user files hidden after virus

Posted on 2011-10-24
Medium Priority
Last Modified: 2012-06-21
I had two different users get the same virus. The virus marked all files on the C: drive as hidden. I removed the virus through Malwarebytes Anti-Malware, but after the virus was removed, the C: drive was still hidden. I un-hid the files, but when the user who launched the virus logs in, their desktop is missing, and they cannot launch the task manager. When right-clicking on the task bar, the option is greyed out, and similarly when they press ctrl-alt-del the option is greyed out there. I logged on as myself or the domain admin, and the option is there. Seems like it only happened for the user who initially launched the virus.
Question by:Winstink
LVL 63

Accepted Solution

☠ MASQ ☠ earned 2000 total points
ID: 37019893
LVL 27

Expert Comment

by:Jason Watkins
ID: 37020180
If this is a domain machine, I would back up all user data and re-image (reinstall Windows), then restore. I know this is the "easy" way, but in a domain environment, there should be no chance of this spreading.


Author Comment

ID: 37031074
I was able to un-hide the files after running the file as suggested in the article. However, the user still cannot call task manager the "traditional" ways (right-click on the task bar and ctrl-alt-delete).

Expert Comment

ID: 37031110
Have you tried disabling and enabling it in the registry?

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
 System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\
 Value Name: DisableTaskMgr
 Data Type: REG_DWORD (DWORD Value)
 Value Data: (0 = default, 1 = disable Task Manager)
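
One way to audit the value described in the comment above, as an added example that is not part of the original thread. The registry path in the post is cut off after `Policies\`; the `System` subkey used here is an assumption based on where Windows normally keeps this policy value, and the `-Fix` switch and function name are hypothetical.

```powershell
# Added example: report and optionally clear the DisableTaskMgr policy value.
# Assumption: the value lives in the "System" subkey under Policies
# (the path quoted in the thread is truncated after "Policies\").
param([switch]$Fix)   # hypothetical switch: without it the script only reports

$valueName = 'DisableTaskMgr'
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-TaskMgrPolicy {
    param([string]$Key)
    # Returns $null when the key or the value is absent (default: enabled).
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

foreach ($key in $keys) {
    $data = Get-TaskMgrPolicy -Key $key

    if ($null -eq $data) {
        $state = 'not set (Task Manager enabled)'
    } elseif ($data -eq 1) {
        $state = 'DISABLED (1)'
    } else {
        $state = "set to $data (Task Manager enabled)"
    }
    Write-Output "$key : $state"

    if ($Fix -and $data -eq 1) {
        try {
            # Deleting the value restores the default; HKLM needs elevation.
            Remove-ItemProperty -Path $key -Name $valueName -ErrorAction Stop
            Write-Output "  removed $valueName"
        } catch {
            Write-Warning "  could not modify $key : $($_.Exception.Message)"
        }
    }
}
```

Run it in the affected user's session, because the HKCU hive is per-user and an administrator's own logon will not show that user's value. If the value comes back after being cleared, something on the machine is still setting it.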

Author Comment

ID: 37057794
Turns out the virus was not completely gone. Ran a full system scan of MWAM, and it's gone now.
