> Recovering Infected Documents, Help needed
Dejan Farkas
post Mar 26 2009, 11:22 PM
Post #1


Instructor

Group: GMC Instructor
Posts: 3.035
Joined: 27-November 07
From: Sarajevo, Bosnia
Member No.: 3.387



Hi guys :)

I need some help here. A friend of mine gave me a USB stick which was infected by a virus and has a lot of important documents that are infected, and asked me if I can recover them somehow.

AVG reports "worm/vb.yb" and it renamed a bunch of .DOC files to .EXE.

AVG gives only an option to delete these files, and even renaming them back to DOC does not solve the problem since the files are still infected and cannot be opened (AVG prevents the opening).

Does anyone know if these files can be recovered and how, or are they completely lost?

Tried to google for a solution, unsuccessfully.


--------------------
kahall
post Mar 27 2009, 02:42 AM
Post #2


Learning Roadie

Group: Members
Posts: 989
Joined: 21-March 07
From: Springfield Missouri USA
Member No.: 1.393



Scan the jump drive with Malwarebytes. I bet it gets rid of it. I have had this happen a lot lately and it never lets me down. AVG is useless for this.

EDIT: After reading up a little on your problem this may not work, but it sure won't hurt. Since docs are renamed they might be tough to recover.

This post has been edited by kahall: Mar 27 2009, 02:45 AM


--------------------
Ramiro Delforte
post Mar 27 2009, 04:23 AM
Post #3


Instructor

Group: GMC Instructor
Posts: 2.279
Joined: 4-August 08
From: Argentina, Buenos Aires
Member No.: 5.625



In the link below you'll find lots of great free programs to solve your problem.

http://www.techsupportalert.com/


--------------------
Dejan Farkas
post Mar 27 2009, 03:23 PM
Post #4





Thanks guys for replies, I will try that :)

Any other solution? :)


--------------------
Ivan Milenkovic
post Mar 27 2009, 04:06 PM
Post #5


Instructor

Group: GMC Instructor
Posts: 25.396
Joined: 20-November 07
From: Belgrade, Serbia
Member No.: 3.341



Unfortunately no solution Dejan, in those cases it is best to erase/remove the files. Possibly try with some other antivirus programs.


--------------------
Saoirse O'Shea
post Mar 27 2009, 05:37 PM
Post #6


Moderator - low level high stakes

Group: GMC Senior
Posts: 6.173
Joined: 27-June 07
From: Espania - Cadiz province
Member No.: 2.194



I think Ivan is right here Dejan. Normally if the file was recoverable then AVG - or whatever the scanner is - would give a 'recover' option. Sadly most trojans - and I think worms - can't be repaired as they corrupt the entire content of the file. So a scanner can really only allow you to quarantine or delete the infected file :(

I think the best your friend can do is remove the malware from his PC - probably via safe mode with system restore turned off temporarily and then running the virus scanner. S/he will however have lost those infected files :(


--------------------
Dejan Farkas
post Mar 28 2009, 12:53 AM
Post #7





Her computer at work was infected as well and had to be reformatted so she lost all the files on the computer, so only copies of documents remained on her USB drive, which was also infected, and these documents are very important to her.

I read about one possible solution, to install another copy of Windows, without antivirus and to try to extract all data I can from the infected files, and then simply to remove this infected Windows. If I don't find any other (read: easier) solution I think I'll have to go with this one.

Thanks all for the replies :)


--------------------
Azzaboi
post Mar 28 2009, 02:38 AM
Post #8


GMC:er

Group: Members
Posts: 1.485
Joined: 23-March 09
From: New Zealand
Member No.: 6.965



Are the documents Microsoft Word?

I heard WordFIX is a Microsoft Word recovery software designed to restore corrupt or damaged document files back into new trouble free files. Safely recovers documents that have been infected by viruses. I've however never been infected / tried it myself.

http://www.word-fix.com/

Flobo Word Recovery is another, might want to google for them...

As for getting re-infected, I don't know if that's a smart move? See what the virus/trojan does and stay offline on that computer if it's sending/retrieving data.

Also use Anti-spyware to clean up, if needed:
Ad-Aware Personal
http://www.lavasoftusa.com/software/adaware/

and/or
Spybot Search and Destroy
http://www.safer-networking.org/



--------------------


Dejan Farkas
post Mar 28 2009, 10:40 PM
Post #9





These were Word documents.

It seems the documents are lost for good, I changed the extension of some files to .txt and saw that they were overwritten, and they are all identical, it seems to be a program written in Visual Basic 6, some code is visible inside.

Thanks Azzaboi anyway :)

Regarding re-infection, I did not mean to do it on my current Windows, but to install the second copy of Windows on the same computer and later on to remove it.


--------------------
JCJXXL
post Mar 29 2009, 05:21 AM
Post #10


GMC:er

Group: Members
Posts: 327
Joined: 22-January 07
From: AMERICA THE BEAUTIFUL!
Member No.: 1.101



Honestly to have to reformat a computer due to a virus is rare if you know what you're doing and have the right protection. I would recommend installing Nod32 on a computer that is "clean", update it and run the scan on the drive.

This post has been edited by JCJXXL: Mar 29 2009, 05:25 AM
kahall
post Mar 29 2009, 05:38 AM
Post #11





QUOTE (Dejan Farkas @ Mar 28 2009, 04:40 PM) *
These were word documents

It seems the documents are lost for good, [..]


Ouch! Give your friend my best. I've been there...ONCE. It makes you feel ill for days.


--------------------
Dejan Farkas
post Mar 29 2009, 12:52 PM
Post #12





QUOTE (JCJXXL @ Mar 29 2009, 06:21 AM) *
Honestly to have to reformat a computer due to a virus is rare if you know what you're doing and have the right protection. I would recommend installing Nod32 on a computer that is "clean", update it and run the scan on the drive.


That was her computer at work, it was not protected at all and I'm not really sure what happened when it was taken to servicing. The only thing I know is they're lost :)

QUOTE (kahall @ Mar 29 2009, 06:38 AM) *
Ouch! Give your friend my best. I've been there...ONCE. It makes you feel ill for days.


It will not make her ill, it will make her work long hours to create these documents again.

And I'll make sure she knows what backup is for :)


--------------------
29a
post Mar 30 2009, 04:58 PM
Post #13


GMC:er

Group: Members
Posts: 356
Joined: 28-December 08
Member No.: 6.464



QUOTE (Dejan Farkas @ Mar 29 2009, 01:52 PM) *
And I'll make sure she knows what backup is for :)

Make sure she uses incremental backups. Otherwise she'll just end up with an infected backup.

However there's one thing you could try: Recovering the original files from the USB stick. It's possible that they are still there and recoverable. So you might be able to recover the files the same way you can undelete photos from a digital camera / flash card. PhotoRec is one software that can do this: http://www.cgsecurity.org/wiki/PhotoRec. And no worries, it's not just for photos.

On the other hand, no virus protection, no proper backups and only one copy of the files on one PC AT WORK, that's pretty much negligence.

Cheers,
Jonas

JCJXXL, I would always set up an infected computer from scratch. A) It's mostly not worth the effort to try to fix everything. B) It's very difficult to be certain that the system is clean again. Who knows what other things they've smuggled onto your computer while they've had access.


--------------------
Dejan Farkas
post Mar 31 2009, 12:07 AM
Post #14





Thanks for the solution, I managed to recover all deleted files, but unfortunately those Word documents were overwritten by the worm, none of them successfully recovered.

I agree with you about the negligence, but there are many people who don't know much about computers, they have basic knowledge in Word and Excel and that's it. :)


--------------------
Dejan Farkas
post Mar 31 2009, 08:21 AM
Post #15





Update: the documents are fully recovered :)

I noticed that folders on the USB stick showed that there are some files inside, but when opened there were none (although show hidden files is activated on my computer). I added one folder to a RAR archive and suddenly all documents appeared in the archive, and I could open them all :D

And when I extract them back to a folder they remain hidden, but anyway they are here :)


--------------------
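What posts #9 and #15 found by hand (renamed files that all turned out to be the same program, and original documents that were still on the stick but hidden) can be checked by file content rather than by name. This is an added example, not part of the original thread; the function names and sample files are constructed for illustration, and it assumes it is pointed at a read-only copy of the drive.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Word 97-2003 .doc container
HIDDEN, SYSTEM = 0x2, 0x4                       # Win32 file attribute bits

def classify(path):
    """Identify a file by its leading bytes, ignoring its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == OLE2_MAGIC:
        return "document"
    return "executable" if head[:2] == b"MZ" else "other"

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def triage(root):
    """Return ([(doc path, hidden?)], {sha256: [identical executables]})."""
    documents, by_hash = [], defaultdict(list)
    for folder, _dirs, files in os.walk(root):  # lists hidden entries too
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            kind = classify(path)
            if kind == "document":
                attrs = getattr(os.stat(path), "st_file_attributes", 0)
                documents.append((rel, bool(attrs & (HIDDEN | SYSTEM))))
            elif kind == "executable":
                by_hash[sha256_of(path)].append(rel)
    clones = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return sorted(documents), clones

def build_sample(root):
    """Constructed stand-in for the stick: two identical stubs, one real .doc."""
    stub = b"MZ" + b"\x90" * 64                 # placeholder bytes, not malware
    samples = {"report.exe": stub, "budget.exe": stub, "notes.txt": b"text",
               "report.doc": OLE2_MAGIC + b"\x00" * 64}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

On Windows the second field of each document entry reports whether the hidden or system attribute is set; on other systems it is always False.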
29a
post Mar 31 2009, 09:08 AM
Post #16





QUOTE (Dejan Farkas @ Mar 31 2009, 01:07 AM) *
I agree with you about the negligence, but there are many people who don't know much about computers, they have basic knowledge in word and excel and that's it. :)

That's why I wrote at work. I understand that not everybody has advanced knowledge of computers. But if you have a company that works with computers you should have somebody there with advanced knowledge to make sure everything is backed up and as secure as possible. Otherwise that company and their customer data are at risk.

What you describe sounds very weird. But then again malware is known to do very weird things (that's why computers should always be set up from scratch after infection). Anyway, I'm glad you saved the day! :)


--------------------
kahall
post Apr 1 2009, 05:03 AM
Post #17





QUOTE (Dejan Farkas @ Mar 31 2009, 02:21 AM) *
Update: the documents are fully recovered :)

[..]


You kicked that virus's butt. Way to go. ;-)


--------------------