AnandTech Forums > Software > Operating Systems
Old 04-14-2011, 07:19 PM   #1
ichy
Diamond Member
 
Join Date: Oct 2006
Posts: 6,932
Default Can't see files in My Documents folder

A couple of days ago I got infected by one of those stupid Windows Recovery malware programs. Malwarebytes was able to get rid of it, but now when I go into my Documents and Settings folder it shows up as empty. When I click on folder properties it says there are a hundred-something gigabytes of files in there, so clearly whatever's there isn't actually gone. I'm also able to save files into my Downloads folder and open them, but when I go back to the User1 folder the Downloads folder no longer shows up. I'm guessing the files are still there but the registry was screwed with somehow. Any advice on how to make these files & folders show up again in Windows Explorer?
ichy is offline   Reply With Quote
Old 04-14-2011, 07:36 PM   #2
ichy
Diamond Member
 
Join Date: Oct 2006
Posts: 6,932
Default

Never mind, looks like everything in there was somehow changed to a hidden folder. Changed it back, all is well.
ichy is offline   Reply With Quote
Old 04-16-2011, 02:01 AM   #3
LiuKangBakinPie
Diamond Member
 
LiuKangBakinPie's Avatar
 
Join Date: Jan 2011
Location: Right Behind you
Posts: 3,912
Default

Are you on Windows XP? You sure the malware is gone?
__________________
MMORPG players are freaks. If I ever catch my kids doing anything with a computer except for normal stuff like porn and hacking into school to change their grades, I will beat their asses like a red headed step child.
3DMark11
LiuKangBakinPie is offline   Reply With Quote
Old 04-16-2011, 09:50 AM   #4
Matt1970
Lifer
 
Matt1970's Avatar
 
Join Date: Mar 2007
Location: Syracuse NY
Posts: 10,850
Default

Malwarebytes is good but it still misses stuff. Typically you want to follow up with SpyBot and Super Anti-Spyware.
Matt1970 is offline   Reply With Quote
Old 04-16-2011, 01:25 PM   #5
ichy
Diamond Member
 
Join Date: Oct 2006
Posts: 6,932
Default

Did all of the above, and manually yanked out all of the registry entries.

Running Windows 7 BTW.
ichy is offline   Reply With Quote
Old 04-19-2011, 11:42 PM   #6
SetecAstronomy
Junior Member
 
Join Date: Oct 2007
Posts: 13
Default

I've seen that particular malware infection on several machines at work. Often much more than the My Documents folder gets set as hidden, such as the entire user account folders. I've also seen this cause the entire start menu to display as blank due to all the shortcuts being marked hidden. The easiest solution I found to undo that is running the following command from an elevated cmd prompt from the root of C:

attrib -h /s /d

This will unhide everything (skipping over system files that you would want hidden).

If you have not already I urge you to run tdsskiller (google it) on your computer as well. In almost every instance the rogue software you had is the visible payload of a TDSS rootkit/bootkit infection. It may have been removed by other things you have run; however, certain TDSS variants are very sophisticated and difficult to remove.
SetecAstronomy is offline   Reply With Quote
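The attrib one-liner above does the job, but it gives you no dry run and it recurses into every junction in a profile. The PowerShell script below is an added example, not code from the thread or from any poster: it walks a profile folder, clears only the Hidden bit on items the malware hid, leaves System-flagged items alone (the same rule attrib -h applies), and does not descend into reparse points. The parameter names -Root and -DryRun, and the summary line, are assumptions made for this example.

```powershell
# Added example, not from the thread or any poster: clear the Hidden attribute
# that the rogue "recovery" program set on profile files, much as
# "attrib -h /s /d" does, but with a dry run, an explicit skip of items flagged
# System, and no descent into junctions (reparse points). The parameter names
# -Root and -DryRun are assumptions made for this example.
[CmdletBinding()]
param(
    [string]$Root = $env:USERPROFILE,   # e.g. C:\Users\User1 in the first post
    [switch]$DryRun                     # list what would change, modify nothing
)

$hidden  = [IO.FileAttributes]::Hidden
$system  = [IO.FileAttributes]::System
$reparse = [IO.FileAttributes]::ReparsePoint

$script:changed = 0
$script:skipped = 0

function Unhide-Tree {
    param([string]$Path)

    # -Force makes Get-ChildItem return hidden and system items; without it the
    # very entries we need to fix are invisible, exactly as they are in Explorer.
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        $attrs = $item.Attributes

        # Items flagged System (desktop.ini, NTUSER.DAT, ...) are hidden by design,
        # and attrib -h refuses to reset them as well. Reparse points (the
        # "Application Data"-style junctions in a Windows 7 profile) are skipped
        # and not descended into, so a junction pointing back up the tree cannot
        # send the walk into a loop.
        if ((($attrs -band $system) -ne 0) -or (($attrs -band $reparse) -ne 0)) {
            $script:skipped++
            continue
        }

        if (($attrs -band $hidden) -ne 0) {
            if ($DryRun) {
                Write-Output "would unhide: $($item.FullName)"
            } else {
                # -bxor flips only the Hidden bit, which we know is set;
                # ReadOnly, Archive and the rest are left exactly as found.
                $item.Attributes = $attrs -bxor $hidden
                Write-Verbose "unhid: $($item.FullName)"
            }
            $script:changed++
        }

        if ($item.PSIsContainer) { Unhide-Tree -Path $item.FullName }
    }
}

Unhide-Tree -Path $Root

$verb = if ($DryRun) { 'found' } else { 'cleared' }
Write-Output ("Hidden items {0}: {1}; skipped as System/junction: {2}" -f $verb, $script:changed, $script:skipped)
```

Run it first with -DryRun (for example `.\Unhide-ProfileFiles.ps1 -Root 'C:\Users\User1' -DryRun`) and read the list; if it only names your own documents, shortcuts and folders, run it again without -DryRun from an elevated prompt when the profile belongs to another account. Keeping the dry-run output also gives you a record of exactly what the infection touched.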
Old 04-20-2011, 01:29 AM   #7
bankster55
Golden Member
 
bankster55's Avatar
 
Join Date: Mar 2010
Posts: 1,124
Default

These fake AV, fake recovery, fake MSE are REALLY getting to be obnoxious.
They shut down all AV and firewalls, even the very obscure ones.
When you click on their icon, the icons disappear
They restrict permissions on all folders, not allowing any deletes or running of .exe's. And then prohibit changing back the permissions.
They prevent any restores
After booting to Kaspersky rescue CD it didn't allow it to fully load
The Win 7 DVD stops at the welcome screen - goes no further.
Blocks going on internet
Loads desktop with warning graphics
etc etc

The AVs mentioned here (MWB, SAS, SBS&D) are absolutely useless - it goes right by them
The only decent shot at stopping this stuff is Comodo IS Suite (freeware)
But I have thrown in the towel, Apr 28 is when the new Ubuntu 11.04 supposedly comes out, and I will use it exclusively for surfing the web, nothing else, triple booting with Win 7 X86 X64
http://www.h-online.com/open/news/it...s-1228402.html
__________________
I actually have ~8000 AT posts, was in first group to join Sep. 99 (text only format) - just too lazy to import my info. In fact, its kinda nice to be anonymous. Remember those live meet and greet other local AT members OT threads?

bankster55 is offline   Reply With Quote
Old 04-23-2011, 07:19 PM   #8
Bill Brasky
Diamond Member
 
Bill Brasky's Avatar
 
Join Date: May 2006
Posts: 4,252
Default

I'm still curious how one goes about getting a virus. Do you guys get them from the web or in e-mails?
__________________
"People who speak in metaphors should shampoo my crotch." -Jack Nicholson
Bill Brasky is offline   Reply With Quote
Old 04-24-2011, 06:54 PM   #9
bankster55
Golden Member
 
bankster55's Avatar
 
Join Date: Mar 2010
Posts: 1,124
Default

Porn sites - that's where industrial grade viruses hang out
You go to a site, then when you click on a sub link it goes to a dif one, and just by going to that page you are dead meat.
Comodo has prob the best bad web page avoidance system and blacklist.
Warez sites are next, patches cracks and hacks
P2P torrents may have a payload

Most peeps get those fake AV, fake MSE, fake recovery popups during their normal cruising - IE, Yahoo, AOL messenger, Outlook, Outlook Express, - things I wouldn't go near with a ten foot pole. If it's popular, stay away.
Emails with "CC" with 10 or 15 people getting the same message are dangerous, since some of them are prob infected.
If you get a fake AV popup, you have to close out FireFox, unplug modem (or block internet with FW if you can), restart FF and close out all tabs. Then replug modem and start FF fresh. If you click on ANYTHING on the popup (and you HAVE TO), you got it.
System restore as a last gasp option.
Just look at all this crap, and this ain't even the bad stuff.
http://www.google.com/images?hl=en&s...qi=g1&aql=&oq=
__________________
I actually have ~8000 AT posts, was in first group to join Sep. 99 (text only format) - just too lazy to import my info. In fact, its kinda nice to be anonymous. Remember those live meet and greet other local AT members OT threads?

bankster55 is offline   Reply With Quote
Old 04-25-2011, 06:27 PM   #10
Bill Brasky
Diamond Member
 
Bill Brasky's Avatar
 
Join Date: May 2006
Posts: 4,252
Default

Quote:
Originally Posted by bankster55 View Post
Porn sites - that's where industrial grade viruses hang out
You go to a site, then when you click on a sub link it goes to a dif one, and just by going to that page you are dead meat.
Comodo has prob the best bad web page avoidance system and blacklist.
Warez sites are next, patches cracks and hacks
P2P torrents may have a payload

Most peeps get those fake AV, fake MSE, fake recovery popups during their normal cruising - IE, Yahoo, AOL messenger, Outlook, Outlook Express, - things I wouldn't go near with a ten foot pole. If it's popular, stay away.
Emails with "CC" with 10 or 15 people getting the same message are dangerous, since some of them are prob infected.
If you get a fake AV popup, you have to close out FireFox, unplug modem (or block internet with FW if you can), restart FF and close out all tabs. Then replug modem and start FF fresh. If you click on ANYTHING on the popup (and you HAVE TO), you got it.
System restore as a last gasp option.
Just look at all this crap, and this ain't even the bad stuff.
http://www.google.com/images?hl=en&s...qi=g1&aql=&oq=
Yeah, it's surprising how many people click around on the web without real-time AV, and FF + NoScript (or something similar that disables JavaScript).
__________________
"People who speak in metaphors should shampoo my crotch." -Jack Nicholson
Bill Brasky is offline   Reply With Quote
Old 07-24-2011, 07:11 PM   #11
HLW3333
Junior Member
 
Join Date: Jul 2011
Posts: 2
Default Cant See Files In My Document

Quote:
Originally Posted by SetecAstronomy View Post
I've seen that particular malware infection on several machines at work. Often much more than the My Documents folder gets set as hidden, such as the entire user account folders. I've also seen this cause the entire start menu to display as blank due to all the shortcuts being marked hidden. The easiest solution I found to undo that is running the following command from an elevated cmd prompt from the root of C:

attrib -h /s /d

This will unhide everything (skipping over system files that you would want hidden).

If you have not already I urge you to run tdsskiller (google it) on your computer as well. In almost every instance the rogue software you had is the visible payload of a TDSS rootkit/bootkit infection. It may have been removed by other things you have run; however, certain TDSS variants are very sophisticated and difficult to remove.
I got infected by the Malware XP Repair program a couple of days ago, and lost my desktop, desktop icons, start icons for system accessories like defrag etc. All because I inadvertently hit the wrong key when my anti-virus program asked me if I wanted to block access to a site that was seeking access to my computer. At the time I was running 1. the McAfee anti-virus program, 2. free versions of Malwarebytes and Panda Cloud Antivirus on my PC. After running malware scans with these 2 programs and downloading tdsskiller as suggested I got my desktop back, but my computer still can't find any of my txt or html files. Also defrag etc. are still all hidden on my PC. What a mess !!!

I believe your "easy solution" would solve some of my problems, but I've forgotten how to do it. If you or anyone else can walk me thru the procedure step by step ASAP I would really appreciate it. BTW I know everything is still on my computer because my Local Disk properties still shows the same amount of used and unused disk space that existed before this mess.
HLW3333 is offline   Reply With Quote
Old 07-25-2011, 10:54 AM   #12
lowrider69
Senior Member
 
Join Date: Aug 2004
Posts: 422
Default

I cleaned a system about a month ago that had stuff hidden and missing from the client's My Documents folder. I had to do a data recovery and unhide the rest of the stuff.


Regular common sites get hacked every day. The biggest thing to worry about is ad servers getting hacked, it's very common. I don't surf without Firefox and NoScript and I have NoScript set to forbid iframes for untrusted domains as well, which is not the default setting but I highly recommend enabling it under the embeddings tab. Many hackers will put an iframe into the page code of the page they're hacking and have it load malicious code from another server/site. They also use object tags as well, which are blocked by NoScript by default for untrusted domains. Plus I use Avast which has an excellent network shield and web shield.

I'd rather have malware blocked from downloading at all than have it download to my drive and then caught once it's run. I have seen AVs catch a malicious program when it was run and say it blocked it and the system still got infected or something still got messed up. They wouldn't catch all of it.


One more thing, always create frequent backup images, which is good to do for numerous reasons.

Also, if you're using a mail client like Outlook Express, Live Mail, Thunderbird, etc....set them to view all mail in plain text. It's very effective and an easy thing to do to greatly cut down on your chances of getting hammered with a malicious email.

Last edited by lowrider69; 07-25-2011 at 02:49 PM.
lowrider69 is offline   Reply With Quote
Old 07-26-2011, 11:26 AM   #13
HLW3333
Junior Member
 
Join Date: Jul 2011
Posts: 2
Smile

After a long and frustrating “trial and error” week-end I successfully got my laptop up and running again. This is my second struggle with a “malware program” in two years. Because of the “Hijack” of my Program folder and the hidden file feature of this particular “XP REPAIR” malware program, it made my first experience look like a piece of cake.

The moral of the story is NEVER!!! NEVER!!! EVER!!! allow a blocked site or program to gain access to your computer.

FWIW, after a week-end of “Googling” the web for solutions to my problem I came across this Article - How to fix "Windows XP Recovery" Malware Wednesday, June 8, 2011 - by Brian Richards Tags: Malware, virus removal, Windows XP Recovery, General at http://www.interworks.com/blogs/brichards/2011/06/08/how-fix-windows-xp-recovery-malware

IMHO, Richards gives you the easiest step by step instructions to follow to get rid of this particular type of “Windows Recovery Malware”.


PS: If for some reason the Richards article does not resolve your malware problem, then I strongly suggest you check out: Am I Infected? What Do I Do? at http://www.bleepingcomputer.com/foru...picfilter__all


Also unhide.exe took a full 5 hours to clean up my laptop. A side effect of running unhide.exe now has my laptop CPU usage running at 24% to 80% instead of almost always at 100% according to Windows Task Manager.

Last edited by HLW3333; 07-26-2011 at 11:25 PM. Reason: Increase Font Add PS:
HLW3333 is offline   Reply With Quote
Old 07-26-2011, 09:05 PM   #14
SolMiester
Diamond Member
 
SolMiester's Avatar
 
Join Date: Dec 2004
Location: Napier, New Zealand
Posts: 4,758
Default

I had an issue with a client's PC, a virus had also hidden all the user's documents after we cleaned the virus out...so had to use this program to unhide them all...
trojan-killer.net/download/unhider.exe
__________________
HOME-LianLi PC-9F,ASRock P67Pro3, i5 2500k @4Ghz, 8Gb HyperX, ASUS DC GTX660OC, Corsair Force 120 SSD, HP ML350G5 2012 Host-Plex/W8/MINT..
My Super 6 Calais
SolMiester is offline   Reply With Quote