Recovering Infected Documents, Help needed
Dejan Farkas
Mar 26 2009, 11:22 PM
Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
Hi guys :)

I need some help here. A friend of mine gave me a USB stick which was infected by a virus and has a lot of important documents that are infected, and asked me if I can recover them somehow.

AVG reports "worm/vb.yb" and it renamed a bunch of .DOC files to .EXE.

AVG gives only an option to delete these files, and even renaming them back to DOC does not solve the problem since the files are still infected and cannot be opened (AVG prevents the opening).

Does anyone know if these files can be recovered and how, or are they completely lost?

Tried to google for a solution, unsuccessfully.

You are at GuitarMasterClass.net


kahall
Mar 27 2009, 02:42 AM
Learning Roadie
Posts: 989
Joined: 21-March 07
From: Springfield Missouri USA
Scan the jump drive with Malwarebytes. I bet it gets rid of it. I have had this happen a lot lately and it never lets me down. AVG is useless for this.

EDIT: After reading up a little on your problem this may not work, but it sure won't hurt. Since docs are renamed they might be tough to recover.

This post has been edited by kahall: Mar 27 2009, 02:45 AM


--------------------
Had a guitar hanging, just about waist high, and we are going to play these things until the day we die.
Ramiro Delforte
Mar 27 2009, 04:23 AM
Instructor
Posts: 2.279
Joined: 4-August 08
From: Argentina, Buenos Aires
In the link below you'll find lots of great free programs to solve your problem.

http://www.techsupportalert.com/

Dejan Farkas
Mar 27 2009, 03:23 PM
Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
Thanks guys for the replies, I will try that :)

Any other solution? :)

Ivan Milenkovic
Mar 27 2009, 04:06 PM
Instructor
Posts: 25.396
Joined: 20-November 07
From: Belgrade, Serbia
Unfortunately no solution Dejan, in those cases it is best to erase/remove the files. Possibly try with some other antivirus programs.

Saoirse O'Shea
Mar 27 2009, 05:37 PM
Moderator - low level high stakes
Posts: 6.173
Joined: 27-June 07
From: Espania - Cadiz province
I think Ivan is right here Dejan. Normally if the file was recoverable then AVG - or whatever the scanner is - would give a 'recover' option. Sadly most trojans - and I think worms - can't be repaired as they corrupt the entire content of the file. So a scanner can really only allow you to quarantine or delete the infected file :(

I think the best your friend can do is remove the malware from his pc - probably via safe mode with system restore turned off temporarily and then running the virus scanner. S/he will however have lost those infected files :(

Dejan Farkas
Mar 28 2009, 12:53 AM
Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
Her computer at work was infected as well and had to be reformatted, so she lost all the files on the computer. Only copies of the documents remained on her USB drive, which was also infected, and these documents are very important to her.

I read about one possible solution: to install another copy of Windows without antivirus, try to extract all the data I can from the infected files, and then simply remove this infected Windows. If I don't find any other (read: easier) solution I think I'll have to go with this one.

Thanks all for the replies :)

Azzaboi
Mar 28 2009, 02:38 AM
GMC:er
Posts: 1.485
Joined: 23-March 09
From: New Zealand
Are the documents Microsoft Word?

I heard WordFIX is a Microsoft Word recovery software designed to restore corrupt or damaged document files back into new trouble free files. Safely recovers documents that have been infected by viruses. I've however never been infected / tried it myself.

CODE
http://www.word-fix.com/


Flobo Word Recovery is another, might want to google for them...

As for getting re-infected, I don't know if that's a smart move? See what the virus/trojan does and stay offline on that computer if it's sending/retrieving data.

Also use Anti-spyware to clean up, if needed:
Ad-Aware Personal
CODE
http://www.lavasoftusa.com/software/adaware/

and/or
Spybot Search and Destroy
CODE
http://www.safer-networking.org/

Dejan Farkas
Mar 28 2009, 10:40 PM
Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
These were Word documents.

It seems the documents are lost for good. I changed the extension of some files to .txt and saw that they were overwritten, and they are all identical. It seems to be a program written in Visual Basic 6; some code is visible inside.

Thanks Azzaboi anyway :)

Regarding re-infection, I did not mean to do it on my current Windows, but to install a second copy of Windows on the same computer and later on to remove it.

JCJXXL
Mar 29 2009, 05:21 AM
GMC:er
Posts: 327
Joined: 22-January 07
From: AMERICA THE BEAUTIFUL!
Honestly to have to reformat a computer due to a virus is rare if you know what you're doing and have the right protection. I would recommend installing Nod32 on a computer that is "clean", update it and run the scan on the drive.

This post has been edited by JCJXXL: Mar 29 2009, 05:25 AM
kahall
Mar 29 2009, 05:38 AM
Learning Roadie
Posts: 989
Joined: 21-March 07
From: Springfield Missouri USA
QUOTE (Dejan Farkas @ Mar 28 2009, 04:40 PM) *
These were word documents

It seems the documents are lost for good, [..]


Ouch! Give your friend my best. I've been there...ONCE. It makes you feel ill for days.

Dejan Farkas
Mar 29 2009, 12:52 PM
Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
QUOTE (JCJXXL @ Mar 29 2009, 06:21 AM) *
Honestly to have to reformat a computer due to a virus is rare if you know what you're doing and have the right protection. I would recommend installing Nod32 on a computer that is "clean", update it and run the scan on the drive.


That was her computer at work; it was not protected at all, and I'm not really sure what happened when it was taken for servicing. The only thing I know is they're lost :)

QUOTE (kahall @ Mar 29 2009, 06:38 AM) *
Ouch! Give your friend my best. I've been there...ONCE. It makes you feel ill for days.


It will not make her ill, it will make her work long hours to create these documents again.

And I'll make sure she knows what backup is for :)

29a
Mar 30 2009, 04:58 PM
GMC:er
Posts: 356
Joined: 28-December 08
QUOTE (Dejan Farkas @ Mar 29 2009, 01:52 PM) *
And I'll make sure she knows what backup is for :)


Make sure she uses incremental backups. Otherwise she'll just end up with an infected backup.

However there's one thing you could try: Recovering the original files from the USB stick. It's possible that they are still there and recoverable. So you might be able to recover the files the same way you can undelete photos from a digital camera / flash card. PhotoRec is one software that can do this: http://www.cgsecurity.org/wiki/PhotoRec. And no worries, it's not just for photos.

On the other hand, no virus protection, no proper backups and only one copy of the files on one PC AT WORK, that's pretty much negligence.

Cheers,
Jonas

JCJXXL, I would always set up an infected computer from scratch. A) It's mostly not worth the effort to try to fix everything. B) It's very difficult to be certain that the system is clean again. Who knows what other things they've smuggled onto your computer while they've had access.

--------------------
My Website | My Gear | Elixir Nanoweb Strings Review | Installing Schaller Security Locks
"If privacy is outlawed, only outlaws will have privacy." - Phil Zimmermann
Dejan Farkas
Mar 31 2009, 12:07 AM
Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
Thanks for the solution, I managed to recover all deleted files, but unfortunately those Word documents were overwritten by the worm, none of them successfully recovered.

I agree with you about the negligence, but there are many people who don't know much about computers, they have basic knowledge of Word and Excel and that's it. :)

Dejan Farkas
Mar 31 2009, 08:21 AM
Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
Update: the documents are fully recovered :)

I noticed that folders on the USB stick showed that there are some files inside, but when opened there were none (although show hidden files is activated on my computer). I added one folder to a RAR archive and suddenly all documents appeared in the archive, and I could open them all :D

And when I extract them back to a folder they remain hidden, but anyway they are here :)

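The two checks done by hand in this thread (renaming a suspect file to .txt to see what it really contains, and adding a folder to an archive to reveal files Explorer did not show), as an added example that is not part of any post. It reads only the first bytes of each file, using the standard OLE2 and MZ signatures; that the originals were hidden through the Windows hidden/system attribute bits is an assumption the thread does not confirm, and the function names and sample tree are this example's own.

```python
import os, sys, tempfile
from pathlib import Path

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Word/Excel container
PE_MAGIC = b"MZ"                                 # DOS/PE executable header
HIDDEN, SYSTEM = 0x2, 0x4                        # Windows file attribute bits (assumed cause)

def sniff(path):
    """Classify a file by its first bytes; nothing is opened or executed."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(OLE2_MAGIC):
        return "document"
    return "executable" if head.startswith(PE_MAGIC) else "unknown"

def triage(root):
    """Return (docs, decoys): docs is [(path, is_hidden)], decoys is [path]."""
    docs, exes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            kind = sniff(p)
            if kind == "document":
                # st_file_attributes exists only on Windows; elsewhere use 0.
                attrs = getattr(p.stat(), "st_file_attributes", 0)
                docs.append((p, bool(attrs & (HIDDEN | SYSTEM))))
            elif kind == "executable":
                exes.append(p)
    stems = {(p.parent, p.stem.lower()) for p, _ in docs}
    # A decoy is an executable named after a real document beside it,
    # or an executable still wearing a document extension.
    decoys = [e for e in exes if (e.parent, e.stem.lower()) in stems
              or e.suffix.lower() in (".doc", ".xls")]
    return docs, decoys

def demo():
    """Constructed sample tree: one real document, two lookalike executables."""
    root = Path(tempfile.mkdtemp())
    (root / "report.doc").write_bytes(OLE2_MAGIC + b"\0" * 504)
    (root / "report.exe").write_bytes(b"MZ" + b"\0" * 62)
    (root / "budget.doc").write_bytes(b"MZ" + b"\0" * 62)  # renamed back by hand
    (root / "notes.txt").write_bytes(b"plain text")
    return triage(root)

if __name__ == "__main__":
    docs, decoys = triage(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for p, hidden in docs:
        print("DOCUMENT", "(hidden)" if hidden else "(visible)", p)
    for p in decoys:
        print("DECOY EXECUTABLE", p)
```

Run with the drive's root as the only argument; files listed as DOCUMENT can be copied off before the decoys are deleted.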
29a
Mar 31 2009, 09:08 AM
GMC:er
Posts: 356
Joined: 28-December 08
QUOTE (Dejan Farkas @ Mar 31 2009, 01:07 AM) *
I agree with you about the negligence, but there are many people who don't know much about computers, they have basic knowledge of Word and Excel and that's it. :)


That's why I wrote at work. I understand that not everybody has advanced knowledge of computers. But if you have a company that works with computers you should have somebody there with advanced knowledge to make sure everything is backed up and as secure as possible. Otherwise that company and their customer data are at risk.

What you describe sounds very weird. But then again malware is known to do very weird things (that's why computers should always be set up from scratch after infection). Anyway, I'm glad you saved the day! :)

kahall
Apr 1 2009, 05:03 AM
Learning Roadie
Posts: 989
Joined: 21-March 07
From: Springfield Missouri USA
QUOTE (Dejan Farkas @ Mar 31 2009, 02:21 AM) *
Update: the documents are fully recovered :)

[..]


You kicked that virus's butt. Way to go. ;-)
