
How to recover files damaged by virus attack



#1 Ykassed


Posted 10 April 2015 - 02:07 PM

Hi All

 

I'm very glad to have found this site; thanks to all for sharing and helping.

 

Well, please, I'm faced with malware that has encrypted all files on my machine; any Word, Excel or PDF file is encrypted, as in the picture below - Capture.JPG

 

I've installed Malwarebytes and also Kaspersky, then I formatted my machine, but the files are still corrupted. On the internet I purchased office recovery, which also did not give me my files as they were before.

 

Please help me 


Edited by hamluis, 10 April 2015 - 02:12 PM.
Moved from Win 7 to Gen Security - Hamluis.



#2 Sintharius


Posted 10 April 2015 - 02:09 PM

Hello there,

Did you see any ransom note (instructions on how to recover your files) on your machine? What is their name? HELP_DECRYPT, DECRYPT_INSTRUCTION etc.?

Edited by Alexstrasza, 10 April 2015 - 02:10 PM.


#3 Ykassed


Posted 10 April 2015 - 02:12 PM

No, nothing. What happened is that I put a USB from a friend in my laptop, then my machine was contaminated.

Also, I've formatted the hard drive and deleted all suspicious files; but my files, I cannot delete them, they are my studies.



#4 Sintharius


Posted 10 April 2015 - 02:36 PM

My best guess is that you got infected with CryptoWall or PClock. Without the ransom note it is hard to guess which one.

For CryptoWall go here: CryptoWall and HELP_DECRYPT Ransomware Information Guide and FAQ

For PClock go here: New PClock CryptoLocker Ransomware discovered

#5 Ykassed


Posted 10 April 2015 - 03:26 PM

Many thanks for your reply: I get an error when using "For PClock go here: New PClock CryptoLocker Ransomware discovered".

Because my machine is formatted, with no old files from my last system, I have this error: The description key for your system could not be found there is no way to decript your files .....



#6 Ykassed


Posted 10 April 2015 - 03:32 PM

When trying to use R-Studio I get this error:

 

[Environment information]
 Application: R-Studio Demo [x64,QT] v7.6 Build 156767
 System:      4 x Intel® Core™ i5-3320M CPU @ 2.60GHz, 2591 MHz, 8095 MB RAM
 OS:          Windows 7 Build 7601, Service Pack 1
[Memory usage information]
 System physical memory: Used: 3841920KB, Total 8289696KB
 System virtual memory:  Used: 3633900KB, Total 16577536KB
 Process virtual memory: Current 22940KB, Maximum: 22940KB
[Exception information]
 Exception Code:      0xc0000005 (Access violation)
 Exception Address:   0x40e62cc0
 Exception Operation: Read from address 0x0012dfbb


#7 Sintharius


Posted 10 April 2015 - 04:00 PM

If your file is encrypted by PClock then you can try Fabian Wosar's suggestion.

If you got CryptoWall then you're out of luck. I'm sorry.

#8 passacaglia


Posted 10 April 2015 - 08:19 PM

If the malware corrupted files you had in some "documents" folder in any other drive than the OS drive, formatting your OS won't help you. What you need is to recover your files. If the malware destroyed the "headers" there is absolutely nothing you can do, since recovery programs start from the "header" down.

 

But if this is not the case there are quite a few recovery programs. I don't need to quote them since you can google them. The problem is that most of them don't address specific cases and you might run two or three with no results. Just google for "best recovery programs" and read reviews of them to see which best suits your needs.

 

But you may feel queasy that there is malware hunting your computer.

 

A good antivirus/antimalware is Bitdefender. You can customize a scan to go through the whole computer. One of the top antimalware programs is Malwarebytes. You can also download the Free Emsisoft Emergency Kit and do a full scan.

 

These should take care of most malware and viruses.

 

If you have a heavily infected computer there are other options, but NEVER USE COMBOFIX ON YOUR OWN UNLESS YOU HAVE A TRAINED PERSON BY YOUR SIDE. IT CAN WREAK HAVOC ON YOUR COMPUTER.

 

And don't take this lightly. I would guess that in 99% of virus/malware problems, Bitdefender + Malwarebytes + Spybot + Emsisoft Emergency Kit + adwcleaner + Rogue Killer are more than enough to solve 99.9% of those problems. More would be overkill. And if you believe there is more, call a computer technician.
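The header check mentioned in the post above can be run over damaged files before trying recovery software. This is an added example, not part of the original post: it compares each file's leading bytes with the well-known signature for its extension and, when the signature is gone, uses byte entropy to separate encrypted content from overwritten content. The 7.5 bits/byte threshold, the 64 KB sample size and the verdict names are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Leading signatures ("magic bytes") for the document types named in the thread.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls
ZIP = b"PK\x03\x04"                           # .docx/.xlsx containers
SIGNATURES = {".pdf": b"%PDF-", ".docx": ZIP, ".xlsx": ZIP,
              ".doc": OLE2, ".xls": OLE2, ".jpg": b"\xff\xd8\xff"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(path: str, sample_size: int = 65536) -> str:
    sig = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if sig is None:
        return "unknown-type"
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head.startswith(sig):
        return "header-intact"
    # Signature gone: near-random bytes from offset 0 point to encryption,
    # low entropy points to overwriting or truncation instead.
    if shannon_entropy(head) > 7.5:
        return "header-missing-high-entropy"
    return "header-missing-low-entropy"

def demo() -> dict:
    """Run triage over constructed sample files (not real victim data)."""
    samples = {
        "intact.pdf": b"%PDF-1.4\n" + b"x" * 100,
        "scrambled.pdf": os.urandom(65536),
        "zeroed.docx": b"\x00" * 4096,
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = triage(p)
    return results

if __name__ == "__main__":
    print(demo())
```

The signature is checked first because intact .docx and .xlsx files are compressed and score high on entropy anyway. Run the check on copies of the damaged files, not the originals.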



#9 quietman7


Posted 10 April 2015 - 09:15 PM

The best solution for encrypted data is to restore from backups. Newer ransomware variants typically delete all Shadow Volume Copies so that you cannot restore your files using System Restore or a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. In some cases Data Recovery Tools may be helpful but there is no guarantee.

If that is not a viable option, then as my security colleague Nathan (DecrypterFixer) has stated several times to victims of various ransomware infections..."if there is no fix tool, the only other alternative is to save your data as is and wait for possible updates". Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
