GMC Forum _ Electronic Entertainment _ Recovering Infected Documents

Posted by: Dejan Farkas Mar 26 2009, 11:22 PM

Hi guys :)

I need some help here. A friend of mine gave me a USB stick which was infected by a virus and has a lot of important documents that are infected, and asked me if I can recover them somehow.

AVG reports "worm/vb.yb" and it renamed a bunch of .DOC files to .EXE

AVG gives only an option to delete these files, and even renaming them back to DOC does not solve the problem since the files are still infected and cannot be opened (AVG prevents the opening).

Does anyone know if these files can be recovered and how, or are they completely lost?

Tried to google for solution, unsuccessfully

Posted by: kahall Mar 27 2009, 02:42 AM

Scan the jump drive with http://malwarebytes.org/. I bet it gets rid of it. I have had this happen a lot lately and it never lets me down. AVG is useless for this.

EDIT: After reading up a little on your problem this may not work, but it sure won't hurt. Since docs are renamed they might be tough to recover.

Posted by: Ramiro Delforte Mar 27 2009, 04:23 AM

In the link below you'll find lots of great free programs to solve your problem.

http://www.techsupportalert.com/

Posted by: Dejan Farkas Mar 27 2009, 03:23 PM

Thanks guys for replies, I will try that :)

Any other solution? :)

Posted by: Ivan Milenkovic Mar 27 2009, 04:06 PM

Unfortunately no solution Dejan, in those cases it is best to erase/remove the files. Possibly try with some other antivirus programs.

Posted by: tonymiro Mar 27 2009, 05:37 PM

I think Ivan is right here Dejan. Normally if the file was recoverable then AVG - or whatever the scanner is - would give a 'recover' option. Sadly most trojans - and I think worms - can't be repaired as they corrupt the entire content of the file. So a scanner can really only allow you to quarantine or delete the infected file :(

I think the best your friend can do is remove the malware from his pc - probably via safe mode with system restore turned off temporarily and then running the virus scanner. S/he will however have lost those infected files :(

Posted by: Dejan Farkas Mar 28 2009, 12:53 AM

Her computer at work was infected as well and had to be reformatted so she lost all the files on computer, so only copies of documents remained on her USB drive, which was also infected, and these documents are very important to her.

I read about one possible solution, to install another copy of Windows, without antivirus and to try to extract all data I can from the infected files, and then simply to remove this infected Windows. If I don't find any other (read: easier) solution I think I'll have to go with this one.

Thanks all for the replies :)

Posted by: Azzaboi Mar 28 2009, 02:38 AM

Are the documents Microsoft Word?

I heard WordFIX is a Microsoft Word recovery software designed to restore corrupt or damaged document files back into new trouble free files. Safely recovers documents that have been infected by viruses. I've however never been infected / tried it myself.

http://www.word-fix.com/

Flobo Word Recovery is another, might want to google for them...

As for getting re-infected, I don't know if that's a smart move? See what the virus/trojan does and stay offline on that computer if it's sending/retrieving data.

Also use anti-spyware to clean up, if needed:
Ad-Aware Personal: http://www.lavasoftusa.com/software/adaware/
and/or
Spybot Search and Destroy: http://www.safer-networking.org/

Posted by: Dejan Farkas Mar 28 2009, 10:40 PM

These were Word documents.

It seems the documents are lost for good. I changed the extension of some files to .txt and saw that they were overwritten, and they are all identical. It seems to be a program written in Visual Basic 6, some code is visible inside.

Thanks Azzaboi anyway :)

Regarding re-infection, I did not mean to do it on my current Windows, but to install the second copy of Windows on the same computer and later on to remove it.
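
The check described in the post above (open the renamed files as data and compare them), as an added example that is not part of the original thread: it reads only the leading bytes of each file, never executes anything, and groups byte-identical executables by SHA-256. The function names and the command-line usage are assumptions made for this example.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

# Well-known file signatures (magic bytes).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Word 97-2003 .doc container
PE_MAGIC = b"MZ"                                # DOS/PE executable header

def classify(path):
    """Return 'ole2-document', 'executable' or 'unknown' from the first 8 bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == OLE2_MAGIC:
        return "ole2-document"
    if head[:2] == PE_MAGIC:
        return "executable"
    return "unknown"

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(root):
    """Walk root; return ({relative name: kind}, [groups of identical executables])."""
    kinds, by_hash = {}, defaultdict(list)
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        kinds[rel] = classify(path)
        if kinds[rel] == "executable":
            by_hash[sha256_of(path)].append(rel)
    clones = [names for names in by_hash.values() if len(names) > 1]
    return kinds, clones

if __name__ == "__main__":
    import sys
    # Hypothetical usage: python triage.py E:\   (path of the mounted stick)
    kinds, clones = triage(sys.argv[1])
    for name, kind in kinds.items():
        print(f"{kind:14} {name}")
    for group in clones:
        print("identical executables:", ", ".join(group))
```

Python's directory walk does not apply Explorer's hidden-file filter, so a document that is only hidden on the stick is listed here as `ole2-document` alongside the identical executables.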

Posted by: JCJXXL Mar 29 2009, 05:21 AM

Honestly to have to reformat a computer due to a virus is rare if you know what you're doing and have the right protection. I would recommend installing Nod32 on a computer that is "clean", update it and run the scan on the drive.

Posted by: kahall Mar 29 2009, 05:38 AM

QUOTE (Dejan Farkas @ Mar 28 2009, 04:40 PM) *
These were Word documents

It seems the documents are lost for good, [..]


Ouch! Give your friend my best. I've been there...ONCE. It makes you feel ill for days.

Posted by: Dejan Farkas Mar 29 2009, 12:52 PM

QUOTE (JCJXXL @ Mar 29 2009, 06:21 AM) *
Honestly to have to reformat a computer due to a virus is rare if you know what you're doing and have the right protection. I would recommend installing Nod32 on a computer that is "clean", update it and run the scan on the drive.


That was her computer at work, it was not protected at all and not really sure what happened when taken to servicing. Only thing I know they're lost :)

QUOTE (kahall @ Mar 29 2009, 06:38 AM) *
Ouch! Give your friend my best. I've been there...ONCE. It makes you feel ill for days.


It will not make her ill, it will make her work long hours to create these documents again.

And I'll make sure she knows what backup is for :)

Posted by: 29a Mar 30 2009, 04:58 PM

QUOTE (Dejan Farkas @ Mar 29 2009, 01:52 PM) *
And I'll make sure she knows what backup is for :)

Make sure she uses incremental backups. Otherwise she'll just end up with an infected backup.

However there's one thing you could try: Recovering the original files from the USB stick. It's possible that they are still there and recoverable. So you might be able to recover the files the same way you can undelete photos from a digital camera / flash card. PhotoRec is one software that can do this: http://www.cgsecurity.org/wiki/PhotoRec. And no worries, it's not just for photos.

On the other hand, no virus protection, no proper backups and only one copy of the files on one PC AT WORK, that's pretty much negligence.

Cheers,
Jonas

JCJXXL, I would always set up an infected computer from scratch. A) It's mostly not worth the effort to try to fix everything. B) It's very difficult to be certain that the system is clean again. Who knows what other things they've smuggled onto your computer while they've had access.

Posted by: Dejan Farkas Mar 31 2009, 12:07 AM

Thanks for the solution, I managed to recover all deleted files, but unfortunately those word documents were overwritten by the worm, none of them successfully recovered.

I agree with you about the negligence, but there are many people who don't know much about computers, they have basic knowledge in Word and Excel and that's it. :)

Posted by: Dejan Farkas Mar 31 2009, 08:21 AM

Update: the documents are fully recovered :)

I noticed that folders on USB stick showed that there are some files inside, but when opened there were none (although show hidden files is activated on my computer). I added one folder to RAR archive and suddenly all documents appeared in the archive, and I could open them all :D

And when I extract them back to a folder they remain hidden, but anyway they are here :)

Posted by: 29a Mar 31 2009, 09:08 AM

QUOTE (Dejan Farkas @ Mar 31 2009, 01:07 AM) *
I agree with you about the negligence, but there are many people who don't know much about computers, they have basic knowledge in Word and Excel and that's it. :)

That's why I wrote at work. I understand that not everybody has advanced knowledge of computers. But if you have a company that works with computers you should have somebody there with advanced knowledge to make sure everything is backed up and as secure as possible. Otherwise that company and their customer data are at risk.

What you describe sounds very weird. But then again malware is known to do very weird things (that's why computers should always be set up from scratch after infection). Anyway, I'm glad you saved the day! :)

Posted by: kahall Apr 1 2009, 05:03 AM

QUOTE (Dejan Farkas @ Mar 31 2009, 02:21 AM) *
Update: the documents are fully recovered :)

[..]


You kicked that virus's butt. Way to go. ;-)
