
Virus Help Asap!!!


CrackedSKull

Help! I got the Plan Colombia virus/vbs love letter virus about an hour ago. It was attached to a picture, which instantly replaced all my jpegs with this .vbs extension.

Before I knew what happened I scanned the original file and deleted it.
Then I scanned my windows folder for viruses, and got thousands because it infected all the jpegs in my temporary internet files.
At the moment I'm repairing "those" infected files with Norton anti-virus, but I don't know if the files will be recovered.

All my jpegs are 12k now (or appear to be), do you think I can recover my old pictures??? How could a script delete thousands of pictures and turn them into 12k in an instant??? This really sucks because I had over a thousand pictures off my digital camera saved, with no backup.

Here's a link to Norton's description of it:
http://securityresponse.symantec.com/avcenter/venc/data/vbs.loveletter.bj.html

It says that it changes some files (the virus) if you restart, but actually I already did before I knew what happened. So now I'm afraid to turn off my computer without trying to repair everything.

Here's my big problem: it's 12:47 am now, and I have school at 8:00, and my computer is too noisy to sleep to. The current repair of the windows folder is going to take at least an hour too.

Should I turn off my computer and hope I can still boot and fix this tomorrow (or later today actually)? Or should I try and bear the noise and wake up periodically to check on the scan and click the next box?
 
It's 1:00, I have to get some sleep, but I took a good dose of night-time medicine. I may get up in another hour or so to check on the current repair (of the windows folder).
 
Well, if I were you I would simply search for all vbs or whatever and turn them all into jpeg format.

Try one first and make sure they haven't been corrupted or anything.

If they have, you may be screwed.

If not, it's just going to take a lot of time.

Hopefully you will find Norton will do that for you.

I wouldn't reset the machine if I were you; sometimes those things lie dormant after the main file has been deleted and start up on boot.
 
My girlfriend managed to get a variant of that virus a year or so ago. All your jpegs are most likely gone, if I remember correctly. I would check out some of the anti-virus sites (Norton, McAfee, etc.); they may have a tool that can help you some. Getting rid of the b*st*rd is hard enough with AV. I wish you luck...

*Edit* according to your link the virus does in fact overwrite your jpegs. Also PM me if you can get a copy of the code. You should be able to open it with notepad. I try to collect them as I remove them. Some of them are really interesting from a programming standpoint.

Also double check the run and run services sections of your registry, your startup menu, and your win.ini "load="; those are the places these things tend to hide to reactivate.
 
Nah, just some script kiddie modifying a copy of the original with something he saw once... vbscript is a B*tch if you allow windows scripting... I make it a point not to.
 
Well, I was able to say the virus was gone at about 11:00 p.m. last night; that is 23.5 hours it took to repair. While I wasn't actually working for most of those hours, Norton anti-virus/utilities was running 22 of those hours. Man, it was so nasty and hard to get rid of. I had about 36,000 infected files. About half of those were in the Windows ME restore file, which I had to manually delete, because they were protected by the restore. The rest were deleted by anti-virus.

I was actually able to recover nearly half of my jpegs, a majority of which were my digital camera pics. I had to search literally 100,000 files and select the pictures which were deleted by the virus (and not restore infected files at the same time).

Also, it takes about 2.5 hours to scan both my hard drives, so it was a very lengthy project.

I was able to delete the two things out of the registry before they did any damage.


And Krieger, Norton deleted my text document of the virus, sorry, but I did find a better description of it on the web.
http://vil.mcafee.com/dispVirus.asp?virus_k=98684&
It is called the Plan Colombia virus; I remember that from the script. It was dedicated to some person, and has something to do with the drug war in Colombia.

Since I deleted the registry things, it didn't change the logo.sys (I think that's what it is, the startup pic).


Ok, so how can I prevent this kind of virus? I heard you can turn off scripting, how? And why would I want it on? Are there any patches I can download that would help prevent stuff like this? I do update windows regularly.

And last, thank you everyone; this is the hardest thing I've had to deal with when it comes to computers.
 
I'm glad you were able to restore as much as you did. I've dealt with a few dozen different viruses for different people and my last company. I'm not exactly sure how to turn off windows scripting, but a good start is to remove the windows scripting host if you have it installed. Also, when you go to look at a file you were not expecting (I assume you contracted it through an email), check the file to make sure it is not an exe or vbs file. I've actually seen some scripting viruses that make a long file name like
filename.exe .vbs (No, the spaces are intentional. The point is that you would not see the ".vbs" right away.) The best thing you can do is be careful downloading anything, and I'll look into shutting off windows scripting... it's the kind of thing you do once and forget. Don't worry about the copy of the virus, it's just an odd hobby I have. I like to see what they do with them. Some of them are pretty clever while others are obvious knockoffs. Also, if you received the virus through your email, you might want to let the person who sent it know that they also have it. Maybe help them get rid of it.
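
The disguised-name pattern described in the post above (a script extension hidden behind padding or behind a second, harmless-looking extension), as an added example that is not part of the thread. The extension lists, function names and sample paths are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed lists for illustration; extend them to match your environment.
RUNNABLE = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".pif", ".bat", ".cmd"}
DATA = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".mp3"}


def inspect_name(path):
    """Return the reasons a file name looks disguised (empty list = none)."""
    base = PureWindowsPath(path).name
    stem, dot, ext = base.rpartition(".")
    real_ext = "." + ext.strip().lower()
    if not dot or real_ext not in RUNNABLE:
        return []  # the final extension decides what Windows runs
    reasons = []
    if re.search(r"\s{3,}$", stem):
        reasons.append("whitespace padding hides the real extension " + real_ext)
    inner = stem.rstrip()
    inner_ext = "." + inner.rpartition(".")[2].lower() if "." in inner else ""
    if inner_ext in RUNNABLE | DATA:
        reasons.append("decoy extension %s precedes %s" % (inner_ext, real_ext))
    return reasons


def original_name(path):
    """For an overwritten picture such as 'a.jpg.vbs', return 'a.jpg'; else None."""
    stem = PureWindowsPath(path).name.rpartition(".")[0].rstrip()
    is_copy = inspect_name(path) and "." + stem.rpartition(".")[2].lower() in DATA
    return stem if is_copy else None


def scan(paths):
    """Map each suspicious path to its list of reasons."""
    return {p: r for p in paths if (r := inspect_name(p))}


# Constructed sample listing, not taken from a real infected machine.
SAMPLE = [
    r"C:\My Pictures\holiday.jpg.vbs",
    "filename.exe            .vbs",
    r"C:\My Pictures\beach.jpg",
    "cleanup.vbs",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(path, "->", "; ".join(reasons), "| original:", original_name(path))
```

`original_name` only recovers what the file used to be called, which helps when matching names against a backup or an undelete listing; as noted earlier in the thread, the virus overwrites the picture itself, so renaming the `.vbs` file back does not restore it.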
 
I had some trojan affect me the other day. It hid in my ME System Restore and Windows wouldn't let me delete it. Norton didn't know how to deal with it, so I rebooted off a boot disk, and deleted the restore folder manually. It was scary, since deleting the folder took 3 hours.

According to Norton, it's the "W32.White.Worm" virus, and it's a "rare" virus. I guess it's so rare Norton doesn't know how to kill it... Ahh, just deleting the restore folder worked, so I'm happy now.
 