Virus Cleaned - All files, folders HIDDEN SYSTEM - SOLVED!

[Petef56]

Here's a new one. I cleaned this WinXP computer of a virus by slaving it to a clean computer and running 3 different scans. I notice by the color of the folders that all the folders are Hidden. It appears that the virus changed the atributes of all the files and folders on drive C: to be HIDDEN SYSTEM files!

Next I issue the following commands at the command prompt...
c:\
attrib -h -s *.* /S /D

The above command resets all the files to be non-system and unhides them.

My concern now is that by default, Windows specifies certain files or folders as SYSTEM and/or HIDDEN and and now that is NOT the case. Is there any way to restore the attributes without performing a repair install of WinXP and all the updates?

Also..
What would be the harm or risks in leaving all the files as non-system and unhidden?

---pete---

[EzyStvy]

Quote:

Originally Posted by Petef56 Next I issue the following commands at the command prompt... c:\ attrib -h -s *.* /S /D The above command resets all the files to be non-system and unhides them.

You're the second person I've seen this week with this issue

The way you did the command did the entire hard drive. You could go back and do +h+s on specific folders.

[Petef56]

Quote:

Originally Posted by EzyStvy You're the second person I've seen this week with this issue The way you did the command did the entire hard drive. You could go back and do +h+s on specific folders.

Yeah, but even if we knew which Windows folders and files were originally set up as "system" or "hidden", it would be too labor intensive to reset them manually using the attrib command.

---pete---

[glc]

It's gonna be faster to do a repair reinstall.

[Petef56]

Quote:

Originally Posted by glc It's gonna be faster to do a repair reinstall.

Do you think it's really necessary?
In other words, what's the harm in having all the files as unhidden and non-system?

---pete---

[glc]

It just won't work right.

[Petef56]

Quote:

Originally Posted by glc It just won't work right.

OK, thanks. That's what I needed to know.

---pete---

[4orced4door]

Hey guys, I signed up just to let you know I found a solution for this, at least in my case. I ran into the same deal today, the virus hid all the files on the hard drive. From a command prompt dir shows nothing, you have to dir /ah everything. I too was worried about just mass changing everything with attrib.

I started doing my normal cleanup and the first thing I did was run Kaspersky's TDSSKiller rootkit removal tool. It found and cured an infection, and when I rebooted the PC the file structure amazingly looked normal again. Desktop icons are still hidden, but the root of the C drive looks normal. So a repair install may not be necessary. Still cleaning up the infected system but I was shocked to see the hidden files go back to normal.

Here's a link to the utility I'm talking about (you could also probably use GMER). I've been using this on all infected PCs I clean (maybe 10 a week) and I'm seeing like 30-40% of them infected with this rootkit lately.

How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

[Petef56]

Quote:

Originally Posted by 4orced4door I started doing my normal cleanup and the first thing I did was run Kaspersky's TDSSKiller rootkit removal tool. It found and cured an infection, and when I rebooted the PC the file structure amazingly looked normal again. [/url]

My normal routine in cleaning is to remove the HD, and do my scans with HD slaved to a clean PC. I run TDSSKiller, NOD32, Malwarebytes and SAS.

In the case of this thread, TDSSKiller didn't fix the "hidden" folders problem.

Thanks anyway for the tip. I wound up restoring the entire system (Image backup) to an earlier date and then restoring all the data.

---pete---

[Panama Red]

Quote:

Originally Posted by glc It's gonna be faster to do a repair reinstall.

I wish the fix were that easy. I got one today with the same type of infection - Windows Security Alert/failing hard drive.

Booted to Safe w/Networking but could not open TDSSkiller or Malewarebytes. Pulled the hdd and scanned with it slaved to my laptop. TDSSkiller found nothing. MBAM found 4 problems and MSSE cleaned 6 along the way of the MBAM scan. All files appeared hidden when connected to my laptop. Reinstalled hdd and tried to boot but no matter whether SAFE or Normal, it went into a reboot loop. Disabled restart on error and BSOD showed 7B error. Ran chkdsk/r - didn't fix reboot. Booted to XP Pro disk and ran Recovery Console with commands to fixboot and fixmbr. Still in a reboot loop. Did repair install. Fixed reboot issue but would not start until XP is activated and desktop was blank. Rebooted to Admin account and had only the desktop background - nothing else. I'm reinstalling XP Pro as I type this. This Dell Vostro 1500 doesn't have a restore partition. Either that or the virus crippled that option too. What a PITA!

