Recovering from a Virus - some advice


  1. Posts : 6
    windows 7 home premium
       #1

    Recovering from a Virus - some advice


    Some people are really stupid. Take me for example. I let my OS (Windows 7 Pro) get infected with a Trojan. Or did I? I’ll let you decide after you read about my dilemma and recovery frustration.

    To begin, my first clue that I had a problem was when strange things began to happen. Glitchy and slow operation, black screens before apps loaded, Google searches that went somewhere I hadn’t meant. But the real clue happened when I tried to open a doc and the response was “access denied”. WTF?! Some searching determined that all my folders were empty. WTF x 2. I did a dos attrib scan and discovered EVERY file was access denied! If you’ve ever had a true sinking feeling click on one of your important folders and see the message “folder empty” and you can’t open any file. Now, up until this point I naively thought I had a minor system problem because….my system was protected by one of the top internet security programs, Bitdefender Internet Security. It was installed on my desktop and three laptops and I slept well at night knowing I was protected. Or was I?

    I won’t bore you with the details but suffice it to say that I have spent two weeks trying to recover from this tragedy. And what I want to share is some advice and some warnings – and I hope it benefits the Windows community.

    I am not an “expert”, not even close. What I am is obdurate and relentless when it comes to a challenge. I’m also seventy-eight years old, so if I can recover from this so can all of you.

    1. My first mistake was not recognizing the seriousness of a virus. We read every day about what a pain malware has become and the proliferation of “recovery” programs has lulled us into a state of complacency. Malware, including everything from phishing attempts to full blown Trojans can be anywhere from a pain in the behind to completely destroying your computer. ASSUME THE WORST and hope for the best!

2. My second mistake was not reacting quickly enough with the correct response. One big clue was that my C: drive was rapidly filling up, but how? I spent three days trying to find a “super-hidden” file that was maxing my HD out. Instead, I should have been taking every step possible trying to stop and eliminate whatever was causing the problem in the first place. I did invoke Bitdefender’s “full system scan” and stupidly let it run for 5 ½ days before I stopped it. (Scanned three million files? Really?) It didn’t occur to me that a really dangerous Trojan can render your security system useless once it gets in. And it was definitely IN.

3. After a week of pulling my hair out I finally took one of the right steps. It was fortunate that I still had an internet connection (but no Email) and I had been posting on all the Windows forums for help. I was surprised how little advice I got, both good and useless…except the suggestion that I should do a clean install of the OS. That would require offloading all my personal files, but what if they were infected? How would I clean them before I offloaded them? FINALLY, I downloaded Malwarebytes, ran their free scan and it found what I didn’t want it to find. The Trojan roraccoon. Wow! It also found a large number of PUPs. I deleted everything. But my system was still a mess. I had determined that all my folders still contained the data, they were just “hidden”. I spent several more days un-hiding folders and taking ownership of my files and getting full access.

4. So, having used Malwarebytes I sort of assumed that my problems were over. I had found the Trojan and deleted it along with a bunch of other junk. At that point I decided to use CCleaner and see if it could help speed my system up. Wow again. It deleted a huge bunch of worthless registry junk and found a lot of other stuff but nothing really improved. Hmmm, what else could I do? Then I tried another free download, ESET. It found even more stuff that Malwarebytes hadn’t, viruses like teslacrypt, cryxos, oroles, etc. The list was long and troubling. WTF x 3! So then I tried another freebie from Sophos and it turned up FakeAV!

    5. Today I’m pretty sure my system is “clean” and I have downloaded all my personal files. Believe it or not my system has “recovered”. It’s as fast as ever, everything works as it should but I still intend to do a re-install of Windows 7.

    Bottom line – and I hope I’ve got your attention here.

    IF YOU ARE DEALING WITH A VIRUS FOLLOW THESE STEPS BEFORE GIVING UP! YOU MIGHT RECOVER!

    1. Assume the worst! Can you really afford to lose everything?!
2. Your virus protection failed (see below). Deal with it later, but now do multiple scans with Malwarebytes, ESET, Sophos – anything available. Keep scanning until you’re sure there is nothing else there! Then run CCleaner and scan again! Then recover your “empty folders” and “access denied” files if that happened to you.
    3. Then download all your personal stuff to a clean (NEW) external HD. P.S. Don’t ever plug one in to your USB drive until AFTER you have cleaned the system!!!
    4. Do a multiple-scan once a month and after everything is clean then back up all your files to the external HD. There are some good free backup apps out there.

    Was I stupid? Maybe, maybe not (at least partially!). How did all this stuff get by Bitdefender? Thinking about it I think I have an answer and a WARNING – and a suggestion for all the internet security systems providers.

    There are times when we turn our desktops off – vacation, extended down-time – and laptops especially are prone to being turned off for lengthy periods of time. In my case maybe two or three weeks at a time. The first thing I do when I return is turn the computer on, immediately check my emails and maybe browse the internet for some product or service or go to some interesting site I just heard about. Then…..almost as an afterthought, I click on my Bitdefender icon only to discover that my system is vulnerable because the last update was two weeks ago! Crap! I click on “update” and hope for the best after having been exposed to whatever for an hour. Big note!!! It's not just internet, it's email as well!!!

    What’s missing – and I can only speak to Bitdefender but I also have experience with Kaspersky – is a flashing red alert that pops up immediately after the computer is turned on after having been off for maybe 24-48 hours, saying “ALERT. VIRUS PROTECTION NOT UPDATED. DO NOT OPEN BROWSER OR EMAIL UNTIL UPDATED. UPDATE IS BEGINNING.”

    Anyway, hope all that is helpful.
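The two symptoms the post describes (folders that show as "empty" because files were flagged Hidden+System, and files that open with "access denied" because their ACLs or ownership were changed) can be audited and undone from an elevated PowerShell prompt once the system has been scanned clean. The script below is an added example, not the poster's own procedure or any vendor's tool; it assumes the affected tree is the `$Root` path, defaults to a report-only dry run, and uses `takeown` and `icacls` (both shipped with Windows) only when `-Repair` is given.

```powershell
# Added example (not from the original post): find and, with -Repair, undo the
# "folder empty" and "access denied" symptoms left behind after an infection.
# Assumptions: $Root is the tree to check; run elevated, after a clean scan,
# and with a backup of the data taken first.
param(
    [string]$Root = 'C:\Users\me\Documents',  # assumption: adjust to the affected folder
    [switch]$Repair                           # default is a dry run that only reports
)

# Hidden and System set together is what makes Explorer show "folder empty" by default.
$hiddenSystem = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

$hidden = @()
$denied = @()
foreach ($item in $items) {
    # Symptom 1: Hidden+System attributes; clear only those two bits, keep the rest.
    if (([int]$item.Attributes -band $hiddenSystem) -eq $hiddenSystem) {
        $hidden += $item.FullName
        if ($Repair) {
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $hiddenSystem)
        }
    }
    # Symptom 2: an explicit Deny ACE, or an ACL we cannot even read (no READ_CONTROL).
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        if ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) {
            $denied += $item.FullName
        }
    } catch {
        $denied += $item.FullName
    }
}

if ($Repair) {
    foreach ($path in $denied) {
        takeown.exe /F "$path" /A | Out-Null   # give ownership to the Administrators group
        icacls.exe "$path" /reset | Out-Null   # drop explicit ACEs, re-inherit from the parent
    }
}

"Hidden+System items: $($hidden.Count)"; $hidden
"Access-denied items:  $($denied.Count)"; $denied
if (-not $Repair) { "Dry run only; re-run with -Repair to apply the fixes." }
```

Review the dry-run listing before using `-Repair`: files that were legitimately Hidden+System before the infection (for example `desktop.ini`) will also appear in the first list.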


  2. Posts : 1,784
    Linux Mint 18.2 xfce 64-bit (VMWare host) / Windows 8.1 Pro 32-bit (VMWare guest)
       #2

    First of all, you are not stupid. However, you are not a geek, so there is no way for you to have a good understanding of these issues. The bad people know that, and that's how they are able to hijack your computer.

    Very few non-geeks have clean computers (i.e. clean from viruses). My wife is a rare exception. When I first met her a few years ago, I checked her laptop and found that it was as clean as a whistle - not a bit of malware of any kind. She is very careful about what she clicks on, and more importantly, about who she lets use her computer.

    The first thing that you should have done when you began to suspect malware was to unplug your computer from the internet. I am guessing that you are connected with an Ethernet cable; therefore a simple unplugging of the cable would have prevented additional infection or other nefarious online activity. If you use a wireless connection, then turning off your router would have killed the connection.

    At this point, the best way to proceed is to get a pre-Windows scanning program, that is, a program which loads before Windows has a chance to load. These types of programs have a much better chance of finding and eradicating malware which is buried deep in Windows. One example of a pre-Windows scanning program is the free Windows Defender Offline (WDO) program. Get a blank CD or DVD, go to a clean computer, and then go to the following website:

    "Access Denied"

    (I don't know why it says Access Denied. It is a Microsoft site.)

    Scroll to the bottom of the page, then click on the appropriate link for your version of Windows (32-bit or 64-bit). Follow the instructions to create the WDO disk.

    Boot the infected computer with the disk you just created, and run a full scan. It will take a long time to run, so be patient. I have had good results with Windows Defender Offline - it has found and eradicated malware that I couldn't get rid of any other way.

    Once you have done a full scan with WDO, do another full scan, this time with another antivirus program. For example, you could go to trendmicro.com and download Housecall, a free offline virus scanner. Trend Micro is a highly rated program, so this would be a good one to run. Housecall is not a pre-Windows scanner; it runs inside of Windows.

    The above may not fix everything, but it will be a good start.

    Good luck.


  3. Posts : 3,615
    Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
       #3

Peruse my recommended AVs, malware scanner, adware scanner, and PUP scanners:
    Avast Free – this is what I use, anti-virus.
    BitDefender Free Edition – don’t use, but highly recommend.
    Malwarebytes Premium (it’s a free 30-day trial) – if you utilize the free trial, it includes MB Anti-Exploit & MB Anti-Ransomware & will remove the standalone versions that you can obtain and install through the below links.
    Malwarebytes Free – this is what I use, one of the best all-around scanners, period.
    BitDefender Free – don’t use, but highly recommend; there is also a paid version.
    SuperAntiSpyware Free – this is what I use; there is also a paid version that runs real-time.
    AdwCleaner – Malwarebytes recently purchased it from ToolsLib; available on both websites.
    HitmanPro x32 – scan is free, and one-time trial virus removal; you can use Revo Uninstaller to remove it and trial cookies if it finds malware to remove, then you can use the trial again.
    HitmanPro x64 – scan is free, and one-time trial virus removal; you can use Revo Uninstaller to remove it and trial cookies if it finds malware to remove, then you can use the trial again.
    Malwarebytes Anti-Exploit – this is what I use, real-time exploit protection: drive-bys, SSL injection, etc.
    Malwarebytes Anti-Ransomware – this is what I use, real-time ransomware protection.
    TDSSKiller – this is what I use, rootkit scanner.
    VirusTotal – online multi-AV scanner. If you download the app, it adds an entry to the right-click context menu. You can right-click on the file you wish to scan, and a couple of clicks sends the file to them for analysis.

    I also run Firefox Quantum with add-ons: Disconnect (you have to install this first for it to work correctly), Cookie AutoDelete, uBlock Origin, Disable HTML5 AutoPlay, & HTTPS Everywhere.

    Nic


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
