USB/SD Card files turning into shortcuts and/or disappearing WORM/Lodbak.Gen Virus!
(100% Complete solution including permanently removing the virus)
Lots of people are having the same problem with this virus. It spreads via USB memory sticks, external hard drives and the SD cards of cell phones, converting all the files into shortcuts.
Fortunately the real files are still there, but they cannot be viewed or accessed.
The problem is fixed in two stages:
Solution A - Retrieving the 'lost files' on USB/external hard drives/SD cards of cell phones:
This temporary solution is good enough to recover the data ONLY.
1. Click on 'Start'
2. Click on 'RUN'
3. Type 'cmd' and press ENTER
4. On the black Window that appears [technically called the Command prompt], write the commands shown below. Replace the letter X with the letter of your infected drive:
[For example, if your affected drive letter is F, then the command is:]
attrib -h -r -s /s /d F:\*.*
5. After writing the command hit 'Enter' and wait a few seconds while the changes are made.
6. Go back to the 'File Explorer' and access drive F to see the files are back to normal.
7. In order to secure/recover/retrieve the data, copy the data off the USB drive and paste it onto your hard drive.
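The PowerShell script below is an added example, not part of the original post. It shows where each shortcut in the drive root points before anything is clicked, lists the hidden files, flags script files, and then runs the attrib command from step 4. The parameter name $Drive and the default letter F: are assumptions; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post). $Drive is an assumption:
# pass the letter of the affected drive. Requires PowerShell 3.0 or later.
param([string]$Drive = 'F:')
$root = "$Drive\"

# 1. Show what each shortcut in the drive root would launch, without running it.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $root -Filter *.lnk -Force |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing .lnk
        [pscustomobject]@{
            Shortcut  = $_.Name
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    } | Format-List

# 2. List everything carrying the Hidden or System attribute (the "lost" files).
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$hidden = @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band $mask })
$hidden | Select-Object FullName, Attributes | Format-Table -AutoSize

# 3. Flag file types that Windows Script Host runs; do not open these.
$scriptExt = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'
$hidden | Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
    ForEach-Object { Write-Warning "Script file on drive: $($_.FullName)" }

# 4. Clear the attributes with the command from step 4 of Solution A.
& attrib.exe -h -r -s /s /d "${root}*.*"
```

When copying data off the drive in step 7, leave behind the .lnk files and any script files the warnings name.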
Solution B - Removing the virus permanently:
To eliminate the threat entirely and delete the virus as a more permanent solution, there is no need to install any MALWARE software if a working and updated antivirus is active on the computer. A file "WSCRIPT.EXE" in the WINDOWS folder is responsible for all the infection caused by the [in my case] "WORM/Lodbak.Gen Virus!". In order to remove the virus from the computer, the wscript.exe file needs to be 'switched off' by taking the following steps:
1. Open Task Manager (Ctrl+Alt+Del)
2. Go to the Processes tab
3. Look for WSCRIPT.EXE that is currently running.
4. End the process.
Now, in order to permanently prevent WSCRIPT.EXE from reactivating, its OWNERSHIP needs to be changed to deny further access. There seems to be no need to delete the file at this, or any later, stage.
5. RESTART THE COMPUTER IN SAFE MODE.
6. Go to the Explorer window and select the "Windows" directory.
7. Search for WSCRIPT.EXE. More than one may be found, but changing the properties of one has the same result for the other copies.
8. 'Right click' on the wscript.exe file(s) and select "Properties". On the dialog box that appears:
- Pick "Security" and then "Advanced"
- On the new dialogue box, pick "Owner"
- The "Current Owner" is changed to "Trusted Installer" by the virus.
- From the list called "Change Owner to:", select "Administrator".
9. Click OK.
10. As done in Step 7, again, Right click on the virus file:
- Pick "Properties" and again "Security".
- This time, on the dialog that pops up, click on "Edit"
11. A new (almost identical) window will pop up.
- Click on "SYSTEM" and deny "Read & Execute" and "Read".
- Repeat the same operation with all the elements of "Group and user Names"
After this is done, the computer will not be able to run this virus executable file.
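The read-only PowerShell triage below is an added example, not part of the original post; it is meant to be run before the process is ended in step 4. wscript.exe is the Windows Script Host interpreter that ships with Windows, so its command line names the script file it was asked to run. The script also lists the autostart entries that would launch it again, the owner and version details of each wscript.exe copy found in step 7, and the m*.exe files in the ProgramData folder mentioned later in the post. PowerShell 3.0 or later and an Administrator prompt are assumed.

```powershell
# Added example (not from the original post). Read-only triage: it changes
# nothing. Assumes PowerShell 3.0 or later, run as Administrator.

# 1. Running wscript.exe instances and the script each was started with.
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine | Format-List

# 2. Run-key entries that would start it again after "End process" or a reboot.
$pattern = 'wscript|\.(vbs|vbe|js|jse|wsf)\b'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match $pattern) { Write-Warning "$key\$name -> $value" }
    }
}

# 3. Files in the per-user and all-users Startup folders.
'Startup', 'CommonStartup' | ForEach-Object {
    Get-ChildItem -LiteralPath ([Environment]::GetFolderPath($_)) -Force
} | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 4. Owner and version details of every wscript.exe under the Windows folder.
Get-ChildItem -Path $env:windir -Filter wscript.exe -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path        = $_.FullName
            Owner       = (Get-Acl -LiteralPath $_.FullName).Owner
            Company     = $_.VersionInfo.CompanyName
            Description = $_.VersionInfo.FileDescription
        }
    } | Format-List

# 5. The post reports the worm creating m*.exe files in the ProgramData folder.
Get-ChildItem -LiteralPath $env:ProgramData -Filter 'm*.exe' -Force |
    Select-Object FullName, Length, CreationTime | Format-Table -AutoSize
```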
Now, to take out the threat.
[I am going to refer to the antivirus software which I used to eliminate the threat]
While still in SAFE MODE:
[Assuming your antivirus is up-to-date]
12. Scan the PARTITION C: completely.
- [I had AVIRA FREE ANTIVIRUS and it took out all the threats]
- The infectious files may include [in my case and in most cases] WORM/Lodbak.Gen [worm], which was creating two m*.exe files in the PROGRAM DATA folder.
13. If not done during scanning, or when prompted for action later, delete all the identified threats.
14. Restart the computer in NORMAL mode.
15. Download and install KASPERSKY TRIAL ANTIVIRUS version.
16. After installation is done, do NOT restart the system.
17. Uninstall the previous [in my case, AVIRA] antivirus software.
18. Once done, restart the computer.
19. Update the new Kaspersky antivirus database.
20. Scan the computer again for ONE remaining 'malicious' file and disinfect it upon prompt.
CONGRATULATIONS. Your computer is now 100% virus free.
[Additional Note: It took me around 10+ hours to finally resolve the issue. Now, it's been more than a day since I finally decided to close this chapter after trying and testing around 9 different USBs. The shortcut issue is not popping up anymore and everything is working fine with USBs, and data has remained intact and is not disappearing.
The reason I used Kaspersky in the end is that its trial version did the job without asking me to purchase the complete version. I googled and tried many malware software tools, but each one failed to remove the virus. They all found something suspicious or threatening but demanded the full version, through purchasing, in order to remove these.
Once the trial period is over, I'll be resorting back to AVIRA, which did in fact trace and delete the virus from the computer in the first place but got itself infected during the process of my search for a solution and experimenting. Its 'realtime protection' was disabled and was not being enabled. Other than this, Avira has remained an outstanding experience for the last 3 years I've been using it. Somehow this screwup slipped past.
I hope this experience of mine helps those who are still out there looking for a solution.
Have a nice time hunting the virus, folks.]