[rjfvillarosa]

I have been following this thread out of interest. Last Saturday I was asked to repair a netbook with what turned out to be the worst infection I have ever come across. After slaving the harddrive and cleaning it I reinstalled it to find not a single application would run, none of the icons in the Control Panel worked, I couldn't even get the Task Manager to run. A Nuke and Pave sorted it out, these rogue antivirus programs are getting worse.

[kilgoretrout]

Quote:

After slaving the harddrive and cleaning it I reinstalled it to find not a single application would run, none of the icons in the Control Panel worked, I couldn't even get the Task Manager to run.

I had the identical problem; the specific malware was one of the fake antivirus variety. I was able to cleanup the infection with malwarebytes but the malware had made changes to the registry that broke the exe file association causing most executables to no longer run. After googling around I found registry edits to fix that but then windows update was broke. That was caused by several dlls needed by windows upate being deregistered. Fixed that and finally got the thing back to normal.

Bottom line from all this is that it appears that current malware is making registry edits and other system changes that persist even after the malware is removed. Current antimalware applications are unable to find and repair all the system changes made by current malware and those changes persist even after the malware executable is removed by the antimalware app. Chasing down all those system changes and registry edits has become so labor intensive that it may now be easier to backup personal data and do a nuke and pave. My general procedure is to try a repair with thorough antimalware scans in safe mode or with hard drive removed. Assess the remaining damage and see if I can fix it quickly with the tricks I readily know. If not, try a repair install and if that fails it's nuke and pave time.

[Panama Red]

Quote:

Originally Posted by kilgoretrout I had the identical problem; the specific malware was one of the fake antivirus variety. I was able to cleanup the infection with malwarebytes but the malware had made changes to the registry that broke the exe file association causing most executables to no longer run. After googling around I found registry edits to fix that but then windows update was broke. That was caused by several dlls needed by windows upate being deregistered. Fixed that and finally got the thing back to normal. Bottom line from all this is that it appears that current malware is making registry edits and other system changes that persist even after the malware is removed. Current antimalware applications are unable to find and repair all the system changes made by current malware and those changes persist even after the malware executable is removed by the antimalware app. Chasing down all those system changes and registry edits has become so labor intensive that it may now be easier to backup personal data and do a nuke and pave. My general procedure is to try a repair with thorough antimalware scans in safe mode or with hard drive removed. Assess the remaining damage and see if I can fix it quickly with the tricks I readily know. If not, try a repair install and if that fails it's nuke and pave time.

Sounds like you and I are on the same page when it comes to cleaning systems. Seems like we hit the wall like this periodically when the bad guys make a quantum leap ahead of the good guys. Hopefully, MBAM's folks will develop a fix for this. Good luck to us all, eh?

[rjfvillarosa]

Quote:

Originally Posted by Panama Red Sounds like you and I are on the same page when it comes to cleaning systems.

You can add my name to that page list PR.....

[Panama Red]

Update: I had another pc over the weekend that was infected the same way. Once the virus was removed by putting the hard drive in another machine, the files were all hidden as were most of the programs on the start menu. I tried everything I could think of and was just about to nuke and pave. One place I hadn't checked before was the MBAM forums. There I found mention of a little program called unhide.exe. Further checking showed it also recommended at bleepingcomputer.com.

[Petef56]

Quote:

Originally Posted by Panama Red Update: I had another pc over the weekend that was infected the same way. Once the virus was removed by putting the hard drive in another machine, the files were all hidden as were most of the programs on the start menu. I tried everything I could think of and was just about to nuke and pave. One place I hadn't checked before was the MBAM forums. There I found mention of a little program called unhide.exe. Further checking showed it also recommended at bleepingcomputer.com.

Is there a link to info about unhide.exe?

I'd like to find out more about the program. For example, does it unhide all files & folders and what about the "system" files? In my case the computer had all the file attributes set as "hidden" and "system".

---pete---

[Panama Red]

It only unhides the folders/files that were changed, Pete. It does nothing with the system files. and there's no need for you to mess with attributes. It just restores things back to normal.

[scottinvausa]

Thanks Panama, unhide.exe worked great for the most part (see below,) and it fixed the WindowsUpdate problems, saved the Repair step (thus far.)
Now onto resolving the hidden desktop items and disabled right-click on the desktop (right-click works fine on the taskbar though.) Will probably end up nuke and paving this one, but I have a little time before the boss needs it back. It's clean now, I just need to clean-up. First indications of an infection were popups alerting him of disk errors.

