Forum Announcement

Welcome to the new CNET Forums! Please don't panic. You are not in the Twilight Zone, you are experiencing the new CNET forums platform! Please click here to read the details. Thanks!!

Spyware, Viruses, & Security

Question

Recovery of data from External HDD after worm attack

by achaudhuri66 / August 11, 2012 3:13 PM PDT

In my Seagate 500 GB External Hard disk recently, I noticed for the HDD, there are shortcut links for all the folders . I could open the folders in a new explorer window. Next day, antivirus detected attack in the HDD with Worm:Win32/Dorkbot!lnk. It deleted all the shortcuts. Now I can not find/open the folders though the files are there. I can understand the files are there during virus scanning or though disk usage.
Please help how to recover the data?

Answer This Ask For Clarification
Discussion is locked
You are posting a reply to: Recovery of data from External HDD after worm attack
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Recovery of data from External HDD after worm attack
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

All Answers

Collapse -
Answer
As a start..
by Carol~ Forum moderator / August 12, 2012 2:26 AM PDT

You wrote, "Now I can not find/open the folders though the files are there". The way I view it, finding a folder and opening a folder could incorporate two separate issues. Given the fact it's Win32/Dorkbot!lnk (found by MSE?), I'm going to presume you mean you're unable to find them, in order to open them.

As a start, I would try the easiest thing first. And that would be to "Unhide files and folders". Also remove the check mark next to " Hide protected operating system files". You haven't included which OS you're running. For: Windows XP / Windows 7.

Best of luck..
Carol

Collapse -
Recovery of data from external HDD
by achaudhuri66 / August 12, 2012 2:59 PM PDT
In reply to: As a start..

Thanks Carol~,
I have OS WinXP SP3. You are right, I am not able to see the folders. I have already checked "Unhide files & folders" & also removed check mark "Hide protected operating system files". But result is the same.

Collapse -
Some thoughts..
by Carol~ Forum moderator / August 13, 2012 6:00 AM PDT

achaudhuri..

As you may have read in Microsoft's analysis of Dorkbot!lnk, "LNK files detected as Worm:Win32/Dorkbot!lnk are commonly found on removable drives, and are used to launch a Worm:Win32/Dorkbot executable file also found on the drive. If the user tries to open the shortcut file, it launches the worm executable and also opens an Explorer window.". It's just as you described.

Prior to making any further recommendations, I think it would be important to make sure your A/V completed the job. And also to be assured there is nothing else "lurking around". Try the below (free) tools..

Autorun Eater - You can read the developer's description of it here. See their FAQ if you have any questions. Autorun Eater v2.6 can be downloaded here.

Malwarebytes' Anti-Malware - http://www.malwarebytes.org/products/malwarebytes_free

ESET's Online Scanner - Their FAQ and Help sections should answer any questions you might have. (Temporarily disable your A/V prior to running the scan)

Let us know if there is anything remarkable to report..
Carol

Collapse -
Recovery of data from external HDD
by achaudhuri66 / August 13, 2012 2:27 PM PDT
In reply to: Some thoughts..

Thanks. I'll give a try

Collapse -
Recovery of data from external HDD
by achaudhuri66 / August 15, 2012 2:37 PM PDT

Yesterday, I installed the Quickheal AV with latest virus signature. Scanned the entire PC again with the external HDD. It did not find any. The computer was scanned before with AVG A/V & the HDD too. Still, the files/folders were not visible.
I then ran "uninstall.exe" . It took quite a while. Even at the end it reported the some registry entry repaired. But files/floders were still invisible.
What's next ?????

Collapse -
Uninstall.exe?
by Carol~ Forum moderator / August 16, 2012 4:27 AM PDT

Did you mean the unhide.exe?

If as you say your antivirus removed it, and you ran Autorun Eater, along with the other scanners, the infection should be gone. Gone with the exception of the damage it did.

I don't know what else to tell you. I don't want to suggest anything drastic, without having you first post at a Malware Removal forum. I've only found a couple which have had success unhiding the files.

If MSE found the threat, I would suggest first posting at their forum. It's not the first time they've dealt with your problem.

Otherwise, here a few other's to choose from:

http://www.bleepingcomputer.com/forums/forum22.html
http://www.spywareinfoforum.com/index.php?/forum/18-malware-removal/
http://forums.malwarebytes.org/index.php?showforum=7
http://aumha.net/viewforum.php?f=30
http://www.geekstogo.com/forum/forum/37-virus-spyware-malware-removal/
http://spywarehammer.com/simplemachinesforum/index.php#3

Lastly, I would warn against trying any "fixes" from unknown sites, unless you have a link scanner such as Web of Trust (WOT) installed. It might only make matters worse.

Best of luck..
Carol

Collapse -
Before closing the door..
by Carol~ Forum moderator / August 16, 2012 5:29 AM PDT
In reply to: Uninstall.exe?

Before closing the door, have a look in our own backyard. Happy

And that would be at the Storage Forum. I may be over-looking the obvious. Sad

Further good luck..
Carol

Collapse -
Recovery of Data from External HDD
by achaudhuri66 / August 17, 2012 2:58 PM PDT

Ultimately, I got the break !!!
I installed the Malwarebytes' Anti-Malware and ran it. It took more than 10 hrs. to complete and found 3 infected files in my HDD. But the folders were converted to System folder and then when I uncheck the Hide System Files tab, all the After that I could see all the folders (slightly dim as those are still with Hidden attribute) and files in them.
Now, probably, I have to transfer the files manually one by one under newly created folders and delete the old(hidden) folders !!!! Or, there is some other tools to do it automatically ?????
Thanks for the fabulous guidance, Carol !!!

Collapse -
facing same problem in my seagate Portable HDD
by kavit_sharma / November 16, 2012 9:32 PM PST

Carol, I am facing same problem as achaudhuri66 has faced. But i have already removed the virus named "Dorkbot.A" & "Dorkbot!Ink" but still I am unable to see my data in the HDD. while i can see the occupied space in HDD as "212GB". Also i can see the folders and files while scanning with Miscrosoft essential. But unable to see any folder in HDD rather it shows RYCLER and a shortcut of SYSTEM VOLUME INFORMATION. Both of them are hidden. Now is there any way to recover my data? Please help me its urgent.

Regards
Kavit Sharma

Popular Forums
icon
Computer Help 47,885 discussions
icon
Computer Newbies 10,322 discussions
icon
iPhones, iPods, & iPads 3,188 discussions
icon
Security 30,333 discussions
icon
TVs & Home Theaters 20,177 discussions
icon
HDTV Picture Setting 1,932 discussions
icon
Phones 15,713 discussions
icon
Windows 7 6,210 discussions
icon
Networking & Wireless 14,510 discussions

Tech Tip

Tired of your tricky Wi-Fi password?

Stop trying to memorize a complicated sequence of numbers and letters. Learn how to change the default password.