"Full of the sound of the Gran Fury, signifying nothing." (granfury)
08/19/2015 at 22:49 | 1 | 9 |
A friend’s kids’ computer got its drive scrambled by some virus recently. I did a scan and found nearly 200 of them, and think I successfully eradicated them. Possibly. After that I went to examine the contents of the drive and found it empty. Huh?
I ran some data recovery software and it found 1728GB worth of data to recover, which is somewhat surprising since this is only a 500GB drive. There are multiple directories with the same name but different contents, for example there are four ‘System Volume Information’ directories that it found.
Any suggestions on which of these directories I need to recover in order to get this machine working again?
boxrocket
> Full of the sound of the Gran Fury, signifying nothing.
08/19/2015 at 22:55 | 0 |
C drive or tertiary?
JGrabowMSt
> Full of the sound of the Gran Fury, signifying nothing.
08/19/2015 at 23:00 | 0 |
Crap. Has to be late at night?
Do you have access to the recovery partition at all, or do you have an install disc handy? What you need to do is go into the advanced recovery options, open command prompt and run a disk check on that first.
A lot of the viruses that have gone around in the past few years have been causing all sorts of trouble. Recovery is going to be a rough road by the sounds of it, not knowing where you started. Does the drive boot into Windows, but you just don’t see any files?
If you just don’t see any files, or if you can’t open anything, you need to find a program called Shadow Recovery.
Alternatively, wait until the morning, and shoot me an email (username@gmail) and we can have a bit more direct back and forth on this. I was the lead tech at a shop for 5 years, so there’s that. Did you by any chance write/print or remember any of the viruses removed? Is there a log file from whatever program you used that you could try to find?
StoneCold
> Full of the sound of the Gran Fury, signifying nothing.
08/19/2015 at 23:14 | 0 |
1) Don’t use that drive until it is completely wiped and zeroed out. If the drive was that far infected, there really is no hope of getting it fully and truly clean again.
2) I’m guessing you have the drive out and in a SATA/USB bridge to pull files. I’d open it up in DOS and use dir to root around. That might be enlightening.
Full of the sound of the Gran Fury, signifying nothing.
> boxrocket
08/19/2015 at 23:28 | 0 |
Of course it has to be the C: drive - damned kids couldn’t make this easy on me. There is a secondary drive, but there isn’t an OS installed on that one.
boxrocket
> Full of the sound of the Gran Fury, signifying nothing.
08/19/2015 at 23:45 | 0 |
*shrug* it wasn’t explicitly stated, and with drives used as backups, storage, various RAID configurations, it wouldn’t have to be the C drive.
Anyhow, it may be tedious, but consider copying individual folder families to a clean, isolated drive without booting to the full OS, and run a virus scan on each new deposited folder until all the folders are moved, before or after the move, or even both. May take a few hours, but it’s one way to isolate clean files, and discover where malicious items are lurking.
Alternately, do a clean install of the OS on an empty, clean drive, and set the entire file system to read-only (temporarily, to keep the viruses from spreading). Delete everything on the old drive except personal files or irreplaceable ones. Move the personal files to a second clean drive, scan the hell out of them, then wipe the original drive thoroughly and repeatedly, including formatting it. Then everything on the other two drives - which should be clean - can be moved back to the original drive, or keep the two-drive setup and use the old drive as a backup drive.
Full of the sound of the Gran Fury, signifying nothing.
> JGrabowMSt
08/20/2015 at 00:12 | 0 |
Sorry - I spend the day looking for work and don’t have time for other tasks until the evening. There might be some recovery info on the secondary hard drive, but I don’t have that connected at the moment.
I miss the glory days when I worked in IT, from 1996 to 2002. The virus problems were relatively minor and easily preventable.
Windows can’t start. After the scans the disc showed 487GB free of 487GB - no files on the drive at all. The drive is now installed on a secondary system with a tertiary drive for recovery. I ran Stellar Phoenix Windows Data Recovery and am attempting to transfer some of the found files onto the tertiary drive, but I can’t tell which of the duplicate directories contain the actual files necessary to make this system run. I suspect that it is one of those things that really won’t be able to be figured out, and that perhaps I should just save the pictures and videos and reinstall from scratch, teaching the kids a lesson in what not to do.
It was several weeks ago that I ran the initial virus scan, and I can’t remember what technique I used. I probably transferred the drive over to a working system with AV and AM software and ran it from there. Unfortunately I can’t find a record of the scan so I can’t tell you which viruses were found, although I think I sent a photo, which is probably on a different computer.
As I transfer files to this other drive, the AV software is giving me indication that I haven’t eradicated all of the old viruses. In just the last hour it’s found JS:Agent-DHB, HTML:Includer-CE, Win32:Agent-AVHK, a number of JS: items, Win32:Kryptik, Win32:MalOb-LP amongst others.
I chose a number of key directories (Windows, Users, System Volume Information and others) that would get me under the 500GB size restriction, but there may have been a better way to decide what to restore. At this point I’m losing hope that I can just restore directories and files and have a bootable drive, and probably shouldn’t assume that this is a possibility. I suspect that I should just go after key types of files, and just reinstall the OS and necessary apps afterwards.
Full of the sound of the Gran Fury, signifying nothing.
> boxrocket
08/20/2015 at 00:31 | 0 |
I hope my comment wasn’t read as having unnecessary snark on my part - I assure you that that’s not what I had intended. It was really one of those thoughts mired in resignation, with corollaries to Murphy’s Law popping into my head. You prepare yourself for the worst that you can imagine and then the situation exceeds even that. This whole thing started out as a simple virus removal and cleanup and has blown up to be a full data recovery situation, something I didn’t plan on.
boxrocket
> Full of the sound of the Gran Fury, signifying nothing.
08/20/2015 at 01:25 | 0 |
Fair enough, it’s a frustrating situation.
Alternately, you could download several free antivirus programs and run each independently to see how much they eradicate on their own.
JGrabowMSt
> Full of the sound of the Gran Fury, signifying nothing.
08/20/2015 at 08:43 | 0 |
Yeah, you’ll end up having to reinstall no matter what. Honestly I would have only recovered the User folder at that point because without seeing the before and after myself, it’s hard to say whether it could actually be salvaged. I’ve brought some pretty impressively infected machines back from the brink, but it takes hours and hours to make it happen. Often clients don’t want to pay for the hours or wait for me to make progress.
But with a virus infection like that, what are they missing? iTunes music they can download again? Schoolwork they probably don’t need ever again? If they were English majors in college that would be one thing, but if they’re younger kids, I’m okay with giving them a harsh lesson in using a computer responsibly. It sucks, but it’s a really important thing to learn.
Also, make sure you scan the recovered files as well, and get a virtual machine or something to test opening them. Wouldn’t want to release the Kraken all over again on your machine.
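A constructed, runnable sketch of the workflow boxrocket describes above (copy one folder family at a time to an isolated location, scan it, and only then accept it) combined with JGrabowMSt's point that every recovered file gets scanned before it touches a working machine. This is an added example, not code from anyone in the thread. The function names (`triage_recovered`, `clamav_scanner`, `extension_scanner`) are mine; the ClamAV wrapper assumes the real `clamscan` command is installed, and `extension_scanner` is only a stand-in so the example runs offline:

```python
"""Per-folder isolate-and-scan triage for files pulled off a compromised drive.

Constructed example: each top-level recovered folder is copied into a fresh
staging directory, scanned there, and then moved into either a 'clean' or a
'quarantine' tree, so folders with hits never mix with the ones already vetted.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# A scanner takes a staged folder and returns the paths it flagged.
Scanner = Callable[[Path], List[str]]


def clamav_scanner(folder: Path) -> List[str]:
    """Scan with the ClamAV command-line tool (assumed to be installed on PATH).

    clamscan prints one line per hit as '<path>: <signature> FOUND';
    --infected suppresses the lines for clean files, --no-summary the footer.
    """
    proc = subprocess.run(
        ["clamscan", "-r", "--infected", "--no-summary", str(folder)],
        capture_output=True, text=True, check=False,
    )
    return [line.rsplit(": ", 1)[0] for line in proc.stdout.splitlines()
            if line.endswith(" FOUND")]


def extension_scanner(folder: Path) -> List[str]:
    """Offline stand-in for a real scanner: flags script-type files by extension.

    This is not detection, only a placeholder so the example runs without ClamAV.
    """
    suspect = {".js", ".vbs", ".hta", ".scr"}
    return [str(p) for p in folder.rglob("*") if p.suffix.lower() in suspect]


def _unique(path: Path) -> Path:
    """Number a destination that already exists instead of merging into it.

    Recovery tools emit several folders with the same name (the thread saw four
    'System Volume Information' copies); keeping them apart preserves the evidence.
    """
    candidate, n = path, 1
    while candidate.exists():
        n += 1
        candidate = path.with_name(f"{path.name} ({n})")
    return candidate


def triage_recovered(recovered_root, clean_dest, quarantine_dest,
                     scanner: Scanner = clamav_scanner) -> Dict[str, List[str]]:
    """Stage, scan and sort each top-level folder under recovered_root.

    Returns {folder name: [flagged paths relative to that folder]}. A folder
    with no hits is moved to clean_dest, one with any hit to quarantine_dest.
    """
    recovered_root = Path(recovered_root)
    clean_dest, quarantine_dest = Path(clean_dest), Path(quarantine_dest)
    clean_dest.mkdir(parents=True, exist_ok=True)
    quarantine_dest.mkdir(parents=True, exist_ok=True)
    report: Dict[str, List[str]] = {}
    for folder in sorted(p for p in recovered_root.iterdir() if p.is_dir()):
        with tempfile.TemporaryDirectory() as staging:
            staged = Path(staging) / folder.name
            shutil.copytree(folder, staged)  # work on a copy; the source is left untouched
            hits = scanner(staged)
            rel_hits = sorted(
                Path(h).resolve().relative_to(staged.resolve()).as_posix() for h in hits
            )
            target = _unique((quarantine_dest if hits else clean_dest) / folder.name)
            shutil.move(str(staged), str(target))
            report[folder.name] = rel_hits
    return report


if __name__ == "__main__":
    # Constructed sample tree; the file contents are placeholders, not malware.
    root = Path(tempfile.mkdtemp())
    (root / "recovered" / "Users" / "kid").mkdir(parents=True)
    (root / "recovered" / "Users" / "kid" / "essay.txt").write_text("homework")
    (root / "recovered" / "Temp").mkdir()
    (root / "recovered" / "Temp" / "update.js").write_text("// constructed placeholder")
    print(triage_recovered(root / "recovered", root / "clean",
                           root / "quarantine", extension_scanner))
```

Run it against the folder tree the recovery tool wrote out, with the clean and quarantine destinations on the separate, freshly formatted drive and `clamav_scanner` (or any other command-line scanner wrapped the same way) as the scanner. The per-folder report is the record the thread wished it had: which folder families carried hits, which files inside them, and therefore which ones are worth opening in a throwaway virtual machine before anything gets copied back.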