Tuesday, March 24, 2015

(blog) Burke, the Virus Killer!

Okay, maybe that's a little over-dramatic and teensy bit overblown, but I did get hit with a virus at work which I thought had irrevocably scrambled my flash drive, rendering my files -- including my just-finished grades spreadsheet, which was due about an hour later -- irretrievable. Never saying die, I was determined to fix my drive. And I did. When I tweeted my sigh of relief, I was asked to make a blog post of it to explain to others, in case it happens to them.

Keep in mind, this will only solve your problems if you're hit with this specific virus.

"Help! My Directories Have Turned to *.LNK files!"

So here's the story, in brief: I was using the computer in the school's Teachers Room. It's probably the oldest machine on the floor, or close to it. (There are newer machines, but by comparison -- well, in actuality, too -- this one is a relic.) It's so old that the Windows Paint I used to make comics had a copyright date of 2000. But it has MS Excel on it, which could read the EGG file, which is the spreadsheet teachers enter student grades into. I used Excel last week to update the file, inserting comments for some of the students, particularly those with failing grades. After I saved the spreadsheet, that's when the errors started. I had opened a Notepad file while I was working, but I couldn't save it. I didn't realize what had gone wrong at the time. (Little did I know.)

This computer also has a second problem: since the last break, it hasn't had wifi. Therefore, I had to track down a different computer to email this. I found my colleague had arrived and opened the lab. When I tried to attach the file to a spreadsheet, that's when I found out something had happened to the drive.

The folder, which was named 2015 Spring, along with another named 2014 Fall had the wrong icons. There were arrows on the icons, which you would see if they were shortcuts to other folders or files. When I clicked on 2015 Spring, instead of opening the folder and showing all those files, I got an error message about a corrupted picture file (where the *.LNK was apparently pointing).

Long story shorter (sorry, it was so brief after all): My directories were gone and I couldn't access anything that was in them. Only a couple of files in the root directory. About 75% of that disk was in use. Most, but not all, of the files were backed up at home. But the grade file was nowhere to be found.

I Googled it. (And Binged it as well.) I found others who this had happened to, and saw instructions about going into regedit or other system commands and tinkering with Things Users Were Not Meant to Know -- even if I was once a programmer.

Have you ever been struck by lightning from out of the blue?

After two periods of reading and fretting, something occurred to me. I'd seen this before. It had happened before.

Taking a guess, I'd probably say it was 8-10 years ago and my first flash drive. Like I said, this was an old PC -- maybe the virus has been waiting there all this time. What had happened to my drive wasn't as malicious as it appeared. It was just an illusion, but an illusion that might get me to reformat my drive to "fix" something that wasn't broken in the way I had though it had been.

The *.LNK files were NOT the remains of my directories. They were bogus files with the SAME NAMES as my directories. Here's the kicker: My directories were just fine. They hadn't been touched! (At least, as far as I can tell now, they haven't been.)

The virus had changed the system attributes of the directories to make them all both HIDDEN and SYSTEM files. Hidden made them invisible to normal viewing in Windows. System just made it that much more of a Pain In The Neck (with a capital "A") to undo this.

One frustrating little thing: I used to know how to make Windows show you all hidden and system files. Apparently, I don't anymore. Maybe the options aren't in the same place. I searched for procedures online, found some and they still didn't work. So I did what any former programmer would do. I threw away the GUI Interface, shut the Windows and then I got Down and DOS-y with it.

I opened an MS-DOS command box and fixed it Old School!

Typing the DIR command showed my nothing except my root files, the fake *.LNK files and an AUTORUN.INF file, which curiously had a timestamp equal to the viral infection. (Hmmmmmmmm.) Typing DIR /AH ordered the computer to show me the Hidden files -- and there were all my directories.

Next up was the ATTRIB command, where I found out that they both Hidden and System attributes had been turned on for those files. This is what I meant by System making it more difficult: I had to go back and read up on the ATTRIB command because it wasn't working. I kept getting an error.

Basically, you can't unhide a system file and you can't unsystem a hidden file. You have to undo them both together. So one at a time, I had to enter commands of ATTRIB -H -S ("directory name").

I got my directories back. They were visible and accessible and the files were still there.

I also deleted that AUTORUN.INF file, which is a Windows file, which may be useful for some things, but is open to corruption and misuse, as was the case here. There was no reason for it to be on my flash drive.

Everything is back to normal. I have warned a few people about that computer, but no one else has had a problem with it. In fact, I've used it before without nasty side effects. The only difference I can point to is using MS Excel this time. The virus is probably buried in some macro, out of my field of expertise. And it's probably been there for years (considering the last time I saw this particular attack). Since I'm not Admin, there isn't much else I can do other than avoid the computer and warn others, but at least if it strikes someone else, I'll have an idea what to do.

1 comment:

Matt Wynan said...

That's tough. Viruses can really just make a mess of things. Anyway, that is really great practice, in how it trains and hones you into working around it, in order to get to the fix. Your post should serve as a good manual as well, though it would be better off if we had more access to security tech and simply not have to deal with them. Thanks for sharing that! All the best!

Matt Wynan @ IDT