No “Folder Options” under the ‘Tools’ menu – The common leftover after a virus infection
The “Folder Options” entry usually disappears from the ‘Tools’ menu of Windows Explorer because of a virus infection. Brontok has been seen as the main culprit, though many other viruses do the same. Apart from removing Folder Options, such viruses also disable booting into safe mode.
There are many tools available which have a cure for these problems, or at least claim to have one, like the RRT Tool etc., but in my experience there isn’t any single tool which works every time and on all PCs. Also, this problem may seem trivial to a seasoned administrator, but in a large and complex environment it can really cause some pain.
Some time back, after successfully tackling another zero day attack (have faced three so far), I found that the virus in question (later named as sality.z) had had the same effects on the infected PCs, i.e. no folder options, no safe boot etc., which didn’t go away even though the computers were now completely disinfected. This time I didn’t want to use any random (read ‘unreliable’) tool as a workaround because the affected PCs were in geographically disparate locations and I wanted something 100% reliable and something which could be pushed centrally to all the infected PCs.
That’s when my good friend Mr. Murali Murugesan suggested using the Kido Killer tool from Kaspersky. Murali handles Kaspersky support in India. My current organization is the largest client (in terms of number of licenses) of Kaspersky in India. I have to say that this is the most reliable tool I have ever used for this very common problem. Kido is the name given by Kaspersky to the now famous Conficker/Downadup virus. The main job of this tool, which is updated frequently, is to fight the Kido/Conficker/Downadup virus, but by using some of the available command line switches one can easily use it as the most potent tool against the “No Folder Options” problem.
This tool can be found here for download.
After downloading the zip file, extract the contents (the kk.exe file) to a folder. If that folder is D:\Kido, open the command prompt, type “D:\Kido\kk.exe -x -a -j -y” without the double quotes and press Enter. If you are not able to open the command prompt, you can create a batch file (type the same command as above in Notepad and save it with a .bat extension instead of the usual .txt extension) and run it on your PC. The tool runs, scans for the Kido virus, re-enables the lost settings in the registry and then disappears. Folder Options and safe boot should be back after a quick reboot.
However, I used an automated way of doing the same (I’m an automation freak, you know) by pushing the kk.exe file with the said command line switches to the infected PCs through Kaspersky’s administration console. You can do the same by using any piece of software which can remotely execute files and takes command line switches as an option, or you could use the Kaspersky administration kit as that is also free to use.
Here’s the complete list of command line switches which can be used with Kido Killer:
-p <Scan path> – scan a defined folder
-f – scan hard disks
-n – scan network disks
-r – scan flash drives and removable hard disks connected via USB and FireWire
-y – end program without pressing any key
-s – silent mode (without a black window)
-l <file_name> – write info into a log
-v – extended log maintenance (the switch -v works only if the -l switch is entered in the command prompt)
-j – restore the registry branch SafeBoot (if the registry branch is deleted, computer cannot boot in safe mode)
-z – restore the services:
    - Background Intelligent Transfer Service (BITS)
    - Windows Automatic Update Service (wuauserv)
    - Error Reporting Service (ERSvc/WerSvc)
    - Windows Defender (WinDefend)
    - Windows Security Center Service (wscsvc)
-t – registry clean up from the services that remain after removing the network worm using Kaspersky Lab’s products.
-x – restore display of hidden system files
-m – monitoring mode to protect the system from getting infected
-a – disable auto start from all drives
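When kk.exe is pushed centrally, it helps to have each PC report whether the settings actually came back. The PowerShell script below is an added example, not part of the original post and not Kaspersky's code: it runs kk.exe with the switches from this post plus -s and -l from the list above, then checks the registry. Assumptions: the log path is a made-up placeholder, and the registry locations are the standard Windows ones for safe boot and the Folder Options policy; the post does not say which values kk.exe itself writes.

```powershell
# Added example: run kk.exe as described in the post, then verify the result.
param(
    [string]$KkPath  = 'D:\Kido\kk.exe',                        # path used in the post
    [string]$LogPath = "$env:TEMP\kk_$env:COMPUTERNAME.log"     # placeholder log location
)

if (Test-Path -LiteralPath $KkPath) {
    # -x -a -j -y as in the post; -s (silent) and -l <file_name> from the switch list
    Start-Process -FilePath $KkPath -Wait -WindowStyle Hidden `
        -ArgumentList '-x', '-a', '-j', '-y', '-s', '-l', "`"$LogPath`""
}

$problems = @()

# Safe mode needs both SafeBoot sub-branches (assumed standard Windows layout).
foreach ($branch in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$branch"
    if (-not (Test-Path $key)) { $problems += "Missing SafeBoot branch: $branch" }
}

# Folder Options stays hidden while the NoFolderOptions policy value is non-zero.
# A pushed job usually runs as a service account, so check the machine hive
# and every loaded user hive instead of only HKCU.
$policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$roots  = @('HKLM:')
$roots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
          ForEach-Object { $_.PSPath }

foreach ($root in $roots) {
    $v = Get-ItemProperty -Path "$root\$policy" -Name NoFolderOptions `
                          -ErrorAction SilentlyContinue
    if ($v -and $v.NoFolderOptions -ne 0) {
        $problems += "NoFolderOptions is set under $root"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1      # non-zero exit lets the deployment console flag this PC
}
Write-Output 'OK: SafeBoot branches present, NoFolderOptions not set'
exit 0
```

The script only reads the registry after kk.exe exits, so run it from an administrative context and still reboot the PC as described above before expecting Folder Options and safe boot to be usable.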
Please do share your experiences with the kk.exe tool by commenting on this blog post.