1: Download & run Unhide
To run Unhide, simply download it to your Desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note that this program will not unhide removable drives like flash cards and USB drives, as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt.
Copy & Paste the contents of the log in your next post please. Let me know if it doesn't produce a log.
An introduction as to what this program does.
Unhide.exe is a program that will revert many of the changes on your computer caused by the FakeHDD family of rogue anti-spyware programs. This family of rogues pretends to be a system optimization program that will solve errors with your computer’s hard disks, memory, and performance. It will also display fake alerts stating that your computer has numerous computer issues and prompt you to purchase the program in order to resolve these issues.
As part of the infection process, this family of rogues will change the attributes of all the files on your computer's fixed hard disks so that they are hidden (+H). It will then change your Windows configuration to make it so that you do not see hidden files or hidden system files. By doing this, the rogue attempts to make you think that all of your files have been deleted in the hopes that this will trick you into purchasing the program in order to recover your files.
This infection will also delete shortcuts in various folders on your computer so that you can no longer find them pinned to the taskbar, in the quick launch, or in your Start Menu. When the infection deletes the shortcuts it will store a backup copy of them in the folder %Temp%\smtmp. Using this backup, we can then restore the files to their proper location so you can find them once again under your Start Menu and in other locations. It is very important, though, that if you are infected with this family of infections that you do not delete any of the files in your %Temp% folder and that you do not run any temp file cleaners as they will delete this backup folder. With this folder removed, we will not be able to restore the shortcuts back to their proper location.
Unhide.exe is used to automatically revert these changes on your computer. When run, it will unhide (-H) all +H files on the fixed disks of your computer. It will not, though, unhide any files that also have the +S attribute. Unhide will also automatically detect if the %Temp%\smtmp folder exists, and if it does, it will copy them back to their proper locations for you. If your shortcuts are missing due to this infection and you have already cleaned out your Temp folder, then you can use the scripts at the bottom of this post to restore your default Start Menu.
Unhide will also reset certain Registry settings that this infection changes to hide your shortcuts and Start Menu items. When Unhide is running, if it detects any changes in these Registry settings it will reset them to the Windows default and display a message that it has done so.
3: Run DeFogger & then ComboFix.
Please download DeFogger and save it to your Desktop
Once downloaded, double-click on the DeFogger icon to start the tool.
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
DeFogger may ask you to reboot the machine; if it does, click OK.
Do not re-enable these drivers until otherwise instructed.
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.
Download ComboFix to your Desktop & then run it. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
A guide and tutorial on using ComboFix
Manually restoring the Internet connection
There are circumstances in which ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD), so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running ComboFix you discover that none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
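The Unhide behaviour the post explains (clear +H from files on fixed disks unless they also carry +S, and check for the %Temp%\smtmp shortcut backup), as an added PowerShell example that is not the Unhide.exe program's own code; the Desktop log file name and the -DryRun switch are my own choices, not part of the original tool.

```powershell
# Added example (not Unhide.exe's own code): re-implements the remediation the
# post describes. Run from an elevated prompt; -DryRun only logs what would change.
param([switch]$DryRun)

$log    = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Unhide-example.txt'
$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
$count  = 0

# Fixed disks only: removable media (USB sticks, flash cards) are skipped, as the
# post notes FakeHDD does not target them.
$fixedRoots = [IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
    ForEach-Object { $_.RootDirectory.FullName }

foreach ($root in $fixedRoots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Only +H files that are not also +S: the rogue adds Hidden to user data,
            # while +H+S files (boot files, pagefile) are legitimately hidden and left alone.
            if ($_.Attributes.HasFlag($hidden) -and -not $_.Attributes.HasFlag($system)) {
                if (-not $DryRun) { $_.Attributes = $_.Attributes -bxor $hidden }   # -H
                Add-Content -LiteralPath $log -Value "Unhid: $($_.FullName)"
                $count++
            }
        }
}
Add-Content -LiteralPath $log -Value "Files unhidden: $count (DryRun=$DryRun)"

# The shortcut backup the infection leaves behind. The post says only that this
# folder holds the deleted shortcuts, so this block reports its contents rather
# than guessing where each item belongs; confirm restore destinations per system.
$smtmp = Join-Path $env:TEMP 'smtmp'
if (Test-Path -LiteralPath $smtmp) {
    Add-Content -LiteralPath $log -Value "Shortcut backup found: $smtmp (do not delete it)"
    Get-ChildItem -LiteralPath $smtmp -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Content -LiteralPath $log -Value "  backup: $($_.FullName)" }
} else {
    Add-Content -LiteralPath $log -Value 'No %Temp%\smtmp backup folder found'
}
```

Run it first with -DryRun and read Unhide-example.txt on the Desktop to confirm only user files are listed before letting it clear the attribute.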