Solved

Virus added .html to many .jpg files.

Posted on 2013-05-17
Last Modified: 2013-05-17
I am working with a client who was hit with some sort of virus that messed with his .jpg files.  He has cleaned up the virus successfully, but now we are trying to correct the damage.

Many (all?) of his .jpg files now have .html added to the end.  If you double-click on them you are taken to a web site that wants money to clean up the problem.

I'm presuming that the direction to that site is enclosed in the corrupted files as other .html files are viewed properly.

I've tried renaming the files by deleting the .html extension, but they only generate errors in whatever I use to view them.

It appears to be the same symptom as described in: http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_28085247.html

I've attached three examples of this to illustrate the problem.  I'd recommend extreme caution when opening them as they will take you to the site that I mentioned and I can make no claims as to what that site may try to do to your computer.

How do I retrieve the proper .jpg files from these?
CorrupteddPics.zip
Question by:CompProbSolv
7 Comments
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39174007
Just a thought
Are the files actually the genuine ones?

Is it possible the virus has created HTML links by using the filenames?

It may be that the originals have had their attributes changed to hide them away

Try running

Attrib *.jpg -r -a -s -h on a folder with known Jpg's

If the files appear it should just be necessary to delete the .html bogus files
0
 
LVL 21

Author Comment

by:CompProbSolv
ID: 39174016
I looked in the folder with Windows Explorer configured to show hidden and protected files and didn't see any additional files.

The sizes of the files and the content (when viewed with notepad, for example) imply to me that the actual pictures are imbedded in there.  Of course, that could just be wishful thinking!
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39174033
Seems there are a few variants of this
Some straight rename/hide
Some encrypting the files
Some zipping the originals

The filesize seems to be the clue
A work in progress for me at the moment
Will post back later
0

 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39174035
Am on iPhone, will look at zip later
To see if it reveals anything
0
 
LVL 10

Expert Comment

by:cpmcomputers
ID: 39174056
Looks like original file is encrypted and HTML link added
Does not appear anyone has a decryption option for this as yet?
0
 
LVL 20

Accepted Solution

by:
marsilies earned 500 total points
ID: 39175561
I found this post where someone was able to recover the original files by using Previous Versions:
http://www.podnutz.com/forums/viewtopic.php?f=26&t=9996

Windows 7 has Previous Versions on all editions, instructions on how to use it here:
http://www.howtogeek.com/howto/11130/restore-previous-versions-of-files-in-every-edition-of-windows-7/

Vista had the Previous Versions feature in Pro and higher editions, but users of the Home editions could use the third-party program Shadow Explorer to recover files:
http://www.howtogeek.com/howto/windows-vista/recover-files-with-shadow-copies-on-any-version-of-windows-vista/


FWIW, I tried extracting the JPEG from the file using BitmapRip, ExtractJPEG, and deJPEG, and none of them could find a JPEG. I'm guessing that means the file is encrypted, or at least compressed.
http://mark0.net/soft-bitmaprip-e.html
http://www.gunamoi.com.au/soft/extractjpeg/index.html
http://betanews.com/2013/05/16/extract-jpegs-from-almost-any-file-with-dejpeg/
0
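An added example, not from the original thread: a Python triage that repeats the check described in the accepted answer, carving for a structurally valid JPEG and falling back to byte entropy when none is found. The sample bytes, the wrapper-first layout, the XOR stand-in for the unknown transformation and the 7.5 bits/byte threshold are all assumptions made for the illustration.

```python
import hashlib
import math
from collections import Counter

SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start / end-of-image markers

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0); empty input gives 0."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def find_jpeg(data: bytes):
    """Return (start, end) of the first structurally valid JPEG, else None."""
    start = data.find(SOI)
    while start != -1:
        pos = start + 2
        # Walk header segments: FF <marker> <2-byte big-endian length>.
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
            if seglen < 2:
                break
            pos += 2 + seglen
            if marker == 0xDA:  # start of scan: compressed image data follows
                end = data.find(EOI, pos)
                if end != -1:
                    return start, end + 2
                break
        start = data.find(SOI, start + 1)
    return None

def triage(data: bytes) -> str:
    if find_jpeg(data):
        return "jpeg-embedded"        # recoverable by slicing at the offsets
    if entropy(data) > 7.5:           # assumed threshold
        return "opaque-high-entropy"  # consistent with encryption or compression
    return "low-entropy"              # mostly text, nothing image-like inside

def keystream(n: int) -> bytes:  # deterministic pseudo-random bytes for the samples
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed samples; none of these bytes come from the files in the thread.
WRAPPER = b"<html><body>constructed placeholder page</body></html>"
JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(9)
        + b"\xff\xda\x00\x08" + bytes(6) + keystream(4096) + EOI)
EMBEDDED = WRAPPER + JPEG
SCRAMBLED = WRAPPER + bytes(a ^ b for a, b in zip(JPEG, keystream(len(JPEG))))

for name, blob in [("embedded", EMBEDDED), ("scrambled", SCRAMBLED), ("html", WRAPPER)]:
    print(name, round(entropy(blob), 2), triage(blob))
```

A real JPEG is itself close to 8 bits per byte, so the entropy figure only means something after the marker walk has failed. Run it against copies of the affected files, never the only remaining originals.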
 
LVL 21

Author Comment

by:CompProbSolv
ID: 39176397
Good news!

I connected to the client's computer (Vista Home Premium), downloaded Shadow Explorer and started recovering files.

It is running now but the first results are excellent.  I moved all of the folders in Pictures to a folder I created named Bad before starting the restoration.  It had only done a handful of folders when I left it, but they all checked out.

Many thanks for the input!

I am curious as to whether or not anyone has a way to undo the damage to the files directly, though this will likely not be necessary in this case.
0
