The Scream! > COMPUTER RELATED > PC Security

#1  30-December-2001, 17:50  MegaTsunami (Waves goodbye | Join Date: May 2001 | Location: Rochdale | Posts: 3,026)
Subject: Infected, files deleted, in a mess - HELP !!!!

Someone help us please !

PC went pear shaped on Friday, desktop icons all disappeared, PC froze. Zone Alarm crashed and got some error message about InoculateIT missing some .VET file ....

PC then refused to boot up.

Spent all weekend formatting then loading up Win.98 onto a spare old 260Mb hard drive so I could get on the net and ask for help.

Noticed to our horror that *ALL* of the jpeg pictures me and my girlfriend have saved on the hard drive over the last 3 years have been totally WIPED. She is in tears. (We were gonna burn them onto a CD when we could afford a CD burner).

Windows just refuses to work on the other hard drive.

And where the hell have all these 1,000s of saved JPEG files gone to, anyone?

Am desperate for help over this.

What has happened please ???????

Yours extremely scared and p*ssed off,
MegaT & girlfriend

Can this be "undone" at all ?

Can we recover these 1,000s of deleted JPEGS at all ?

I have unplugged the infected hard drive (6.4Gb) and am crawling along using this ancient 260Mb one right now. Scared in case I somehow accidentally WIPE all of the other one, that's why I unplugged it.

Please help us. Some Xmas this has been so far

HOW THE HELL CAN A VIRUS DELETE ALL THE JPEG FILES, PLUS WIPE OFF OTHER WINDOWS FILES LIKE WIN.COM OFF THE DRIVE ????
#2  30-December-2001, 20:51  Ian (Join Date: Apr 2001 | Location: Down South | Posts: 3,266)

There are virii that overwrite jpeg files (Loveletter mainly); it then renames them .jpg.vbs (so picture.jpg would become picture.jpg.vbs).

On the other hand it sounds a bit more like corrupted data on the drive.

You could try running something like this: http://home.arcor.de/christian_grau/rescue/ over it to try and recover the missing files. If possible it's also a good idea to try and not write the files back to the suspect drive, ie copy them to floppy or the other hdd (but I guess this might not be that easy).
#3  30-December-2001, 21:06  fridgebuzz (Guest)

Stupid question I know Mega
But were you running anti-virus software and/or Firewall?

If not - I think you've learnt why you should

Hope you get it sorted
#4  30-December-2001, 21:40  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

humm, doesn't sound too good

You should be safe to put the other drive in as a secondary (ie don't try and boot from it). Get another virus checker and run it across the secondary drive (make sure you set it to 'warn' not 'clean' or it might wipe off loads of files?).

Perhaps try one of the free and easy online virus checkers and see what they turn up (be sure not to select 'auto clean' on any of them!).

You need to find out what's caused the problem (ie if it's a virus) b4 knowing what the next step is...

good luck

Sil

PS - fb - I think he was running inoculateIT ?
#5  31-December-2001, 01:09  Huw (Screamager | Join Date: Apr 2001 | Location: Cotswolds | Posts: 342)
Subject: Harry Enfield and chums

Fridgebuzz, are you Harry Enfield's 'I bet you didn't want to do that' character? If I ever post asking for help please do not offer me the 'you shouldn't have done it' type help. InoculateIT and Zone Alarm ARE the AV and Firewall you seem to suggest should have been used.

Anyone know what this loveletter virus puts on the HDD? If you can boot from a start-up floppy you can have a look at what files are left.

My DOS is rusty but isn't there a command that would rename all the 'jpg.vbs' s back to 'jpg' s - 'rename *.jpg.vbs *.jpg' perhaps or will all files need to be renamed individually?

I would not be too creative at this stage though until you have got shot of the cause. If you have the 'suspect infected' drive installed as a slave then as you are on line there are some online virus scanners that can help diagnose - perhaps silver has already linked to them.

Hope we can sort this.
__________________
Huw
#6  31-December-2001, 01:17  fridgebuzz (Guest)

Yeah Huw, sil pointed that one out!

This Year I have mostly been not noticing when someone has been using what I asked what they've not been using!

You ain't seen me!
#7  31-December-2001, 01:35  Techtips (Guest)

Don't put ANYTHING on the affected drive.

Use the above data rescue program to recover those that were lost.
#8  31-December-2001, 02:19  Huw (Screamager | Join Date: Apr 2001 | Location: Cotswolds | Posts: 342)
Subject: ?

What is the problem with putting 'ANYTHING' on the infected drive?
__________________
Huw
#9  31-December-2001, 02:23  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

I think the key is to work out what's caused the problem first.

Run the housecall AV in the link to online scanners and see what it reports..

Sil
#10  31-December-2001, 02:29  Huw (Screamager | Join Date: Apr 2001 | Location: Cotswolds | Posts: 342)
Subject: where is it?

Have you 'plugged' the infected drive back in as a slave Mega?
__________________
Huw
#11  31-December-2001, 09:10  MegaTsunami (Waves goodbye | Join Date: May 2001 | Location: Rochdale | Posts: 3,026)

Hi first off, yes, I do have the affected hard drive plugged in as a slave, should I disconnect it NOW ?

And also remove it from the BIOS setup so I just have the 260mb C: drive only ?
#12  31-December-2001, 11:19  Techtips (Guest)

No, you don't need to disconnect the drive.

Adding data of any sort to the drive could make the situation worse. It may not, but hey, do you want to take that chance?

Leave it on as a slave and make sure your BIOS boot sequence doesn't try and boot from it.

If you have a spare machine put it in that with an Antivirus Rescue boot disk. Those five or so you may have made up from when installing Norton or whatever it was at the time.

If you have got this facility then use/install an AV on the new system and then scan the slave drive.

HOWEVER I would be tempted to use the recovery program Ian mentioned above first to recover any of the deleted JPGs, and then put them in a separate folder for AV processing/checking.
#13  31-December-2001, 14:13  MegaTsunami (Waves goodbye | Join Date: May 2001 | Location: Rochdale | Posts: 3,026)

HI.

having trouble running any on-line virus scanners, keep getting cut off from Freeserve Anytime

However, I DID find out that this is the culprit...

Found on the infected 6.4Gb hard drive at the exact time this PC went pear shaped :

54214151d.zip which when unzipped contains the following suspect files :

!!!!!!!!.jpg 0Kb jpeg image
0049.jpg 0Kb jpeg image
OH..YEAH.exe 27Kb application

Don't worry, these are on a floppy disk, and NOT on my 260Mb hard drive.

Is there any way of exploring exactly what is in this OH..YEAH.exe file anyhow without running it ?!?!

I am desperate to know what the little b*gger is capable of, and how it has screwed up this PC and deleted our precious *.jpg image collection. The *.bmp files are all still there and all our *.mp3 files - it just wiped selected crucial windows system files and ALL our *.jpeg images.

Gotta go to work now, hope someone will have replied by the time I get back in tonight ?!?!

Thanks for all the support, it's not looking like a Happy New Year for us two right now
#14  31-December-2001, 14:45  Techtips (Guest)

Have you done any programming?

Assembler perhaps? You can use Debug.exe

BUT if you haven't used it and you have no understanding of Assembly then there is little point. I could do it for you but I haven't got the time ATM and TBH it seems the file has done its damage and I would be more concerned about how to get back my lost data.

If, as Symantec say, the file changes the JPGs themselves then I'm not sure if you may have any "GOOD" ones left on your hard drive to recover.
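Added example, not part of the thread: Techtips points at DEBUG.EXE for looking inside the attachment without running it. The script below is the present-day equivalent of that first look, written for this page rather than taken from any poster: it reads only the MZ and PE/COFF headers (section names, sizes and offsets) and pulls printable strings, the way the `strings` tool does, and never executes the file. The byte string it inspects is a constructed PE-shaped stand-in, not OH..YEAH.exe from the thread; `parse_pe`, `ascii_strings`, `suspicious_strings`, `triage`, `build_sample` and the keyword list are names and choices made for this example.

```python
import re
import struct

MIN_STRING_LEN = 5
# Keywords a triager would look for in a file suspected of deleting pictures
# and spreading by mail (chosen for this example from what the thread describes).
FLAG_KEYWORDS = ("jpg", ".com", ".vbs", "mail", "delete")


def parse_pe(data):
    """Read the MZ and PE/COFF headers of `data` without executing anything.
    Returns a dict of header facts, or None if the bytes are not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections = []
    off = e_lfanew + 24 + opt_size  # section table follows the optional header
    for _ in range(nsections):
        if off + 40 > len(data):
            break  # truncated table: report what we have
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_offset": rawptr,
        })
        off += 40
    return {
        "machine": machine,  # 0x14C is i386
        "timestamp": timestamp,
        "is_dll": bool(characteristics & 0x2000),
        "sections": sections,
    }


def ascii_strings(data, min_len=MIN_STRING_LEN):
    """Printable-ASCII runs of at least min_len bytes (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def suspicious_strings(strings, keywords=FLAG_KEYWORDS):
    """Keep strings containing any keyword, case-insensitively."""
    return [s for s in strings if any(k in s.lower() for k in keywords)]


def triage(data):
    """Combined static summary of a suspect file: headers plus flagged strings."""
    strings = ascii_strings(data)
    return {"pe": parse_pe(data), "string_count": len(strings),
            "flagged": suspicious_strings(strings)}


def build_sample():
    """Constructed PE-shaped byte string for the demo. It is NOT a real or
    runnable program (the optional header is zero length) and NOT the worm
    from the thread; it just gives the parser headers and strings to find."""
    text = b"Hello from .text\0DeleteFileA\0*.jpg\0*.com\0"
    rdata = b"mailto:\0SMTP\0"
    e_lfanew = 0x40
    opt_size = 0
    header_end = e_lfanew + 24 + 2 * 40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    sec_text = struct.pack("<8sIIII", b".text", len(text), 0x1000,
                           len(text), header_end) + b"\0" * 16
    sec_rdata = struct.pack("<8sIIII", b".rdata", len(rdata), 0x2000,
                            len(rdata), header_end + len(text)) + b"\0" * 16
    return dos_header + coff + sec_text + sec_rdata + text + rdata


if __name__ == "__main__":
    report = triage(build_sample())
    for s in report["pe"]["sections"]:
        print(s["name"], s["raw_size"], "bytes at offset", s["raw_offset"])
    print("flagged strings:", report["flagged"])
```

Against a real suspect file you would read it from a floppy or a copy (`open(path, "rb").read()`) and feed the bytes to `triage`; the header facts and flagged strings are only a starting point for deciding what the file is, not proof of what it does.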
#15  31-December-2001, 16:46  Huw (Screamager | Join Date: Apr 2001 | Location: Cotswolds | Posts: 342)

I could not find any 'oh yeah' virus but loveletter does overwrite JPGs. Sophos says : Any JPG or JPEG files are also overwritten by the worm but have the extension .VBS added to the existing filename. If you can tell us the subject line of the e-mail that carried the 54214151d.zip that will help

You can download some emergency disks 'for home use evaluation' here

http://www.sophos.com/downloads/prod...gdos_1078.html
__________________
Huw
#16  31-December-2001, 19:17  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

Try something like nod32 http://www.nod32.com/ - it has an eval copy that can be downloaded (as always remember to press the 'update' function after installing it). It's not simple to set up (there's a few options to choose from) but it is highly regarded as an av scanner and it should be able to tell you exactly what type of virus you might have.

Also try http://www.kaspersky.com/ perhaps?

Remember you might want to first make sure that any av scanner you try out has the option to 'clean files' turned off - set it to 'warn' - that way it won't go off and delete files.

If you have a virus then try to determine what it is b4 you take any remedial action.

If you wish you can mail me one of the 'jpeg' files and I'll see if I can find out what's been done to it. Firstly zip the suspect jpeg file and then attach it to an email which you can send to me (don't send me a suspect file which might turn out to be a jpeg of a 'personal nature' )

Good luck

Sil

Last edited by silver; 01-January-2002 at 17:42.
#17  31-December-2001, 19:24  Ian (Join Date: Apr 2001 | Location: Down South | Posts: 3,266)

There's also a free DOS based virus scanner called FProt: http://www.fprot.org/fr_english.htm (1.4MB)
#18  01-January-2002, 17:15  MegaTsunami (Waves goodbye | Join Date: May 2001 | Location: Rochdale | Posts: 3,026)
Subject: Sh*t ! Sh*t ! Sh*t !

Oh, bloody hell, we have been hit with the :

W32.Maldal.D@mm virus which does indeed screw up your ZoneAlarm & InoculateIT virus defense settings AND deletes JPEG files and COM files

More info. here :

http://vil.nai.com/vil/virusSummary.asp?virus_k=99288

Thing is, we can't find how to REMOVE the darned thing yet, well, not using Inoculate anyway....

Please help before it's too late.

MegaT & 'er indoors
#19  01-January-2002, 17:20  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

ahh - yeah - the ones you sent me (which I asked you to) show the same thing...

OH..Yeah.exe - Win32.Maldal.E worm

should be some info on the web etc.. will have a look round in a bit

Sil
#20  01-January-2002, 17:29  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

ok - is also described at

http://www.europe.f-secure.com/v-descs/cmas.shtml

it looks like it has actually wiped those files. Your (only/) best bet to recover the original files is to run an undelete on all the jpeg files; all isn't lost at this point (potentially), since a 'simple delete' may not have actually removed the files totally from the harddisk.

What you need is basically an undelete program - the best I know of comes with norton systemworks (2002).

I wouldn't bother to clean the infected files at this point - remember the 'jpeg file'.vbs gives you an indication of the original file name - i.e. the original jpeg file - in that case you can use that to find files in the undelete program (or just search for all .jpg / .jpeg files).

I'm not sure there's an 'eval version' of norton systemworks abt - but if you don't have it perhaps post - u never know - someone might know of a cut down / eval version

Sil
#21  01-January-2002, 17:30  MegaTsunami (Waves goodbye | Join Date: May 2001 | Location: Rochdale | Posts: 3,026)

Thanks Sil.

Cheers for confirming that it is a virus

I owe you an apology as I have a mate round here who sent you the attachments and he rather red-facedly admitted he'd accidentally sent you the virus infected *.exe file when he was only meant to send you the 2 jpeg files..... sorry !

Anyway, what do we do now then ?!?!

And, how come it showed up on your anti-virus scan as Win32.Maldal.E when it showed up as D on this PC ?

Someone please help us remove this bloody thing !

EDIT: Posted while you were making your post, sorry Sil !
#22  01-January-2002, 17:39  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

heh - I noticed you'd sent me the exe - it's no bother

I don't run Outlook and am not in the habit of running *anything* people email me

Sil

PS > why you shouldn't use Outlook Express
#23  01-January-2002, 21:05  Steed (Screamager | Join Date: Jun 2001 | Posts: 1,892)

Hi MT

I had a look around for freeware undelete progs and they seem to be pretty rare.

I only found one, here

http://www.sover.net/~whoi/WinUtils2.html

called Final Data. Biggest prob seems to be that you can only undelete 3 files with each prog start. So it would take ages for all your jpgs.

Still, it may be of some use. Good luck with sorting things out.

[I'm not really very technical, maybe someone else could give an opinion about 'Final Data' as well]

Steed


[Edit: This page suggests that you can clean the virus with an InoculateIT update now. However please do note again my lack of expertise, I think previous posts indicate that recovering your files first is best, if possible.
http://www3.ca.com/Virus/Virus.asp?ID=10737
Sil, can you advise? ]

Last edited by Steed; 01-January-2002 at 21:14.
#24  01-January-2002, 21:11  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

hi steed -

There are some other undeleter type apps in Deleted Files....Help

Sil
#25  01-January-2002, 21:18  Steed (Screamager | Join Date: Jun 2001 | Posts: 1,892)

Thanx Sil,

I should have checked through TS first

I was adding an edit to my previous post when you posted, what do you think? I don't want to give wrong advice to MT

Steed
#26  01-January-2002, 21:27  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

I think worldlife tried that 'final data' util - not sure what success he had

I'm not sure abt this cleaning either really, I was going to suggest cleaning first - but on a re-think I don't think it's the best plan - since (and I could be wrong) the 'clean' is just going to go delete the .vbs files - and not going to recover the old jpegs?

If this is the case - then I'd say don't run the 'clean' - it's only going to get in the way of the 'undeleting procedure'. Combine that with the fact the vbs files are on a secondary drive that isn't being booted - so the virus should be in a dormant state..

Perhaps do a test run - put one of the vbs 'jpeg' files onto a floppy - direct inoculateIT to scan + clean the floppy (just the floppy) and see what happens.

or something like that

Sil
#27  01-January-2002, 21:30  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

Looking at the link you posted - the link I posted says more or less the same
Maldal.E contains a destructive payload that searches for and deletes files with the following extensions:

"com", "bat", "mdb", "xls", "doc", "lnk", "ppt", "jpg", "mpeg", "ini", "dat", "zip", "txt"
- which I take to mean it deletes the files - ie they are not the original files with stuff added - but then that's possibly an assumption..?

Sil
#28  01-January-2002, 21:33  Steed (Screamager | Join Date: Jun 2001 | Posts: 1,892)

Sil

Sounds like good advice

Good luck MT, I know how we would feel to lose all our jpgs

Steed
#29  02-January-2002, 09:25  Huw (Screamager | Join Date: Apr 2001 | Location: Cotswolds | Posts: 342)
Subject: hold on

Before getting into any data recovery, have you confirmed they are gone, not just renamed - the virus data seems to say the virus MAY delete JPGs. Is the directory empty or missing? Try to search for the name of one of the files.

Silver, could you clean/rename and open the file Mega sent you?
__________________
Huw
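Added example, not from the thread: Huw's question above ("gone, or just renamed?") and his earlier `rename *.jpg.vbs *.jpg` idea (post #5) both come down to one read-only check. The script below, written for this page and not taken from any poster or tool, walks a copy or read-only mount of the suspect drive, classifies every `*.jpg.vbs` by its content (a real picture still starts with the JPEG SOI bytes FF D8 FF; a file that now holds text has been overwritten; a zero-length file has lost its data), and produces a dry-run rename plan for the intact ones without writing anything, which keeps to Techtips' "don't put anything on the affected drive". The sample directory is constructed in a temp folder; `classify`, `survey`, `rename_plan`, `summary` and `build_sample_tree` are names chosen here.

```python
import tempfile
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # every JPEG file starts with these bytes
PROBE_BYTES = 512            # how much of each file to read for classification


def classify(path):
    """Classify one *.jpg.vbs file by its content, not its name.
    Reads only; nothing on the drive is modified."""
    head = path.read_bytes()[:PROBE_BYTES]
    if not head.strip():
        return "empty"        # zero-length: the picture data is gone
    if head.startswith(JPEG_SOI):
        return "renamed"      # still a JPEG: renaming back would restore it
    return "overwritten"      # something else (e.g. script text) replaced it


def survey(root):
    """Map each *.jpg.vbs under root (relative POSIX path) to its classification."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*.jpg.vbs"))}


def rename_plan(results):
    """Dry run only: (current name, restored name) for files whose data is intact.
    Nothing is renamed here; the list is for review before touching a COPY."""
    return [(name, name[:-len(".vbs")])
            for name, kind in results.items() if kind == "renamed"]


def summary(results):
    """Counts per class; the 'overwritten' and 'empty' ones need undelete/carving."""
    counts = {"renamed": 0, "overwritten": 0, "empty": 0}
    for kind in results.values():
        counts[kind] += 1
    return counts


def build_sample_tree():
    """Constructed sample directory in a temp folder (not a real drive image)."""
    root = Path(tempfile.mkdtemp(prefix="jpgvbs_triage_"))
    pics = root / "pics"
    pics.mkdir()
    # intact picture data that merely gained a .vbs suffix
    (pics / "holiday01.jpg.vbs").write_bytes(JPEG_SOI + b"\xe0" + b"\0" * 64)
    # picture replaced by text (constructed stand-in for script content)
    (pics / "holiday02.jpg.vbs").write_bytes(b"' placeholder text standing in for script content\r\n")
    # zero-length file: nothing left to rename back
    (pics / "holiday03.jpg.vbs").write_bytes(b"")
    # an untouched picture with its normal extension is not matched at all
    (pics / "holiday04.jpg").write_bytes(JPEG_SOI + b"\xe0" + b"\0" * 64)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found = survey(sample_root)
    for name, kind in found.items():
        print(f"{kind:12} {name}")
    print("summary:", summary(found))
    for old, new in rename_plan(found):
        print(f"would rename {old} -> {new}")
```

Point `survey` at the mount point of the slave drive (or better, at an image of it) and read the summary first: a large "renamed" count means a bulk rename on a copy gets the pictures back, while "overwritten" and "empty" counts tell you how much depends on the undelete tools discussed earlier in the thread.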
#30  02-January-2002, 10:01  silver (Join Date: Apr 2001 | Location: Bournemouth, UK | Posts: 12,177)

He only sent me an exe file - MT - send me some of the zipped jpegs and I'll see what they look like

Sil

PS, same warning as b4 re 'personal pics'