48 total posts
(Page 1 of 2)
Lost folders and files.
Looks like they are lost forever. All you can do:
1. Have look at the external disk from another PC.
2. Get the hard disk out and have a look at that on another PC (use an enclosure or a USB to IDE/SATA cable, you can buy them in your local computer store).
If the files still are gone find the money to send both disks to a professional data recovery company and let them see what they can recover. Should be around USD 2000 for the 2 disks.
On your new PC (or on the new hard disk of your current PC, once you've reinstalled XP on it) be sure to schedule a daily backup of all changes in the data to an external disk that you DISCONNNECT when not in use for the backup and a regular full backup of all the data to an external backup service somewhere on the Internet.
And maybe use a better antivirus?
If these files can be recovered ...
praise yourself lucky. What Carol says certainly looks hopeful, and the part for the external disk can easily be checked by connecting it to another PC. Even if you can't clean the hard disk, you should be able to get your files off to another PC by connecting it as an external disk also. Then - with all your data safe - you can format the disk to get rid of this nasty virus.
However, this doesn't in any way lessen the need for a good backup procedure to prevent a real disaster from occurring in the future. We can't press that enough.
Same, of course, to have a good look at your antivirus program.
I really hope you succeed. Then Carol deserves a big thank you, don't you agree?
To the reader with the same problem
To the reader with the same problem:
Read on! All is not lost! Your files are all safe, the virus just made them "hidden". I wrote a guide below that should help you fix the issue (compiled from all the helpful comments that helped me to fix my own problem), or read the comments for yourself! However, I recommend you keep reading before you use the "attrib C:\*.* /d /s -h -r -s" command to see if it's right for you.
Sorry for the double post.
Here is the "Remove Windows Diagnostic" uninstall guide, by the makers of "rkill" (a helpful tool used in the process:
The first half of the guide is basically describing the virus, if it's clear you have the same thing you can skip down to the middle.
Here's a link to my guide: (It's designed to be a little briefer and to warn you against mistakes that I made)
These are for use if your files seem to be disappearing, and if a new program calling itself "Windows Diagnostic" with an icon of 4 jigsaw pieces has appeared, giving lots of phony error messages
Once again, thanks to everyone here.
They MAY not be gone..
In "Remove Windows Diagnostic (Uninstall Guide)" it states when describing this specific rogue:
'To further make it seem like your computer is not operating correctly, Windows Diagnostic will also make it so that certain folders on your computer display no contents. When opening these folders, such as C:\Windows\System32\ or various drive letters, instead of seeing the normal list of files it will instead display a different folder's contents or make it appear as if the folder is empty. This is done to make it seem like there is corruption on your hard drive that is causing your files to not be displayed.'
Windows Diagnostic is relatively new, and I don't know much about it yet. I don't want to get your hopes up. But I see too many "seems" and "appears" in the above description to convince me the files are definitely gone.
It also says in the removal guide:
'It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.'
DID you do this? Have you tried a Rescue Disk such as Avira's, which boots outside Windows?
Something to check..
Some malware will change your settings to use a proxy server. It may (or may not) be the case, in this instance, but check it anyway.
Open Internet Explorer. Go to Tools>Internet Options>Connections Tab. Click on the LAN settings button. See if there is a check mark next to "Use a proxy server for your LAN". If there is, UNcheck it and click OK. Then OK, again.
same prob, more diagnostic information, recovery possible?
Carol, as someone else who has been hit by this, let me say I'm really glad to see someone take an active interest in it. Your words here are encouraging.
I followed the removal instructions at http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic
And it seems like I've gotten the malware removed, but my files are still missing. As with the OP, I'm strongly motivated to recover the data, as it is the sum of a lot of work. (2+ years, and I need it to graduate).
I did follow the instructions, running rkill and malwarebytes. Malwarebytes has quarantined 6 files and 1 registry entry.
During the phony error messages, before I got it cleaned out, it threw out warnings about hard drive errors and being unable to save some files, etc. But the messages seemed consistent with the description of phony warnings, so I wasn't too worried.
Anyway, I *think* I have it cleaned out. But as I mentioned, my files are still missing. My OS is windows Vista, and when I navigate to the users folder in my c drive, the admin account folder is missing; there's only a guest and public folder. (As a backdoor?-> )I can use the search function to find a few specific files in the downloads folder of my account, but I can't find them all that way. Further, when I navigate to the download folder in the directory pane (not through the c drive/users), it appears to be empty. Also, the documents, pictures, music, etc, folders appear to be empty when checked like this.
The three or four quick icons (firefox, show desktop, cycle active pane, etc) that sit in the (system tray? Taskbar?) Immediately to the right of the start button have also disappeared.
As a point of interest, on start-up, a calendar program called rainlender, that I've been using for a long time throws an error message that it cannot open a .log file that is kept in c:\users\adminuseraccount\.rainlender2\rainlender2.log. It says " (error 5: access is denied.)
