saving data on infected computer

Laurel

Long story short - I have a terrible virus. I cannot do a system restore,
cannot connect to the internet, most of my programs won't open and the ones
that will open won't do anything but give me an error message. I can't even
scan it to find out what is on it to try and fix it. I plan on doing a system
recovery but before I do I need to get my photos off of it. My CD burner will
not open, media player will not open and when I tried to use a flash drive it
would not recognize it. I was going to save to floppy but files are all too
large and won't fit. I have the correct cables to connect it to another
computer but am not exactly sure how to do that and am nervous that the nasty
virus will infect the other computer as well.
If I do a system recovery will I be able to go in and somehow locate the
files and save them later? Or can I move them somewhere that recovery won't
touch them?
At this point, I just want to get my pictures off and wipe everything out
unless anyone has any other suggestions.
Thanks so much
Laurel
 
Buffalo

Laurel said:
Long story short - I have a terrible virus. I cannot do a system
restore, cannot connect to the internet, most of my programs won't
open and the ones that will open won't do anything but give me an
error message. I can't even scan it to find out what is on it to try
and fix it. I plan on doing a system recovery but before I do I need
to get my photos off of it. My CD burner will not open, media player
will not open and when I tried to use a flash drive it would not
recognize it. I was going to save to floppy but files are all too
large and won't fit. I have the correct cables to connect it to
another computer but am not exactly sure how to do that and am
nervous that the nasty virus will infect the other computer as well.
If I do a system recovery will I be able to go in and somehow locate
the files and save them later? Or can I move them somewhere that
recovery won't touch them?
At this point, I just want to get my pictures off and wipe everything
out unless anyone has any other suggestions.
Thanks so much
Laurel

One method is to remove the HDD, change its jumpers to set it as Slave and
put it in another computer.
Then you should be able to save what you want and perhaps even 'clean' it up
with a good anti-virus and some good anti-malware programs.
Two free, powerful and excellent anti-malware programs are:
Malwarebytes' Anti-Malware (MBAM)
SuperAntiSpyware (SAS)
Even though your CD burner doesn't open, you should be able to open it
manually (small hole where you insert a paper clip or similar) and perhaps
you can use a CD to clean your system.
Look in the anti-virus and anti-spyware ngs to find out how to make such a
CD.
 
Bob Lucas

There are two problems to consider.

Problem 1 - The virus infection.

Obviously, I don't know what virus has infected your computer.
However, it prevents access to the Internet, prevents you from
using a USB thumb drive, and will not allow you to open many
programs.

If you have access to a different computer that is free from any
infection, you could try the procedure at
http://tech.amikelive.com/node-144/tdss-trojan-and-bediddle-adware-removal-guide.

The article describes a way of disguising Malwarebytes, to allow
Malwarebytes to remove a TDSS rootkit infection. However, this
method might also work with other infections.

Problem 2 - Move your photos to another computer (if you can't
remove the virus)

Provided your computer has an Ethernet networking card, you might
be able to connect it to a similarly equipped computer, using an
Ethernet crossover cable. However, I fear the virus will
probably prevent networking. In any case, I would be reluctant
to connect a badly infected computer to a clean computer.

It might be better to physically remove the HDD from the infected
computer. Place it in a USB caddy and use the USB connection to
connect the caddy to an uninfected computer. (Make sure the host
computer has effective security protection.) Then, you should be
able to copy your data files.
 
Laurel

I have already tried the solution you suggested (disguising Malwarebytes) and
it showed nothing.
If I were to move the HDD to the good computer won't that risk an infection?
 
Shenan Stanley

Laurel said:
Long story short - I have a terrible virus. I cannot do a system
restore, cannot connect to the internet, most of my programs won't
open and the ones that will open won't do anything but give me an
error message. I can't even scan it to find out what is on it to try
and fix it. I plan on doing a system recovery but before I do I
need to get my photos off of it. My CD burner will not open, media
player will not open and when I tried to use a flash drive it would
not recognize it. I was going to save to floppy but files are all
too large and won't fit. I have the correct cables to connect it to
another computer but am not exactly sure how to do that and am
nervous that the nasty virus will infect the other computer as well.
If I do a system recovery will I be able to go in and somehow
locate the files and save them later? Or can I move them somewhere
that recovery won't touch them?
At this point, I just want to get my pictures off and wipe
everything out unless anyone has any other suggestions.

Boot with a BartPE/Ultimate Windows Boot CD and hook up an external USB
drive. Copy the stuff you want off the computer - leaving behind any/all
executables. Try to get your pictures, your documents, your internet
favorites/bookmarks, your product keys for various products (you might have
installed and have the product keys stored in a file), etc.

Once you have that copied - I personally would suggest making a complete
image (using something like Ghost, TrueImage, BootItNG, etc) of the
partition/drive so that if I realized I forgot to copy a file - I could open
the image later and copy just the files I need out in relative safety.

With or without that - you can then wipe the drive (I suggest Darik's Boot
And Nuke) and then install your operating system and applications fresh (and
while disconnected for as long as possible - physically - from any network.)

During that time - take the drive you copied your stuff onto to another
computer with a virus scanning application (updated) and perform a specific
scan of the drive/material you copied.
 
mc

Pick up an ULTRA cable at CompUSA or wherever, and remove the HD and
connect to a USB 2.0. I did this with Kaspersky on the good computer and got
the varmint.
mc
 
Bob Lucas

There is a fundamental difference between using an Ethernet
connection - and moving the HDD to a good computer.

You need to boot the infected computer, before you can use an
Ethernet connection. Booting the infected computer will activate
the virus (as a resident infection). There is a possibility that
the virus could infect the other computer.

On the other hand, connecting the infected drive to a host
computer (as slave or in a USB caddy) merely moves its folder and
file system. You do not need to boot from the infected drive.
You will not run any programs on the infected drive, so the virus
should remain inactive.

I don't know the nature of the infection, so I suppose there
could be a remote risk of infecting the host computer. However,
you can minimise that risk by:

a) ensuring that the host computer has good security software
and

b) not running any executable files from the infected HDD

As another respondent has said, you might even be able to use
Malwarebytes and other security software to disinfect the drive.
Run more than one security program for extra safety.
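
The advice in this thread to copy data while leaving executables behind, and not to run anything from the infected drive, can be enforced by a script instead of by eye. The following is an added example, not part of any post in this thread: it copies only files whose extension is on a photo allow-list and whose leading bytes match that type, so a program renamed to `.jpg` is skipped. The names `PHOTO_MAGIC`, `classify`, `rescue_photos` and `demo`, the allow-list itself and the sample tree are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

PHOTO_MAGIC = {  # assumed allow-list: extension -> accepted leading bytes
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".bmp": (b"BM",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify(path: Path) -> str:
    """Return 'copy' or the reason for skipping, judged by content, not name."""
    if path.is_symlink() or not path.is_file():
        return "not a regular file"
    magics = PHOTO_MAGIC.get(path.suffix.lower())
    if magics is None:
        return "extension not on allow-list"
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(b"MZ"):  # DOS/PE executable header
        return "executable header under a photo extension"
    if not head.startswith(magics):
        return "content does not match extension"
    return "copy"

def rescue_photos(src_root: Path, dst_root: Path) -> dict:
    """Copy verified photos only; files are read as bytes, never opened or run."""
    report = {}
    for path in sorted(p for p in src_root.rglob("*") if not p.is_dir()):
        rel = path.relative_to(src_root)
        verdict = report[rel.as_posix()] = classify(path)
        if verdict == "copy":
            target = dst_root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(path, target)  # file contents only, no metadata
    return report

def demo():
    # Constructed sample tree standing in for the attached old drive.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "old_drive"), Path(tmp, "rescued")
        (src / "Pictures").mkdir(parents=True)
        (src / "Pictures/beach.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 16)
        (src / "Pictures/party.jpg").write_bytes(b"MZ\x90\x00" + b"\0" * 16)
        (src / "Pictures/viewer.exe").write_bytes(b"MZ\x90\x00" + b"\0" * 16)
        (src / "autorun.inf").write_text("[autorun]\n")
        report = rescue_photos(src, dst)
        copied = sorted(p.name for p in dst.rglob("*") if p.is_file())
        return report, copied
```

A header check of this kind only rejects obvious mismatches; the copied files still need the updated antivirus scan the posters recommend.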
 
Laurel

Thanks everyone for your quick and helpful responses. I'm going to try
putting the HDD into the good computer. Hopefully I will end up with 2
working computers and not 2 dead ones and one giant headache! :)
Thanks again
-L
 
Buffalo

Laurel said:
Thanks everyone for your quick and helpful responses. I'm going to try
putting the HDD into the good computer. Hopefully I will end up with 2
working computers and not 2 dead ones and one giant headache! :)
Thanks again
-L

Remember to put it in as a Slave: you need to change the jumpers on the
infected drive to Slave.
 
Ken Blake, MVP

Remember to put it in as a Slave: you need to change the jumpers on the
infected drive to Slave.


What you say is *probably* correct if it's IDE, but not necessarily.
There are two other situations to consider:

1. Normally most computers have two IDE ports and each port can take
two drives. If he has a hard drive on one IDE port and a CD or DVD
drive on the other, then each of them is a master and if he adds the
hard drive to the cable on one of those ports, then yes, it has to be a
slave.

However, although it's unusual, it's possible that he's using only one
of his IDE ports, with both the hard drive and CD/DVD on it. If that's
so, he needs to connect the infected drive to the other port, with
another cable, and the drive needs to be set as master.

2. If the drives are connected with "Cable Select" cables, he needs to
set the jumper on the infected drive to Cable Select.
 
Buffalo

What you say is *probably* correct if it's IDE, but not necessarily.
There are two other situations to consider:

1. Normally most computers have two IDE ports and each port can take
two drives. If he has a hard drive on one IDE port and a CD or DVD
drive on the other, then each of them is a master and if he adds the
hard drive to the cable on one of those ports, then yes, it has to be a
slave.

However, although it's unusual, it's possible that he's using only one
of his IDE ports, with both the hard drive and CD/DVD on it. If that's
so, he needs to connect the infected drive to the other port, with
another cable, and the drive needs to be set as master.

2. If the drives are connected with "Cable Select" cables, he needs to
set the jumper on the infected drive to Cable Select.

Thanks for the clarification.
Perhaps you could also tell Laurel the proper way to do it with SATA.
I only have IDE on my PC.
 
Ken Blake, MVP

Thanks for the clarification.


You're welcome. Glad to help.

Perhaps you could also tell Laurel the proper way to do it with SATA.
I only have IDE on my PC.


Although my current desktop has SATA drives, I didn't build it, and I
don't pretend to be an expert on SATA. If Laurel's drive is SATA
(probably not, from my understanding of the thread), I'm sure someone
else here can do as you suggest much better than I can.
 
Patrick Keenan

Laurel said:
Long story short - I have a terrible virus. I cannot do a system restore,
cannot connect to the internet, most of my programs won't open and the ones
that will open won't do anything but give me an error message. I can't even
scan it to find out what is on it to try and fix it. I plan on doing a system
recovery but before I do I need to get my photos off of it. My CD burner will
not open, media player will not open and when I tried to use a flash drive it
would not recognize it. I was going to save to floppy but files are all too
large and won't fit. I have the correct cables to connect it to another
computer but am not exactly sure how to do that and am nervous that the nasty
virus will infect the other computer as well.
If I do a system recovery will I be able to go in and somehow locate the
files and save them later? Or can I move them somewhere that recovery won't
touch them?
At this point, I just want to get my pictures off and wipe everything out
unless anyone has any other suggestions.
Thanks so much
Laurel

Sometimes it's faster to just start over. And if the drive is really
badly compromised, it may be better to just get a new one. Where I am, a
new 250 gig drive is under $70. Remove your old one and set it aside, put
the new one in and do the new install. Set it up, install the antivirus
and get it fully updated. Now, attach the old drive, scan it, locate the
temp folders and temporary internet file folders and delete all the
contents, empty the wastebasket (those folders are the key entry points for
malware). Copy your pictures to the new drive and then disconnect the old
drive, set it aside.

This assumes that your system came with recovery *disks*, not a recovery
*partition*.

If you don't have disks, you're not in a particularly good situation, as you
*will* run into a situation where the drive will fail and you cannot restore
from the partition. At that point, you have no options but to buy a new
disk AND a new XP license. If you don't have disks now, contact the system
manufacturer and order them. There will be a small charge, and it's worth
it.

HTH
-pk
 
Patrick Keenan

Buffalo said:
Thanks for the clarification.
Perhaps you could also tell Laurel the proper way to do it with SATA.
I only have IDE on my PC.

SATA drives have no jumpers. The motherboard has a number of ports,
varying between one and four, and each port accepts one drive. You just
plug the drive in to data and power and restart the system.

If all ports are in use, use an external USB drive adapter.

HTH
-pk
 
jnez367

There are two problems to consider.

Problem 1  -  The virus infection.

Obviously, I don't know what virus has infected your computer.
However, it prevents access to the Internet, prevents you from
using a USB thumb drive, and will not allow you to open many
programs.

If you have access to a different computer that is free from any
infection, you could try the procedure at http://tech.amikelive.com/node-144/tdss-trojan-and-bediddle-adware-re....

The article describes a way of disguising Malwarebytes, to allow
Malwarebytes to remove a TDSS rootkit infection.  However, this
method might also work with other infections.

Problem 2 -  Move your photos to another computer (if you can't
remove the virus)

Provided your computer has an Ethernet networking card, you might
be able to connect it to a similarly equipped computer, using an
Ethernet crossover cable.  However, I fear the virus will
probably prevent networking.  In any case, I would be reluctant
to connect a badly infected computer to a clean computer.

It might be better to physically remove the HDD from the infected
computer.  Place it in a USB caddy and use the USB connection to
connect the caddy to an uninfected computer.  (Make sure the host
computer has effective security protection.)  Then, you should be
able to copy your data files.

Cleaned a variant of TDSS off of a relative's computer.
Problem: Associated DLLs cannot be deleted from Windows. Associated
registry entries are hidden.

Quite involved but might be worth it if all else fails.
DO AT YOUR OWN RISK. See MS Warning about playing in the registry.
Registry problems may require reinstall of Windows XP

A portion of the rootkit is installed as a non-plug and play device
in Device Manager. Boot into safe mode and remove it. You will need
to change the view in Device Manager to show hidden devices.

Boot from Windows XP CD. Select repair. Select Windows version to
repair. Probably will be only 1. Enter administrator password.

Change directory to c:\windows\system32

Do dir TDSS* -----> About six files. Can be deleted with del
command.

Change Directory to drivers

dir TDSS* 1 file may be present. Delete it.

Reboot into safe mode.

regedt32 ------> Search for TDSS.

Lots of entries. Delete them.

Reboot Normally

This unblocked access to AV sites. Update antivirus software and
scan. Other malware will likely be present.
 
