Barry, and fellow listmembers,

First: Do not run Windows until the virus is eradicated! The virus modifies
WIN.INI (Win95) or the registry so that THE PROGRAM IS EXECUTED
EACH TIME WINDOWS IS RUN. Start Windows 2 or 3 times and your
files are so badly overwritten as to be unrecoverable unless protected by
the Norton Utilities or similar program.

I made the mistake of calling the IT people right away. The woman who
responded "diddled" with the machine repeatedly, shutting down and
restarting. Finally, another woman arrived with instructions on how to find
and remove the virus. These instructions may be found at:

NOTE: USE SOMEONE ELSE'S MACHINE TO ACCESS THE WEB -
THE FILES DOWNLOADED BY YOUR BROWSER MAY OVER-
WRITE YOUR DELETED, BUT STILL INTACT FILES!

http://www.symantec.com/avcenter/venc/data/worm.explorezip.pack.html

I used Norton Unerase to recover what I could. Unfortunately, the IT people
had played with the machine long enough to trash most traces of my files.
Use Manual Unerase (ALT-M) and look for .doc or .xls files of at least 10k
or larger size (usually hundreds of k). The trashed versions will be either
0 or 54 or similar bytes. Add likely sectors when prompted, and then save.
Your best bet to recover data is to unerase files with names such as
"~WRL001.tmp". These are often the previous version of Word files that
have been saved multiple times. I reclaimed a 31-page test report from one
of these files with a .tmp extension, complete with tables and graphics!
Use Wordpad to look at them - I was able to identify several Word and
Excel documents by the content.

In future, at the first suspicion of a virus, SHUT THE POWER OFF.
Then, reboot the machine from a clean boot floppy, and then use a
clean virus eradication floppy to check the machine. Both floppies
should be write-protected or they may be infected by a virus they
don't recognize.

Good Luck, and I'm sorry I don't have a better prognosis for your files.

Scott Lacey
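The triage described above (skip the tiny overwritten originals, then identify Word and Excel documents among unerased `.tmp` files by their content) can be scripted. This is an added example, not part of the original message. It assumes Word 97/Excel 97 files, which begin with the OLE2 compound-file signature and contain a `WordDocument` or `Workbook`/`Book` stream name; the function names and the sample files other than `~WRL001.tmp` are constructed for illustration.

```python
import os
import tempfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of Word/Excel 97 files
MIN_SIZE = 10 * 1024                             # the "at least 10k" rule of thumb
WORD = "WordDocument".encode("utf-16-le")        # OLE2 stream names are UTF-16LE
EXCEL = ("Workbook".encode("utf-16-le"), "Book".encode("utf-16-le"))

def classify(path):
    """Return 'overwritten', 'word', 'excel', 'ole2-unknown' or 'other'."""
    if os.path.getsize(path) < 512:      # too small to hold an OLE2 header
        return "overwritten"
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(OLE2_MAGIC):
        return "other"
    if WORD in data:
        return "word"
    if any(marker in data for marker in EXCEL):
        return "excel"
    return "ole2-unknown"

def triage(folder):
    """Map each file name to (kind, size, candidate-for-recovery flag)."""
    report = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            kind, size = classify(path), os.path.getsize(path)
            report[name] = (kind, size, kind in ("word", "excel") and size >= MIN_SIZE)
    return report

def build_sample(folder):  # constructed sample files, not real recovered data
    def ole2(marker, total):
        return (OLE2_MAGIC + b"\x00" * 1016 + marker).ljust(total, b"\x00")
    samples = {
        "report.doc": b"\x00" * 54,               # trashed original
        "~WRL001.tmp": ole2(WORD, 40 * 1024),     # earlier Word save
        "budget.tmp": ole2(EXCEL[0], 12 * 1024),  # Excel workbook
        "notes.tmp": b"plain text " * 100,        # not an Office file
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, row in triage(tmp).items():
            print(name, *row)
```

Run it against copies of the recovered files on a different disk, since any write to the affected volume can overwrite deleted data.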

> -----Original Message-----
> From: [email protected] [SMTP:[email protected]]
> Sent: Friday, December 03, 1999 11:08 AM
> To:   [email protected]
> Subject:      re: How to recover from yesterday's virus
> 
> 
> Martin said: 'Several members of this list have contacted me asking how to
> recover damaged files from the "unzipped_files.exe" virus.' I am one of
> them.
> I was attacked. I don't have Norton Utilities. I did not back up my files.
> If somebody is able to recover his damaged files, please let me know.
> Thanks.
> Barry Ma
> Anritsu Company
> ---------- Original Text ----------
> 
> From: "Martin Rowe (TMW)" <[email protected]>, on 12/2/99 10:59 AM:
> 
> 
> Several members of this list have contacted me asking how to
> recover damaged files from the "unzipped_files.exe" virus.
> Here's how I did it.
> 
> I had Norton Utilities running on my PC at the time of the
> virus. Norton creates an additional recycle bin called the
> protected bin.
> 
> Open the Norton Utilities integrator then open the Unerase
> wizard. You'll get three choices. Select "Find all protected
> files on local drives." Norton will need a few seconds to find
> the files. Then you get a list of all the protected files.
> Select your files and click Recover. Windows will ask you if you
> want to overwrite the file with 0 bytes with the protected file.
> Click "Yes."
> 
> I sometimes got an error box saying "Unable to continue because
> another application has been writing to volume. You may want to
> close other programs and retry this operation." Just hit "Retry"
> and your file will be recovered. Or, close all other Windows apps
> and you won't get the error message.
> 
> If you didn't have Norton installed on your system when the
> virus struck, then you may or may not be able to recover your
> files. I'm not sure. If someone installs Norton and tries to
> recover the files, please let me know if you were successful or
> not.
> 
> So what did I learn from spending most of a day trying to figure
> out how to recover?
> 
> * Back up your files. At the very least, make copies of your Word
> and Excel files in ZIP format. I keep archived files in zip
> format and they were not damaged.
> * IT people are rather useless. They had me uninstall and
> reinstall MS Office 97, which did nothing.
> * Never operate a PC without Norton Utilities. I use it both at
> home and at work.
> * Use a mail client by someone other than Microsoft. Most of
> these e-mail based viruses use VBA code to do their damage or to
> find new addresses. In fact avoid Microsoft wherever possible.
> Heck, run Wordperfect. That's what I do at home.
> 
> Now, back to your local EMC discussion.
> 
> ----------------------------    /\
> | Martin Rowe              |   /  \
> | Senior Technical Editor  |  /    \          /\
> | Test & Measurement World | /      \        /  \    /\  ____
> | voice 617-558-4426       |/        \      /    \  /  \/
> | fax 617-558-4470         |          \    /      \/
> | e-mail [email protected]   |           \  /
> | http://www.tmworld.com   |            \/
> ----------------------------
> 
> 
> 
> ---------
> This message is coming from the emc-pstc discussion list.
> To cancel your subscription, send mail to [email protected]
> with the single line: "unsubscribe emc-pstc" (without the
> quotes).  For help, send mail to [email protected],
> [email protected], [email protected], or
> [email protected] (the list administrators).