Can I recover files from virus chest without the virus?

Hi,

I hope someone can help me because I’m sort of in a panic. I’ve tried to search around but I don’t think I’ve found the answer to my specific question.

It started when I was using someone else’s pendrive on my computer and Avast detected some viruses and trojans. I moved some of them to the virus chest immediately and later, when doing a boot-time scan, moved the rest of them to the virus chest (I deleted one file accidentally).

The problem is all the files in the pendrive are gone. Can I retrieve them without the virus?

I’m using Avast 4.8 Home Edition. Here’s the viruses I can see from the virus chest:

Win32:Mirc-X [trj]
Win32:Sality
Win32:Trojan-gen {Other}
Win32:Rootkit-gen [Rtk]

I can’t remember all the files but some of them were Word documents, including the one I was working on.

The problem is, right now I’m supposed to use this pendrive again and I suspect there would be some more virus (because of this other computer).

Please someone help me. I’m a bit tech-challenged so I would appreciate an easy to understand answer :).

Thanks.

Have a look in the avast! log and see what the file names were. It may be that the Word files were infected with a virus. If so, you could export them from the chest and see if avast! or maybe DrWeb CureIT can disinfect or repair them.

Win32:Mirc-X [trj] is an .exe infector.
Win32:Sality is a .com and .exe infector.
Win32:Trojan-gen {Other} could be a lot of things, but, generally, not file infectors.
Win32:Rootkit-gen [Rtk], ibidem.

So, I’m not that sure you’ll find any .doc in your Chested files, but, anyway, do not restore infected files or use extreme caution.

Hi guys thanks for trying to help me.

Have a look in the avast! log and see what the file names were.

This is what’s confusing, I can see in the virus chest but the files all end in .exe
I check the log viewer, all the files end in the same .exe
I can see the files name though, I’m not sure what to look for. Do I list them here?

Win32:Mirc-X [trj] is an .exe infector. Win32:Sality is a .com and .exe infector. Win32:Trojan-gen {Other} could be a lot of things, but, generally, not file infectors. Win32:Rootkit-gen [Rtk], ibidem. So, I'm not that sure you'll find any .doc in your Chested files, but, anyway, do not restore infected files or use extreme caution.

Yes, that’s exactly what I find in the virus chest. I haven’t restored anything. I’m afraid I would bring the virus back. Any ideas what I should do to get the files back?

I still have to use the pendrive again, but I have put it off till later, maybe after I get the files back.

Thanks.


Welcome to the forums, Rin. :slight_smile:

Please list the exact names of the files you find in the “Infected files” section of the Chest.


Which files? You don’t seem to have any .doc file to be restored from Chest… only infected executable files…

Welcome to the forums, Rin.

Please list the exact names of the files you find in the “Infected files” section of the Chest.

Thanks Charley :). OK here’s the list:

Which files? You don't seem to have any .doc file to be restored from Chest... only infected executable files...

But all the document files are gone. Can’t I get them back?

Thanks.


I am sorry, Rin, but after researching the executables, they are all infected.

So, I will agree with what Tech posted above in that they are not recoverable.

They are infected with various malware including cloaked, key logger, worm, back door, and other malware.


EDIT : Since you are in Malaysia, I thought you might be interested in this link.

http://www.chem.utm.my/units/komputan/?Current_UTM_Virus_Threats


So, I will agree with what Tech posted above in that they are not recoverable.

So there’s nothing at all I can do? Not even repair the files? Some of them are pretty important :-[

Since you are in Malaysia, I thought you might be interested in this link.

http://www.chem.utm.my/units/komputan/?Current_UTM_Virus_Threats

From the link you gave me, there’s a similar file in my pendrive called ravmone.exe. But Avast didn’t detect it. But right now the infected pendrive is not with me anymore.

I’m pretty sure there should be something I could do before moving the infected files to the virus chest and not get all the files wiped out, is there?

I know it’s too late now but maybe in the future I wouldn’t be too quick to move all the files to the virus chest.

Thanks anyway.

If they could have been repaired that option would have been available (not greyed out) on the detection.

Trojans generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.

The VRDB only protects certain files, mainly .exe files, it doesn’t protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won’t be an option.

Only true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast’s VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.

However, for the most part so called viruses, trojans (adware/spyware/malware, etc.) can’t be repaired because the complete content of the file is malicious.

Are they listed in the Chest? Seems you can recover if they’re not there… Or, at least, they wouldn’t be infected with those viruses.

Can you send the samples to virus@avast.com ?
You can zip and password-protect the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

Maybe you need to disable ‘Hide protected operating system files’ and enable ‘View hidden files and folders’ to manage the file(s).

You can also submit the file to www.virustotal.com to be sure it’s infected.

If they could have been repaired that option would have been available (not greyed out) on the detection.

I don’t remember whether it was greyed out or not.

Are they listed in the Chest?

Yes. It seems that all document files were infected except for .jpeg.

Is it possible to recover the documents files using one of those programs that recover deleted files?

Can you send the samples to virus@avast.com ? You can zip and password-protect the files... Include a link to this thread and the password used. You can send the files to Chest and, from there, resend to Alwil for analysis.

I’m quite confused now as to which files do you mean? All the files in the virus chest or the ravmone.exe?

I do know how to zip files but I don’t think I know how to password protect it…

Thanks.

The executable files aside, and the viruses aside, if you had word documents on this pendrive, and they are not there anymore, I don’t think it has to do with avast nor the viruses that were on the drive.

Avast may have removed the viruses but the word docs (if they weren’t infected) should still be on the drive.

You stated that, “The problem is all the files in the pendrive are gone,” and since no word documents were removed by avast, I can only assume that when you removed the drive from the computer, it may have corrupted it, making the files “disappear.”

My suggestion now, would be to use a program called, “Restoration” found here:
http://www.snapfiles.com/get/restoration.HTML

You can use that to attempt to recover any files that may have become corrupted when you removed the drive, and possibly get the docs back. Just don’t recover any files that were viruses!

Hi guys,

About Ravmone, I made a mistake. It is not ravmone but ravmonlog file that’s in the pendrive.

After the first incident, Avast detected a few more infected files when I tried to run the pendrive. I believe the file was autorun.inf and isi32.exe. I moved them to the virus chest immediately.

I have since tried to scan using Avast and MBAM but the scan returned that there was no infected files. However, I can still see a ravmonlog file in the pendrive. Is this harmful? I have tried to do some online research. Some say it’s not harmful but others say it is. Some even say that I can just delete the file. Any ideas?

My suggestion now, would be to use a program called, "Restoration" found here: http://www.snapfiles.com/get/restoration.HTML

Great! Thanks scythe944, I think I need to figure out about ravmonlog first before I try to recover the corrupted files.

Thanks!

You can remove ravmonlog after removing the exe. This guide seems pretty good:

http://stylez.wordpress.com/2006/10/09/a-guide-to-removing-ravmoneexe/

- after you find the file, laugh in an evil manner to yourself and say, “you can’t escape me, bwhahahahhaha!”

;D

;D That is one of the sites I came across.

But I can’t seem to find ravmone.exe if that’s what you mean. There’s no ravmone.exe running in my Task Manager. Not even when I run the pendrive. There’s no ravmone in my Windows folder either or ravmonlog for that matter. I have the ‘Show hidden files and folders’ on.

Do you think Avast got rid of it? But why is ravmonlog still there? I’m sorry I’m just thinking out loud here.

I have since tried to scan using Avast and MBAM again but nothing came up.

From the same site I came across this link which specifically addresses pendrive problem with ravmone:
http://stylez.wordpress.com/2007/07/02/a-guide-to-fix-the-thumbdrive-virus-ravmoneexe-part-2/

It says

1. Look for the file called Autorun.inf
  1. It should be shaped like an orange gear with a notepad in the background as its icon.

  2. Select it and delete it.

  3. Check for other files such as Cn911.exe, sxs.exe, Ghost.exe, whether if they are present.

  4. If those files mentioned above are present, please select them and delete them as well.

I remember Avast detected Autorun.inf as being infected and I moved the file to the virus chest.

Sorry I keep repeating myself. But I’d appreciate any more advice on why and how I should deal with the ravmonlog file.

Thanks everyone!
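
The manual check quoted from the guide above (look for Autorun.inf and the executables next to it) can be done without opening or running anything on the drive. The following is an added example, not part of the original thread or of avast!: it reads autorun.inf to see what it would launch and lists executables in the drive root; the function names and the sample files built by `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Executable and autorun file names mentioned in the thread (compared in lower case).
NAMED_IN_THREAD = {"autorun.inf", "ravmone.exe", "cn911.exe", "sxs.exe",
                   "ghost.exe", "isi32.exe"}
LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program


def autorun_targets(path):
    """Return the command lines an autorun.inf would launch (read-only parse)."""
    targets = []
    with open(path, "r", encoding="latin-1") as fh:
        for line in map(str.strip, fh):
            if line.startswith(";") or "=" not in line:
                continue  # comment, section header or blank line
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value)
    return targets


def triage_drive_root(root):
    """List files in the drive root worth scanning before anything is opened."""
    findings = []
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if not os.path.isfile(full):
            continue
        lower = name.lower()
        if lower == "autorun.inf":
            findings += [("autorun-launches", t) for t in autorun_targets(full)]
        elif lower in NAMED_IN_THREAD:
            findings.append(("named-in-thread", name))
        elif lower.endswith((".exe", ".com")):  # types the thread says Sality infects
            findings.append(("executable-in-root", name))
    return findings


def demo():
    """Build a constructed sample drive layout in a temp folder and triage it."""
    samples = {"autorun.inf": "[autorun]\nopen=isi32.exe\nshell\\explore\\command=isi32.exe\n",
               "isi32.exe": "", "report.doc": "", "photo.jpeg": "", "setup.exe": ""}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body)
        return triage_drive_root(root)
```

On a real machine, `triage_drive_root` would be pointed at the pendrive's drive letter (an assumption, for example `E:\`); anything it lists is a candidate for scanning, not proof of infection.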