My wife’s computer was recently infected with a Trojan Horse virus indicating an indexation problem. I downloaded and installed Avast free software and it immediately found the infection. I then chose to do a pre-boot scan. After a short time into the scan an infected file was found and this is where I think I made a mistake; I chose to delete the file. The scan then did that and continued to run, finding another infected file. I then chose to ‘delete all’ and away Avast went. This scan took over 5 hours to complete.
Now my wife has no pictures, documents, etc. The only thing I can think of is that I should have selected some action other than ‘delete all’; repair maybe.
Is there a way to recover all the lost data files? I’m in real trouble.
Deletion is never a good first option; you have none left.
The only way to recover deleted files is through an application to recover deleted files (google that, there should be plenty of options, many free). The longer between deletion and any recovery attempt, the less likely the success rate.
You would also have to know what it is that you seek to recover (date, time of deletion roughly) as there could be hundreds of hits in its search for deleted files. Avast may well alert when trying to recover these files; if so, sending them to the chest is the best/safest option.
Look in the C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report\aswBoot.txt file (XP location) or C:\ProgramData\Avast Software\Avast\report\aswBoot.txt (Vista, Win7 location). Check this file using Notepad for info on the scan/detections, etc.
Copy and paste that information: file name, location and malware name of the detections. That gives us something to work with (and also when you attempt to undelete these files), to say what the likelihood is of the detection being good.
* Download RogueKiller and save it on your desktop.
* Quit all programs
* Start RogueKiller.exe.
* Wait until Prescan has finished …
* Click on Scan
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Select All Users
* Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
Drives
CREATERESTOREPOINT
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
* When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
* Post both logs
AND FINALLY
Download aswMBR.exe (4.1mb) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start scan.
I’m overwhelmed by the response from all of you–thanks. I’ve begun to download programs and compile the information requested and will post soon.
I believe the Trojan that started all this was Win32:FakeSysdefs-A as indicated in the Avast pre-boot scan log I have saved and will include in a future post.