[rwest]

Just a bit of update for this critter.

Unhide did not work for me untill after a repair install. I still have an issue with the main users desktop. But so far everything else seems okay.

[seagull]

ok I had to butt in here. I got the trojan this AM. I was in a panic but here is what I did on vista 64 bit.


Went to safe mode and opened Malwarebites. It found 4 trojans and cleaned them out.

Ran it again to make sure. Rebooted and like stated above Most of my files were gone/hidden.

Lucky me I came here and linked to
' Un hide" and ran it. Rebooted and there they were back thank god. Some of the SHORTCUTS were gone but I was able to restore all that I tried so I think I am OK.

I thought this might help others

PS I did not do a windows repair
pps I did not have any trojans last night because I scaned before I shut down for the night.

[glc]

To get the shortcuts back:

Solution for missing start menu shortcuts

[rjfvillarosa]

And another nasty bites the dust.
Using all the info in this thread I have just brought my sisters machine back to normal, well done guys.

[Leethar]

I registered just to weigh in on this post.

1st; thanks to the previous posters for info. I got hit with this virus about 4 days ago when Frostwire wanted to update itself and came with this free "Gift". the Unhide was the last(?) step I was missing.

Quote:

Originally Posted by scottinvausa Now onto resolving the hidden desktop items and disabled right-click on the desktop (right-click works fine on the taskbar though.) Will probably end up nuke and paving this one, but I have a little time before the boss needs it back. It's clean now, I just need to clean-up. First indications of an infection were popups alerting him of disk errors.

Scott (and those that follow with the same issue),
I solved my desktop icons, right-click, and no wallpaper issue though regedit; the Virus changes (adds?) some policy settings. Go into regedit and search for NoDesktop. Right-click on the word "NoDesktop", select modify, and change the value to 0 (as in zero). I also found 2 other policies set to 1 in the same grouping and changed them to a zero (0 = no, 1 = yes). I believe they were "NoActiveDesktop" and something about changing wallpaper.

As a side note for those who have never edited their registry; my advice is to 1st back up important data, 2 export a copy of the reg so you can restore (under "file" in the reg editor), and 3 only mess around with editing your reg if you're 1 step from reinstalling windows anyway.

[Leethar]

I just found one more thing the virus did; blocked my windows updates. I don't know if this issue exists for computers in the corporate world since windows updates are usually handled differently...

What I had happening is the automatic update program and Microsoft's site said I had the automatic updates turned off. However, going into control panel -> system -> Automatic Updates I could see that it was on.

I found my solution eventually after looking through Microsoft's support forum for the error code I got when trying to install the updater (0x80070424).

» Click on Start -> Run
» Paste the command below and enter

%SYSTEMROOT%\SYSTEM32\REGSVR32.EXE %SYSTEMROOT%\SYSTEM32\WUAUENG.DLL

(The solution was found at Error number: 0×80070424 in Windows Update – Solution - Techie Corner)

HOPEFULLY, I have it all fixed now...

[massergio]

I recently got a virus... it came from the LATEST FLASH/... what happened was a popup flash add wich i clicked to shut... some how downloaded a virus via FLASH i do btw have ADBLOCK + wich for what ever reason this add got around its filters (its not perfect but pretty good FF addon). What happened with me was that the flash downloaded this virus, and ran it as a Flash(game?) wich some how took control over my windows 7 PC... it began stating with XP widnows "Windows 7 unregistered antivirus click here to register" windows kept asking allow this program yes no over and over no matter how many times i hit no. The virus somehow created an overlay wich blocked MSSE Virus scanner and blocked task manager from ending process... also it blocked MSCONFIG from comming up to prevent it from start up... yeah its a darn good virus. Anyhow the reason I came to post here is becuase this forum saved my computer. I wanted to thank all of you.

