Computer viruses - beware of re-infection

If a filesystem went down due to a virus attack and was subsequently recovered, the files restored from the damaged volume will still contain dormant virus copies. These files should be cleaned before they enter the working system. The virus will lie dormant until you launch one of the infected files or open an infected document. Unless an infected file is opened, you are safe. However, recovered files are of no use if you cannot open them.

This is typically solved just like any other virus infection. You should run your usual antivirus software to check the files you've recovered. Some of the files may be corrupted, and you may get a warning from the antivirus software notifying you that it was unable to analyze particular files. These files should be deleted without attempting to launch them, because they are useless anyway and there is still a chance they may contain a virus. Another drawback is that antivirus software is usually not very robust when handling damaged executables. This usually manifests itself as occasional AV scanner lockups. Files that cause your antivirus to lock up should be deleted as well.

A simplistic approach is to delete the executable files altogether. Usually most of the executables are readily available from their corresponding distribution disks and do not contain any data of interest. Valuable information is stored in data (document) files instead. So, just reinstall the software you need and put your data files back into the working environment. Take care with Microsoft Office documents though. They are somewhat unique in their ability to hold both useful data and virus code at the same time.
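The sorting step described above can be done by file content rather than by name, since recovered files often lose their original names and extensions. The following is an added example, not part of the original article or of ZAR; the category names and the sample files are constructed for illustration, and it only sorts files ahead of the antivirus pass.

```python
import os, pathlib, tempfile, zipfile

OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file: legacy .doc/.xls/.ppt

def classify(path):
    """Classify a recovered file by content; recovered names may be wrong or lost."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return "unreadable"
    if head[:2] == b"MZ" or head[:4] == b"\x7fELF":
        return "executable"        # candidate for deletion; reinstall instead
    if head == OLE2:
        return "office-legacy"     # can hold data and macro code; scan first
    if head[:4] == b"PK\x03\x04":  # ZIP container, e.g. .docx/.xlsx/.docm
        try:
            with zipfile.ZipFile(path) as z:
                names = z.namelist()
        except (zipfile.BadZipFile, OSError):
            return "damaged"       # corrupted container; cannot be analysed
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-macro"  # embedded VBA project present
        return "office" if "[Content_Types].xml" in names else "data"
    return "data"

def triage(root):
    report = {}
    for folder, _, files in os.walk(root):
        for path in (os.path.join(folder, n) for n in files):
            report.setdefault(classify(path), []).append(os.path.relpath(path, root))
    return {k: sorted(v) for k, v in report.items()}

def build_sample(root):
    """Write constructed sample files standing in for a recovered volume."""
    for name, member in [("report.docx", "word/document.xml"),
                         ("invoice.docm", "word/vbaProject.bin")]:
        with zipfile.ZipFile(os.path.join(root, name), "w") as z:
            z.writestr("[Content_Types].xml", b"constructed")
            z.writestr(member, b"constructed")
    raw = {"FILE0001.CHK": b"MZ\x90\x00" + bytes(60), "old.doc": OLE2 + bytes(504),
           "broken.xlsx": b"PK\x03\x04" + bytes(40), "notes.txt": b"plain text\n"}
    for name, data in raw.items():
        pathlib.Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```
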

We advise you to treat any kind of data loss as virus-induced unless proven otherwise. This is simply because the question "what exactly went wrong" is often difficult to answer and we prefer to err on the safe side. The only exception is physical drive damage (no virus strain is known to damage a hard disk physically, at the time of this writing).

Copyright © 2001 - 2023 Alexey V. Gubin.