Virus added .SAVEfiles to files. How do I remove?

K

Kusaywa

Weaksauce
Joined
Mar 11, 2003
Messages
127
A virus, malware or ransomware added .SAVEfiles to a lot of my files. Example: Folder.jpg is now Folder.jpg.SAVEfiles
Is there a batch I can run to remove the .SAVEfiles extension? I've done a few manually and files seem ok. There are a lot so I was looking for a faster way. Thanks
 
Usually when a ton of documents get renamed like that it indicates a ransomware infection. If your files have been encrypted, and not just renamed, all you can really do is hope your backups are up to date.
 
grumperfish said:
Usually when a ton of documents get renamed like that it indicates a ransomware infection. If your files have been encrypted, and not just renamed, all you can really do is hope your backups are up to date.
Click to expand...

This gentleman is correct and what he said is most likely the reason for your problem. Do you have a functional backup?
 
Yea, it's ransomware. Luckily it wasn't anything too important. Unfortunately, no backup but I will start now. I'll hold onto the files for a bit in case someone can decrypt them, Kapersky or somebody. Eh, it was time for a fresh install anyway. Thanks for the help
 
Good idea. A decryption tool may eventually be released. Kaspersky releases decryption tools for dharma variants and others periodically, usually some months after that ransomware has run its course.
 
As others have said, that's a sign of ransomware. If renaming the extension (old school viruses used to just do that trick) doesn't work to get the file back, you could try to use a forensic drive examiner or a recovery tool.

I've used them in the past. Depending how the ransomware was written and how much free space you had on the drive (and/or the type of drive), the original files may still be there. The OS won't overwrite deleted files (they're just marked in the file system as overwriteable) until it needs that space.

So if the ransomware loaded the file into memory, encrypted it, and saved the copy out with .SAVEFile before deleting the original, the originals may still be retrievable if the OS hasn't reused the space.

https://www.howtogeek.com/169344/how-to-recover-a-deleted-file-the-ultimate-guide/
 
You must log in or register to reply here.
Back
Top