Need help getting info off a virus infected hard drive.

First let me say I made my first post in the Introduction thread. It's good to feel welcomed. Although I've felt like part of the family for a long time as I've been lurking for who knows how long....please forgive me for not joining earlier!!!

I'll cut to the chase, a couple days ago I had some family over and they used my computer to access the internet doing who knows what. Well, later that evening I had a sh!t load of problems. Pop-ups everywhere claiming a virus attack and all the normal BS that goes with it. The computer re-booted on its own and then I get something similar to the blue screen of death except there is a smaller page in front of it claiming I violated a copyright issue. I immediately knew it was bogus and did a hard re-boot as I couldn't control anything. Did that 3 times until I could get access to my desktop. Even after getting access to the desktop it took about 15 minutes of misc junk of pop-ups, .exe warnings, porn site(s), etc to load until I could even access the tool bar but still couldn't do anything, including accessing the internet. I then discovered I got hit by the infamous antimalware doctor virus. I have my normal firewall on and running the free version of Avast. The virus(s) obviously got past both.

There's a lot more that went along with the above problem but that's not why I'm here. I say that because I finally got all the needed AV programs on a jump drive and was ready to kick the dog poo-poo out of the virus, and get this, the computer would NOT fire up. Possibly coincidental, but I suspect the power supply has died. I'm talking a 5 1/2 year old computer here.

So, here is my need. I would like to salvage the info on the HD, but since it's infected how can I go about doing it using a different computer? I'm sure it will matter but my old computer was/is running XP and the computer I'm now using is running Vista Ultimate.

Thanks all!!!!

Edited by doingitwell, 06 May 2010 - 11:33 PM.

well, what I do is I have a computer set up with linux that I hook virus infected drives up to as slave drives, and use it to get the files off of. If you have access to another computer, you could download a ubuntu live CD, then hook that hard drive to another system, either as a primary hard drive or a slave, and boot up with that ubuntu live CD, and you can get the files you need off it that way. Save them all to a jump drive, and make sure when you hook it back up to a windows PC that you scan it for viruses before opening it.

Directions to use Ubuntu: insert CD into drive. reboot. choose boot from CD, then the option try ubuntu out (not install) from there you should be able to figure it out, ubuntus fairly easy friendly, just find the home directory and the hard drive, and it should recognize any jump drives automatically, saving files is as easy as drag and click. Fairly easy to figure out.

Hey Patriot, thanks for the post. I will admit I've never heard of ubuntu live CD, but I will certainly be checking it out. However I do not have a stand alone computer only running linux. The best I can do right now is the system I'm using with Vista. But then again I've been kicking around the thought of building another computer myself. It's been about 7 years since I've done it, but I would the experience.

Thanks again Patriot. Should I be able to follow your advice I'll be sure to let you know how things go.

well, thats why I suggested a ubuntu live CD. You dont need the computer to be running linux at all-you just insert the CD, and boot up with that, and the OS runs off your ram, no installation required, you can back up files, even surf the net, without having to actually have it installed, once you shut down and remove the CD it boots back up under the original OS you had on it (in this case, vista), and is fairly simple to figure out.

Edited by the_patriot09, 06 May 2010 - 11:52 PM.

If you just remove the drive...slave it (make it a secondary drive) on a well-protected system and scan it with that system's AV, Malwarebytes, and SUPERAntiSpyware (before moving anything)...that should minimize the chance of infected data files.

Of course, you will be unable to move programs installed or the O/S itself to another system.

To access any data files stored in Docs & Settings folders...you will probably have to take ownership of such.

How to take ownership of a file or a folder in Windows XP - http://support.microsoft.com/kb/308421

Louis

As Described.

ubuntu is great. hook up a external or if you have some webspace, download filezilla which im sure works with ubuntu.

INstall to a partition, just split your drive a little if you can.

Although it works plug and play :D

If you just remove the drive...slave it (make it a secondary drive) on a well-protected system and scan it with that system's AV, Malwarebytes, and SUPERAntiSpyware (before moving anything)...that should minimize the chance of infected data files.

Of course, you will be unable to move programs installed or the O/S itself to another system.

To access any data files stored in Docs & Settings folders...you will probably have to take ownership of such.

How to take ownership of a file or a folder in Windows XP - http://support.microsoft.com/kb/308421

Louis

Hey Louis, how come I couldn't move the programs that I've installed on the HD? I ask as I've backed up all my pictures prior to the infection but there is mainly one program I would like to get off it, which is Autocad.

Programs depend on the O/S, which contains the registry.

