Restore / Recover from Virus that hides files and creates shortcut or .Exe application in Their Place


      Many Viruses out there, hide your Folders and create Shortcuts or Application of the same name and same Icons as the Folders in the same directory. Many times people follow these shortcuts and end up infecting their system with this annoying virus.


      If you find any trace of this virus in your Flash/Pen Drive, External Hard-disk and other forms of Removable Disk, Then this quick tutorial should help you get your files back into place.

  • Windows 7 and Vista: Click Start in the search program field type CMD right click and Run as Administrator....
  • Type your Removable Storage Drive letter followed by colon and ENTER key. eg I: 
  • drive-letter: attrib *.* /s /d -h -r -s to make visible all files  (for more info, try attrib /?) or continue reading for a more detailed outline.

1.    Your Flash Drive should look like this when infected. (As you can see all the Folders have been hidden with only fake shortcuts leading to the virus).


2. Go to Folder Options: (on Windows 7: press alt first), click Tools ----> Folder Options: goto Views tab.

                                                                                      
3. Click Don't show hidden files, folders or drives and un-check "Hide protected operating system files". But If you're using Windows Xp and a virus has messed up you hidden folder options, then proceed to the command line step. 


4. Your Drive should now Display the hidden files.  Right click you desired folder and click properties.


5.  If the virus is one that just makes the Folders hidden and not System hidden( System Protected). Then the Hidden check box should be enabled and checked as shown in the image below (If not goto Command Line/Alternate solution section ). Just un-check the the Hidden tag and if you wish the Read-only tag too. but If it is shown as in step 1 of Command line section below:

COMMAND LINE SOLUTION / ALTERNATE SOLUTION


         If after the above steps your folder property is as shown below:  where the hidden tag is disabled and therefore, cannot be unchecked.
   
Follow the steps below:

STEP 1:  

Windows 7 and Vista: Click Start in the search program field type CMD right click and Run as Administrator.
               Windows XP: Click Start, click Run: type CMD and click OK.
                Or Goto Start------> Accessories------>  Command Prompt.

STEP 2:  

Type your Removable Storage Drive letter followed by colon and ENTER key. (eg I: )


STEP 3:  

Type Dir /A:H to display all hidden files (Note: will also display System protected files and Folders ), you can also use Dir /A:H to display only System protected files and Folders or Dir /A:HSD to display only System protected, Hidden Directories only.



STEP 4:

Type the Command as shown below, Make sure you type the attrib (attribute) command or you'll get an error. follow the System: 

attrib "File/Folder name" -h -r -s. 

Or  
attrib *.* /s /d -h -r -s to make visible all files (for more info, try attrib /?) 

STEP 5: 

After deleting the unwanted shortcuts or Fake applications. Your Directory should look like this.



7 comments:

  1. this will only get back folder.but incase if you reconnect pendrive it will hide again. First remove Trojan.
    ================
    Step1: Use task manager and stop “service196.exe” 196 could be any random number.
    Step2: Locate this exe file in windows folder and delete it
    Step3 : Remove all registry entry for this exe file. Normally uses name “Adobe Reader Speed Launcher”. exact location can be found at

    http://www.threatexpert.com/report.aspx?md5=af5ec168d7729de093655472f5bcc5c8

    Step 4: Delete autorun.inf and recycle folder from external pendrives etc.
    =================
    To recover file folder run below given command from command prompt.
    attrib -h -r -s /s /d F:\*.*
    F could be any external drive. Folders are are just hidden.

    ReplyDelete
  2. I tried this and i am still not able to see the folders, i see a $RECYCLE.BIN folder and within that folder there are 3 folders with nothing in it and also when i ran the command i get a acccess denied message.

    ReplyDelete
    Replies
    1. You are getting the access denied error, cause you're not running in an elevated privilege mode, right click command prompt and runs as admin, or highlight cmd and press control+shift+enter.

      Delete
  3. Thank you so much you save me from PC format.

    ReplyDelete