First if at all possible TURN off the computer and put the infected drive on another system that is not infected.
If for one reason or another you can not you should cosider one of the cdrom or floppy based
recovery systems and an extra drive.
You should preform recovery to a different filesystem then the one being recovered from other wise you risk overwriting some files as you recover others.
Be aware some companies offer demos that identifies “lost” files but doesn’t save the files it finds.
Here is a short list of forensic tools and data recovery tools.
- PC Inspector File Recovery is a german software, it’s multilanguage and well-done, even if it’s not so intuitive to use;
- Drive Rescue comes from Italy, and it seems to share the PC Inspector engine. The application is, anyway, more light and functional;
- Disk Investigator is a tiny app, hard to manage, that reads the disk in a deeper and physical mode, and it allows a low-level access to the data. It can be used in “extreme” cases and it can be intended for experts;
- Ultimate Boot CD is a suite of selected softwares, grouped in a single ISO file and burnable into a CD: it can be used to boot a PC that endured a data loss. It has a lot of applications for data and settings recovery, useful if you’re in trouble for a data disaster.
- TestDisk is good to recover entire partitions, deleted by an error. It can recover and make them bootable again.
Linux/Unix based tools:
CDROM based Bootable images
FCCU GNU/Linux boot CD 10.0 from the Belgian “Federal Computer Crime Unit”
Fire from SourceForge
FoRK from Vital Data
Requires a registration.
Here is a good list of forensic’s tools.
If you want remove W32.Blackmal.E@mm, read here.