When a system is infected, the infection can exist in system files, files installed (intentionally and unintentionally), and registry entries.

Moving any of these without the others...is a waste of time, since they interact...registry, system files, program files.

The only way to move a program installed...is to clone the drive or something similar. If the system is infected, what would be the point of such?

That is why there is always reference to moving "data files" from an infected system...otherwise, the infection may spread/continue.

Louis

To elaborate a bit more, When you install a program it writes to the registry. The registry tells windows where all the files are that are needed to execute the program if you move a program without the corresponding registry entries it won't work. The program has to be re-installed on the new system using the installation shell or installation program.

Programs depend on the O/S, which contains the registry.

When a system is infected, the infection can exist in system files, files installed (intentionally and unintentionally), and registry entries.

Moving any of these without the others...is a waste of time, since they interact...registry, system files, program files.

The only way to move a program installed...is to clone the drive or something similar. If the system is infected, what would be the point of such?

That is why there is always reference to moving "data files" from an infected system...otherwise, the infection may spread/continue.

Louis

Ok, so far I'm understanding most of everything from the posters. But how could I operate the drive using my current O/S (Vista) when the O/S on the virus infected drive is XP? Or is that not even possible?

If it can't be done then could I slave the HD without conflict since the O/S are different?

Slaving a drive doesn't require the OS to operate in any way, it basically just recognizes it as a storage drive. Like a flash drive or an external drive would be. If you plug a drive into your system as a slave, it will show up in your current system's 'My Computer' as just a secondary hard drive, which you will have access to all the files. All you need to do is open it, find your needed documents and copy them over. After scanning with the many suggested AVs of course. Just do NOT copy any system files or anything from Program Files, as they will most likely be infected. You will have to reinstall anything such as Autocad, but you can copy over any saved pictures or files with no problem. (most likely).

Slaving a drive doesn't require the OS to operate in any way, it basically just recognizes it as a storage drive. Like a flash drive or an external drive would be. If you plug a drive into your system as a slave, it will show up in your current system's 'My Computer' as just a secondary hard drive, which you will have access to all the files. All you need to do is open it, find your needed documents and copy them over. After scanning with the many suggested AVs of course. Just do NOT copy any system files or anything from Program Files, as they will most likely be infected. You will have to reinstall anything such as Autocad, but you can copy over any saved pictures or files with no problem. (most likely).

Thanks MB, I getting more knowledgeable every post.

So is it a matter of opening up my current case, mounting the drive and plugging it in to an extra plug? Would I need to change BIOS settings or anything? Since my HD that I'm using now is set for primary in the BIOS I'm thinking I wouldn't have to do anything with the slave one. Or would I? I guess I could also go with the external enclosed docking station, but my access to the HD would be slower, correct?

And, after I get what I want off the drive, should I just format it afterwards to rid myself of any infected files?

Edited by doingitwell, 09 May 2010 - 03:52 PM.

Basically that should be all you have to do. Most mobo's can read two drives even if they're both set to Master. I'd say the best thing to do would be to just try it out. If you want you can look in your BIOS after hooking it up, and make sure it at least shows the second drive. Your computer might also tell you during startup that new hardware has been added and ask you to confirm it, which is always a good sign.

I would actually keep the second drive unformatted, for a while at least, just in case you realize you forgot to pull something off it and you can go back and get it. If you plan on using it right away and you're sure you've got everything though, formatting it would definitely be the best idea to get rid of those pesky viruses.

Also, make sure when you're opening the case that you have everything unplugged out of the back of it. Power, mouse, keyboard, etc. You will also want to touch the metal outside of the case to ground yourself before you start messing with cords and the like. Just mount the drive, preferably not in a slot directly next to your current drive if there's room, plug in the power and SATA or IDE cable, close it up, plug everything in, and you should be good to go. If you give this a try, let us know how it goes for you.

-mb

Thank you again MB. I used to tinker and build computers quite a bit, but we are talking way back even before WWW was created...I'm talking Bulletin Boards. Gosh I really dated myself.

I've not done it in a while but it appears that mostly everything is the same in regards to building, but other things have changed which I'm still trying to wrap my head around.

I will certainly let the board know how it goes after getting it done.

Right now I'm battling installing Adobe Acrobat, I keep getting this funky error. Looks like I'll be heading over to another thread for that problem.

Thanks

Edited by doingitwell, 09 May 2010 - 04:25 PM.

I got my other problems fixed so I'm back to this one. Assume I slave the infected HD and clean it up from the virus(s). Couldn't I use the O/S, (XP), that's on it and open programs that are on THAT drive? I hear people running two different O/S systems all the time without problem.