
Join Date: Mar 2012
Posts: 1
Thanks for all the info above, I have almost recovered back from my "system check" malware disaster.
I have 2 concerns still though.
1. I can't complete a system restore. It goes through the motions, even seems to restore. Gets to the end and says "unable to restore to #date" or something??
2. What do I do with the offending "system check" software? It is still on there and if I try to uninstall, will it just happen all over again? Can I just delete the whole lot without causing problems?
Note: I have done nothing with the registry. Is there a decent reg fixer out there I don't have to buy to fix more than 15 problems?
Last edited by Biscuits; 03-20-2012 at 09:19 PM.

#68
Member (1 bit)
Join Date: Mar 2012
Posts: 1
Just wanted to say a big thank you to this forum for helping me fix my father-in-law's PC!
In the hope that this helps someone else, here is a rundown of what happened… My father-in-law runs Windows XP and after visiting a site instantly got pop-ups/alerts saying 'windows delayed write failed'. The whole machine died and when trying to start he had the blue screen of death and the message 'unmountable_boot_volume'. Managed to get the machine to boot again using the Windows installation disk and chkdsk /r from the Recovery Console. When the machine booted, AVG found the virus win32/kryptik.co and successfully removed/quarantined it, so I thought all was good. However, the machine appeared empty, nothing from the start menu, i.e. no programs, just said empty, and all documents, photos etc. all gone! Very weird, nothing visible at all! After a Google search ‘programs and files hidden by virus’ found this forum, saw the initial help of running the command from the command prompt cmd. However, I had no obvious access to cmd prompt, then after further reading found the link to the unhide.exe, ran this and it fixed everything! All files, folders and programs unhidden, all visible again, fantastic. Panic over, all those family photos/memories all preserved, just got to get him a good backup routine sorted now! Thanks again, hope the above helps someone else.

#69
Member (2 bit)
Join Date: Apr 2012
Posts: 2
Access Denied Attrib Command ITS worker
Hello,
My name is pkerkm... I work for the ITS department of my school. This is a work study job the school has; we fix computer and related problems. We have had this malware/virus/bug that hides the students' folders. We have tried the following tools that I've seen in this post:
unhide.exe
tdsskiller.exe
We use ccleaner, malware bytes, super anti-spyware, norton power eraser. Also, we have done "tools"-> "folder options"->"view"; I have unchecked and checked the right options. I ran unhide.exe, it ran correctly, but didn't work. I ran tdsskiller and it found the root virus, it "cured" it, and restarted and it did not work. ccleaner, malware bytes and super anti-spyware did find bad "things" and removed them. norton power eraser also deleted whatever it was infected by. After each of the tools I've mentioned above, I've run the following code in the command prompt (my code is in "example"):
E:\>"cd\"
C:\>"dir\ah"
C:\>"attrib *. -h -s -r /d /s"
C:\>access denied "filepath/folderpath"
We are quite computer savvy, but we are probably doing something wrong. Please leave a reply to this post, thanks. P.S. We have had this problem since last year for many computers.

#70
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,163
In a school situation, you would be better off wiping and reimaging the infected machines.

#71
Member (2 bit)
Join Date: Apr 2012
Posts: 2
We have done that in the past, but now we are trying to see how we can fix it. We think that the virus is in the network affecting students' computers, or they download files from the internet, and that is how they are getting them.
Our priority is not to re-image; that is our last option. It does work, and it doesn't take long, but we want to know how to do it. Our main problem is that we keep getting access denied when doing the attrib command.

#72
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 41,163
If you have Vista or 7, you need to run the command prompt as administrator.

#73
Member (1 bit)
Join Date: Apr 2012
Posts: 1
I'm having this same problem and I have Vista. How do I get rid of this virus....PLEASE HELP!
Last edited by jai37; 04-16-2012 at 09:01 PM.

#74
Staff
Premium Member
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,555
jai37. Please read through the entire thread to see if it answers your question, also, could you please be a little more specific about the infection your computer has encountered and give us the specifications of your computer.
__________________
Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.

#75
Member (1 bit)
Join Date: Jun 2012
Posts: 1
Thank you
Thanks everyone! I created a profile just to express my gratitude. I think my wife downloaded something. Not sure, but basically my user account became invisible (and by consequence our documents, music, icons, et al). Anyway we ran TDSSKiller, found an infection, and then ran Unhide. I didn't even need to restart. I figured I could just log off and log back in immediately if it worked, and sure enough everything was completely restored - icons and all. There was a bit of a lag as the media re-populated, but it was all there as before. Thank you so much! My wife thinks I'm a genius.

#76
Member (1 bit)
Join Date: Jul 2012
Posts: 1
Just an addition, had the same problem, scanned as a slave in my own pc
found viruses but couldn't delete boot sector virus. Booted with TDSSKiller and it found and removed the RootKit, but loading windows my desktop and filesystem were still hidden. Tried installing Malwarebytes but it wouldn't complete installation. So I downloaded combofix, ran it, once it had completed it came up with about 20 files it had deleted, all my desktop icons, menu items and filesystem icons returned as normal.
If anyone still has trouble with this, to access files when they are all hidden you can use the TaskManager by pressing Ctrl and ALT and Delete.
Click File > New Task (Run), type c:\ in the box to bring up a folder and do Tools > Folder Options > Click View Tab and select "Show Hidden files and folders", click Ok.
In the task Manager again click File > New Task (Run) and type iexplore. This will load Internet Explorer so you can download any antivirus tools (Firefox wouldn't open for me).

#77
Member (1 bit)
Join Date: Aug 2012
Posts: 1
Hey
sorry to bring back the dead. I've encountered this virus a numerous amount of times and honestly I think this most recent time is the only time I've managed to defeat it.
Though I will say that I have luck when engaging against it. I've always been able to log in. Initial boot to see what I'm dealing with allows time for all services to start up. This in turn allows the malware to deactivate accordingly. What I do is as soon as I enter the log in password, I ctrl+alt+del and run msconfig and disable all services and start up programs. Reboot. This stops everything from starting UNLESS it's needed. From here I google (my best friend) all services to make sure they're not malicious. I can now boot without having it annoy the crap out of me. I used MBAW and Unhide.exe to remove and get my stuff unhidden. I'm still in the process of being thorough, but once I was able to move around with taskmgr and run, I got into programdata and deleted the files with weird names that google couldn't give me info on. Emptied bin and hopefully that does it for me. I've been doing basic IT for a while now, and I'm starting to get into the nit and grit of it. I'll be a regular around here. And thank you for the info! I just wanted to post my experiences here.
****
As Unhide.exe log shows

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  * NoActiveDesktopChanges policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
  * DisableTaskMgr policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
  * HidNoChangingWallPaperden policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  * Start_ShowControlPanel was set to 0! It was set back to 1!
  * Start_ShowHelp was set to 0! It was set back to 1!
  * Start_ShowMyComputer was set to 0! It was set back to 1!
  * Start_ShowMyDocs was set to 0! It was set back to 1!
  * Start_ShowMyMusic was set to 0! It was set back to 1!
  * Start_ShowMyPics was set to 0! It was set back to 1!
  * Start_ShowPrinters was set to 0! It was set back to 1!
  * Start_ShowRun was set to 0! It was set back to 1!
  * Start_ShowSearch was set to 0! It was set back to 1!
  * Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
  * Start_ShowRecentDocs was set to 0! It was set back to 2!
  * Start_ShowNetConn was set to 0! It was set back to 1!
  * Start_ShowNetPlaces was set to 0! It was set back to 1!
  * Start_TrackDocs was set to 0! It was set back to 1!
  * Start_ShowUser was set to 0! It was set back to 1!
  * Start_ShowMyGames was set to 0! It was set back to 1!
Restarting Explorer.exe in order to apply changes.
Program finished at: 08/05/2012 05:49:34 PM
Execution time: 0 hours(s), 12 minute(s), and 47 seconds(s)

Posted for those that used unhide and got nothing maybe if you did these values manually.
Last edited by ITParedes; 08-05-2012 at 04:56 PM. Reason: posted unhide log result
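
Added example, not part of the thread and not code from the Unhide tool: a read-only PowerShell audit that reports whether the registry values named in the log above are currently set for the logged-on user. The helper name `Get-RegistryValueOrNull` is hypothetical, the script assumes PowerShell 2.0 or later is installed, and it changes nothing.

```powershell
# Added example: read-only check of the values listed in the Unhide.exe log.
# Paths and value names are copied from that log; nothing is modified.

# Policy values the log reports as "found and deleted".
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
       Name = 'NoActiveDesktopChanges' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System'
       Name = 'DisableTaskMgr' }
)

# Start menu values the log reports as "set to 0".
$advancedPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$startNames = @(
    'Start_ShowControlPanel', 'Start_ShowHelp', 'Start_ShowMyComputer',
    'Start_ShowMyDocs', 'Start_ShowMyMusic', 'Start_ShowMyPics',
    'Start_ShowPrinters', 'Start_ShowRun', 'Start_ShowSearch',
    'Start_ShowSetProgramAccessAndDefaults', 'Start_ShowRecentDocs',
    'Start_ShowNetConn', 'Start_ShowNetPlaces', 'Start_TrackDocs',
    'Start_ShowUser', 'Start_ShowMyGames'
)

# Hypothetical helper: returns $null when the key or the value does not exist.
function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
foreach ($check in $policyChecks) {
    $data = Get-RegistryValueOrNull -Path $check.Path -Name $check.Name
    if ($null -ne $data) {
        $findings += New-Object PSObject -Property @{
            Key = $check.Path; Value = $check.Name; Data = $data
            Finding = 'policy value present' }
    }
}
foreach ($name in $startNames) {
    $data = Get-RegistryValueOrNull -Path $advancedPath -Name $name
    # A 0 can also be a user's own Start menu setting, so treat it as a lead.
    if (($null -ne $data) -and ($data -eq 0)) {
        $findings += New-Object PSObject -Property @{
            Key = $advancedPath; Value = $name; Data = $data
            Finding = 'Start menu item hidden (0)' }
    }
}

if ($findings.Count -eq 0) { 'None of the values from the log are set.' }
else { $findings | Format-Table -Property Key, Value, Data, Finding -AutoSize -Wrap }
```

The HKCU checks apply only to the account running the script, so run it while logged on as the affected user.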