05-06-2011, 08:32 AM, #1
Deliberately unfocused
Location: Amazon.com and CDBaby
Hard drive recovery
My co-workers can't seem to resist clicking on fake virus scan pop-ups. The latest one wiped things so bad that "Program Files" shows as empty and the C: drive pops up blank. (Running XP Pro.)
I'm stumped, because XP starts and the IP address is still recognized by VNC Viewer. I suspect that the registry was blown up... and no, no backup. Any ideas? I'd like to avoid format/reload. Thanks.
__________________
"Regret can be a harder pill to swallow than failure. With failure you at least know you gave it a chance..." David Howard
05-06-2011, 09:49 AM, #3
Paladin of the Palate
Location: Redneckville, NC
How are you seeing the C: drive if it is blank? If the C: drive was actually empty, you wouldn't be in Windows. I'm thinking the malware is showing you some fake stats. Can you boot into safe mode? If you can, you can run MalwareBytes or a similar program to remove some of the bad files.
If you can't boot into safe mode, you can boot into the system with a live CD (Hiren's Boot CD, UBCD) and run anti-malware programs from there. Safe mode is your first stop right now. Formatting and reloading is the last possible step; that's like dropping a nuke on a house to kill a spider. Boot into safe mode (with networking if you can) and download http://www.malwarebytes.org/ if you can, update and run. Should fix (most) problems. If that step doesn't work, we will go to step two and download you a live boot CD to fix it.
__________________
Vice-President of the CinnamonGirl Fan Club - The Meat of the Zombiesquirrel and CinnamonGirl Sandwich
Last edited by LordEden; 05-06-2011 at 09:54 AM.
05-06-2011, 12:45 PM, #4
Playing With Fire
Location: Disaster Area
Reformat & Reinstall.
__________________
Syriana...have you ever tried liquid MDMA?....Liquid MDMA? No....Arash, when you wanna do this?.....After prayer...
05-06-2011, 02:24 PM, #5
Deliberately unfocused
Location: Amazon.com and CDBaby
Lord Eden... I'm ashamed that I didn't do that before calling for help.
Last week I had to deal with a similar infestation, but all that one did was disassociate all of the .exe files. Not being able to see any of the programs at all threw me for a loop, and I had enough other bs on my plate that I didn't think things through. I'll attack the beast again... but likely not until Monday. Let you know how things work out. Dave... you may be right, but I won't go there until forced into it. Thanks for the input!
05-06-2011, 02:44 PM, #6
Young Crumudgeon
Location: Canada
I will endorse Lord Eden's advice. Well, personally I'd recover the data using a Linux Live CD and then format and install Debian. But, y'know. Close enough.
__________________
I wake up in the morning more tired than before I slept I get through cryin' and I'm sadder than before I wept I get through thinkin' now, and the thoughts have left my head I get through speakin' and I can't remember, not a word that I said - Ben Harper, Show Me A Little Shame
05-07-2011, 04:44 AM, #8
Insane
Location: at home
I would suggest that you take the drive and attach it to another computer (Win XP or newer) and do a full scan there, both for malware and drive errors.
Booting from a suspicious drive, even in safe mode, is not ideal when fighting malware and viruses. Best of luck, ZB
__________________
Sodomy non sapiens. : I'm buggered if I know
05-07-2011, 09:34 AM, #9
Paladin of the Palate
Location: Redneckville, NC
I'm with zman on this, try safe mode and then if that fails (which it does sometimes, depends on the spyware) try hooking the infected drive to a PC and running Malwarebytes on it from the host PC. That can take off enough of the spyware for you to be able to boot into the PC and install the anti-malware there and run it. I've used this once before and it worked, it's free and might be worth a shot. Kaspersky Rescue Disk 10. There are SO many different resources for this kind of infection, formatting should be a last stand kind of thing. It's really a bitch to get the PC back to the way it was before for a work pc, especially if it's a work pc.
05-09-2011, 04:57 PM, #10
Deliberately unfocused
Location: Amazon.com and CDBaby
Monday update:
Safe mode got me absolutely nowhere, so I ran Kaspersky. That cleaned out 14 infected files. Still, no programs were visible and the C: drive showed blank. Seems the virus had switched the properties of every file in the system to "hidden." Clicked "show hidden files" and unchecked "hidden" for everything, which refilled the programs list. Tomorrow, I try to figure out why none of the executables are showing up in the programs list, and where all of my shortcuts got to... the programs all run from the files in My Computer, but the staff needs the shortcuts. For the record: I don't work on computers for a living. I manage an auto parts store. Between 6 stores, I'm the least computer illiterate fool in the company, so, by default I am the company IT guy. I muddle through. I appreciate all of the help... past, present and future.
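The recovery step grumpyolddude describes above (the malware flipped every file to "hidden", and he cleared the attribute by hand in Explorer) is tedious on a whole drive. The following is an added example, not code from the thread: a PowerShell 2.0 script for the affected XP box that clears only the Hidden bit, skips anything that also carries the System attribute (desktop.ini, boot.ini and the like, which are meant to stay hidden), and can be run as a dry run first. The $Roots paths and the -DryRun switch are assumptions for illustration.

```powershell
# Clear the Hidden attribute that fake-AV malware set on user and program files.
# Entries that also have the System attribute are left alone on purpose: Windows
# itself hides those, so unhiding them would not restore anything the user lost.
# Assumes PowerShell 2.0 on Windows XP; run with -DryRun first to review the list.
param(
    [string[]]$Roots = @("C:\Program Files", "C:\Documents and Settings"),  # assumed roots
    [switch]$DryRun
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
$cleared = 0
$skippedSystem = 0

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Include the root folder itself: the malware hid top-level folders too,
    # which is why the C: drive looked empty in Explorer.
    $rootItem = Get-Item -LiteralPath $root -Force
    # -Force is required so Get-ChildItem returns hidden entries at all.
    $items = @($rootItem) + @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        if (-not ($item.Attributes -band $hidden)) { continue }      # not hidden, nothing to do
        if ($item.Attributes -band $system) { $skippedSystem++; continue }  # legitimately hidden

        if ($DryRun) {
            Write-Output ("would unhide: " + $item.FullName)
        } else {
            # Remove only the Hidden bit; ReadOnly, Archive, etc. stay as they were.
            $item.Attributes = $item.Attributes -bxor $hidden
            $cleared++
        }
    }
}

Write-Output ("Hidden bit cleared on {0} entries; {1} System-flagged entries left as-is" -f $cleared, $skippedSystem)
```

Files a user had deliberately hidden (without the System bit) will be unhidden as well, so check the dry-run list before running it for real.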
05-09-2011, 05:25 PM, #11
Paladin of the Palate
Location: Redneckville, NC
Windows XP or Vista/7? Check the "Documents and Settings" folder (for XP) or the "Users" folder for Vista/7. Check the main user's folder to see if it's not hidden too.
Did you run Malwarebytes inside of the OS after you got programs to work? I'd recommend doing that, might be a registry file that is fucking you up still.
05-09-2011, 07:03 PM, #12
Deliberately unfocused
Location: Amazon.com and CDBaby
Thanks, LE. WinXP Pro. I'll start with those ideas tomorrow morning, and see where things go from there.
Tuesday: Could not find any files or folders checked "hidden." Malwarebytes found 9 infected files, but did not resolve things. When I try to run System Restore, the error message "The application failed to initialize properly" pops up, but is gone before I can note the code at the end. I called the field tech for the company who provides our software. He spent a long time snooping around in the system. Claims he's never seen this problem... just like this. He's in favor of bombing it back to the stone age and starting from scratch. I don't wanna, but the boss is getting crabby.
Last edited by grumpyolddude; 05-10-2011 at 11:50 AM.
05-11-2011, 03:45 PM, #13
Insane
Location: at home
Here is an idea that will not break the bank (I hope): get a new HD, and an external enclosure for the HD might be a nice idea too. Remove the HD from the computer and start from scratch. When you are up and running, then the old drive can be connected to the computer and you can run anti-virus and malware removal tools of your choice. This way you might be able to retrieve data from the HD that would otherwise be lost if a reinstall of the OS is done over the old install.
Yours ZB.
05-11-2011, 07:39 PM, #14
Deliberately unfocused
Location: Amazon.com and CDBaby
Thanks for the input, ZB. The issue right now is not detecting and eliminating the malware. It's undoing the damage the malware did. I'm going to clone the hard drive of one of the other workstations onto an external hard drive, wipe the affected machine and reload off of the external. Then I plan to clone every f@#$@$#king PC in the company! My only obstacle is time.
05-12-2011, 04:32 AM, #15
Paladin of the Palate
Location: Redneckville, NC
GOD (Dude, your name spells GOD, I never noticed that... I think I need more coffee...), is the only problem right now shortcuts and program files? Or are you still having a problem with .exe files not loading? I've got a registry fix for the .exe files not loading, but I think you fixed that already.
If it's just the shortcuts and program files... it might be that the malware corrupted your profile on the PC. If that's your only problem left, I'll see if I can find you some kind of fix. Cloning a HD and keeping a backup cloned copy of each PC is an awesome idea; depending on your network setup and how much they want to spend on it, you could get it set up to clone the PC every day and store it on the server. I'm also pulling things out of my ass 'cause I've never seen your PCs and/or network.
05-12-2011, 02:51 PM, #16
Young Crumudgeon
Location: Canada
I don't really do Windows stuff anymore, but if the problem is the profile wouldn't the quick and easy fix be to just create a new one?
In terms of imaging, that's how most pros do it (including us). Storage is cheap. Do a fresh install, create a disk image, and then if things ever get too crazy you can just re-image the drive. You could also just set the machines up with the basic software necessary and then lock them down. Create a separate admin profile and take away your user's permissions to install or modify programs. Lock them out of the important directories while you're at it. That's a lot of work though, and might be tricky if you're not a dedicated IT guy and somewhat versed in Windows admin.
05-12-2011, 05:51 PM, #17
Junkie
Location: Greater Harrisburg Area
+1 for Martian's imaging advice. There are some Linux live CDs floating around the web designed with that purpose in mind. You can even store the image on the same drive or a thumb drive and leave it in your desk drawer (I have an XP Home image on a dual layer DVD, with Diablo 2 loaded~!).
GOD, as far as undoing the damage the malware did, there really is no way to be sure you get it all. Heck, there is even no way to make sure that the malware is actually completely gone without starting from scratch. If there isn't any vital info on there I'd just nuke it, because you're not dealing with a spider, but a preteen godzilla.
__________________
The advantage law is the best law in rugby, because it lets you ignore all the others for the good of the game.
05-12-2011, 06:06 PM, #18
Paladin of the Palate
Location: Redneckville, NC
Bad thing about a corrupt profile is that you lose all the shortcuts on the desktop along with the Docs files. You can recreate it, but it just grabs the default profile and whatever is in "All Users". Unless there is a roaming profile in effect (which I highly doubt), it will just make a default first-time user profile. Might be you could recreate the profile and then copy shortcuts from another user's PC.
I know I said against nuking it, but it might be the next choice. If I had it in front of me, I could tell you more. I could remote into it and check it out, for some concert tickets.
05-13-2011, 05:35 PM, #19
The sky calls to us ...
Super Moderator
Location: CT
The latest fake AV programs go a step beyond the usual and install rootkits in Windows processes, then when you think you have them cleaned they phone home and reinstall. Combofix seems to get the current generation, anything that checks for rootkits should do the trick.
05-15-2011, 10:26 AM, #20
Deliberately unfocused
Location: Amazon.com and CDBaby
Nice input, everyone. I haven't been able to work on this for the past several days... crazy busy then a funeral.
As things stand, I can run all of the programs, but can't create shortcuts. Interesting thing: in the Control Panel, Administrative Tools is empty. There is only one user account and that has administrative privileges. Combofix sounds like a useful tool. Will it do things that Kaspersky and Malwarebytes won't? Willing to give it a try. I've procured an external drive and a copy of Hiren's Boot 9.7... should I look for an updated version? Planning on blowing this thing up tomorrow (Monday 5/16). This would have all been a bit easier if a) Dell had shipped discs with this model PC, b) Dell had put recovery info in a partition on the hard drive, or c) the (supposed) tech who set these up had made recovery discs. Oh, well. Gonna give Combofix a shot, then go shopping for low yield explosives.
05-17-2011, 06:45 PM, #21
Deliberately unfocused
Location: Amazon.com and CDBaby
It's done. I looked into the ComboFix thing and decided I would just be getting further over my head than I already was. So, we went with imaging the other workstation's drive and loading it onto the affected machine. Over the next few weeks, I plan to image every PC in the organization as a restoration tool.
Thanks again for the support and suggestions. Always and forever, you guys rock!