Monday, April 18, 2011

Windows Fix Disk ... Not!

CORRECTED

If you spend any time online, you’ve probably been hit with “Security Check” malware that mimics anti-virus software and warns, in an endless stream of pop-ups, of viruses infesting your computer. Cleaning off the malware can be a nightmare.

I recently got smacked with a variation of the malware called “Windows Fix Disk.” Disguised as an official-looking Windows function, it pops up and proclaims that your hard drive is really, really bad. And, to convince you, the malware changes the settings on files and folders in your directories to “hidden.” Thus, when you check “My Computer” or “My Documents” you find … nothing, and you believe that your hard drive really is fried.

Below the fold is how I expunged the “Windows Fix Disk” malware from my Dell Inspiron 6000 laptop running Windows XP SP3.


DISCLAIMER: I’m an amateur. I don’t subscribe to a virus-protection software service. I’m describing, to the best of my recollection, the steps I took to rid my machine of “Windows Fix Disk” malware. The same steps may not apply or work for you. I suggest reading the entire post first, then proceeding cautiously and at your own risk.

DISCONNECT and “END TASK”: As soon as WFD pops up warning of the dire state of your hard drive, disconnect from the internet. Just as fast, open “Windows Task Manager” (Ctrl-Alt-Del). In the Applications tab, click “Windows Fix Disk,” then click “End Task.” (Previous “security check” malware that I encountered blocked access to Task Manager, but WFD did not.) Repeat for any other alien-looking applications that are running.

FIND MALWARE: WFD placed an icon on my desktop. Right click on the icon, click “Properties” in the drop-down menu, then click the “Shortcut” tab. The location of the malware is in the “Target” box. On my machine, the malware had nestled itself into “C:\Documents and Settings\All Users\Application Data.”

UN-HIDE FILES AND FOLDERS: Here’s where it gets a little tricky. You may find nothing when you look in your directories and folders. That’s because WFD, to trick you, changed your file and folder settings to “Hidden.” The line at the bottom of your empty files and folders screen tells you “0 objects.” But notice that there are a number of “hidden” files. You need to unhide the files and folders.

CORRECTION: Select "Control Panel" from the "Start Menu." Select "Folder Options" then click on the "View" tab. You'll find the "Hidden Files and Folders" under "Files and Folders" in the "Advanced settings" box. Click on "Show Hidden Files and Folders" then click "OK." This will show your hidden files and folders, but will not "unhide" them. You'll have to do that yourself.

Open "My Computer" and click on “Local Disk (C:).” Right-click on “Documents and Settings,” then click on “Properties.” In the “General” tab, under “Attributes,” unclick the “Hidden” box. Now you will be able to see all files and folders in the “Documents and Settings” directory. (You may need to check through other directories and folders to see if they’ve been hidden, too.)

REMOVE MALWARE: Now that you can see what’s in your directory, look for suspect “.exe” files in "C:\Documents and Settings\All Users\Application Data." One clue to identifying malware files is “Date Modified.” The date and time on the offending files is usually about the time you were attacked. I found three offending .exe files: a “Windows Fix Disk” .exe; an .exe file named with a series of numbers; and an .exe file named with gobbledygook. All were modified about the time I was attacked.

Delete the offending files, then empty the recycle bin. If the malware deposited an icon on your desktop, delete it by right clicking on the icon, then clicking “Delete,” then empty the recycle bin.
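The same three steps (find the shortcut’s target, un-hide the profile tree, list the recently modified .exe files) as a script. This is an added example and not part of the original post: it assumes PowerShell 2.0 (which Microsoft shipped separately for XP SP3), the default XP profile root quoted above, and an attack time that you fill in yourself; the function names (Get-ShortcutTarget, Clear-HiddenAttribute, Find-RecentExe) and the $AttackTime value are my own. It only lists candidates, so you can compare the list against the three files described above before deleting anything.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0 on Windows XP SP3
# and the default profile root used in the post. $AttackTime and $WindowHours are
# assumptions: set them to roughly when the pop-ups started on your machine.

$ProfileRoot = 'C:\Documents and Settings'
$AppData     = Join-Path $ProfileRoot 'All Users\Application Data'
$Desktop     = [Environment]::GetFolderPath('Desktop')
$AttackTime  = Get-Date '2011-04-15 14:00'   # assumed time of attack; change it
$WindowHours = 3                             # look this many hours either side

# FIND MALWARE: read a desktop shortcut's "Target" box without opening the shortcut.
function Get-ShortcutTarget {
    param([string]$LinkPath)
    $shell = New-Object -ComObject WScript.Shell
    $shell.CreateShortcut($LinkPath).TargetPath
}

# UN-HIDE FILES AND FOLDERS: clear the Hidden bit on everything under $Path.
# Items that are also marked System (desktop.ini and the like) are the OS's own
# hidden files, not the malware's doing, so they are left alone.
function Clear-HiddenAttribute {
    param([string]$Path)
    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $hidden) -eq $hidden) -and
            (($_.Attributes -band $system) -ne $system)
        } |
        ForEach-Object {
            $_.Attributes = $_.Attributes -bxor $hidden   # bit is set, so xor clears it
            Write-Output ("unhidden: " + $_.FullName)
        }
}

# REMOVE MALWARE (triage only): .exe files whose "Date Modified" falls inside the
# attack window. Nothing is deleted here; review the list by hand first.
function Find-RecentExe {
    param([string]$Path, [datetime]$Center, [int]$Hours)
    $from = $Center.AddHours(-$Hours)
    $to   = $Center.AddHours($Hours)
    Get-ChildItem -Path $Path -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $_.PSIsContainer) -and
            ($_.LastWriteTime -ge $from) -and ($_.LastWriteTime -le $to)
        } |
        Select-Object FullName, LastWriteTime, Length
}

# 1. Every shortcut on the desktop, with the real location it points to.
Get-ChildItem -Path $Desktop -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "{0} -> {1}" -f $_.Name, (Get-ShortcutTarget $_.FullName) }

# 2. Make the profile tree visible again.
Clear-HiddenAttribute -Path $ProfileRoot

# 3. Candidate files to check against the three described in the post.
Find-RecentExe -Path $AppData -Center $AttackTime -Hours $WindowHours | Format-Table -AutoSize
```

Run it from a PowerShell prompt opened as the local Administrator after the “End Task” step, while still disconnected. The un-hide step will also report legitimately hidden items such as each user’s own “Application Data” folder and NTUSER.DAT, which is harmless; the System-attribute check keeps it from touching the files Windows itself hides. Widen $WindowHours if the attack time is uncertain, since a wider window only adds more candidates to read through.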

All these steps got rid of the “Windows Fix Disk” and I seemed to be functioning normally. But I still had one more thing to do.

RUN WINDOWS “PC SAFETY SCAN”: Always a painful, time-consuming, and somewhat confusing process, but worth the effort. Go to the Microsoft Safety & Security Center and download the “Free PC Safety Scan.” The full scan took about an hour and a half on my machine. It found and removed something called “Trojan:Win32/FakeSysdef,” defined as “a rogue system optimizer that displays false alerts to coax the user into purchasing the program.” Bingo.

That’s how I did it. Good luck. Corrections, clarifications, and comments welcome.

Update: Some more amateur advice.

1 comment:

  1. I was hit by a similar virus recently. Thanks for the info -- nice to have it written down, as I spent hours combing the internet looking for help and found very little that was useful.
