Virus Cleaned - All files, folders HIDDEN SYSTEM - SOLVED!

Discussion in 'Online Security' started by Petef56, Apr 8, 2011.

  1. Petef56

    Petef56

    Joined:
    May 18, 2007
    Messages:
    686
    Location:
    USA, New Jersey
    Here's a new one. I cleaned this WinXP computer of a virus by slaving it to a clean computer and running 3 different scans. I notice by the color of the folders that all the folders are Hidden. It appears that the virus changed the attributes of all the files and folders on drive C: to be HIDDEN SYSTEM files!

    Next I issue the following commands at the command prompt...
    c:\
    attrib -h -s *.* /S /D

    The above command resets all the files to be non-system and unhides them.

    My concern now is that by default, Windows specifies certain files or folders as SYSTEM and/or HIDDEN and now that is NOT the case. Is there any way to restore the attributes without performing a repair install of WinXP and all the updates?

    Also..
    What would be the harm or risks in leaving all the files as non-system and unhidden?

    ---pete---
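
A narrower alternative to the drive-wide `attrib -h -s` reset in the post above, as an added example that is not part of the original thread: it records every Hidden+System item to a CSV before touching anything, and skips a short list of names that Windows XP itself marks Hidden+System. The drive letter `E:` (the cleaned disk slaved to a clean PC), the manifest path and the `$KeepNames` list are assumptions, and the list is not exhaustive.

```powershell
# Added example, not from the thread. $Root, $Manifest and $KeepNames are
# hypothetical values chosen for illustration.
param(
    [string]$Root     = 'E:\',                          # cleaned disk on a clean PC
    [string]$Manifest = "$env:TEMP\attrib-before.csv",  # record of the prior state
    [switch]$Apply                                      # without -Apply: report only
)

# Names Windows XP marks Hidden+System by default (constructed, non-exhaustive).
# Anything with one of these names, or located under a folder with one, is skipped.
$KeepNames = 'boot.ini','ntldr','NTDETECT.COM','pagefile.sys','hiberfil.sys',
             'IO.SYS','MSDOS.SYS','desktop.ini','System Volume Information','RECYCLER'

# Hidden (2) + System (4) as a plain integer bit mask.
$mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System

# -Force is required, otherwise hidden and system items are not enumerated at all.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ([int]$_.Attributes -band $mask) -eq $mask }

# 1. Save the current attributes so an over-broad change can be reversed.
$items |
    Select-Object FullName, @{ n = 'Attributes'; e = { [int]$_.Attributes } } |
    Export-Csv -Path $Manifest -NoTypeInformation

# 2. Clear Hidden+System on everything except the protected names.
foreach ($i in $items) {
    $protected = $i.FullName.Split('\') | Where-Object { $KeepNames -contains $_ }
    if ($protected) { continue }

    if ($Apply) {
        $i.Attributes = [IO.FileAttributes]([int]$i.Attributes -band (-bnot $mask))
    } else {
        "would clear: $($i.FullName)"
    }
}
```

The manifest captures the state at scan time, that is, after the malware changed the attributes; it makes the script's own changes reversible but does not recover the original Windows defaults.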
     
  2. EzyStvy

    EzyStvy Computing Professor Staff Member

    Joined:
    Dec 30, 1999
    Messages:
    10,183
    Location:
    Dallas, Tx
    You're the second person I've seen this week with this issue:eek:

    The way you did the command did the entire hard drive. You could go back and do +h+s on specific folders.
     
  3. Petef56

    Petef56

    Joined:
    May 18, 2007
    Messages:
    686
    Location:
    USA, New Jersey
    Yeah, but even if we knew which Windows folders and files were originally set up as "system" or "hidden", it would be too labor intensive to reset them manually using the attrib command.

    ---pete---
     
  4. glc

    glc Forum Administrator Staff Member

    Joined:
    May 26, 2000
    Messages:
    47,481
    Location:
    Joplin MO
    It's gonna be faster to do a repair reinstall.
     
  5. Petef56

    Petef56

    Joined:
    May 18, 2007
    Messages:
    686
    Location:
    USA, New Jersey
    Do you think it's really necessary?
    In other words, what's the harm in having all the files as unhidden and non-system?

    ---pete---
     
  6. glc

    glc Forum Administrator Staff Member

    Joined:
    May 26, 2000
    Messages:
    47,481
    Location:
    Joplin MO
    It just won't work right.
     
  7. Petef56

    Petef56

    Joined:
    May 18, 2007
    Messages:
    686
    Location:
    USA, New Jersey
    OK, thanks. That's what I needed to know.

    ---pete---
     
  8. 4orced4door

    4orced4door

    Joined:
    Apr 11, 2011
    Messages:
    1
    Hey guys, I signed up just to let you know I found a solution for this, at least in my case. I ran into the same deal today, the virus hid all the files on the hard drive. From a command prompt dir shows nothing, you have to dir /ah everything. I too was worried about just mass changing everything with attrib.

    I started doing my normal cleanup and the first thing I did was run Kaspersky's TDSSKiller rootkit removal tool. It found and cured an infection, and when I rebooted the PC the file structure amazingly looked normal again. Desktop icons are still hidden, but the root of the C drive looks normal. So a repair install may not be necessary. Still cleaning up the infected system but I was shocked to see the hidden files go back to normal.

    Here's a link to the utility I'm talking about (you could also probably use GMER). I've been using this on all infected PCs I clean (maybe 10 a week) and I'm seeing like 30-40% of them infected with this rootkit lately.

    How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
     
  9. Petef56

    Petef56

    Joined:
    May 18, 2007
    Messages:
    686
    Location:
    USA, New Jersey
    My normal routine in cleaning is to remove the HD, and do my scans with HD slaved to a clean PC. I run TDSSKiller, NOD32, Malwarebytes and SAS.

    In the case of this thread, TDSSKiller didn't fix the "hidden" folders problem.

    Thanks anyway for the tip. I wound up restoring the entire system (Image backup) to an earlier date and then restoring all the data.

    ---pete---
     
  10. Panama Red

    Panama Red If I'm not here, I may be cruisin'! Staff Member

    Joined:
    Apr 8, 2003
    Messages:
    14,773
    Location:
    near the left coast of Michigan
    I wish the fix were that easy.:eek: I got one today with the same type of infection - Windows Security Alert/failing hard drive.

    Booted to Safe w/Networking but could not open TDSSkiller or Malwarebytes. Pulled the hdd and scanned with it slaved to my laptop. TDSSkiller found nothing. MBAM found 4 problems and MSSE cleaned 6 along the way of the MBAM scan. All files appeared hidden when connected to my laptop. Reinstalled hdd and tried to boot but no matter whether SAFE or Normal, it went into a reboot loop. Disabled restart on error and BSOD showed 7B error. Ran chkdsk/r - didn't fix reboot. Booted to XP Pro disk and ran Recovery Console with commands to fixboot and fixmbr. Still in a reboot loop. Did repair install. Fixed reboot issue but would not start until XP is activated and desktop was blank. Rebooted to Admin account and had only the desktop background - nothing else. I'm reinstalling XP Pro as I type this. This Dell Vostro 1500 doesn't have a restore partition. Either that or the virus crippled that option too. What a PITA!
     
  11. rjfvillarosa

    rjfvillarosa Moderator Staff Member

    Joined:
    Sep 15, 2004
    Messages:
    7,639
    Location:
    Cardiff, Wales. UK
    I have been following this thread out of interest. Last Saturday I was asked to repair a netbook with what turned out to be the worst infection I have ever come across. After slaving the harddrive and cleaning it I reinstalled it to find not a single application would run, none of the icons in the Control Panel worked, I couldn't even get the Task Manager to run. A Nuke and Pave sorted it out, these rogue antivirus programs are getting worse.
     
  12. kilgoretrout

    kilgoretrout

    Joined:
    Apr 22, 2003
    Messages:
    1,605
    I had the identical problem; the specific malware was one of the fake antivirus variety. I was able to clean up the infection with Malwarebytes but the malware had made changes to the registry that broke the exe file association, causing most executables to no longer run. After googling around I found registry edits to fix that but then Windows Update was broken. That was caused by several DLLs needed by Windows Update being deregistered. Fixed that and finally got the thing back to normal.

    Bottom line from all this is that it appears that current malware is making registry edits and other system changes that persist even after the malware is removed. Current antimalware applications are unable to find and repair all the system changes made by current malware and those changes persist even after the malware executable is removed by the antimalware app. Chasing down all those system changes and registry edits has become so labor intensive that it may now be easier to back up personal data and do a nuke and pave. My general procedure is to try a repair with thorough antimalware scans in safe mode or with hard drive removed. Assess the remaining damage and see if I can fix it quickly with the tricks I readily know. If not, try a repair install and if that fails it's nuke and pave time.
     
  13. Panama Red

    Panama Red If I'm not here, I may be cruisin'! Staff Member

    Joined:
    Apr 8, 2003
    Messages:
    14,773
    Location:
    near the left coast of Michigan
    Sounds like you and I are on the same page when it comes to cleaning systems. Seems like we hit the wall like this periodically when the bad guys make a quantum leap ahead of the good guys. Hopefully, MBAM's folks will develop a fix for this. Good luck to us all, eh? :p
     
  14. rjfvillarosa

    rjfvillarosa Moderator Staff Member

    Joined:
    Sep 15, 2004
    Messages:
    7,639
    Location:
    Cardiff, Wales. UK
    You can add my name to that page list PR.....;)
     
  15. Panama Red

    Panama Red If I'm not here, I may be cruisin'! Staff Member

    Joined:
    Apr 8, 2003
    Messages:
    14,773
    Location:
    near the left coast of Michigan
    Update: I had another pc over the weekend that was infected the same way. Once the virus was removed by putting the hard drive in another machine, the files were all hidden as were most of the programs on the start menu. I tried everything I could think of and was just about to nuke and pave. One place I hadn't checked before was the MBAM forums. There I found mention of a little program called unhide.exe. Further checking showed it also recommended at bleepingcomputer.com.
     
  16. Petef56

    Petef56

    Joined:
    May 18, 2007
    Messages:
    686
    Location:
    USA, New Jersey
    Is there a link to info about unhide.exe?

    I'd like to find out more about the program. For example, does it unhide all files & folders and what about the "system" files? In my case the computer had all the file attributes set as "hidden" and "system".

    ---pete---
     
  17. Panama Red

    Panama Red If I'm not here, I may be cruisin'! Staff Member

    Joined:
    Apr 8, 2003
    Messages:
    14,773
    Location:
    near the left coast of Michigan
    It only unhides the folders/files that were changed, Pete. It does nothing with the system files, and there's no need for you to mess with attributes. It just restores things back to normal.
     
  18. scottinvausa

    scottinvausa

    Joined:
    May 3, 2011
    Messages:
    1
    Thanks Panama, unhide.exe worked great for the most part (see below,) and it fixed the WindowsUpdate problems, saved the Repair step (thus far.)
    Now onto resolving the hidden desktop items and disabled right-click on the desktop (right-click works fine on the taskbar though.) Will probably end up nuke and paving this one, but I have a little time before the boss needs it back. It's clean now, I just need to clean-up. First indications of an infection were popups alerting him of disk errors.
     
  19. rwest

    rwest

    Joined:
    Mar 19, 2006
    Messages:
    2,176
    Location:
    Cocoa, Florida
    Just a bit of update for this critter.

    Unhide did not work for me until after a repair install. I still have an issue with the main user's desktop. But so far everything else seems okay.
     
  20. seagull

    seagull

    Joined:
    Jun 22, 2003
    Messages:
    649
    Location:
    Brookings, OR**Rain forest of the northwest.**
    ok I had to butt in here. I got the trojan this AM. I was in a panic but here is what I did on vista 64 bit.


    Went to safe mode and opened Malwarebytes. It found 4 trojans and cleaned them out.

    Ran it again to make sure. Rebooted and like stated above Most of my files were gone/hidden.

    Lucky me I came here and linked to "Unhide" and ran it. Rebooted and there they were back thank god. Some of the SHORTCUTS were gone but I was able to restore all that I tried so I think I am OK.

    I thought this might help others

    PS I did not do a windows repair
    pps I did not have any trojans last night because I scanned before I shut down for the night.
     
    Last edited: May 14, 2011