Here is what I did... I rebooted (it kept starting the virus wich said it was deleting files) into safe mode w/o internet connection to override the virus(incase it tries to redownload or some bs)... in Safemode I looked around at my folders they all had locks on them and all the content was missing (deleted?) i pannicked for a second... but decided to run SYSTEM RESTORE that helped me stop the virus at start up so I rebooted into W7 normally. Next I checked my folders none of my programs would run wich I have installed. Nothing seemed to work right... even Firefox virus scanner all was for some reason not starting up. Next, I went to my User folder nothing was in there i was in complete shock becuase I know a virus can't delete (only modify) your files unless you some how give it permission to do so. Next I checked folder properties apparently THE FILE SIZE of my DISK WAS STILL USED... so I goofed around a bit and noticed all my files went hidden on me so I unhid them manually. Now i was able to see my contents and they were switched over to read only mode not allowing programs to execute still... so I entered folders changing attributes off of read only. EDIT: Eventually I managed to start up Ccleaner and,,,, Nevermind that what I meant was in Ccleaner I swiped the recomended things like I ticked all the firefox things and registry clean up etc not ENTIRE DISK i forgot it had an option for that don't do that I don't know what it does wow would i be mad if someone ccleaned theyre disk blank lol. Next I got MSSE to start and ran that it found a virus in FF apps folder in W7(that was the sucker that flash downloaded) Next I some how in 2 hours of confusion came across this forum wich was a great help due to unhide.exe that saved my life. The thing was this virus hid every folder... that some how messed with my programs and files becuase nothing would start up right. I checked MSCONFIG and all seemed normal.

I later went on youtube (since I imagine it's a safe site) went to a FLASH VIDEO, right clicked, selected "Global Settings..." then I selected in the pop up FLASH menu "BLOCK ALL SITES FROM STORING INFORMATION ON THIS COMPUTER" Clicked ok... and have not had a problem since.

Normally I only use MSSE becuase to me it's always done the job right with out bloat ware but given this fiasco I decided to run a second scanner and internet google and youtube results recommened highly malwarebytes so I installed that and ran it as well for good measure... malwarebytes (free version) found over 6viruses MSSE missed... I deleted them and all has been good ever since.


The main reason I signed up (this is why i did) is to THANK YOU ALL FOR MAKING THIS POST! The recommended program "unhide.exe" was what I downloaded as a spectator and it saved my PC. I tried the command prompts to unhide everything what ever this virus did was hardcore it would not work with any commands. Thank you again so much... you saved me so much dear time. MY files have been unhidden and restored to their propper attributes. All programs work now, the virus is gone, I was able to self rescue my computer, MANY Thanks to all of you. I mean it from the bottom of my heart becuase I have a few games I would just hate to redownload via steam again(it takes hrs) and not to mention all my software. Man if it wasn't for this forum post I would have given up. I am so lucky I found this. Thank Goodeness for this and google. :|

I'm sorry if any info here is a tad off im remembering it all from memory. This happened about last week (last sat) and I could not post for some reason after signing up? Anyhow Thanks. Really I can't say thank you enough!

[massergio]

Ah before I forget THE VIRUS STATED ACCORDING TO TASK MANAGER... was ifi.exe when I tried to shutit Task Manager stated that it was an official widnows process... I am uncertain if IFI.exe is an official windows process... but a google result on it bruaght me NOTHING... maybe one of you can confirm it becuase after the virus it has never appeared again? that was the process wich was running... I'm assuming that was the virus. ifi.exe mentioned for google search results.

[massergio]

For those of you trying to find your hidden desktop applications and folders files etc... windows 7 do this, open start menu, search "hidden folders", click result ""show hidden files and folders" now it should be in view tab, scroll to "hidden files and folders" there should be bubbles, select the bubble that says "show hidden files, folders, and drives" that should bring back your stuff with a ghost looking transperancy (becuase it's still hidden)... after thats said and done you can begin right clicking and "unhide" the folders and files. I wish you all the best of luck! This virus has been resolved. Again, I'm going off of memory sorry my instructions are somewhat broken. Be paitient and read and you will see you can restore your computer back nothing was deleted only hidden. I got all the failing hd notices as well as the other users now all is back to normal everything is running tip top. Again it wouldn't be possible without unhide.exe thank you so much forum posters for your help, even though you weren't replying to me, you helped me lol, Peace. -

[poogs1112024]

Many many thanks! My brother has ALS and uses his special computer to communicate. It is a MyTobii P10 (Reliable AAC device with integrated eye control)

This virus broke his computer and took away his only means of communicating. This forum helped me fix it. THANK YOU THANK YOU THANK YOU.

[jbeabout]

I was able to clean it off and unhide everything! But did any of you have your shortcuts go missing under almost all program folders? It just says folder empty like it deleted the .lnk files. If so is there any easy way of getting all of those back? Thanks!

[Panama Red]

Look up above in post #21 for a link.