
New Virus “Erases” Files and Folders: Panics Users

Thanks to a new virus which makes users believe all of their data has been deleted, computer users everywhere are in mass panic and repair shops are busier than ever. This new virus is pure genius and is, as old-school hackers would put it, a “truly righteous” hack. It exploits a loophole in Java which gives the virus god-rights on the computer and installs without the user ever knowing. Unlike most viruses today which trick the user into thinking they have a virus and clicking ‘OK’ to clean it up (which actually installs it), it is embedded in webpages which use Java and installs silently. And since nearly everyone has Java turned on to surf the internet, it installs quietly and effortlessly. Suddenly, all the computer’s files, icons and folders are “gone.” Panic ensues as users frantically try to figure out how to recover their “lost” data. But what has really happened is that the virus has simply hidden every file on the computer! Genius, right? I can only imagine the developers are sitting back having a good laugh about it all.

So what do you do if you get hit by this lovely virus? A non-techy person could take it to a computer repair shop and spend anywhere from $85-$150 to get it fixed. Or for you geeks, you could fix it yourself using the following steps:

(Please note the following steps are for experienced users only – if you are not comfortable performing any of the below steps, take the computer to a professional!)

1)      Immediately boot into Safe Mode (with networking) and do not leave this until you are done! (Mashing F8 at the boot screen will do this on most computers – read the boot screen if F8 doesn’t do the trick)

  1. If you have to reboot at any time, make sure you boot back into Safe Mode!

2)      Download and run RKill: http://www.bleepingcomputer.com/download/anti-virus/rkill. This will terminate the virus from running and allow you to clean up the computer. Any of the download links should work – they just have various names to confuse viruses.

3)      You need to be able to see the folders/files which are hidden. To do this, do the following:

  1. Click your start menu
  2. In the ‘run’ field, type “cmd” and hit enter
  3. Type: attrib c:\*.* /d /s -h
  • **The virus may make files read-only as well. If so, include -r.
  • **If the virus makes files system files, add -s (attrib will not clear the hidden attribute of a file that is also marked system unless -s is given as well).
  • Do NOT add any unnecessary -r or -s switches. Only use these switches if needed.
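The same clean-up as an added PowerShell example (not from the original post): it clears the hidden and read-only attributes the way attrib -h -r would, but leaves anything that is also marked system alone, so genuine OS files stay hidden. It assumes Windows PowerShell 3 or later saved as a .ps1; the default root C:\Users is a constructed starting point, and nothing is changed unless -Apply is given.

```powershell
# Added example, not the article's own command: unhide user files the way
# "attrib -h -r" does, but never touch entries that carry the System attribute.
# Assumes Windows PowerShell 3+; C:\Users is a constructed default root.
param(
    [string]$Root = 'C:\Users',   # start with user data rather than the whole drive
    [switch]$Apply                # without -Apply the script only reports
)

$HIDDEN   = [int][IO.FileAttributes]::Hidden
$READONLY = [int][IO.FileAttributes]::ReadOnly
$SYSTEM   = [int][IO.FileAttributes]::System
$fixed   = 0
$skipped = 0

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $attr = [int]$_.Attributes
        if (-not ($attr -band $HIDDEN)) { return }      # already visible, next item
        if ($attr -band $SYSTEM) {
            # System+Hidden is how desktop.ini, pagefile.sys and friends normally
            # look; attrib -h refuses them without -s, and we leave them for review.
            $script:skipped++
            return
        }
        # Clear Hidden and ReadOnly in one step, keep every other attribute bit.
        $new = $attr -band (-bnot ($HIDDEN -bor $READONLY))
        if ($Apply) { $_.Attributes = [IO.FileAttributes]$new }
        $script:fixed++
        $verb = if ($Apply) { 'cleared' } else { 'would clear' }
        Write-Output "$verb hidden/read-only on $($_.FullName)"
    }

Write-Output "Entries processed: $fixed, System+Hidden left alone: $skipped"
```

Run it once without -Apply to review the list, then with -Apply from the same Safe Mode session.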

4)      Make sure you have the following programs installed and updated:

  1. Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
  2. Super AntiSpyware (http://www.superantispyware.com)
  3. Remove ANY other antivirus program you have as most don’t live up to their promises and often do more harm than good (ESPECIALLY Norton, McAfee and AVG).

5)      Run a FULL scan on both Security Essentials and Super AntiSpyware.

6)      Clean up your registry! (If not comfortable with this, pay for a professional cleanup!)

  1. Go to Start -> Run -> ‘regedit’ and hit enter, then ‘Ok’ or ‘Yes’
  2. Go to HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
    i.      Remove anything which looks suspicious and is not a file you recognize. For instance, an entry with a name like FKA546542EJJAL and stored in a temp folder is probably a virus (EXAMPLE ONLY). This is also a good time to remove unnecessary programs from starting up at boot time.
  3. Go to HKEY_CURRENT_USER -> Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon
    i.      Again, remove anything suspicious. If you don’t see anything obvious, DO NOT DELETE ANYTHING.
  4. Go to HKEY_USERS -> ‘user name’ or ‘.DEFAULT’ -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
    i.      Remove suspicious entries as mentioned above
    ii.      Do this for EVERY user
  5. Go to HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> Run
    i.      Remove suspicious entries (be EXTRA careful here as some of these entries are necessary for system components to run at startup. Again, if not sure, take it in for a professional cleanup!)
  6. Go to HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon
    i.      Double click on ‘Shell’ and make sure it ONLY says ‘explorer.exe’. If there is anything after it, delete it!
    ii.      Double click on ‘Userinit’ and make sure it ONLY says ‘C:\Windows\system32\userinit.exe,’ (including the trailing comma). If there is anything after it, delete it!
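Before touching regedit it helps to see everything in one place. The following added PowerShell example (not from the original post) reads the Run keys and the Winlogon values the steps above walk through, flags startup commands that live in a Temp folder, and compares Shell and Userinit with the expected values; it assumes Windows PowerShell 3 or later in an elevated prompt and modifies nothing.

```powershell
# Added example, not the article's own procedure: read-only audit of the
# autorun locations in step 6. Assumes Windows PowerShell 3+, elevated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# One Run key per loaded user hive: covers .DEFAULT and every logged-on SID.
$runKeys += Get-ChildItem -Path HKU:\ |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($name)
        # A startup command living in a Temp folder matches the pattern the article describes.
        $note = if ($cmd -match '\\Temp\\') { '  <-- runs from a Temp folder, review this' } else { '' }
        Write-Output "$key`n    $name = $cmd$note"
    }
}

# Winlogon: anything appended after these two values is a sign of tampering.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}
$wl = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in $expected.Keys) {
    $actual = [string]$wl.GetValue($name)
    if ($actual -eq $expected[$name]) {
        Write-Output "Winlogon $name OK"
    } else {
        Write-Warning "Winlogon $name is '$actual' (expected '$($expected[$name])')"
    }
}
```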

7)      Lastly, do a quick file cleanup

  1. Go to C:\Windows\System32
    i. Sort by Date Modified – click twice so you see the most recent date on top
    ii. Going from the date you got infected (hopefully you are doing this the same day or the next day) remove any files which look suspicious (yet again, if you don’t know what you are doing, take it to a professional!)
  2. Go to C:\Windows and do as above but look at folders as well as files
  3. Delete cookies and temp files (any self-respecting geek knows how to do this already)

So by now you have:

1)      Made your files viewable and usable again

2)      Removed the virus and any associated viruses or malware by using the recommended software

3)      Removed registry entries to prevent anything bad from loading on startup and thus re-infecting your machine

4)      Removed any negative system entries which may also be contributing to the problem.

You might have even discovered you had other spyware, malware or viruses you didn’t know about throughout all this. But if you did everything correctly, you should be clean. If not, now is definitely a good time to take the computer in for a professional cleanup as your machine likely has bigger problems than you were aware of. Good luck!

**Please note that running these commands will make EVERY file on the system viewable and editable, including previously hidden system files you shouldn’t mess with. Use extreme caution when working with files after doing this. If you aren’t comfortable with this, consider paying for a professional cleanup.

3 Comments

  1. My apologies, I omitted the word ‘attrib’ in #3. The command should be:

    attrib c:\*.* /d /s -h

  2. Dan Rippon says:

    Hi Angela,
    I’m usually the guy that ends up removing these infections, and I’d just like to add one step to the end of your process that I normally do for my clients, which is to turn off the system restore function (followed by a reboot and re-enable) to remove any chance the infection may be in one of those restore points. It’s easily overlooked, but could see you back at square one if not taken care of!

  3. Hi Dan,
    That is a very good suggestion and one we normally do as well. I didn’t think to mention that in my article. Thanks for pointing it out!