A VIRUS HAS HIDDEN MY FILES AND FOLDERS BUT THEY ARE STILL THERE, JUST HIDDEN

Silense
I can't see my files (under My Documents & C drive) & programs from the "Start Menu"; all are hidden. I ran 3/4 antivirus programs but couldn't fix this. How can I resolve the issue? Would I be able to fix this if I change the attribute value of Explorer in the registry somewhere?
helpfinder, IT Consultant

Commented:
Try to create a new user profile, move your files there, and then, if everything is OK for some time, just delete the infected one.
Top Expert 2012
Commented:
Also you can right click on the folder and select Properties, then untick the Hidden checkbox to unhide again...

Author

Commented:
@777. Yes, you are right, but my understanding is that there is a faster & better way to do it from the registry (instead of selecting the folder) by changing attribute values, which I can't find.
Commented:
I would do a virus check in safe mode just to be safe.
Commented:
try attrib -h -s folder/file path or attrib -s -h
I think you need to read this article - http://experts-exchange.com/A_6209.html

Author

Commented:
Updated & ran the anti-virus in safe mode but it doesn't work. My understanding is that when the virus damages the settings, it changes the attribute values in regedit. But I'm not sure which one needs its value changed to 0 instead of 2.
Did you apply the fixNCR.reg file as that article says for step 1?
If the virus was a fake HDD type, you might want to download and run the unhide.exe app found on bleeping computer.  Usually that is effective in fixing changed file attributes.
Unhide is the 4th step in that article, after fixNCR.reg, rkill/RogueKiller and MBAM, just before TDSSKiller.

Author

Commented:
Can I manually change the registry value? Because this virus changes the registry value from 0 to 2, where 0 = Normal and 2 = Hide.

Author

Commented:
But I am not sure where to go to change the registry value in regedit.
If you haven't done the other steps yet, whatever changed it before will likely just change it again.
You need to kill the application that is running in the process list first that is actively monitoring for these types of changes. Your best option is to run the Thekiller first as it does what unhide does and cuts down on a few steps, then you can continue with the other steps.

I have seen a lot of ZeroAccess droppers being spread through exploit sites as of late. Wouldn't surprise me if this is another "Smart-HDD" infection.

Author

Commented:
Thanks.
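
The attrib -h -s suggestion from the thread, written out as an added PowerShell example (not posted by anyone in the thread): it reports every item under a folder that carries the Hidden attribute and, with -Fix, clears Hidden and System. The parameter names, the default root and the skip list are assumptions. As the thread notes, run it only after the malware itself has been removed, otherwise the attributes are likely to be set again.

```powershell
# Added example, not from the thread. Report items carrying the Hidden attribute
# under a folder; with -Fix, clear Hidden and System as "attrib -h -s" would.
param(
    [string]$Root = $env:USERPROFILE,  # assumed scan root
    [switch]$Fix                       # report only unless -Fix is given
)

# Constructed skip list: items Windows itself keeps hidden. Extend as needed.
$skipNames = 'desktop.ini', 'thumbs.db', 'AppData', '$RECYCLE.BIN'
$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

$hits = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -and  # legacy junctions
        ($skipNames -notcontains $_.Name) -and
        ($_.Name -notmatch '^(ntuser|usrclass)\.') -and                    # registry hive files
        ($_.FullName -notlike '*\AppData\*')                               # application data
    }

foreach ($item in $hits) {
    $before = $item.Attributes
    if ($Fix) {
        # Drop the Hidden and System bits, keep everything else (Directory, Archive, ...).
        $new = [int]$before -band (-bnot $mask)
        if ($new -eq 0) { $new = [int][IO.FileAttributes]::Normal }
        try {
            $item.Attributes = [IO.FileAttributes]$new
            $item.Refresh()
        } catch {
            Write-Warning "Could not change $($item.FullName): $($_.Exception.Message)"
            continue
        }
    }
    # One row per item so the result can be reviewed or exported.
    [pscustomobject]@{ Path = $item.FullName; Before = $before; After = $item.Attributes }
}
```

Running it first without -Fix gives a list to review before anything is changed.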
