Posted 10 October 2012 - 02:04 PM
Evening folks. I've got a problem with my niece's laptop which I think is probably too far gone to resolve, but I'd appreciate any advice from you experts as to whether it really is the end of the line for the data.
She contacted me a few days ago for advice as to whether her machine was totally broken as she couldn't do anything with it, the screen was black and reporting disk failure etc. I asked whether she had experienced any other problems before this and she said it had shut down a few times due to overheating. At this point I assumed the black screen was a boot screen so something actually wrong with the HDD or config etc.
I arranged to get hold of the laptop, and pretty quickly found that the disk failure etc messages were the result of the File Recovery virus and set about cleaning it up.
Managed to boot in safe mode, but this didn't get past the little tinker as I couldn't browse to any security-related sites. Just about managed to copy RKILL from a USB drive, but couldn't copy or use any other tools from USB as it seemed to spot what I was up to, so I had to resort to booting up from Kaspersky Rescue Disk on DVD.
This ran okay, but very slow so I left it running overnight (after going back for a final check at midnight when it said it had about an hour left to run), and of course by the morning it had done a thermal shutdown.
At 6:45am I wasn't at my brightest so I just booted it back up again. KRD had by that time found some 9 issues so I told it to neutralise them and then kicked it all off again.
About three hours later and another overheating shut down before the process had managed to finish.
Once it had cooled down, I then did what I should have done before starting out and that was clean the fan. And kicked it all off again. No more issues found by the rescue disk, so ran the Windows Unlocker element as well, which quarantined a couple more bits.
Rebooted and ran Malwarebytes quick scan - 78 objects found, treated and rebooted.
Malwarebytes full scan - nothing found.
TDSSkiller - nothing found.
Hitman Pro, then RogueKiller, then Unhide.
By this point the File Recovery symptoms had disappeared and normal Wins 7 service was resumed.
BUT on checking things over, I found that the majority of the user files (documents, pictures, music) are unusable.
They have been renamed, e.g. a picture called "Turkey 2011 001.JPG" is now "locked-Turkey 2011 001.JPG.fgur", with the same format on all apart from different combinations of characters at the end.
It's not a simple rename; edit and try opening as an image results in 'format not supported'.
I've not seen any descriptions of this effect in any of the material I've found so far on the File Recovery virus so was rather disappointed that my efforts had gone so badly wrong.
On questioning my niece further, she then tells me that she has also been having problems with 'an FBI virus asking for money', which she has been handling by simply doing a system restore at boot up whenever the screens popped up.
It was only because the restore option had been hijacked this time that she asked for help!
And further questioning revealed that she has been doing this since at least April.
The machine was almost up to date with Wins updates, but way out on Java, Flash Player and Adobe Reader.
It did have AVG free but no disk scans run for about six months.
And a fair selection of peer-to-peer/file sharing apps, random toolbars etc.
I'm reasonably happy that I've either cleared all viruses or can carry on running every tool I can find to flush them all out.
But I don't want to do any more damage if there is even the slightest possibility that the work files can be 'unlocked'.
So, can I beg for help please - is this file locking a standard feature of any specific virus, or something else?
Has anybody else experienced it, and is there anything I can do to recover at this stage or is the damage too far gone?
Many thanks for reading to the end of my tale of woe.