
bamboozling laptop problem

Posted: Mon Mar 09, 2009 1:33 pm
by Melissa
Can anyone work this out?? I know there's some geeks here too as well as me who might know a few tricks

If after Thursday I still don't have an answer I'll hopefully ask Chantelle who after this morning has gone for minor surgery. Not to say she will know the answer either but it's bamboozled me!!!

Okay boss has given me his son's Dell D610 laptop..

It's in a bad way but not the hardware.. he has got a bad virus and/or messed up his OS.. I need to get his files off .. (I know what it is I need to keep, it's a case of doing it).. so that's the basics, get the data off and then I can wipe it... sounds easy BUT there are a few problems

1) CD drive won't install any software
2) cannot plug in USB devices, they are disabled
3) LAN doesn't work so cannot get any IP address from DHCP to do anything
4) cannot seem to run any software on it in the way of Spybot or his antivirus even in safe mode logged in as local administrator.
5) cannot repair Windows OS

Now a few things I do know

2 + 3 are down to RPC and Plug n Play services unable to start, they fail. 1: CD drive works fine.. I swapped the HDD out in another machine and the problem follows the hard drive build. (We have a spare redundant D610 here for presentations)
The virus I can see regenerates, I kill it and it returns.

Anyone think of a way to get the data off the laptop without spending money?

Posted: Mon Mar 09, 2009 10:28 pm
by jawfin
You can simply do it with spending just a little bit of money :( by getting a USB to laptop HDD connector and making it an external drive on another computer.

I realize you have thought of that, but it is the cleanest, fastest and easiest solution that I can think of.

Posted: Mon Mar 09, 2009 11:08 pm
by Phoenix
Tried booting it into a live distro of Linux on a CD? Bypass Windows completely. That should solve the majority of the issues. At least enough so you are able to use a flash drive to take off the important data.

I have to admit tho, that is one hell of a virus. I very much doubt that it's a single virus causing all those issues.

Posted: Tue Mar 10, 2009 1:06 am
by Grimm
pho's idea sounds best. however, even tho i don't have much experience with linux, what i did notice during my short time with ubuntu is that it did not recognize and could not interact with my ntfs partitions. therefore i couldn't swap any files between my windows partition and linux. if linux is on a cd however, it might be able to interact, idk i've never tried.

if that doesn't work, u can probably get a version of pocket windows to boot too. torrent is ur best friend for that. there's even versions that can be booted from a usb drive if u have the right software.

Posted: Tue Mar 10, 2009 2:24 am
by Taipan
Hey Mel

i deal with virus clean-ups all the time at work,
my suggestion is, go and get that IDE/SATA - USB adapter

and download these tools

MalwareBytes Anti-Malware
http://www.malwarebytes.org/mbam.php

Super anti spyware
http://www.superantispyware.com/?tag=GO ... NTISPYWARE

Advanced System Care
http://www.iobit.com/advancedwindowscar ... r=download

install them on ur pc, and make sure u have an anti virus program with a resident shield (I suggest AVG 8.0 free)

Update and run all the tools,

then after that put the hard drive back in the laptop and see if you can boot up in safe mode.

then run all the scans again.

and if u need to, try and find an OEM disk of your Windows OS

and do a Repair install, NOT a clean install,

if those don't work, send me a pm or contact me on msn

hope this Helps
Tai

Posted: Tue Mar 10, 2009 8:39 am
by Melissa
Cheers for the replies..

Okay the position is this is not my laptop, it's the big boss at work..

He has just thrown it at me because I'm the IT person hoping I can help him.. So neither I nor the company will be parting with money unfortunately. I had suggested a USB adapter for an external PC to take the data.

Grimm is regrettably right.. from what I used to have Linux didn't interact with NTFS..

Taipan - I think you misunderstood.. the USB / IDE idea would allow me to use a CADDÉ to extract on a 3rd party, not to install tools.. he has tools on there, AVG etc, but they are ineffective and practically disabled.. I managed to drag Spybot on it from a CD. That doesn't work though

Also Taipan as I said the repair didn't work, it fails..

I have a company volume licence media which I can use, I have all this available to me.

However I have reservations.. something as bad as this, should I really plug this into our network and use company resources to fix this? If I am responsible for the network.

To be honest I think he has to buy the adapter.. although I begrudge plugging anything as infected as that into our network, when it's my job to keep that out. I am almost in the position of saying wipe it or pay for the kit.

This is a good one isn't it lol

Posted: Tue Mar 10, 2009 1:46 pm
by Taipan
lol i didn't misread mel

ur meant to install those tools on the remote computer, and run them on the drive u slaved up,

but if ur saying it's rebuilding then it probably has a prefetch file or is scattering itself over the file system (more likely a prefetch),

but chances are it's multiple viruses/malware/spyware

if ur having problems with permissions try Dial a Fix

http://www.softpedia.com/get/System/Sys ... -fix.shtml

it removes most permission problems,

and by the sounds of it, you might have a rootkit virus

and i really hate removing those, it took me quite a few hours to remove it

but i think the only way you are going to get this fixed is slave up the infected drive, u don't even need that adapter (tho it makes it a hell of a lot easier), just need to be able to plug it straight into another pc, so long as you don't file share the other pc shouldn't get infected.

oh and if you can get the OS up and running, run a defrag through it with the resident shield running, and it will pick up any remaining little buggers

Posted: Tue Mar 10, 2009 2:26 pm
by Melissa
The infected PC boots up no problem.. just it's castrated from any use..

Yep already thought of the slave option.. was my first idea but it didn't happen, I'll explain why

Unfortunately we all now have slim form factor PCs.. only option I can see is a DC which is also a GC.

Installing 3rd party software on a DC is a no go, let alone sticking a ropey HDD in. Plus the DC runs Exchange, I cannot just take Exchange off.

They are good ideas Taipan but I am sure you appreciate I am not just sticking or working with ANOTHER PC around me..

Software will need to be licenced also.

There are no NTFS permissions set I can access the files on the local machine and I have checked the ACLs on NTFS security permissions.. Plus of course if I copy NTFS to another location as long as the partition/ physical area is different, the newly created files will inherit the parent or root permissions of the new location.

I spoke to Chantelle (sister), she is too bamboozled by this, she is recovering from a minor op yesterday as well so didn't want to quiz her too much. She suggested a lot of what's been covered. She has texted me saying she has two ideas, both risky though.. I'll speak to her soon, see what she suggests.. with risk. I don't like the sound of risk.

Posted: Tue Mar 10, 2009 3:31 pm
by Melissa
Her first idea does not appear to be working yet.. maybe I am not doing enough or it right yet..

I have to back check all service dependencies and try to figure out where they are failing in order to push PnP and RPC Locator.

I have about 15 things to go through and try reg hack.. I basically in her words have to hit the registry and blitz it.

Doing this in safe mode and trying to push the services in.. recreated a login profile..

It's a good idea but it's yet to succeed.

Even she is baffled

But she says she has one idea but it's very ropey.. I don't like the sound of it tbh

Posted: Tue Mar 10, 2009 4:56 pm
by Phoenix
You can access the majority of filesystems on Linux. You just have to mount the volume. Although because you're running a live CD, I don't know whether you'd be able to. Should be worth a go though. There are various guides online about how to mount FAT partitions - Google is your friend ;)

Pho~

Posted: Tue Mar 10, 2009 10:07 pm
by Melissa
You said FAT partitions though? does that mean you haven't seen any on NTFS?

I know I could have googled.
But for now at least it's too late

I gave it to Chantié to look at..

To be honest I kind of want her to fail lol..

I know she's a lot more know how and a lot more street wise in the tricks and spills etc than me.
I didn't dedicate 2 days, don't get me wrong, but I spent hours trying to figure this out and another forum. Mind you her having a go at it herself gives her the best chance I suppose.

Although she is off work for a few days should give her something to do tomorrow!!

Posted: Tue Mar 10, 2009 11:05 pm
by Phoenix
Melissa wrote: You said FAT partitions though? does that mean you haven't seen any on NTFS?
You can access the majority of filesystems on Linux. You just have to mount the volume.
Sorry I used FAT as an example - it works the same way for NTFS. I've only ever had to mount partitions a couple of times and that's been Linux installed on a partition on the HDD, or on the RAM. It's worked for me in both cases - although I've never tried it with a live CD. So as I said before, I'm not too sure as to whether it would work.

Either way, I'm sure Chan can figure it out.

Pho~

Posted: Tue Mar 10, 2009 11:08 pm
by Melissa
Yeah well thanks anyway, maybe she would do that.. She does have copies of it, she gave it to me on a PC I was given by her a few years ago.. although I admit after 6 months I got fed up with it..

Thing is she used to work where I do. Well she left her post and I started as a Junior. So she knows the person it's for..

Posted: Tue Mar 10, 2009 11:51 pm
by Grimm
my guess is this thing is a trojan that opened the computer up for a worm. that's what happened to me and it shut down my firewall, shut off my antivirus and forced the internet connection to close if i tried to update the antivirus. it moved right in on the network and started sending spam, so i would highly recommend keeping this thing off any network, especially an important business one.

luckily when i ran the virus scan in safemode, it caught most of it and removed it. rebooted, scanned a few more times and it cleaned it fully, but this easy solution doesn't seem like it's gonna work.

i would say try partitioning the drive with some sort of bootable partitioning software, then putting linux on that partition. that gives u a nice stable environment to be able to mount the other partition like pho says. then from there....u know the rest, it gets simple from there

however, i don't know if u explained whether or not ur able to partition the drive, so i'm sorry if u mentioned that and i didn't catch it.

give my best to chan, i hope she feels better.

Posted: Wed Mar 11, 2009 12:16 am
by jawfin
I'd actually go with Tai here. Sounds like a rootkit.

Without trying to offend but this does sound a bit like false economy. A laptop HDD -> USB converter is very cheap, and already you have spent two full days on it, and preparing to spend even more time.

Also, I wouldn't recommend hooking it into the work's network as an external drive anyway - just an old stand-alone box that is up-to-date with virus defs and has its autorun disabled !!
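
[Added example, not part of any poster's message and not code from the thread.] For the approach the replies above keep returning to (attach the infected drive to a stand-alone box and pull only the data off), this Python script copies files by an extension allowlist, leaves executables, autorun.inf and symlinks behind, and records a SHA-256 manifest of what was copied. The allowlist, the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: file types treated as "data worth rescuing"; adjust per case.
DATA_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".png", ".mp3"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def rescue(src_root, dst_root):
    """Copy allowlisted data files; return ({relpath: sha256}, skipped relpaths)."""
    src_root, dst_root = Path(src_root), Path(dst_root)
    manifest, skipped = {}, []
    for dirpath, _dirs, files in os.walk(src_root):  # does not follow symlinks
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(src_root).as_posix()
            # Only the final extension counts, so "invoice.pdf.exe" is refused.
            if path.is_symlink() or path.suffix.lower() not in DATA_EXTS:
                skipped.append(rel)
                continue
            target = dst_root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(path, target)  # contents only, no metadata
            manifest[rel] = sha256_of(target)
    return manifest, sorted(skipped)

def demo():
    """Run rescue() over a constructed sample tree (not data from the thread)."""
    sample = {
        "Documents/report.doc": b"quarterly report",
        "Documents/Photos/holiday.JPG": b"\xff\xd8 fake jpeg bytes",
        "Documents/invoice.pdf.exe": b"MZ fake dropper",
        "autorun.inf": b"[autorun]\nopen=setup.exe\n",
        "WINDOWS/system32/helper.dll": b"MZ fake dll",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "infected"), Path(tmp, "rescued")
        for rel, data in sample.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest, skipped = rescue(src, dst)
        copied = sorted(p.relative_to(dst).as_posix() for p in dst.rglob("*") if p.is_file())
    return manifest, skipped, copied

if __name__ == "__main__":
    print(demo())
```

The skipped list is worth keeping with the manifest: it shows what stayed on the infected disk before it is wiped, and rescued documents should still be scanned before they are opened.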

Posted: Wed Mar 11, 2009 7:24 am
by Melissa
Thanks

But again it's the wrong end of the stick

It's not my laptop.. not my money.. Had it been me I would have done that straight away. I had not spent two solid days either, it was a start something and leave it to run jobby, but over the two days I probably spent several hours on it.
I also refused to link into the DC. I kept it off the server entirely save testing the Ethernet.

Grimm as I said RPC locator service disabled, no LAN or anything works locally

I don't have the laptop anyway..

Posted: Wed Mar 11, 2009 9:41 pm
by Chantelle
I managed to find an answer..

In fairness it's one of those give me the laptop and I'll have a go.

Only took an hour or two in the end.. Basically after I had a dig at the registry, which regrettably had to be done, the removal tools such as suggested do not seem as effective when you're dealing with this..

Anyway I hacked that away, it was partially better but I found I was fighting a lost cause..

Basically I purposely broke the OS, then used the media to intentionally remove the system folders and reinstall a new copy on top of the existing partition.

An AD-HOC way of doing it but it was enough to stick a flash passport in. She can now flaw it clean and do as she/he wants.

Had that not worked I would have just taken it to work next week when I am back .. I have a USB adaptor there.

I have actually made a suggestion to her to do which I make to others also..

If this is your personal computer, always no harm in making your OS partition separate.. you can structure better and you can wipe the OS and maintain your data

IMPORTANT - if you're doing this do NOT start converting disk drives from basic to dynamic.. unless you're looking at software RAID. I know someone who did this not realising it was a one way process.

Posted: Thu Mar 12, 2009 2:04 am
by Grimm
i was thinking of converting my disk to a dynamic disk when i first learned about them in case i wanted the option of doing a raid platform (well that was in my old desktop that had two drives, not my laptop)

what are the advantages and disadvantages of doing so? it seems like it's no different than a simple drive except the fact that it can do raid.

Posted: Thu Mar 12, 2009 7:50 am
by jawfin
Dynamic disk, once it crashes you lose everything without much hope of recovery (in my experience)

I will never use dynamic again, if i need that kind of data security and data redundancy and auto backups i'll go with a hardware solution

I'm sure I'll be corrected, not my field of expertise, but they have given nothing but pain

Posted: Thu Mar 12, 2009 8:13 am
by Chantelle
Grimm wrote: i was thinking of converting my disk to a dynamic disk when i first learned about them in case i wanted the option of doing a raid platform (well that was in my old desktop that had two drives, not my laptop)

what are the advantages and disadvantages of doing so? it seems like it's no different than a simple drive except the fact that it can do raid.
Dynamic volumes can have the data striped, spanned, mirrored and RAID 5

In dynamic it becomes a volume not a disc because a volume can be on multiple disks.. In other words you can have a partition with all your music and games on which you might make the volume G: It appears as a single volume, when in reality it is maybe 4 physical drives. Of course if a single drive in that goes you lose your entire volume.. You can however set all this up within Windows and not even have to restart.

There is some advantage in that you can hot swap a failed drive and repair a mirror or RAID 5 without taking a system down..

That said hardware raid systems for SAN and servers are better these days to regenerate when hot swapped.

Posted: Thu Mar 12, 2009 12:57 pm
by Melissa
Jawfin wrote: Dynamic disk, once it crashes you lose everything without much hope of recovery (in my experience)

I will never use dynamic again, if i need that kind of data security and data redundancy and auto backups i'll go with a hardware solution

I'm sure I'll be corrected, not my field of expertise, but they have given nothing but pain
What configuration did you choose? If you choose a redundancy type it doesn't lose everything.. That's only on a striped or spanned if my memory serves from my MCP book!

I guess it's the same as on hardware RAID.. If you 0 RAID on your board utility and stripe it.. a disk goes, you're still screwed.

Posted: Thu Mar 12, 2009 12:58 pm
by Melissa
Additionally thanks for everyone's advice.. I think Chantelle having the luxury of being at the laptop allowed her to give it a good go over.

Posted: Thu Mar 12, 2009 4:47 pm
by Chantelle
Basically yes. It's a cheaper way of doing it without having the hardware.. but it's less effective.

Anyway have you wiped the notebook now? Given them a clean secure system back

Posted: Thu Mar 12, 2009 8:43 pm
by jawfin
Melissa wrote:
Jawfin wrote: Dynamic disk, once it crashes you lose everything without much hope of recovery (in my experience)

I will never use dynamic again, if i need that kind of data security and data redundancy and auto backups i'll go with a hardware solution

I'm sure I'll be corrected, not my field of expertise, but they have given nothing but pain
What configuration did you choose? If you choose a redundancy type it doesn't lose everything.. That's only on a striped or spanned if my memory serves from my MCP book!

I guess it's the same as on hardware RAID.. If you 0 RAID on your board utility and stripe it.. a disk goes, you're still screwed.
I don't really understand these finer points - that's why I use hardware technicians >.<
I had converted my partition from Basic to Dynamic in Disk Management in the Computer Management
But all I recall is a few days later the whole partition just went missing (I think my PC lost power which may have caused it), and my favorite recovery programs couldn't find it (I use Easy Recovery Pro most of the time) or any of my files on it. So I avoid anything I can't fix myself :P

Posted: Thu Mar 12, 2009 9:24 pm
by Melissa
Kroll Ontrack, had to use them at work once or twice. Expensive but needed

Hardware technicians? lol never heard of that role before! Do they literally just cover the insides? Over here, if you "primarily" administer the network and servers and support the users.. you're expected to know all about the hardware.

As for the disk.. If you had a straightforward single disk converted to DD.. Chances are it made little difference. Power loss etc wouldn't have made a difference.. likely coincidence. The risk of "some" dynamic disk configurations is the same as a RAID 0, where one disk goes you lose the volume.