This week I had an interesting experience. I plugged my personal pen drive, which holds my whole digital life, into my cousin's notebook, and it was infected by a virus.
All my folders and files were turned into shortcuts but, when clicking a shortcut, the original file or folder opens “normally”.
The conclusion here is that the original folders and files are still on the pen drive, so it is possible to recover them and remove this annoying virus.
The recovery procedure is very simple, but it must be run on a PC that is not infected. First of all, make sure that the computer on which you will do the cleaning is itself clean (free of this virus) and has a good antivirus installed and updated.
Removing the virus
If you do not have an antivirus installed (how dangerous!), I suggest installing AVG AntiVirus Free. To me it is one of the best in this category, besides being free.
Run the antivirus and do a full scan of your pen drive. It will detect and remove the files infected by the virus. It is usually a file with the extension “.vbs”.
Recovering the files the virus “removed” from the pen drive
- Open the Windows command prompt as administrator (learn how on Windows 8 and on Windows 7).
- Run the following command, changing the drive letter to that of your USB drive. In the example below the drive is “F:”. In your case it can be “E:”, “G:” or any other letter. Check this before you run the command.
- Enter: attrib -h -r -s -a /s /d F:\*.*
- Press Enter and wait. Depending on the number of files and folders on the pen drive, this command can take quite a while. Wait until it finishes.
Done! Your folders and files should now be displayed correctly. Next we remove the annoying shortcuts that were created by the virus.
- Still at the command prompt, type the following command, remembering to change the drive letter to that of your pen drive:
- Enter: del F:\*.lnk
How the virus works
This silly virus creates a copy of itself on the pen drive. It is a file with the extension “.vbs”. It creates several shortcuts with the same names as the files and folders in the root directory of the flash drive; however, each shortcut it creates points to the “.vbs” file, passing the correct path and name of the original folder or file as a parameter.
Thus, every time you click a shortcut, the “.vbs” file runs and, consequently, the virus is triggered. To keep up the disguise, after executing the routines it was programmed with, the virus opens the original file or folder. So people who do not know much about computers do not bother to find out what is happening because, in a way, they keep accessing their files “with no problem”.
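The mechanism described above can be checked before anything is deleted. The following read-only audit is an added example, not part of the original article: it lists every shortcut in the drive root, shows what it would run, and pairs it with the hidden original it stands in for. It assumes PowerShell 3.0 or later and the article's example drive letter “F:”; the `.js` extension is included because a commenter below reports it.

```powershell
# Added example: read-only audit of a USB drive root. Nothing is deleted or changed.
param([string]$Drive = 'F:')          # assumption: drive letter used in the article

$root  = "$Drive\"
$shell = New-Object -ComObject WScript.Shell
# -Force also returns items that carry the Hidden/System attributes
$items = Get-ChildItem -LiteralPath $root -Force

# Script files sitting in the root of the drive
$scripts = $items | Where-Object {
    -not $_.PSIsContainer -and ('.vbs', '.js' -contains $_.Extension)
}

$report = foreach ($lnk in ($items | Where-Object { $_.Extension -eq '.lnk' })) {
    $sc      = $shell.CreateShortcut($lnk.FullName)   # opens the existing .lnk
    $cmdline = "$($sc.TargetPath) $($sc.Arguments)"
    # A hidden item with the same name is the original the shortcut imitates
    $original = $items | Where-Object {
        $_.FullName -ne $lnk.FullName -and
        ($_.Name -eq $lnk.BaseName -or $_.BaseName -eq $lnk.BaseName) -and
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    } | Select-Object -First 1

    [pscustomobject]@{
        Shortcut       = $lnk.Name
        Target         = $sc.TargetPath
        Arguments      = $sc.Arguments
        # True when the shortcut launches a script host or a script file
        RunsScript     = $cmdline -match '\.(vbs|js)\b|\b[wc]script(\.exe)?\b'
        HiddenOriginal = if ($original) { $original.Name } else { $null }
    }
}

'Script files in the drive root:'
$scripts | Select-Object Name, Length, Attributes | Format-Table -AutoSize

'Shortcuts in the drive root:'
$report | Format-List

# Shortcuts that run a script AND shadow a hidden original match the pattern
# described in the article; any other .lnk may be one you created yourself.
$suspect = @($report | Where-Object { $_.RunsScript -and $_.HiddenOriginal })
"{0} of {1} shortcut(s) match the pattern." -f $suspect.Count, @($report).Count
```

Shortcuts that do not match the pattern are worth reviewing by hand before running `del F:\*.lnk`, since that command removes every shortcut in the root.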
Conclusion
I found this virus pretty dumb: it is very easy to detect that the flash drive is infected. But the idea is interesting, since it ensures that the virus is always executed, because the owner of the pen drive always clicks the shortcut to access the desired file or folder.
I did not note down the variant of the virus that infected my pen drive and have not studied what its real purpose is, but it is probably a virus that monitors user behavior, or one that creates a zombie machine, or one that picks up the database password, those things that most viruses do.
So that's it. I hope you stay alert if strange shortcuts begin to appear on your pen drive!
Hello guys, I have a weird problem: I do the whole procedure correctly, however the following message appears: the target of the symbolic link D:\ USBCH ^ 8A does not exist
Thank you Bruno!
Helped me a lot.
Your study is very scientific, congratulations! I'm trying to do what you have suggested… but I am afraid of not recovering the data on the drive when changing it.
Good morning Bruno, congratulations on your work; it is clear and helps us a lot.
I ask for help. The AVG on my computer detected a virus on my flash drive and deleted all the folders. The folders appear there in quarantine, but it is not possible to save them. How do I recover the pen drive? I have not recorded anything on it yet… Thank you.
What good is it, it all comes back again ¬¬ pqp. I can not take this no uniformed ject of plague: every tutorial, programs, nothing works, it always comes back
Bruno,
How do I delete the following virus from my pen drive?
I managed to remove the shortcut virus, but my files are gone!! What do I do?
Hello Lay,
Did you run the command attrib -h -r -s -a /s /d F:\*.* ?
I hope you executed the command del F:\*.lnk correctly, because if you put a “*” in place of the “.lnk”, then you really did delete the files. ;)
If you deleted them by accident, visit this link to learn how to recover deleted files.
I hope you can solve this problem.
Regards!
Bruno Cunha
Thank you sooooo much, helped me a lot!
Juliana, I mentioned PSafe up there. What do you use? Try it and see if it works on your computer. I find it very easy to use, but I have also been working with this for a while. Good luck!
At the time this virus hit some of my customers, I was asked which antivirus I would recommend… I suggested Avast. If it were today, I would not recommend checking with Avast but with PSafe. I did some tests and, in terms of performance, PSafe reacted better than Avast and AVG, all free.
Is this check you do easy?? I managed to do it following the step by step of this article, but I'm looking for the simplest processes!!
I'm using a great antivirus, PSafe! So when I put the flash drive in the PC I run a check to clean the flash drive too!
Thank you for the tip, friend. Congratulations on the initiative…
Thanks, brother!! It all worked here!! Hugs
Bruno, congratulations on the post!
Fábio, thanks for the comments, I was searching for the directory for a long time! :)
Perfect, Thank you.
Thanks, I learned a lot from this tip and I will share it.
It works. Helped others. Thank you!!!
OK, FRIEND. VERY GOOD.. I WAS ALMOST BREAKING THE USB FLASH DRIVE .. BUT IT ALL WORKED OUT… Thanks a lot
Your tip is very good, but the commands can be complemented…
If the virus is active on the machine, the files will be unhidden immediately but will then be hidden by the virus process. That is what happened in the case of “Cristhian Costa”.
I advise that the first command to be executed be one that kills the virus process on your computer…
taskkill /im wscript.exe /f
After that, execute step 3 of the tip…
(Enter: attrib -h -r -s -a /s /d F:\*.*)
Well, up to here it is already solved; for the rest you use the antivirus
But if you're already a bit familiar with the commands and want to solve it alone…
REM REMOVE THE REGISTRY KEY THAT STARTS THE VIRUS
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v help.vbs /f
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v cool.vbs /f
REM DELETE THE VIRUS FROM THE TEMPORARY FOLDER, WHERE IT IS LODGED
attrib -h -s "%temp%\help.vbs"
attrib -h -s "%temp%\cool.vbs"
del /f "%temp%\*.vbs"
It was just a complement…
Wave,
Thank you very much, you saved my life, thanks ..
Worked perfect
Thanks, helped a lot.. I recommend it!
Recovered the files! uahua
Bruno, I was unable to perform the procedure: I cannot identify any file that appears to be the virus, nor did the antivirus detect one. If I try the command prompt, the files appear and then, immediately, are hidden again. The antivirus does not flag anything! What do I do? I appreciate the help; I have already tried everything on the net.
Hello Crishian!
Your antivirus is probably outdated, but I think updating it now will not solve much.
Try cleaning this pen drive on another computer, but first make sure that the antivirus is updated. When in doubt, reinstall the antivirus.
Your PC is probably infected and, in that case, I recommend that you create a bootable pen drive with an antivirus to scan your HD.
I hope I have helped in some way!
Regards!
Hello Bruno, I also downloaded and first ran the kill to stop the program's action, but this virus also creates many .js files that lodge not only on the pen drive but also on the PC. I took a computer with AVG installed and it could not see the *.js virus; then I formatted the PC and installed PSafe, and it did not see the virus either. The problem is that the virus is also running on the PC and does not let me get into the folder where the virus is on the PC; it creates a folder lock. The pen drive gets cleaned fine, but I can not delete this virus from the PC. I'm downloading the suggested pen drive with bootable antivirus to see what happens. Regards
I loved everything I've read so far; keep helping people like me, almost digitally illiterate!!!!!!!!
Thanks!! I will now fix the problems on everyone's pen drives here
Cool; grateful for the assistance!!!
Gee, this tip is very good! It worked here. Thank you.
Thanks, eh! Thanks a lot, it worked here :D