Spyware, Viruses, & Security

General discussion

Windows Diagnostic virus - lost folders and files

by atlanticgirl / March 18, 2011 6:03 AM PDT

Hi, I am in a great panic...our computer, containing all the medical records of our handicapped children, has been hit by the Windows Diagnostic virus. It has erased ALL the folders and files off our desktop so we cannot access any of them. We are SO scared that these files have been erased forever. Also, we were trying to access some files on an external HD when the attack occurred and it also seems to have been hit by the virus too. The only difference is we can still see the folders on that drive but when we try to open any of them, we get the 'folder empty' message. This external HD has years of very important work on it and we are so upset and scared that we are not going to get those files back. We have tried running rkill and malwarebytes but it won't allow us to do so. Nor can we access the internet as our browsers have been blocked. When we try to boot in 'safe mode' or 'safe mode with networking', we are not allowed to do so as a very brief blue screen with text (too fast to read) flashes up and then the computer is automatically restarted, not allowing us access to 'safe mode'. We are running Windows XP. PLEASE help us to remove this nasty virus and restore our important files and folders as we are so very upset and worried that we have lost all our years of work. Many thanks.

Lost folders and files.
by Kees_B Forum moderator / March 18, 2011 6:13 AM PDT

Looks like they are lost forever. All you can do:
1. Have a look at the external disk from another PC.
2. Get the hard disk out and have a look at that on another PC (use an enclosure or a USB to IDE/SATA cable, you can buy them in your local computer store).
If the files still are gone find the money to send both disks to a professional data recovery company and let them see what they can recover. Should be around USD 2000 for the 2 disks.

On your new PC (or on the new hard disk of your current PC, once you've reinstalled XP on it) be sure to schedule a daily backup of all changes in the data to an external disk that you DISCONNECT when not in use for the backup and a regular full backup of all the data to an external backup service somewhere on the Internet.
And maybe use a better antivirus?

Kees

If these files can be recovered ...
by Kees_B Forum moderator / March 18, 2011 7:45 AM PDT

praise yourself lucky. What Carol says certainly looks hopeful, and the part for the external disk can easily be checked by connecting it to another PC. Even if you can't clean the hard disk, you should be able to get your files off to another PC by connecting it as an external disk also. Then - with all your data safe - you can format the disk to get rid of this nasty virus.

However, this doesn't in any way lessen the need for a good backup procedure to prevent a real disaster from occurring in the future. We can't press that enough.
Same, of course, to have a good look at your antivirus program.

I really hope you succeed. Then Carol deserves a big thank you, don't you agree?

Kees

To the reader with the same problem
by mutecebu / March 21, 2011 12:05 PM PDT

To the reader with the same problem:
Read on! All is not lost! Your files are all safe, the virus just made them "hidden". I wrote a guide below that should help you fix the issue (compiled from all the helpful comments that helped me to fix my own problem), or read the comments for yourself! However, I recommend you keep reading before you use the "attrib C:\*.* /d /s -h -r -s" command to see if it's right for you.

Good luck!

Helpful links
by mutecebu / March 21, 2011 12:14 PM PDT

Sorry for the double post.

Here is the "Remove Windows Diagnostic" uninstall guide, by the makers of "rkill" (a helpful tool used in the process):
http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic
The first half of the guide is basically describing the virus, if it's clear you have the same thing you can skip down to the middle.

Here's a link to my guide: (It's designed to be a little briefer and to warn you against mistakes that I made)
http://forums.cnet.com/7726-6132_102-5104010.html?tag=posts;msg5104010

These are for use if your files seem to be disappearing, and if a new program calling itself "Windows Diagnostic" with an icon of 4 jigsaw pieces has appeared, giving lots of phony error messages

Once again, thanks to everyone here.

They MAY not be gone..
by Carol~ Forum moderator / March 18, 2011 7:29 AM PDT

atlanticgirl..

In "Remove Windows Diagnostic (Uninstall Guide)" it states when describing this specific rogue:

'To further make it seem like your computer is not operating correctly, Windows Diagnostic will also make it so that certain folders on your computer display no contents. When opening these folders, such as C:\Windows\System32\ or various drive letters, instead of seeing the normal list of files it will instead display a different folder's contents or make it appear as if the folder is empty. This is done to make it seem like there is corruption on your hard drive that is causing your files to not be displayed.'

Windows Diagnostic is relatively new, and I don't know much about it yet. I don't want to get your hopes up. But I see too many "seems" and "appears" in the above description to convince me the files are definitely gone.

It also says in the removal guide:

'It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.'

DID you do this? Have you tried a Rescue Disk such as Avira's, which boots outside Windows?

Carol

Something to check..
by Carol~ Forum moderator / March 18, 2011 7:45 AM PDT
In reply to: They MAY not be gone..

atlanticgirl..

Some malware will change your settings to use a proxy server. It may (or may not) be the case, in this instance, but check it anyway.

Open Internet Explorer. Go to Tools>Internet Options>Connections Tab. Click on the LAN settings button. See if there is a check mark next to "Use a proxy server for your LAN". If there is, UNcheck it and click OK. Then OK, again.

Carol

same prob, more diagnostic information, recovery possible?
by HattrickRedeyes / March 19, 2011 1:44 AM PDT
In reply to: They MAY not be gone..

Carol, as someone else who has been hit by this, let me say I'm really glad to see someone take an active interest in it. Your words here are encouraging.

I followed the removal instructions at http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic

And it seems like I've gotten the malware removed, but my files are still missing. As with the OP, I'm strongly motivated to recover the data, as it is the sum of a lot of work. (2+ years, and I need it to graduate).

I did follow the instructions, running rkill and malwarebytes. Malwarebytes has quarantined 6 files and 1 registry entry.

During the phony error messages, before I got it cleaned out, it threw out warnings about hard drive errors and being unable to save some files, etc. But the messages seemed consistent with the description of phony warnings, so I wasn't too worried.

Anyway, I *think* I have it cleaned out. But as I mentioned, my files are still missing. My OS is windows Vista, and when I navigate to the users folder in my c drive, the admin account folder is missing; there's only a guest and public folder. (As a backdoor?-> )I can use the search function to find a few specific files in the downloads folder of my account, but I can't find them all that way. Further, when I navigate to the download folder in the directory pane (not through the c drive/users), it appears to be empty. Also, the documents, pictures, music, etc, folders appear to be empty when checked like this.

The three or four quick icons (Firefox, show desktop, cycle active pane, etc.) that sit in the (system tray? Taskbar?) immediately to the right of the start button have also disappeared.

As a point of interest, on start-up, a calendar program called rainlender, that I've been using for a long time, throws an error message that it cannot open a .log file that is kept in c:\users\adminuseraccount\.rainlender2\rainlender2.log. It says "(error 5: access is denied.)"

The hard drive capacity/usage seems to be what it was before this problem, if I remember correctly?

I have not tried a rescue disk, and unrelated, the optical drive is dead, but flash drives work for loading things if I couldn't download them. It seems to be able to navigate the web fine.

While searching (for this post, it seems ;) ), I came across this link http://www.socialblogr.com/2010/09/how-to-restore-files-hidden-by-virus-on-windows-7.html, which discusses what sounds similar on a Windows 7 computer. While I have Vista, I'm wondering if this is a direction we should consider?

I'm wondering if the files are still there and can be restored without resorting to more dramatic means, such as a recovery program?

hidden
by inetco / March 20, 2011 6:11 PM PDT

Go into file properties and untick hidden files and at least some of your files will return. More when I get my head around this one.

possible fix to recover your files
by HattrickRedeyes / March 19, 2011 3:14 AM PDT

they may just be hidden. I got some friends on another forum to hold my hand and walk me through unhiding things.

they referenced this:
http://moniroth.wordpress.com/2008/05/16/unhide-folder-after-clean-viruses/

this is what worked for me-
go to start-> run-> type cmd

then type all this in at once.

attrib C:\*.* /d /s -h -r -s


press Enter key.

my background still seems jacked up and there are a few wonky bits here and there, but it looks like my files are visible again.

Carol, does this all make sense? My friends recommend saving all the files on another drive and doing a fresh install if I can swing it.

<edit>
by HattrickRedeyes / March 19, 2011 3:18 AM PDT

^ I mean I know I trust the folks who steered me in that direction, I just mean, can you explain it for the OP if she needs it worked out?

Same problem
by Daman422 / March 19, 2011 3:54 AM PDT
In reply to: <edit>

My girlfriend encountered the same problem today and I walked her through removing the virus, yet still all her files are hidden and they are very important. I saw the command you posted and I was just wondering if it is 100% safe. I'm uncomfortable using the command prompt and from what I understand you can seriously mess up your computer with commands. I didn't want to tell her to type it in not knowing what it would do and if it was safe.

If you could explain what it does and if it's completely safe that would be great. It might be too late since she's going to the computer store. But just for reference for others.

Recovering hidden files..
by Carol~ Forum moderator / March 20, 2011 10:01 PM PDT

Hattrick..

You asked if it makes sense. The only thing I can tell you, is what I would do. And what I would try. I would first try suggestions, which I know for sure, can do NO harm. A good example might be, looking to see if "Hidden Files and Folder" needs enabling, in the Folder Options dialog box. I didn't think it would be something that simple, but some in this thread say it worked. No harm in trying.

I saw quite a few different suggestions, at various sites. My gut feeling is, the files are still there. I did find one fix, where modifying a couple of values in the registry worked. It's quite possible, the virus altered the original settings. Again, I don't know this for sure.

What may work for some, may not work for others. As you will see by the comments, within the link you provided. I would hate to have members trying everything and anything anyone suggests. Skeptic that I am, I fear they might find themselves worse off than they were, prior to implementing any given fix.

It's why I suggested in this post, members visit a HijackThis forum, where they would receive individual attention and further help.

This is STRICTLY my opinion. I would only ask, whatever you choose to do .. "proceed with caution".

Best of luck and thanks for your input..
Carol

Start menu items still hidden....
by techmi26 / May 20, 2011 7:16 AM PDT

After running the unhide tool you may still be missing most of your start menu shortcuts... They can be found in a folder named smtmp inside:

(XP)- C:\Documents and Settings\Username\Local Settings\Temp
(W7)- C:\Users\Username\AppData\Local\Temp

You might see a few numbered folders inside smtmp. One is for the items in All Users\Start Menu folder, one is quick launch items and one is the desktop items.

Mike

Another alternative
by mrmacfixit Forum moderator / March 19, 2011 3:54 AM PDT

would work if you know someone with a Mac.

Remove the hard drive from your machine and connect it to the Mac.

As Windows, and the virus, will not be running, all the files on that drive will be visible to the Mac and can be recovered onto the Mac HD.

Any windows virus that is present on the disk will not have any effect on the Mac

P

Did you ever get your files back
by jenvin1 / March 19, 2011 5:08 AM PDT

I'm having the same problem and I still can't see my files. Did you have any success getting your files back?

I don't think the files are gone, just hidden
by Galahad_75 / March 19, 2011 5:47 AM PDT

Hi,
I had the same virus, removed with the same procedure and now have the same issue - no programs in start menu or files in explorer.
I'm sure that all files are still on the hard drive though, because when i re-ran Malwarebytes and performed FULL SCAN i can see it checking all my files and programs, so they must still be there, so are hopefully just hidden.
I'm going to try "C:\*.* /d /s -h -r -s" in cmd prompt after the scan completes. That will probably be tomorrow, but i'll let you know how i get on.

Try Unhiding Folders
by davidchang72 / March 19, 2011 10:00 AM PDT

I had this same problem. I did a system restore to an earlier date and my hard drive came back but I still could not see any files. Ran Microsoft Security Essentials and Malwarebytes which did not detect anything but my files still appeared to be missing.

Like Galahad said below I could tell the files were still there because Malware was scanning all of them.

Then I figured it out. In My Computer I right-clicked on the My Documents folder and looked at the properties. The "hidden" box was checked. I unchecked the box and applied the settings to all of the sub-folders and now I can see everything again.

But it's a tedious process
by jenvin1 / March 19, 2011 11:05 AM PDT
In reply to: Try Unhiding Folders

I got help through Microsoft doing all that but I had to unhide each folder because it wouldn't do it automatically. Plus my comp is now running slow, my Windows Defender is corrupted, and the sound it makes is still there when my desktop loads. Does anyone experience this as well? The sound won't go away.

worked for me!
by kspark777 / May 19, 2011 11:19 PM PDT
In reply to: Try Unhiding Folders

all restored by right clicking on my documents, then going to properties tab, uncheck the box that says hidden (attributes) then select unhide all. all my docs programs and pics are back!!

still no programs
by kspark777 / May 19, 2011 11:29 PM PDT
In reply to: worked for me!

i got all my docs and pics but still have nothing when i go to start--programs--it is empty. plz help

Did you try..
by Carol~ Forum moderator / May 19, 2011 11:54 PM PDT
In reply to: still no programs

kspark..

If you haven't tried the following, I would suggest doing so. Scroll down to #17 in the below guide, where you will find a program (unhide.exe), which has helped quite a few members. You have nothing to lose, by trying.

Remove Windows Recovery (Uninstall Guide)

Best of luck..
Carol

all programs are back in start menu!!
by kspark777 / May 20, 2011 10:47 AM PDT
In reply to: Did you try..

All programs, desktop icons, pics (10000 of them LOL) and documents. Thanks Carol and malware free download. 3 weeks ago I went in safe mode and got malwarebytes free download; it caught 1400 registry errors. It's fixed now!!!!

(NT) You're welcome. Glad we were able to help. :)
by Carol~ Forum moderator / May 22, 2011 11:48 PM PDT
For future reference.....
by techmi26 / May 23, 2011 2:11 AM PDT
In reply to: still no programs

After running the unhide tool you may still be missing most of your start menu shortcuts?

They can be found in a folder named smtmp inside:
(XP)- C:\Documents and Settings\Username\Local Settings\Temp
(W7)- C:\Users\Username\AppData\Local\Temp

In my case there were three numbered folders inside C:\Documents and Settings\Username\Local Settings\Temp\smtmp folder. The folders were numbered 1, 2 and 4.

Inside the 1 folder was a folder named "Programs." This folder should be copied / pasted (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs but it is safe to overwrite it since Windows will replace the subfolders without creating duplicates.

Inside the 2 folder (for me) were the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Username\Application Data\Microsoft\Internet Explorer\Quick Launch.

Inside the 4 folder were the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.

For Windows 7 users, the all users start menu is C:\ProgramData\Microsoft\Windows\Start Menu\Programs and the all users desktop folder is C:\Users\Public\Desktop

Mike

More Info
by davidchang72 / March 19, 2011 12:16 PM PDT

After unhiding my files I ran rkill and then Malwarebytes again. Malwarebytes did find a couple of trojans that were labeled WindowsDiagnostic and HDD. Hopefully this works and you don't need to spend the $45 on Trojan Killer.

Wish these people had better things to do with their time than create trojans and viruses.

yes, this nasty virus just hid your files - unhide them
by marcuslcnet / March 19, 2011 1:10 PM PDT
In reply to: More Info

I got hit with this virus as well and after following the removal instructions on bleepingcomputer a lot of files were missing still.

To my relief, they were just hidden. All of your stuff is still there.

The attrib command is a good solution, but I recommend a slightly different set of options. The -s and -r options are removing the system and read-only attributes, and it does not appear that the virus affects those settings. You really don't want to remove the system flag from actual system files, which the attrib command listed above WILL do. I would just do this:

Log in as an administrator
start->run->cmd
cd c:\
attrib c:\*.* /d /s -h

Restore default hidden and system attributes?
by techmi26 / April 19, 2011 4:34 AM PDT

Does anyone have advice for those of us that took the easy route and did the attrib -s -h to the entire C: drive? I would love to see a tool that can restore the proper settings to Windows system files. Thanks!

Since No One Knows the Default/Previous Settings....
by Grif Thomas Forum moderator / April 19, 2011 6:16 AM PDT

...that Microsoft uses when performing a standard install, if "System Restore" isn't possible, (because the machine would become reinfected again), the only option would be to perform a "repair" install of the operating system.

Still, there's really nothing wrong with leaving the files the way they are.. The operating system should still operate as designed..

Hope this helps.

Grif
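
The narrower approach discussed above (clear only the hidden flag and leave system files alone), together with the question of how to get back to the earlier settings, as an added example that is not from any poster in this thread: a PowerShell script that only reports by default, and with `-Apply` records each item's original attributes to a CSV before changing anything. It assumes PowerShell 3.0 or later (not part of a default XP install); the parameter names, default folder and log path are made up for illustration.

```powershell
# Added example, not code from the thread. Needs PowerShell 3.0 or later.
# Parameter names and default paths are illustrative assumptions.
param(
    [string]$Root    = $env:USERPROFILE,                   # folder tree to inspect
    [string]$LogPath = "$env:TEMP\unhide-attributes.csv",  # record of original attributes
    [switch]$Apply,                                        # without it, report only
    [switch]$Restore                                       # put logged attributes back
)

$hiddenBit = [int][System.IO.FileAttributes]::Hidden   # 2
$systemBit = [int][System.IO.FileAttributes]::System   # 4
$normalBit = [int][System.IO.FileAttributes]::Normal   # 128

if ($Restore) {
    # Reapply exactly what was recorded before the earlier -Apply run.
    Import-Csv -LiteralPath $LogPath | ForEach-Object {
        $item = Get-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
        if ($item) {
            $item.Attributes = [System.IO.FileAttributes][int]$_.OriginalAttributes
        }
    }
    return
}

# -Force is required, otherwise hidden items are not listed at all.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

# Hidden but NOT system: items that carry the System flag are left untouched,
# so genuine operating system files keep their protection.
$targets = @($items | Where-Object {
    $a = [int]$_.Attributes
    (($a -band $hiddenBit) -ne 0) -and (($a -band $systemBit) -eq 0)
})

if (-not $Apply) {
    $targets | ForEach-Object { "Would unhide: $($_.FullName)" }
    "{0} item(s) would be changed. Re-run with -Apply to change them." -f $targets.Count
    return
}

# Never overwrite an earlier record; it is the only copy of the original state.
if (Test-Path -LiteralPath $LogPath) {
    throw "Log $LogPath already exists; move it aside before running -Apply again."
}
$targets |
    Select-Object FullName,
        @{ Name = 'OriginalAttributes'; Expression = { [int]$_.Attributes } } |
    Export-Csv -LiteralPath $LogPath -NoTypeInformation -Encoding UTF8

foreach ($item in $targets) {
    try {
        # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
        $new = [int]$item.Attributes -band (-bnot $hiddenBit)
        if ($new -eq 0) { $new = $normalBit }   # a file with no other flags is "Normal"
        $item.Attributes = [System.IO.FileAttributes]$new
    } catch {
        Write-Warning "Could not change $($item.FullName): $($_.Exception.Message)"
    }
}
```

Items that have both the hidden and system flags set are deliberately skipped, so anything still missing after a run needs a closer look rather than a blanket `-s`.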

Some DO's and DON'T's........
by Carol~ Forum moderator / March 20, 2011 11:06 AM PDT

Do NOT:

• Do NOT follow any of the removal guides you find as a result of a google search, unless you are 110% sure they are safe to use and follow.

Please read "Secure Shield fake rogue" where (in part) you will see:

'Some blog webmasters are regularly using the screenshots I made on their blog post. They just take the pictures, wrote a text about the rogue dangerousness and link to a "Free Scan", "Free Removal" tool (which is NOT free). Without analyzing the rogue itself.

Those blogs are cleaners affiliates. If the downloaded cleaner they link to is installed and registered, they get a retribution. They don't care if the tool can remove or not the infection. They don't analyze the infection. They just make a maximum traffic and try to be ranked on google first page.

So I decided to MAKE a picture of a new rogue that does NOT exist: Secure Shield. I post the picture and wait for the "serious" guys.

10 minutes after my blog and my digg post, Loaris posts a modified picture of mine (his digg). Loaris Trojan Remover was classified once as rogue.'

• Do NOT pay for an application just because someone posted and wrote "it worked for me". Do your research! There are excellent free applications, capable of doing the job. Unless you are 110% sure it does what it purports to do, steer clear of it. Keep in mind, the possibility always exists the poster may be involved with the site. And DO take note of Roddy's post titled, "I would not either touch Trojan Killer".
___________________

Please DO:

If the instructions in the removal guide don't work for you, I would strongly suggest posting at a HijackThis forum. They have access to certain diagnostic and removal tools, we don't utilize at this forum. A trained helper will walk you through the removal process. And hopefully do so in a way which will enable you to access ALL your files.

You can find a list of HijackThis forums, at the left-hand side of the below page:

http://hjt-data.trendmicro.com/hjt/analyzethis/index.php

I can only offer what I think may work. Until such time I know with certainty, what will work in any/every given circumstance and situation, I can only recommend asking for help at the above mentioned forums.

Best of luck..
Carol

What worked for me!
by Zhangzx1 / March 20, 2011 2:15 PM PDT

I followed instructions on Ehow

http://www.ehow.com/how_2306681_unhide-folders-files-xp.html#

Or if you are using XP as me:

Control Panel---Tools----Folders Option----View-----Hidden files and folders
----Show hidden files and folders (instead of the current status of not showing the hidden files and folders)

Then finally I see my hidden files again......

God bless you in your situations. Thanks for all our help.
