Recovering Folders converted to shortcuts by virus

windows attrib virus

There is nothing more annoying and frustrating than trying to copy files to a client’s computer using a usb drive and realizing that the clients computer has a virus and it has turned all your files into a shortcut. If you had important files and allow an antivirus to clean the usb drive, you may end up losing the files. This has happened to me on several ocassions and there are times I end up losing files.

It is possible to manually cleanup the USB drive and recover all your files without infecting your computer with the virus. Below are the steps when using a Windows computer.

  1. Select the Start button, Control Panel > Appearance and Personalization.

  2. Select Folder Options, View tab, make sure:

    • Show hidden files, folders, and drives is selected
    • Hide extensions for known file types is unchecked
    • Click OK

  3. Open windows command prompt

  4. Type the following on the command prompt.

        attrib -H -R -S /S /D F:\*.*

    Replace F: with the drive letter assigned to your USB drive

    The attrib DOS command is used to change attributes for files. The sign clears an attribute on a file/folder while a + sets an attribute. -H clears hidden file attribute, -R clears read-only attribute and –S clears the system file attribute. /S processes sub-directories found within the current folder while /D processes folders as well.

    After above command, all files/folders on the usb drive are now visible

    Alt “Visible files/folders after attrib command”

    On this ocassion, the virus created a folder with a space and moved all my files and folders to this folder. It also created a shortcut which has the following target %homedrive%\WINDOWS\System32\rundll32.exe _WVF.nil,rundll32

    Alt “Infected usb drive shortcut properties”

  5. I renamed the folder with a space and deleted the shortcut file, _WVF.nil which was being launched through the shortcut and finally let the antivirus cleanup.

In a previous instance, I ran into a similar problem with slight differences. This time, the virus created two folders Z and 000 and 4#UH.ini file in the root of the usb drive. All original files/folders were moved to the Z folder and any Microsoft Word documents converted to executable files. It also placed a csrss.exe in every folder on the usb drive and finally created a shortcut with the following target %homedrive%\WINDOWS\System32\rundll32.exe 4#UH.ini, rundll32

Windows Rundll and Rundll32 Interface have information on rundll32.exe which may give an insight on how the files may be misused and how to identify rogue instances.