The hard drive capacity/usage seems to be what it was before this problem, if I remember correctly?
I have not tried a rescue disk, and unrelated, the optical drive is dead, but flash drives work for loading things if I couldn't download them. It seems to be able to navigate the web fine.
While searching (for this post it seems ), I came across this link http://www.socialblogr.com/2010/09/how-to-restore-files-hidden-by-virus-on-windows-7.html, which discusses what sounds similar on a windows 7 computer, while I have vista, I'm wondering if this is a direction we should consider?
I'm wondering is if the files are still there and can be restored without resorting to more dramatic means, such as a recovery program?
go into file properties and untick hidden files and at least some of your file will return more when i get my head around this one
possible fix to recover your files
they may just be hidden. I got some friends on another forum to hold my hand and walk me through unhiding things.
they referenced this:
this is what worked for me-
go to start-> run-> type cmd
then type all this in at once.
attrib C:\*.* /d /s -h -r -s
press Enter key.
my background still seems jacked up and there are a few wonky bits here and there, but it looks like my files are visible again.
carol, does this all make sense? my friends reccomend saving all the files on another drive and doing a fresh install if I can swing it.
^ I mean I know I trust the folks who steered me in that direction, I just mean, can you explain it for the OP if she needs it worked out?
My girlfriend encountered the same problem today and I walked her through. Removing the virus yet still all her files are hidden and they are very important. I saw the command you posted and I was just wondering if it is 100% safe. I'm uncomfortable using the command prompt and from what I understand you can seriously mess up your computer with commands. I didn't want to tell her to type it in not knowing what it would do and if it was safe.
If you could explain what it does and if it's completely safe that would be great. It might be too late since she's going to the computer store. But just for reference for others.
Recovering hidden files..
You asked if it makes sense. The only thing I can tell you, is what I would do. And what I would try. I would first try suggestions, which I know for sure, can do NO harm. A good example might be, looking to see if "Hidden Files and Folder" needs enabling, in the Folder Options dialog box. I didn't think it would be something that simple, but some in this thread say it worked. No harm in trying.
I saw quite a few different suggestions, at various sites. My gut feeling is, the files are still there. I did find one fix, where modifying a couple of values in the registry worked. It's quite possible, the virus altered the original settings. Again, I don't know this for sure.
What may work for some, may not work for others. As you will see by the comments, within the link you provided. I would hate to have members trying everything and anything anyone suggests. Skeptic that I am, I fear they might find themselves worse off than they were, prior to implementing any given fix.
It's why I suggested in this post, members visit a HijackThis forum, where they would receive individual attention and further help.
This is STRICTLY my opinion. I would only ask, whatever you choose to do .. "proceed with caution".
Best of luck and thanks for your input..
Start menu items still hidden....
After running the unhide tool you may still be missing most of your start menu shortcuts... They can be found in a folder named smtmp inside:
(XP)- C:\Documents and Settings\Username\Local Settings\Temp
You might see a few numbered folders inside smtmp. One is for the items in All Users\Start Menu folder, one is quick launch items and one is the desktop items.
would work if you know someone with a Mac.
Remove the hard drive from your machine and connect it to the Mac.
As Windows, and the virus, will not be running, all the files on that drive will be visible to the Mac and can be recovered onto the Mac HD.
Any windows virus that is present on the disk will not have any effect on the Mac
Did you ever get your files back
I'm having the same problem and I still can't see my files. Did you have any success getting your files back?
I don't think the files are gone, just hidden
I had the same virus, removed with the same procedure and now have the same issue - no programs in start menu or files in explorer.
I'm sure that all files are still on the hard drive though, because when i re-ran Malwarebytes and performed FULL SCAN i can see it checking all my files and programs, so they must still be there, so are hopefully just hidden.
I'm going to try "C:\*.* /d /s -h -r -s" in cmd prompt after the scan completes. That will probably be tomorrow, but i'll let you know how i get on.
Try Unhiding Folders
I had this same problem. I did a system restore to an earlier date and my hard drive came back but I still could not see any files. Ran Microsoft Secutiry Essentials and Malwarebytes which did not detect anything but my files still appeared to be missing.
Like Galahad said below I could tell the files were still there because Malware was scanning all of them.
Then I figured it out. In My Computer I right-clicked on the My Documents folder and looked at the properties. The "hidden" box was checked. I unchecked the box and applied the settings to all of the sub-folders and now I can see everything again.
But its a tedious process
I got help through Microsoft doing all that but I had to unhide each folder because it wouldn't do it automatically. Plus my comp is now running slow, my Windows Defender is corrupted, and the sound it makes is still there when my desktop loads. Does anyone experience this as well? The sound won't go away.
worked for me!
all restored by right clicking on my documents, then going to properties tab, uncheck the box that says hidden (attributes) then select unhide all. all my docs programs and pics are back!!
still no programs
i got all my docs and pics but still have nothing when i go to start--programs--it is empty. plz help
Did you try..
