Mallicious Virus doesn't like holiday snaps
January 19, 2010 8:03 AM   Subscribe

Excel files, word documents, pdf:s and pictures. All selectively corrupted by a virus. What virus was it, and can I restore the files somehow?

The computer in question has since the infection been wiped clean and everything else has been reinstalled from scratch, so I can't offer anything else but an account of the aftermath to help you make a diagnosis. One pertinent fact might be that all files were modified by the virus at roughly the same time and that some files were unaffected.
posted by JeNeSaisQuoi to Computers & Internet (8 answers total) 1 user marked this as a favorite
Wiped clean can mean a few different things. If it's been written over heavily, then odds are not good you will get the data back unless you physically take your hard drive out of your machine and send it to a data recovery lab.

Free software solutions may help if not much data has been written over- try Recuva.

The virus could have been a polymorphic virus that targets selective files and is very difficult to remove cleanly because it continues to replicate while you are removing it. AVG has a program called rmvirut that targets one of these types of viruses.

Another excellent free malware removal tool is Malwarebytes' Anti-Malware.

The safest thing to do is to monitor your browsing habits and never click on a link that you are unsure of, especially one that you find in your e-mail or one from an unknown person on Facebook. Also stop using Internet Explorer if you are, and start using Chrome, Firefox, Opera, or Safari. Any of those are safer than IE.
posted by ehamiter at 8:27 AM on January 19, 2010

Response by poster: Well, to clarify. I was the one who wiped the hdd and started over. I didn't want to risk having something that nasty lying dormant after a botched clean up attempt. I did backup the affected files before doing so. All files seem to have kept their original size (more or less) so I didn't think running a program such as Recuva would help since I assumed the virus modified the files in situ. I could have been wrong though. I guess I was hoping that the virus modified the files in a predictable manner so that the modifications could be reversed.
posted by JeNeSaisQuoi at 9:07 AM on January 19, 2010

What are you asking, exactly? Are you trying to identify the virus? What specifically went wrong with the files?
posted by Eicats at 12:36 PM on January 19, 2010

Response by poster: What are you asking, exactly? Are you trying to identify the virus? What specifically went wrong with the files?

1# I'd like to know what virus is associated with the consequences I listed. If I knew what virus did this I could google it to see what could be done to mitigate the damages.

2# I'd like to know if it is possible to repair the files affected by the virus.

I'm not sure exactly what is wrong with the files, all I know is that I can't open them anymore.
posted by JeNeSaisQuoi at 1:07 PM on January 19, 2010

This largely depends on finding out exactly which virus messed with your files.

There are a few nasty "blackmail" viruses that encrypt your files with a very secure encryption method, in an attempt to extort money from the victims to have them unencrypted.

Others variants can just be a simple scramble of your data (hopefully!) and some strains may just write random junk into your files (very bad!).

Until you find out exactly what virus was the culprit, you're likely not going to get very far.

A quick Googling of "encrypt file virus" shows some hits - and possibly some salvation in terms of tools to repair certain infections, including repairing your files.

An excellent website I've been using lately is - if you upload a file they will run around 40 different anti-virus scanners on it and report anything they find. This is great for tracking down a stubborn infection or for testing a downloaded file.

Once you track down the infection you can start searching for a remover or fixer - or you'll at least find out if you should just give up.

One such removal tool is here, from Symantec:
Trojan.Ramvicrype Removal Tool

Here's a recent story on one such virus: New Trojan encrypts files but leaves no ransom note

If you do find yourself without a solution, you can always try Recuva or PhotoRec (which rescues more than photos) to search your drive for file signatures. PhotoRec has a "paranoid" feature where it'll check the recovered files to make sure they aren't just junk. Depending on how the virus acted against the files, this may be able to find deleted (but unencrypted) versions - but that depends on how the virus wrote to the files. (If it made an encrypted copy and deleted the original, you may find the original. YMMV.)
posted by Fat Elvis at 1:12 PM on January 19, 2010

Response by poster: Thanks for the advice. The files had no new file extension which seems to be the norm if they've been encrypted, and I've not come across any ransom notes. Submitting an affected file to virustotal yields no results, which is what I would suspect since they're not executable files. I'll try the paranoid feature in photorec to see what I'm dealing with, but if the files are encrypted will they not show up as junk in photorec in that case?
posted by JeNeSaisQuoi at 2:26 PM on January 19, 2010

Response by poster: Update:

I found out the virus in question: it was new version of vuntu. The files were encrypted and they could be recovered.
posted by JeNeSaisQuoi at 3:34 AM on January 20, 2010

Excellent news! Congrats!

I'll tell you what I tell everyone - get MozyHome right now - it's unlimited on-line secure backup for $4.95 (USD) per computer per month. (Or there's others as well, I just like Mozy!)

Not only is your data backed up, but it's also backed up and changes are kept for 30 days. This way if a file is corrupted or deleted and you don't notice right away, you can always roll back to a version from the past 30 days.

It took about a week or so to get all my initial data automatically uploaded, but after that backups are automatic, quick and painless. I sleep better at night knowing that drive failure, virus, fire or theft won't "erase" all my digital memories and work.
posted by Fat Elvis at 4:33 AM on January 20, 2010

« Older How can I watch Hulu outside U.S. for free?   |   Option NOT to cure a lapse in health insurance... Newer »
This thread is closed to new comments.