How, if at all, can I restore photos after a virus?

February 13, 2017 at 06:16:37
Specs: Windows 7
The photo extensions on all show the 'type' of file as MERRY rather than JPEG. I am HOPING this can be reversed and that the files themselves aren't corrupted.


#1
February 13, 2017 at 06:19:08
Might be useful to know make/model of the phone?


#2
February 13, 2017 at 07:32:10
Right, sorry. Not a phone, a desk PC. It was a ransomware virus called MERRY Christmas.
System runs fine now that virus is removed but the file extensions on all the photos indicate the file TYPE as MERRY file (.MERRY) not as JPEG.
Research indicates a high probability the files are corrupted; however, I am HOPING that reverting the extensions back to original may recover the photos for use.


#3
February 13, 2017 at 08:30:38
Right click on one of your photos, click Copy, then Paste into the same folder. New file will be called "photo - COPY.merry". Try changing the extension to .jpg. Ignore the warning & click Yes. Double click on the newly named copy & see if it opens properly.


#4
February 13, 2017 at 08:36:18
You can try changing the name of the file but it probably is encrypted. Just right click on a file and select Rename, retype the name with the proper extension. Then try to open it.

Do you have a back up of these files?
Are many of these photos also on your camera's SD card and on your phone/phone microSD card?
Have you sent copies of these previously to others like friends and family?
Have you posted many of these online (Facebook, etc.)?
Photos taken on Android or iPhone may be in the cloud if your phone is sync'd even if you did not realize this.
If you emailed copies of some photos, your email outbox may have clean copies.
In the future make sure that there are two or more copies of any file you would be upset if you lost it, this is especially true of personal pictures as well as important work files.

You have to be a little bit crazy to keep you from going insane.



#5
February 13, 2017 at 10:01:38
Tried. Didn't work. In this scenario, the ransomware altered the file TYPE to be MERRY not whatever app was used to create it. It also affected only my personal files not the system. We removed the virus successfully. My hope is, the ransom gave me five days to pay up and they would release the key to revert all back to original (if they played nice).
My interpretation is that the file's TYPE was changed so this key could easily change it all back. The files could be corrupted, yet at present I cannot manage to change even one file TYPE and see if it is indeed corrupted.
Unfortunately until this happened my employer did not consider my PC of importance to provide protection. And for six years I never had an issue, so I let it be as well. Now he needs/wants the pictures and I can't do anything except shrug my shoulders.
Now I lack in-depth knowledge, however, it just seems to me if an instruction string can be inserted to alter a characteristic of a file there must be some way to reverse it.
It has been over three weeks since the virus appeared and I can do anything and everything I used to do before except use those pictures.


#6
February 13, 2017 at 11:09:31
I've PM'd one of the resident gurus who is frequently successful in dealing with these nasties... Hopefully he will drop across later and have a look-see etc...

Although a bit late at this juncture... "always" make copies/duplicates of "anything" you really wouldn't wish to lose; regardless of what/where it is. Typically to DVD at least (make two sets, label and keep safe); and to an external hard drive too is nice(r)...

I know of a situation where a colleague at work once made his own copies/duplicates of some critical setup files for a very complex piece of broadcast studio kit. When that kit was serviced, failed parts replaced, and some settings had to be re-entered/rebuilt, no-one had a clue what they were; nor were there any backup/copies of the settings... The kit would/could not go back on air until those settings were recreated/re-entered...

What further compounded the problem was that a backup controller pc had also been replaced, and whilst the files were on that, the replacement pc didn't have them...; and that original backup pc had been dumped...

Said colleague brought out his own flash drive which resolved the dilemma. He had also put them on a shared technical resource server - just in-case the flash drive failed, or he wasn't around if the settings were required...

After that event those settings/files were duplicated in several server locations; including several flash drives left with those who "might" need them...


#7
February 13, 2017 at 12:05:54
"We removed the virus successfully"

How did you go about it? Are you sure you totally removed the infection? I'm guessing you did not. These three programs get recommended a lot, download & run them in order:

Adwcleaner: https://www.malwarebytes.com/adwcle...

JRT (Junkware Removal Tool): https://www.bleepingcomputer.com/do...

Malwarebytes Anti-Malware: https://www.malwarebytes.com/

You also need a good anti-virus program, which one are you running?



#8
February 13, 2017 at 13:29:44
You may be in luck, see here:

https://decrypter.emsisoft.com/mrcr

Supposed to be decryption software for your particular variant of the bug.

MIKE

http://www.skeptic.com/



#9
February 13, 2017 at 20:42:44
#8 seems like a viable option to try.
Please note that the files were not randomly scrambled but encrypted which is a more systematic process. Depending upon the encryption process they potentially could be very difficult to untangle (decrypt). If there is an available process and it works reliably on that one in particular then the encryption process is somewhat simpler and obviously more predictable.
Let us know how it goes, especially as this would help many others who come across it in the future.
Going forward make sure that your protection is up to date as well as secure verified back ups of anything important.

You have to be a little bit crazy to keep you from going insane.
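
Posts #4 and #9 distinguish a changed file name from encrypted content. As an added example (not part of any post in this thread), this Python script tells the two apart without modifying anything, by comparing each file's first bytes with well-known format signatures. The `.merry` extension comes from the thread; the function names and the two sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading "magic" bytes of common formats (well-known file signatures).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
}

def sniff(path):
    """Return the format named by the file's first bytes, or None."""
    with open(path, "rb") as fh:  # read-only: the file is never modified
        head = fh.read(16)
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return None

def triage(folder, ext=".merry"):
    """Map each file carrying `ext` to 'renamed only (<fmt>)' or 'content altered'."""
    report = {}
    for p in sorted(Path(folder).rglob("*")):
        if p.is_file() and p.suffix.lower() == ext:
            fmt = sniff(p)
            report[p.name] = f"renamed only ({fmt})" if fmt else "content altered"
    return report

def demo():
    """Build two constructed sample files and triage them."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed: JPEG header plus filler, as if only the name had changed.
        intact = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
        Path(d, "holiday.MERRY").write_bytes(intact)
        # Constructed: arbitrary bytes standing in for encrypted content.
        Path(d, "party.MERRY").write_bytes(bytes(range(0x10, 0x60)))
        return triage(d)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

An intact header only shows that the start of the file is unchanged, so a "renamed only" verdict should still be confirmed by opening a copy of the file.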



#10
February 14, 2017 at 11:46:37
mmcconaghy, thanks for the lead. Am in process of working with them to see how it goes. If good I will definitely let you guys know.
As for removal. My immediate manager jumped in and loaded a virus removal program, then used another running scans and all. And finally loaded Norton, though I would prefer Kaspersky or Webroot. Then I rebooted and ran a Microsoft antivirus in safe mode. So far it's been okay.



#11
February 14, 2017 at 11:49:06
Also, this incident has impressed me with the communities for helping. I gave kudos to Computing.net to Emsisoft. Let the sharing continue. Can't say thank you enough!