If you haven't tried the following, I would suggest doing so. Scroll down to #17 in the below guide, where you will find a program (unhide.exe), which has helped quite a few members. You have nothing to lose, by trying.
Remove Windows Recovery (Uninstall Guide)
Best of luck..
all programs are back in start menu!!
all programs, desktop icons, pics (10000 of them LOL) and documents.Thanks Carol and malware free download. 3 weeks ago i went in safemode and got malwarebytes free download it caught 1400 registry errors. its fixed now!!!!
You're welcome. Glad we were able to help. :)
For future reference.....
After running the unhide tool you may still be missing most of your start menu shortcuts?
They can be found in a folder named smtmp inside:
(XP)- C:\Documents and Settings\Username\Local Settings\Temp
In my case there were three numbered folders inside C:\Documents and Settings\Username\Local Settings\Temp\smtmp folder. The folders were numbered 1, 2 and 4.
Inside the 1 folder was a folder named "Programs." This folder should be copied / pasted to (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs but it is safe to overwrite it since Windows will replace the subfolders without creating duplicates.
Inside the 2 folder (for me) were the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Username\Application Data\Microsoft\Internet Explorer\Quick Launch.
Inside the 4 folder were the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.
For Windows 7 users, the all users start menu is C:\ProgramData\Microsoft\Windows\Start Menu\Programs and the all users desktop folder is C:\Users\Public\Desktop
After unhiding my files I ran rkill and then Malwarebytes again. Malware bytes did find a couple of trojans that were labeled WindowsDiagnostic and HDD. Hopefully this works and you don't need to spend the $45 on Trojan Killer.
Wish these people had better things to do with there time than create trojans and viruses.
yes, this nasty virus just hid your files - unhide them
I got hit with this virus as well and after following the removal instructions on bleepingcomputer a lot of files were missing still.
To my relief, they were just hidden. All of your stuff is still there.
The attrib command is a good solution, but I recommend a slightly different set of options. The -s and -r options are removing the system and read-only attributes, and it does not appear that the virus affects those settings. You really don't want to remove the system flag from actual system files, which the attrib command listed above WILL do. I would just do this:
Log in as an adminstrator
attrib c:\*.* /d /s -h
Restore default hidden and system attributes?
Does anyone have advice for those of us that took the easy route and did the attrib -s -h to the entire C: drive? I would love to see a tool that can restore the proper settings to Windows system files. Thanks!
Since No One Knows the Default/Previous Settings....
...that Microsoft uses when performing a standard install, if "System Restore" isn't possible, (because the machine would become reinfected again), the only option would be to perform a "repair" install of the operating system.
Still, there's really nothing wrong with leaving the files the way they are.. The operating system should still operate as designed..
Hope this helps.
Some DO's and DON'T's........
• Do NOT follow any of the removal guides you find as a result of a google search, unless you are 110% sure they are safe to use and follow.
Please read "Secure Shield fake rogue" where (in part) you will see:
'Some blog webmasters are regularly using the screenshots I made on their blog post. They just take the pictures, wrote a text about the rogue dangerousness and link to a "Free Scan", "Free Removal" tool (which is NOT free). Without analyzing the rogue itself.
Those blogs are cleaners affiliates. If the downloaded cleaner they link to is installed and registered, they get a retribution. They don't care if the tool can remove or not the infection. They don't analyze the infection. They just make a maximum traffic and try to be ranked on google first page.
So I decided to MAKE a picture of a new rogue that does NOT exist: Secure Shield. I post the picture and wait for the "serious" guys.
10 minutes after my blog and my digg post, Loaris posts a modified picture of mine (his digg). Loaris Trojan Remover was classified once as rogue.'
• Do NOT pay for an application just because someone posted and wrote "it worked for me". Do your research! There are excellent free applications, capable of doing the job. Unless you are 110% sure it does what it purports to do, steer clear of it. Keep in mind, the possibility always exists the poster may be involved with the site. And DO take note of Roddy's post titled, "I would not either touch Trojan Killer".
If the instructions in the removal guide don't work for you, I would strongly suggest posting at a HijackThis forum. They have access to certain diagnostic and removal tools, we don't utilize at this forum. A trained helper will walk you through the removal process. And hopefully do so in a way which will enable you to access ALL your files.
You can find a list of HijackThis forums, at the left-hand side of the below page:
I can only offer what I think may work. Until such time I know with certainty, what will work in any/every given circumstance and situation, I can only recommend asking for help at the above mentioned forums.
Best of luck..
What worked for me!
I followed instructions on Ehow
Or if you are using XP as me:
control Panel---Tools----Folders Option----View-----Hidden files and folders
----Show hidden files and folders (Instead of the current status of no showing the hidden files adn folders)
Then finally I see my hidden files again......
God bless you in your situations. Thanks for all our help.