
McAfee Quarantined virus infected files help

Status
Not open for further replies.

popeydotcom (IS-IT--Management, GB), Oct 6, 2002

I have been handed a machine to 'fix' which has a whole bunch of virus laden word docs. It has McAfee on it which has found and quarantined these files. According to the documentation, "Quarantine" means to encrypt and move the files to another location. McAfee claims it cannot clean the files, and as such I'm left with a directory full of "important documents" which are unreadable.

My plan is to:

1. Decrypt the files.
2. Open each in Word (it's Word 2K so I don't think WordPad will look at them)
3. Save as RTF
4. Delete original Word docs
5. Scan & clean machine.

Stumbling block 1: So how does one decrypt these files?

Any help greatly appreciated.
Thanks.
Al.
 
Doesn't the quarantine folder give you the option to restore them to their original location? But if those files were overwritten with virus code then your files may be history. But what virus is it??
 
There is indeed a "restore" function which allows you to bring a file out of quarantine. However, the user (or some other 'expert') appears to have moved, moved and moved files around so that whilst the quarantined files *are* in the McAfee Quarant folder, McAfee can't 'see' them. I've tried fooling McAfee into seeing them by editing a log file (which appears to index the files) in that directory, but to no avail.

I also did a test by creating a dummy virus-laden file, which sure enough was quarantined correctly, and I could restore it too. However, the other 200+ files in the Quarant directory couldn't be seen.

I am away from the machine right now; there are two W97/ macro viruses, W97/Cap and another whose name I can't remember.

Cheers,
Al.
 
Well, about the only thing I could suggest is to try going to the quarantine folder manually through Windows Explorer and see if the files are there. But what's there may only be pointers to the original files, but I don't know. As you said, it sounds like someone moved or deleted them. Go to 'Find Files' and search for *.doc or whatever the extensions were and see if it finds them. Include the asterisk in the search.
 
Hi Kento,

All the files are indeed in the quarantine folder. They were moved there by McAfee, and then encrypted. The original .doc files have been removed.

I think I'm going nowhere with this problem. The only thing I have left is to upgrade McAfee to the latest version (the one on there is old) and hope it finds the files.

Cheers,
Al.
 
What you said is confusing. You say the files are there but the originals were removed? What's that mean? If the original infected doc files were deleted then they aren't in there and you won't find them.
 
Yes, sorry, the original Word docs are gone, but there is an encrypted version of them in the quarantine folder. This is the one I am trying to get McAfee to recognise so I can 'restore' it.
 
I'm not sure that's the case, but I don't use McAfee. Normally when an AV program like Norton (which I have) places a file in quarantine, it puts the original file in there, not a copy. Unless I'm confused, which is very possible at this point, it sounds to me that you're saying McAfee put copies in the quarantine folder then deleted the originals. AV programs don't do that. Even if they did, it would be able to restore the copies. But if you open Windows Explorer and go to the quarantine folder through there rather than through McAfee, what are the file sizes shown in there, if indeed there are any files in there? That's where the files would be located if they exist. Do the file sizes correspond to what the doc file sizes should be? Do any files even show there? Again, I'm talking about viewing the quarantine folder's contents through Windows Explorer, not through the McAfee program. If no files show in the quarantine folder when going there via Windows Explorer, or those files are very small in size like 1 or 2KB, then I'm guessing that all you're seeing in McAfee is a list put there by a registry entry. If I'm confused here and the files actually do exist in Windows Explorer, then I don't know how you'll ever decrypt them. Maybe McAfee's tech support can tell you.
 
Take a step back, it's very simple. This is what happens.

1. Start virus scan
2. McAfee finds file which is infected
3. McAfee asks what you want to do with the file
4. You press 'quarantine'
5. McAfee takes the file (.doc), encrypts it, puts the encrypted version (.mcq) in the quarantine folder, and deletes the original file

So what you have is an encrypted file (.mcq) in the quarantine folder which can NOT be opened in Word (because it isn't a word document format file).

You can go to the quarantine folder in explorer and see lots of .mcq files. They cannot be recognised by anything because they are encrypted. They are my word documents (albeit in encrypted form) because the first part of the file names is the same as they were when they were word documents. McAfee has encrypted them and changed the file extension.

The problem is that the person who owned the PC moved the files out of the quarantine folder without using the 'restore' option. So they are STILL encrypted. They tried fixing this by moving them back to the quarantine folder, but now McAfee won't recognise that they are there.
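Kento's question about file sizes and Al's description of the .mcq files come down to one triage check that can be done before touching the AV product at all: for each file in the quarantine folder, is it a doc-sized opaque blob (consistent with an encrypted quarantine copy), a tiny stub (consistent with a pointer or index entry), or a file that still begins with the OLE2 compound-document signature that Word 97/2000 .doc files carry (a real document that was merely renamed)? The Python script below is an added example, not code from this thread or from McAfee; it decrypts nothing, since the .mcq format is not described on this page, and it assumes only the OLE2 signature. The folder name, file names and file contents it builds are constructed sample data.

```python
import os
import tempfile

# OLE2 compound-document signature; Word 97/2000 .doc files begin with it.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Files at or below this size are treated as stubs/pointers rather than documents.
STUB_LIMIT = 2048


def classify_file(path):
    """Describe one file: name, extension, size, OLE2 header present, stub-sized."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(len(OLE2_MAGIC))
    return {
        "name": os.path.basename(path),
        "ext": os.path.splitext(path)[1].lower(),
        "size": size,
        "ole2_header": head == OLE2_MAGIC,
        "stub_sized": size <= STUB_LIMIT,
    }


def inventory_quarantine(folder):
    """Classify every regular file directly inside folder, sorted by name."""
    rows = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            rows.append(classify_file(path))
    return rows


def summarize(rows):
    """Count files by category: still-OLE2 documents, tiny stubs, opaque blobs."""
    counts = {"ole2_docs": 0, "stubs": 0, "opaque": 0}
    for r in rows:
        if r["ole2_header"]:
            counts["ole2_docs"] += 1
        elif r["stub_sized"]:
            counts["stubs"] += 1
        else:
            counts["opaque"] += 1
    return counts


def build_sample_folder():
    """Constructed sample data (hypothetical): one file of each kind in a temp dir."""
    d = tempfile.mkdtemp(prefix="quarantine_sample_")
    # Opaque, document-sized content with no recognisable header (40960 bytes).
    with open(os.path.join(d, "report.mcq"), "wb") as f:
        f.write(bytes(range(256)) * 160)
    # A .mcq that still starts with the OLE2 signature, i.e. a renamed .doc.
    with open(os.path.join(d, "renamed.mcq"), "wb") as f:
        f.write(OLE2_MAGIC + b"\x00" * 20000)
    # A tiny stub holding only a path, the "pointer" case Kento described.
    with open(os.path.join(d, "pointer.mcq"), "wb") as f:
        f.write(b"C:\\Docs\\pointer.doc\r\n")
    return d


if __name__ == "__main__":
    folder = build_sample_folder()
    rows = inventory_quarantine(folder)
    for r in rows:
        print(f"{r['name']:14} {r['size']:>7} bytes  ole2={r['ole2_header']}  stub={r['stub_sized']}")
    print(summarize(rows))
```

To use it on a real machine, point inventory_quarantine() at the actual quarantine folder instead of the constructed one. Files that still carry the OLE2 header at a plausible size are probably documents with a changed extension; stub-sized files are consistent with index or pointer entries; doc-sized files with no recognisable header are the ones that only the product's own restore function can bring back.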
 