
Need help getting info off a virus infected hard drive.


17 replies to this topic

#1 doingitwell

  • Members
  • 55 posts
  • Gender:Male

Posted 06 May 2010 - 10:02 PM

First let me say I made my first post in the Introduction thread. It's good to feel welcomed. Although I've felt like part of the family for a long time as I've been lurking for who knows how long....please forgive me for not joining earlier!!! :thumbsup:

I'll cut to the chase, a couple days ago I had some family over and they used my computer to access the internet doing who knows what. Well, later that evening I had a sh!t load of problems. Pop-ups everywhere claiming a virus attack and all the normal BS that goes with it. The computer re-booted on its own and then I get something similar to the blue screen of death except there is a smaller page in front of it claiming I violated a copyright issue. I immediately knew it was bogus and did a hard re-boot as I couldn't control anything. Did that 3 times until I could get access to my desktop. Even after getting access to the desktop it took about 15 minutes of misc junk of pop-ups, .exe warnings, porn site(s), etc. to load until I could even access the tool bar, but still couldn't do anything, including accessing the internet. I then discovered I got hit by the infamous Antimalware Doctor virus. I have my normal firewall on and running the free version of Avast. The virus(es) obviously got past both.

There's a lot more that went along with the above problem but that's not why I'm here. I say that because I finally got all the needed AV programs on a jump drive and was ready to kick the dog poo-poo out of the virus, and get this, the computer would NOT fire up. Possibly coincidental, but I suspect the power supply has died. I'm talking a 5 1/2 year old computer here.

So, here is my need. I would like to salvage the info on the HD, but since it's infected how can I go about doing it using a different computer? I'm sure it will matter but my old computer was/is running XP and the computer I'm now using is running Vista Ultimate.

Thanks all!!!!

Edited by doingitwell, 06 May 2010 - 11:33 PM.




#2 the_patriot11

    High Tech Redneck

  • BC Advisor
  • 6,755 posts
  • Gender:Male
  • Location:Wyoming USA

Posted 06 May 2010 - 11:22 PM

Well, what I do is I have a computer set up with Linux that I hook virus-infected drives up to as slave drives, and use it to get the files off of. If you have access to another computer, you could download an Ubuntu live CD, then hook that hard drive to another system, either as a primary hard drive or a slave, and boot up with that Ubuntu live CD, and you can get the files you need off it that way. Save them all to a jump drive, and make sure when you hook it back up to a Windows PC that you scan it for viruses before opening it.

Directions to use Ubuntu: insert the CD into the drive. Reboot. Choose boot from CD, then the option "try Ubuntu out" (not install). From there you should be able to figure it out; Ubuntu's fairly easy and friendly. Just find the home directory and the hard drive, and it should recognize any jump drives automatically. Saving files is as easy as drag and click. Fairly easy to figure out.


Primary system: Motherboard: ASUS M4A89GTD PRO/USB3, Processor: AMD Phenom II x4 945, Memory: 16 gigs of Patriot G2 DDR3 1600, Video: AMD Sapphire Nitro R9 380, Storage: 1 WD 500 gig HD, 1 Hitachi 500 gig HD, and Power supply: Coolermaster 750 watt, OS: Windows 10 64 bit. 

Media Center: Motherboard: Gigabyte mp61p-S3, Processor: AMD Athlon 64 x2 6000+, Memory: 6 gigs Patriot DDR2 800, Video: Gigabyte GeForce GT730, Storage: 500 gig Hitachi, PSU: Seasonic M1211 620W full modular, OS: Windows 10.

If I don't reply within 24 hours of your reply, feel free to send me a pm.
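The live CD procedure in the post above, as an added example that is not part of the thread (it is this editor's script, not the_patriot11's and not anything shipped by Ubuntu): a POSIX shell script for an Ubuntu live session that mounts the suspect NTFS partition read-only with noexec, copies only user data, skips the Windows and Program Files trees plus anything with an executable or script extension (including disguised names such as photo.jpg.exe and any autorun.inf), and writes a SHA-256 manifest of what it copied. The device name /dev/sdb1, the mount point /mnt/suspect, the rescue stick path and the function names are assumptions for illustration; check the real device with `lsblk -f` first. One point the script relies on: ntfs-3g does not enforce NTFS permissions by default, so the old user folders are readable from the live session without taking ownership of anything.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Pull user data off a suspect NTFS drive from an Ubuntu live session
# without executing or modifying anything on it.
#
# Assumptions (adjust before use): the infected drive shows up as
# /dev/sdb1 (check with `lsblk -f`), the rescue stick is already
# auto-mounted under /media, and ntfs-3g is present (it is on Ubuntu
# live media). Run the whole script with sudo.

# 1. Mount read-only and with noexec/nosuid/nodev so that nothing on the
#    drive can be run by accident. ro also leaves the drive unmodified,
#    which matters if you later want to look at what actually happened.
mount_suspect_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# 2. Decide, per file (path relative to the drive root), whether it is
#    data worth copying. Returns 0 (yes) for ordinary documents outside
#    the OS/program trees, and 1 (no) for anything that carries code:
#    the Windows and Program Files trees, autorun.inf, and any
#    executable or script extension, including disguised ones such as
#    photo.jpg.exe (the last extension is what Windows acts on).
is_data_file() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    top=${lower%%/*}
    case "$top" in
        windows|winnt|'program files'|'program files (x86)'|programdata|'system volume information'|'$recycle.bin'|recycler) return 1 ;;
    esac
    base=${lower##*/}
    [ "$base" = autorun.inf ] && return 1
    case "$base" in *.*) ext=${base##*.} ;; *) return 0 ;; esac
    case "$ext" in
        exe|dll|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|wsh|hta|cpl|msi|lnk|sys|ocx|drv|jar|reg|ps1) return 1 ;;
    esac
    return 0
}

# SHA-256 of one file; sha256sum on Linux, shasum as a fallback elsewhere.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# 3. Copy the data files, preserving the folder layout, and write a
#    manifest (paths relative to the salvage folder) so the copies can be
#    verified later. Everything skipped is listed in SKIPPED.txt so you
#    can see what was deliberately left behind.
salvage_data() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    : > "$dst/MANIFEST.sha256"
    : > "$dst/SKIPPED.txt"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_data_file "$rel"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"
            (cd "$dst" && hash_file "$rel") >> "$dst/MANIFEST.sha256"
        else
            printf '%s\n' "$rel" >> "$dst/SKIPPED.txt"
        fi
    done
}

# Usage: sudo sh salvage.sh /dev/sdb1 /media/ubuntu/RESCUE/salvage
# (the functions above are only wired up when both arguments are given,
# so the file can also be sourced to reuse them)
if [ $# -eq 2 ]; then
    mount_suspect_ro "$1" /mnt/suspect
    salvage_data /mnt/suspect "$2"
    umount /mnt/suspect
fi
```

Run it as root from the live session, then scan the salvage folder with the clean machine's antivirus before opening anything: the filter removes code, but Office documents, PDFs and archives count as data here and can still carry macro or exploit payloads. To confirm the copies on the clean machine, change into the salvage folder and run `sha256sum -c MANIFEST.sha256`.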


#3 doingitwell
  • Topic Starter

  • Members
  • 55 posts
  • Gender:Male

Posted 06 May 2010 - 11:41 PM

Hey Patriot, thanks for the post. I will admit I've never heard of an Ubuntu live CD, but I will certainly be checking it out. However, I do not have a stand-alone computer only running Linux. The best I can do right now is the system I'm using with Vista. But then again, I've been kicking around the thought of building another computer myself. It's been about 7 years since I've done it, but I would like the experience.

Thanks again Patriot. Should I be able to follow your advice I'll be sure to let you know how things go.

#4 the_patriot11

    High Tech Redneck

  • BC Advisor
  • 6,755 posts
  • Gender:Male
  • Location:Wyoming USA

Posted 06 May 2010 - 11:51 PM

Well, that's why I suggested an Ubuntu live CD. You don't need the computer to be running Linux at all. You just insert the CD and boot up with that, and the OS runs off your RAM, no installation required. You can back up files, even surf the net, without having to actually have it installed. Once you shut down and remove the CD, it boots back up under the original OS you had on it (in this case, Vista), and it is fairly simple to figure out.

Edited by the_patriot09, 06 May 2010 - 11:52 PM.



#5 hamluis

    Moderator

  • Moderator
  • 55,252 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 07 May 2010 - 12:03 PM

If you just remove the drive...slave it (make it a secondary drive) on a well-protected system and scan it with that system's AV, Malwarebytes, and SUPERAntiSpyware (before moving anything)...that should minimize the chance of infected data files.

Of course, you will be unable to move programs installed or the O/S itself to another system.

To access any data files stored in Docs & Settings folders...you will probably have to take ownership of such.

How to take ownership of a file or a folder in Windows XP - http://support.microsoft.com/kb/308421

Louis

#6 eastonch

  • Members
  • 110 posts
  • Gender:Male

Posted 07 May 2010 - 01:07 PM

As described.

Ubuntu is great. Hook up an external, or if you have some webspace, download FileZilla, which I'm sure works with Ubuntu.

Install to a partition; just split your drive a little if you can.

Although it works plug and play :D

#7 doingitwell
  • Topic Starter

  • Members
  • 55 posts
  • Gender:Male

Posted 07 May 2010 - 05:56 PM

If you just remove the drive...slave it (make it a secondary drive) on a well-protected system and scan it with that system's AV, Malwarebytes, and SUPERAntiSpyware (before moving anything)...that should minimize the chance of infected data files.

Of course, you will be unable to move programs installed or the O/S itself to another system.

To access any data files stored in Docs & Settings folders...you will probably have to take ownership of such.

How to take ownership of a file or a folder in Windows XP - http://support.microsoft.com/kb/308421

Louis


Hey Louis, how come I couldn't move the programs that I've installed on the HD? I ask as I've backed up all my pictures prior to the infection but there is mainly one program I would like to get off it, which is Autocad.

#8 hamluis

    Moderator

  • Moderator
  • 55,252 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 07 May 2010 - 07:46 PM

Programs depend on the O/S, which contains the registry.

When a system is infected, the infection can exist in system files, files installed (intentionally and unintentionally), and registry entries.

Moving any of these without the others...is a waste of time, since they interact...registry, system files, program files.

The only way to move a program installed...is to clone the drive or something similar. If the system is infected, what would be the point of such?

That is why there is always reference to moving "data files" from an infected system...otherwise, the infection may spread/continue.

Louis

#9 Sneakycyber

    Network Engineer

  • BC Advisor
  • 6,092 posts
  • Gender:Male
  • Location:Ohio

Posted 08 May 2010 - 07:04 AM

To elaborate a bit more: when you install a program, it writes to the registry. The registry tells Windows where all the files are that are needed to execute the program; if you move a program without the corresponding registry entries, it won't work. The program has to be re-installed on the new system using the installation shell or installation program.

Chad Mockensturm 

Systems and Network Engineer

Certified CompTIA Network+, A+


#10 doingitwell
  • Topic Starter

  • Members
  • 55 posts
  • Gender:Male

Posted 09 May 2010 - 11:01 AM

Programs depend on the O/S, which contains the registry.

When a system is infected, the infection can exist in system files, files installed (intentionally and unintentionally), and registry entries.

Moving any of these without the others...is a waste of time, since they interact...registry, system files, program files.

The only way to move a program installed...is to clone the drive or something similar. If the system is infected, what would be the point of such?

That is why there is always reference to moving "data files" from an infected system...otherwise, the infection may spread/continue.

Louis


Ok, so far I'm understanding most of everything from the posters. But how could I operate the drive using my current O/S (Vista) when the O/S on the virus-infected drive is XP? Or is that not even possible?

If it can't be done then could I slave the HD without conflict since the O/S are different?

#11 mb9023

  • Members
  • 74 posts
  • Gender:Male

Posted 09 May 2010 - 02:45 PM

Slaving a drive doesn't require the OS to operate in any way; it basically just recognizes it as a storage drive, like a flash drive or an external drive would be. If you plug a drive into your system as a slave, it will show up in your current system's 'My Computer' as just a secondary hard drive, through which you will have access to all the files. All you need to do is open it, find your needed documents and copy them over, after scanning with the many suggested AVs, of course. Just do NOT copy any system files or anything from Program Files, as they will most likely be infected. You will have to reinstall anything such as AutoCAD, but you can copy over any saved pictures or files with no problem (most likely). :thumbsup:

#12 doingitwell
  • Topic Starter

  • Members
  • 55 posts
  • Gender:Male

Posted 09 May 2010 - 03:50 PM

Slaving a drive doesn't require the OS to operate in any way; it basically just recognizes it as a storage drive, like a flash drive or an external drive would be. If you plug a drive into your system as a slave, it will show up in your current system's 'My Computer' as just a secondary hard drive, through which you will have access to all the files. All you need to do is open it, find your needed documents and copy them over, after scanning with the many suggested AVs, of course. Just do NOT copy any system files or anything from Program Files, as they will most likely be infected. You will have to reinstall anything such as AutoCAD, but you can copy over any saved pictures or files with no problem (most likely). :thumbsup:


Thanks MB, I'm getting more knowledgeable every post.

So is it a matter of opening up my current case, mounting the drive and plugging it into an extra plug? Would I need to change BIOS settings or anything? Since the HD that I'm using now is set as primary in the BIOS, I'm thinking I wouldn't have to do anything with the slave one. Or would I? I guess I could also go with the external enclosed docking station, but my access to the HD would be slower, correct?

And, after I get what I want off the drive, should I just format it afterwards to rid myself of any infected files?

Edited by doingitwell, 09 May 2010 - 03:52 PM.


#13 mb9023

  • Members
  • 74 posts
  • Gender:Male

Posted 09 May 2010 - 04:06 PM

Basically that should be all you have to do. Most mobos can read two drives even if they're both set to Master. I'd say the best thing to do would be to just try it out. If you want, you can look in your BIOS after hooking it up and make sure it at least shows the second drive. Your computer might also tell you during startup that new hardware has been added and ask you to confirm it, which is always a good sign.

I would actually keep the second drive unformatted, for a while at least, just in case you realize you forgot to pull something off it and you can go back and get it. If you plan on using it right away and you're sure you've got everything though, formatting it would definitely be the best idea to get rid of those pesky viruses.

Also, make sure when you're opening the case that you have everything unplugged out of the back of it. Power, mouse, keyboard, etc. You will also want to touch the metal outside of the case to ground yourself before you start messing with cords and the like. Just mount the drive, preferably not in a slot directly next to your current drive if there's room, plug in the power and SATA or IDE cable, close it up, plug everything in, and you should be good to go. If you give this a try, let us know how it goes for you. :thumbsup:

-mb

#14 doingitwell
  • Topic Starter

  • Members
  • 55 posts
  • Gender:Male

Posted 09 May 2010 - 04:25 PM

Thank you again MB. I used to tinker and build computers quite a bit, but we are talking way back, even before the WWW was created...I'm talking bulletin boards. Gosh, I really dated myself. :flowers:

I've not done it in a while but it appears that mostly everything is the same in regards to building, but other things have changed which I'm still trying to wrap my head around.

I will certainly let the board know how it goes after getting it done.

Right now I'm battling installing Adobe Acrobat, I keep getting this funky error. Looks like I'll be heading over to another thread for that problem. :thumbsup:

Thanks

Edited by doingitwell, 09 May 2010 - 04:25 PM.


#15 doingitwell
  • Topic Starter

  • Members
  • 55 posts
  • Gender:Male

Posted 10 May 2010 - 09:17 AM

I got my other problems fixed, so I'm back to this one. Assume I slave the infected HD and clean it up from the virus(es). Couldn't I use the O/S (XP) that's on it and open programs that are on THAT drive? I hear of people running two different O/S systems all the time without problem.



