The icon is probably a dead link now (hope) don't click to find out.
"A log file about what actions unhide performed etc" attach that log back here, like i attached the script.
Quads
Yep seems like everything is back...but obviously in large form, so can't account for everything just yet, but all does seem ok...should I try and boot up in normal mode?
though what should I do about the "data recovery" icon that is still there where it installed itself on teh task bar - i think there is also a shortcut that installed itself on the desktop?
btw sending you a choice of virual hot chocolate with marshmallows or a nip of brandy - take your pic!
leave them alone
attach the unhide log back here please like I did the script
You still appear by the ADS entry to have a Rootkit / Bootkit, but I choose to break the FakeHDD first so it won't interfer later.
Quads
Hope you don't mind - still won't let me attach it as a text doc - no idea why - still saying attachment doesn't match extension - I even copied and pasted into a new notepad and still won't let me attach
so here it is
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html
Program started at: 05/20/2012 05:41:45 PM
Windows Version: Windows XP
Please be patient while your files are made visible again.
Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.
Processing the C:\ drive
Finished processing the C:\ drive. 148602 files processed.
Restoring the Start Menu.
* 217 Shortcuts and Desktop items were restored.
Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoDesktop policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
* DisableTaskMgr policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
* HidNoChangingWallPaperden policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowControlPanel was set to 0! It was set back to 1!
* Start_ShowHelp was set to 0! It was set back to 1!
* Start_ShowMyComputer was set to 0! It was set back to 1!
* Start_ShowMyDocs was set to 0! It was set back to 1!
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowRun was set to 0! It was set back to 1!
* Start_ShowSearch was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowRecentDocs was set to 0! It was set back to 2!
* Start_ShowNetConn was set to 0! It was set back to 1!
* Start_ShowNetPlaces was set to 0! It was set back to 1!
Restarting Explorer.exe in order to apply changes.
How are you trying to attach the .txt files, And .doc files are not allowed.
Quads
Hit reply
Hit Browse
Attach txt File
Post
You hit reply underneath the main ttype field you will see a "Choose File" button.
Quads
Is it because there is http code in the txt file that the site is rejecting it - saying that it does not match?
Sorry Quads you had a blank messgae come through - was that more intructions??
Quads wrote:You hit reply underneath the main ttype field you will see a "Choose File" button.
Quads
mmmm do you have a screen shot - i can't find a "choose file" anywhere
Everyone else can find it, it's clear as day as it's big enough
Quads
...yeah tried everywhere but the site continues to reject my txt file uploads - what to do next?
tanks
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html
Program started at: 05/20/2012 05:41:45 PM
Windows Version: Windows XP
Please be patient while your files are made visible again.
Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.
Processing the C:\ drive
Finished processing the C:\ drive. 148602 files processed.
Restoring the Start Menu.
* 217 Shortcuts and Desktop items were restored.
Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoDesktop policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
* DisableTaskMgr policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
* HidNoChangingWallPaperden policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowControlPanel was set to 0! It was set back to 1!
* Start_ShowHelp was set to 0! It was set back to 1!
* Start_ShowMyComputer was set to 0! It was set back to 1!
* Start_ShowMyDocs was set to 0! It was set back to 1!
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_ShowMyPics was set to 0! It was set back to 1!
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowRun was set to 0! It was set back to 1!
* Start_ShowSearch was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowRecentDocs was set to 0! It was set back to 2!
* Start_ShowNetConn was set to 0! It was set back to 1!
* Start_ShowNetPlaces was set to 0! It was set back to 1!
Restarting Explorer.exe in order to apply changes.
Go and do your school work.
I have no idea how to remove the likes of MaxSS if that is the one behind on your system as the programs and scripts can get worse, and you struggle with the easier stuff.
That will just have to hide in the background a bit longer.
Quads
tried something different - still didn't work - your gif came up as a big plain triangle - i'm sure I'm doing what anyone else would do to attch files - perhaps it is still something to do with the virus?
The image has to be approved then it shows.
Bye
Quads
grrrr i am no imbecile - i have followed everything to the letter - why are you after all this washing your hands of it
i am still operating in safe mode if that has anything to do with it - seriously?!