Monday, December 17, 2012

How to manually restore files after virus attack

Resolving the problem of files, folders and other important data that went missing because of malicious activity on an infected computer has become challenge number one for many PC security companies, sites, forums and blogs today. Users not only need to remove the virus that caused the problem; they also, understandably, want to recover all their files and all the information that the malware hid. Note that the badware programs that perform these modifications to hide the user's data belong to the group of fake hard drive defragmenters; in this blog they fall under the category named 'fake HDD'. Successfully restoring an infected computer after a fake HDD attack takes more than removing the virus. Removal itself can be accomplished quite easily with a powerful anti-virus; the removal process is described using File Restore virus, one representative of this malware family, as the example. The next step that must be completed successfully is restoring the files hidden by the virus. Various applications can be downloaded and executed to perform this restoration automatically. We will emphasize manual restoration of the missing data, however, because these utilities sometimes fail to work for one reason or another.

Once successfully executed and installed on the infected machine, the virus programs referred to as fake HDD applications hide the whole set of files, folders, desktop shortcuts, icons, quick launch items and the entire list of programs in the Start menu. They also leave the desktop completely empty and black. All files and folders now carry the hidden attribute. Some users think that all their data has been deleted without any possibility of retrieving it. This is not exactly so. The fake HDD program does remove files, folders, icons and shortcuts from their original locations, but it keeps a backup copy of them in a specially designated folder that it creates. This folder is named smtmp. Its location differs depending on the version of the OS on your computer (see the screenshots below). So, after you have run the legitimate anti-virus program of your choice, the next important step is to restore all your information to the place where it belongs.

The first thing we need to do is make sure we can see all our hidden files and folders, because the virus sets the hidden attribute on the files it relocated to the smtmp folder. Running a legitimate anti-virus application will not remove this hidden attribute, so here is what we need to do depending on our operating system:

How to view hidden files in Windows XP:

  • Open "My Computer", go to "Tools" tab and select "Folder Options".
  • In the window that appears, select the "View" tab and choose the option "Show hidden files and folders". Click "Apply" and "OK".

How to view hidden files in Windows Vista/7:

  • Open "My Computer", go to "Organize" tab and select "Folder and search options".
  • In the window that appears, select the "View" tab and choose the option "Show hidden files, folders, and drives". Click "Apply" and "OK".

Our next step is to find the smtmp folder and move all files from it to their proper destinations. The smtmp folder is located in %Temp%. Keep in mind that %Temp% stands for the Windows Temp folder. By default, it is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\Current User\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\Current User\AppData\Local\Temp for Windows Vista and Windows 7. Below are examples of what the path to the smtmp folder looks like in various operating systems:

Smtmp folder location in Windows XP: [screenshot]

Smtmp folder location in Windows Vista / 7: [screenshot]

Below is the list of sub-folders found in the smtmp folder and the locations where the shortcuts should normally live, depending on the version of the OS installed on your computer.

%Temp%\smtmp\1\:
  • Windows XP: C:\Documents and Settings\All Users\Start Menu
  • Windows Vista and Windows 7: C:\ProgramData\Microsoft\Windows\Start Menu

%Temp%\smtmp\2\:
  • Windows XP: C:\Documents and Settings\[your username]\Application Data\Microsoft\Internet Explorer\Quick Launch\
  • Windows Vista and Windows 7: C:\Users\[your username]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

%Temp%\smtmp\3\:
  • Windows XP: does not exist in XP, so do not worry if you don't find %Temp%\smtmp\3 on Windows XP.
  • Windows Vista and Windows 7: C:\Users\[your username]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

%Temp%\smtmp\4\:
  • Windows XP: C:\Documents and Settings\All Users\Desktop
  • Windows Vista and Windows 7: C:\Users\Public\Desktop

In order to manually recover your desktop icons, quick launch items and other shortcuts, open each of these sub-folders (from 1 to 4) that exists on your computer and copy its contents into the relevant folder specified above. Again, this depends on the operating system you have. For example, if you have Windows XP, you must copy everything located in %Temp%\smtmp\2\ to C:\Documents and Settings\[your username]\Application Data\Microsoft\Internet Explorer\Quick Launch\. If you have Windows Vista or 7, you should copy the contents of %Temp%\smtmp\2\ to C:\Users\[your username]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\.
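The following PowerShell script performs the copy steps above for all four sub-folders at once, choosing the XP or Vista/7 destinations by OS version, and also clears the hidden attribute the virus set (the manual equivalent of the Folder Options steps earlier). It is an example added here, not code from the original post, and it assumes PowerShell 2.0 or later is installed, that the virus has already been removed, and that the Windows profile folder name matches the username.

```powershell
# Added example, not code from the original post. Copies the contents of
# %Temp%\smtmp\1..4 to the locations listed above, picking the Windows XP or
# Vista/7 destinations by OS version, then clears the Hidden attribute that the
# fake HDD malware set. Assumes PowerShell 2.0+ and that the malware has
# already been removed. Run it from the account whose shortcuts went missing.
$smtmp = Join-Path $env:TEMP 'smtmp'
if (-not (Test-Path $smtmp)) { throw "No $smtmp folder found; nothing to restore." }

$user = $env:USERNAME
# Windows XP is NT 5.x; Vista and 7 are NT 6.x
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $map = @{
        '1' = 'C:\ProgramData\Microsoft\Windows\Start Menu'
        '2' = "C:\Users\$user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
        '3' = "C:\Users\$user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
        '4' = 'C:\Users\Public\Desktop'
    }
} else {
    # smtmp\3 (taskbar pins) does not exist on XP, so it is simply not mapped
    $map = @{
        '1' = 'C:\Documents and Settings\All Users\Start Menu'
        '2' = "C:\Documents and Settings\$user\Application Data\Microsoft\Internet Explorer\Quick Launch"
        '4' = 'C:\Documents and Settings\All Users\Desktop'
    }
}

foreach ($sub in ($map.Keys | Sort-Object)) {
    $src = Join-Path $smtmp $sub
    $dst = $map[$sub]
    if (-not (Test-Path $src)) { Write-Host "Skipping $src (not present)"; continue }
    if (-not (Test-Path $dst)) { New-Item -ItemType Directory -Path $dst -Force | Out-Null }
    # -Force on Get-ChildItem is what makes the hidden items visible to the copy.
    # Copy rather than move, so the smtmp backup survives until you have checked the result.
    Get-ChildItem -Path $src -Force | Copy-Item -Destination $dst -Recurse -Force
    Write-Host "Restored $src -> $dst"
}

# The restored copies still carry the Hidden attribute the malware set; clear it
foreach ($dst in $map.Values) {
    Get-ChildItem -Path $dst -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) {
            $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
        }
    }
}
```

Because the script copies rather than moves, the smtmp backup is left in place; delete it yourself only after you have confirmed that the Start menu, Quick Launch and desktop look right again.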

Finally, here is the last but not least piece of advice. If your computer is infected with a fake HDD virus, do not remove any of the files in the %Temp% folder, and do not run any temp-file cleaning utilities that would remove this backup folder. If you or such a utility deletes this folder, you will not be able to restore the icons and shortcuts to where they belong.
