Tilted Forum Project Discussion Community

Thread: Hard drive recovery (https://thetfp.com/tfp/tilted-technology/171213-hard-drive-recovery.html)

grumpyolddude 05-06-2011 08:32 AM

Hard drive recovery
 
My co-workers can't seem to resist clicking on fake virus scan pop-ups. The latest one wiped things so bad that "program files" shows as empty and the C: drive pops up blank. (running XP- pro)
I'm stumped, because XP starts and the IP address is still recognized by VNC viewer. I suspect that the registry was blown up... and no, no backup.
Any ideas? I'd like to avoid format/reload.
Thanks.

DaveOrion 05-06-2011 08:36 AM

reformat & reinstall XP, hopefully you have a XP installation disk.

LordEden 05-06-2011 09:49 AM

How are you seeing the C: drive if it is blank? If the C: drive was actually empty, you wouldn't be in Windows. I'm thinking the malware is showing you some fake stats. Can you boot into safe mode? If you can, you can run MalwareBytes or a similar program to remove some of the bad files.

If you can't boot into safe mode, you can boot into the system with a live CD (Hiren's Boot CD, UBCD) and run anti-malware programs from there.

Safemode is your first stop right now.

******

Formatting and reloading is the last possible step, that's like dropping a nuke on a house to kill a spider.

Boot into safe mode (with networking if you can) and download http://www.malwarebytes.org/ if you can, update and run. Should fix (most) problems. If that step doesn't work, we will go to step two and download you a live boot CD to fix it.

DaveOrion 05-06-2011 12:45 PM

Quote:

Originally Posted by LordEden (Post 2899464)

Safemode is your first stop right now.

******

Formatting and reloading is the last possible step, that's like dropping a nuke on a house to kill a spider.

Boot into safe mode (with networking if you can) and download http://www.malwarebytes.org/ if you can, update and run. Should fix (most) problems. If that step doesn't work, we will go to step two and download you a live boot CD to fix it.

I've been down this road before, also worked on my daughter's PC, sure try safe mode but most likely that won't work. Forces are constantly at work to make our lives difficult, especially if you have a PC. I could elaborate ad nauseam about all the threats and what they entail but needless to say your PC is probably fucked from what you've said.

Reformat & Reinstall.

grumpyolddude 05-06-2011 02:24 PM

Lord Eden... I'm ashamed that I didn't do that before calling for help.:shakehead:

Last week I had to deal with a similar infestation, but all that one did was disassociate all of the .exe files. Not being able to see any of the programs at all threw me for a loop, and I had enough other bs on my plate that I didn't think things through. I'll attack the beast again... but likely not until Monday. Let you know how things work out.:thumbsup:

Dave... you may be right, but I won't go there until forced into it.

Thanks for the input!

Martian 05-06-2011 02:44 PM

I will endorse Lord Eden's advice. Well, personally I'd recover the data using a Linux Live CD and then format and install Debian. But, y'know. Close enough.

grumpyolddude 05-06-2011 08:32 PM

As fond as I am of penguins, I'm stuck in the XP mire, Martian.

Zweiblumen 05-07-2011 04:44 AM

I would suggest that you take the drive and attach it to an other computer (Win XP or newer) and do a full scan there both for malware and drive errors.
Booting from a suspicious drive, even in safe mode, is not ideal when fighting malware and viruses.
Best of luck,
ZB

LordEden 05-07-2011 09:34 AM

Quote:

Originally Posted by DaveOrion (Post 2899517)
I've been down this road before, also worked on my daughter's PC, sure try safe mode but most likely that won't work. Forces are constantly at work to make our lives difficult, especially if you have a PC. I could elaborate ad nauseam about all the threats and what they entail but needless to say your PC is probably fucked from what you've said.

Reformat & Reinstall.

Dave, I've been down that road so many times, I've got a street named after me. I've spent the last 3 jobs doing nothing but cleaning up Facebook viruses and click-happy end users' messes. Format and reinstall is a LAST resort in this fight, especially in a work environment. Format/reload at home is not as big of a deal, one full day of work and you are back on looking at Facebook; it's not the same in a work environment. Reloading of work software, reloading data, setting up network connections, printers, etc... that shit takes a lot of time (depending on what they did on the PC at work).

*****

I'm with zman on this, try safemode and then if that fails (which it does sometimes, depends on the spyware) try hooking the infected drive to a PC and running malwarebytes on it from the host PC. That can take off enough of the spyware for you to be able to boot into the PC and install the anti-malware there and run it.

*****

I've used this once before and it worked, it's free and might be worth a shot.

Kaspersky Rescue Disk 10

There are SO many different resources for this kind of infection, formatting should be a last stand kind of thing. It's really a bitch to get the PC back to the way it was before for a work pc, especially if it's a work pc.

grumpyolddude 05-09-2011 04:57 PM

Monday update:
Safe mode got me absolutely nowhere, so I ran Kaspersky. That cleaned out 14 infected files. Still, no programs were visible and the C: drive showed blank. Seems the virus had switched the properties of every file in the system to "hidden." Clicked "show hidden files" and unchecked "hidden" for everything, which refilled the programs list. Tomorrow, I try to figure out why none of the executables are showing up in the programs list, and where all of my shortcuts got to... the programs all run from the files in My Computer, but the staff needs the shortcuts.

For the record: I don't work on computers for a living. I manage an auto parts store. Between 6 stores, I'm the least computer illiterate fool in the company, so, by default I am the company IT guy. I muddle through. I appreciate all of the help... past, present and future.
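What grumpyolddude found by hand (every file and folder flagged Hidden, so Program Files and C:\ looked empty) can be undone in bulk from PowerShell instead of clicking through Properties dialogs. The script below is an added example, not anything posted in the thread; it assumes PowerShell 2.0 on XP Pro, that the root path and the skip list are chosen by whoever runs it, and it deliberately leaves alone anything that also carries the System attribute (boot.ini, ntldr, pagefile.sys, desktop.ini, ntuser.dat), because those are hidden by Windows, not by the malware.

```powershell
# Added example (not from the thread): clear a malware-set Hidden attribute
# under a root, leaving genuine Hidden+System files untouched.
# Assumptions: PowerShell 2.0 on Windows XP, run as an administrator;
# $Root and $skip are placeholders to adjust for the machine at hand.
function Clear-MalwareHiddenAttribute {
    param(
        [string]$Root = 'C:\',
        [switch]$Apply        # without -Apply this is a dry run that only reports
    )

    # Folders that are legitimately hidden/system on XP; never descend into them.
    $skip   = @('System Volume Information', 'RECYCLER', 'Recycled')
    $hidden = [int][IO.FileAttributes]::Hidden
    $system = [int][IO.FileAttributes]::System
    $changed = @()

    # -Force is what makes Get-ChildItem return hidden files and folders at all;
    # without it the listing is exactly as empty as Explorer was.
    $items = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        $skipIt = $false
        foreach ($s in $skip) {
            if ($item.Name -eq $s -or $item.FullName -like "*\$s\*") { $skipIt = $true }
        }
        if ($skipIt) { continue }

        $attrs = [int]$item.Attributes
        # Only Hidden-but-not-System items are candidates: the malware set Hidden
        # on ordinary program files and folders, and Windows never does that.
        if ((($attrs -band $hidden) -ne 0) -and (($attrs -band $system) -eq 0)) {
            $changed += $item.FullName
            if ($Apply) {
                $item.Attributes = [IO.FileAttributes]($attrs -band (-bnot $hidden))
            }
        }
    }
    return $changed
}

# Dry run first, read the report, then repeat with -Apply.
$report = Clear-MalwareHiddenAttribute -Root 'C:\Program Files'
"$($report.Count) item(s) would be un-hidden"
$report | Out-File -FilePath "$env:TEMP\unhide-report.txt"
# Clear-MalwareHiddenAttribute -Root 'C:\Program Files' -Apply
```

The only legitimately hidden-without-System files you will normally hit this way are things like Thumbs.db, and un-hiding those is harmless. Run it once per root you care about (Program Files, Documents and Settings, the Start Menu folders under All Users) rather than blindly over all of C:\, and keep the dry-run report: a list of what the malware touched is also the list of what else to check for tampering.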

LordEden 05-09-2011 05:25 PM

Windows XP or Vista/7? Check the "documents and settings" folder (for XP) or the "users" folder for Vista/7. Check the main user's folder to see if it's not hidden too.

Did you run Malwarebytes inside of the OS after you got programs to work? I'd recommend doing that, might be a registry file that is fucking you up still.

grumpyolddude 05-09-2011 07:03 PM

Thanks, LE. WinXP Pro. I'll start with those ideas tomorrow morning, and see where things go from there.

Tuesday: Could not find any files or folder checked "hidden." Malwarebytes found 9 infected files, but did not resolve things.
When I try to run system restore, error message: "The application failed to initialize properly" pops up, but is gone before I can note the code at the end.
I called the field tech for the company who provides our software. He spent a long time snooping around in the system. Claims he's never seen this problem... just like this. He's in favor of bombing it back to the stone age and starting from scratch. I don't wanna, but the boss is getting crabby.

Zweiblumen 05-11-2011 03:45 PM

Here is an idea that will not break the bank (I hope), get a new HD and an external enclosure for the HD might be a nice idea too. Remove the HD from the computer and start from scratch. When you are up and running, then the old drive can be connected to the computer and you can run anti-virus and malware removal tools of your choice. This way you might be able to retrieve data from the HD that would otherwise be lost if a reinstall of the OS is done over the old install.

Yours
ZB.

grumpyolddude 05-11-2011 07:39 PM

Thanks for the input, ZB. The issue right now is not detecting and eliminating the malware. It's undoing the damage the malware did. I'm going to clone the hard drive of one of the other workstations onto an external hard drive, wipe the affected machine and reload off of the external. Then I plan to clone every f@#$@$#king PC in the company! My only obstacle is time.

LordEden 05-12-2011 04:32 AM

GOD (Dude, your name spells GOD, I never noticed that... I think i need more coffee...), is the only problem right now shortcuts and program files? Or are you still having a problem with .exe files not loading. I've got a registry fix for the .exe files not loading, but I think you fixed that already.

If it's just the shortcuts and program files... it might be that the malware corrupted your profile on the pc. If that's your only problem left, I'll see if I can find you some kind of fix.

Cloning a HD and keeping a backup cloned copy of each PC is an awesome idea, depending on your network setup and how much they want to spend on it, you could get it set up to clone the PC every day and store it on the server. I'm also pulling things out of my ass 'cause I've never seen your PCs and/or network.
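The ".exe files not loading" symptom from grumpyolddude's earlier infection, and the registry fix LordEden mentions, come down to the .exe file association: fake-AV droppers repoint it so every program launch runs the rogue binary first. The script below is an added example and not LordEden's fix; it assumes PowerShell 2.0 on XP Pro run as an administrator, and it restores the stock values (`.exe` -> ProgID `exefile`, open command `"%1" %*`). The detail most one-off .reg fixes miss is that HKEY_CLASSES_ROOT is HKLM\Software\Classes merged with HKCU\Software\Classes, and the per-user half wins, so a per-user `.exe` or `exefile` key left behind by the malware silently overrides a repaired machine-wide one.

```powershell
# Added example (not the fix referred to in the thread): inspect and restore
# the .exe file association that rogue AV commonly hijacks.
# Assumptions: PowerShell 2.0 on Windows XP, run as an administrator,
# after `reg export HKCR\exefile backup.reg` and `reg export HKCR\.exe backup2.reg`.
function Restore-ExeAssociation {
    param([switch]$Apply)   # dry run unless -Apply is given

    $expected = '"%1" %*'
    $findings = @()

    # HKCR = HKLM\Software\Classes overlaid by HKCU\Software\Classes (HKCU wins).
    # A per-user .exe/exefile key is not stock XP; it is the usual hijack location.
    foreach ($key in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
        if (Test-Path $key) {
            $findings += "per-user override present: $key"
            if ($Apply) { Remove-Item -Path $key -Recurse -Force }
        }
    }

    $ext = 'HKLM:\Software\Classes\.exe'
    $cmd = 'HKLM:\Software\Classes\exefile\shell\open\command'

    # The unnamed value of a key is exposed by the registry provider as '(default)'.
    $progId = (Get-ItemProperty -Path $ext -ErrorAction SilentlyContinue).'(default)'
    if ($progId -ne 'exefile') {
        $findings += ".exe ProgID is '$progId', expected 'exefile'"
        if ($Apply) {
            if (-not (Test-Path $ext)) { New-Item -Path $ext -Force | Out-Null }
            Set-ItemProperty -Path $ext -Name '(default)' -Value 'exefile'
        }
    }

    $open = (Get-ItemProperty -Path $cmd -ErrorAction SilentlyContinue).'(default)'
    if ($open -ne $expected) {
        # Anything other than "%1" %* here (a path to a file in %TEMP% or a
        # profile folder is typical) is the rogue binary wrapping every launch.
        $findings += "exefile open command is '$open', expected '$expected'"
        if ($Apply) {
            if (-not (Test-Path $cmd)) { New-Item -Path $cmd -Force | Out-Null }
            Set-ItemProperty -Path $cmd -Name '(default)' -Value $expected
        }
    }
    return $findings
}

Restore-ExeAssociation             # report only
# Restore-ExeAssociation -Apply    # fix, then log off and back on
```

One practical caveat: while the association is hijacked, Explorer and Start > Run launch .exe files through that association, so PowerShell may not start from there. Start it from "Safe Mode with Command Prompt" (cmd.exe launches programs with CreateProcess, which ignores file associations), or run a copy of regedit.exe renamed to regedit.com and apply the same values by hand. Whatever the open command pointed at before the fix is the file to hand to your scanner next.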

Martian 05-12-2011 02:51 PM

I don't really do Windows stuff anymore, but if the problem is the profile wouldn't the quick and easy fix be to just create a new one?

In terms of imaging, that's how most pros do it (including us). Storage is cheap. Do a fresh install, create a disk image, and then if things ever get too crazy you can just re-image the drive.

You could also just set the machines up with the basic software necessary and then lock them down. Create a separate admin profile and take away your user's permissions to install or modify programs. Lock them out of the important directories while you're at it. That's a lot of work though, and might be tricky if you're not a dedicated IT guy and somewhat versed in Windows admin.
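Martian's lockdown suggestion is less work than it sounds on XP Pro, because the default ACLs already stop members of Users from writing to Program Files and the Windows folder; the whole job is getting the staff account out of the Administrators group without locking yourself out (grumpyolddude has exactly one account, and it is an administrator). The script below is an added example, not Martian's procedure; it assumes PowerShell 2.0 on XP Pro, run as the existing administrator, and the account names `counter` and `storeadmin` are placeholders.

```powershell
# Added example (not from the thread): split the single administrator account
# into a day-to-day standard user plus a separate local admin, refusing to
# demote the daily account until the new admin is confirmed in Administrators.
# Assumptions: PowerShell 2.0 on Windows XP Pro, run as an administrator;
# 'counter' and 'storeadmin' are placeholder account names.
function Get-LocalGroupMembers {
    param([string]$Group)
    # `net localgroup <group>` prints a header, a dashed line, the members,
    # then "The command completed successfully."; keep only the members.
    $lines = net localgroup $Group 2>$null
    $members = @()
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-+$') { $inList = $true; continue }
        if ($line -match 'command completed') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }
    return $members
}

function Split-AdminAccount {
    param(
        [string]$DailyUser = 'counter',      # the account staff log on with
        [string]$AdminUser = 'storeadmin',   # admin-only account, used for installs
        [switch]$Apply                       # dry run unless given
    )
    $admins = Get-LocalGroupMembers 'Administrators'

    if ($admins -notcontains $AdminUser) {
        if (-not $Apply) { return "would create $AdminUser and add it to Administrators" }
        # Prompt instead of putting the password on the command line or in the script.
        $pw = Read-Host "Password for $AdminUser" -AsSecureString
        $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
        net user $AdminUser $plain /add | Out-Null
        net localgroup Administrators $AdminUser /add | Out-Null
        $admins = Get-LocalGroupMembers 'Administrators'
    }

    # Never remove the only working admin: the new account must already be in
    # the group (and you should have logged on with it once) before this step.
    if ($admins -notcontains $AdminUser) { throw "$AdminUser is not in Administrators; aborting" }

    if ($admins -contains $DailyUser) {
        if (-not $Apply) { return "would remove $DailyUser from Administrators" }
        net localgroup Users $DailyUser /add 2>$null | Out-Null   # harmless if already a member
        net localgroup Administrators $DailyUser /delete | Out-Null
    }
    return Get-LocalGroupMembers 'Administrators'
}

Split-AdminAccount            # report what would change
# Split-AdminAccount -Apply   # create storeadmin, then demote counter
```

Run it once to create the admin account, log on as that account to prove the password works, then run it again with -Apply to do the demotion. A standard user can still run a fake-AV download and trash their own profile, but it can no longer install services or drivers, rewrite HKLM\Software\Classes, or hide everything under Program Files, which is the difference between a profile rebuild and the reimage this thread ended up with.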

Hektore 05-12-2011 05:51 PM

+1 for Martian's imaging advice. There are some linux liveCDs floating around the web designed with that purpose in mind. You can even store the image on the same drive or a thumb drive and leave it in your desk drawer (I have an XP home image on a dual layer DVD, with Diablo 2 loaded~!:lol:).

GOD, as far as undoing the damage the malware did, there really is no way to be sure you get it all. Heck, there is even no way to make sure that the malware is actually completely gone without starting from scratch. If there isn't any vital info on there I'd just nuke it, because you're not dealing with a spider, but a preteen godzilla.

LordEden 05-12-2011 06:06 PM

Bad thing about a corrupt profile is that you lose all the shortcuts on the desktop along with the Docs files. You can recreate it, but it just grabs the default profile and whatever is in "All Users". Unless there is a roaming profile in effect (which I highly doubt), it will just make a default first-time user profile. Might be you could recreate the profile and then copy shortcuts from another user's PC.

I know I said against nuking it, but it might be the next choice. If I had it in front of me, I could tell you more. I could remote into it and check it out, for some concert tickets ;).

MSD 05-13-2011 05:35 PM

The latest fake AV programs go a step beyond the usual and install rootkits in Windows processes, then when you think you have them cleaned they phone home and reinstall. Combofix seems to get the current generation, anything that checks for rootkits should do the trick.

grumpyolddude 05-15-2011 10:26 AM

Nice input, everyone. I haven't been able to work on this for the past several days... crazy busy then a funeral.

As things stand, I can run all of the programs, but can't create shortcuts. Interesting thing: in the Control Panel, Administrative Tools is empty. There is only one user account and that has administrative privileges.

Combofix sounds like a useful tool. Will it do things that Kaspersky and malwarebytes won't? Willing to give it a try.

I've procured an external drive and a copy of Hiren's Boot 9.7... should I look for an updated version? Planning on blowing this thing up tomorrow (Monday 5/16).

This would have all been a bit easier if a) Dell had shipped discs with this model PC, b) Dell had put recovery info in a partition on the hard drive, or c) the (supposed) tech who set these up had made recovery discs.

Oh, well. Gonna give Combofix a shot, then go shopping for low yield explosives.

grumpyolddude 05-17-2011 06:45 PM

It's done. I looked into the ComboFix thing and decided I would just be getting further over my head than I already was. So, we went with imaging the other workstation's drive and loading it onto the affected machine. Over the next few weeks, I plan to image every pc in the organization as a restoration tool.

Thanks again for the support and suggestions. Always and forever, you guys rock!


© 2002-2012 Tilted Forum Project