
Retrieving Info From Infected C Drive


webgyrl


Hi All,

 

Well I had a fun weekend! :)

 

I logged off Saturday night and came back Sunday only to find myself completely locked out of my system. I would try to log in and my system would auto-log me out and no matter what mode I tried, I was hosed. I think some virus messed with my winlogon command. Anyway, I didn't want to take any chances so I had a new C drive put in and pulled the old one as I fear the registry was hacked about and I really didn't trust the drive after that.

 

OK, so I had all my programs to re-install and THOUGHT I had a full Outlook backup on my D drive... only it turns out, there was no backup, much to my dismay. I did not ask the tech guy to grab any files from my old C drive as I never keep files on C, I put them all on my secondary drive.

 

Anyhooo, long story short, my Outlook PST backup is on C somewhere and without that I have lost 5 years of emails and addresses, all my rules, notes... everything, gone!

 

Is there any SAFE way for me to get my Outlook backup off my C drive?

What would happen if I installed my old C drive into my computer in another drive bay and tried to get the Outlook backup? Could I risk infecting my PC?

 

What are my options here, if any? Data recovery is not an option as I don't feel it's worth it to just get the backup. I can re-start if necessary, tho I would love to get all that data if I can possibly do it.

 

Thanks for any suggestions you may have!

 

:)

Link to comment
Share on other sites

Do you risk infection?

 

That all depends and can be a yes and no or maybe answer. You say "I think some virus messed with my winlogon command. ", so this isn't a positive virus infection. There are thousands of types of malware, virus, or just nasty programs and they use different methods to infect or get into systems. So there is a possibility but I believe there is a larger possibility that you won't.

 

Is there any SAFE way for me to get my Outlook backup off my C drive?

 

The safest way would be to install the old drive as a slave drive and then just find and copy the backup file onto your new C drive. BUT...if the virus came from your email then you risk being infected again once you restore.

 

Without knowing for sure if you had a virus makes this difficult. Good luck.

Link to comment
Share on other sites

Hi Gentlemen!

 

Well from all the poking I did on the web it seems this was a virus, tho I didn't want to find out the hard way!

 

So as far as a slave drive... you mean like "E:".... is that what is meant by a slave drive?

 

I am going to weigh all the options to see if it's worth it to grab the backup. I don't want to risk something happening to my new drive.

 

If just a registry entry was affected would this pose a problem by just plugging in the drive?

 

I know we are hypothesizing here, but I am not quite sure what to do about digging into worms... if you know what I mean! LOL

 

Thanks!

Link to comment
Share on other sites

Do you risk infection? If in fact the drive is infected you do.

 

Your Outlook files are most likely in the Documents and Settings folder under your login name.

 

Yeah I really think it is. I had been experiencing wonkiness (browsers crashing, long page load times) and ran a scan with Spybot Search and Destroy and it found a Trojan and got rid of it. After that I shut down, never to come back again.... funny thing is Avira didn't catch it, which I found very odd!

 

Maybe it's best to let the sleeping wormie lie?

Link to comment
Share on other sites

funny thing is Avira didn't catch it, which I found very odd!

 

Why do you find that odd? Spybot, AdAware, MS Antispam, AVG, Avast, CA and all the other spyware, malware, virus programs will not protect you 100%.

 

By slave drive, yes, another drive on your machine but you would have to jumper the drive to be a slave drive and may have to change jumpers on your new drive to be a primary drive.

Link to comment
Share on other sites

Yeah I really think it is. I had been experiencing wonkiness (browsers crashing, long page load times) and ran a scan with Spybot Search and Destroy and it found a Trojan and got rid of it. After that I shut down, never to come back again.... funny thing is Avira didn't catch it, which I found very odd!

 

Maybe it's best to let the sleeping wormie lie?

 

Hi webgyrl,

 

First, my sympathies. I must commend you on your calmness over losing 5 years of data. Second, on to your problem. If I understand you correctly, you have your "old" C drive still. However, your concern is that it's infected with malware. Based on this, here's what I see for options.

 

(1) Pro's. I feel it's worth mentioning anyway. Bring in the pro's to recover the data. By "pro's" I mean someone with access to a clean room that can take the drive apart and reassemble it. I doubt this is needed in your case; however by having those sort of facilities, then it's an indicator that they make their living off data recovery. Ask for references as well.

(2) Windows. Set your "old" drive to slave and hook it up such that your "new" drive sees it as an additional drive. The new drive is running Windows (I presume) so there would be a chance that the new drive may get infected. If you have an anti-virus on the new install, one can scan the files as they get copied across.

(3) Mac. I've never done this, but in theory I don't see why it would not work. Put the old drive into an external hard drive case. Find a friend with a Mac and hook it up. Mac's used to be able to read Windows files. Copy the files you want onto a USB drive then to new install.

(4) Linux. A do-it-yourself option would be to uninstall the "new" hard drive, put back your "old" drive. Then use a Linux distro such as DSL or Knoppix to boot from a CD/DVD. Then look for your *.pst files. Your Outlook address book is *.pab if I'm not mistaken. The below link explains the steps better using Knoppix and has pictures of the process.

How to boot from Knoppix to recover files

 

In scenarios 2 and 4, you may have to set the jumpers. More information here: Jumper Information

 

I hope this helps. Good luck!

Link to comment
Share on other sites

Why do you find that odd? Spybot, AdAware, MS Antispam, AVG, Avast, CA and all the other spyware, malware, virus programs will not protect you 100%.

 

By slave drive, yes, another drive on your machine but you would have to jumper the drive to be a slave drive and may have to change jumpers on your new drive to be a primary drive.

 

Hi Bruce!

 

Yeah I guess you are right. I used to run multiple AV, Malware scanners etc., but read that this is not a good thing to do. Oh well, this happens and it just sucks.

 

I am not familiar enough with the hardware to try to attempt this. I think I'll just be thankful most of my files were on my other drive and rebuild my contacts. It does suck, but I am too afraid to try to rescue my other data, especially since it might be infected.

Edited by webgyrl
Link to comment
Share on other sites

Hi Mhinton:

 

Yeah well you know I did actually burst into tears when it initially happened. But then I realized that it was most likely my own damn fault for not scanning something manually. I had downloaded a file from the web w/o a manual scan. I was just tired and this laziness cost me.

 

I do have the drive here, so I could get someone to look at it. I called Geek Squad and they said data recovery started at $250.00 which I thought was a bit ridiculous. But hey, it's what it is. I would do that if it was an entire drive of data, but for just a PST file to be retrieved I am not sure I want to pay that much.

 

As I said to Bruce, I am not super comfortable working with hardware. I've installed a drive before with a few little hiccups and I can install RAM, but this other stuff seems a bit out of my realm of comfort.

 

I have Windows XP Home and yes the new drive C is running that.

 

To be honest the guts of a computer put a little fear into me! LOL And I really am afraid of getting infected. I just spent 4 days re-configuring my system and installing all my crap and really don't want to have to do that again or risk another infected drive.

 

Do you, or does anyone know how I can make a boot disc or rescue if I don't have a floppy drive installed on my system?

 

Thanks for all the suggestions everyone!

Link to comment
Share on other sites

Do you, or does anyone know how I can make a boot disc or rescue if I don't have a floppy drive installed on my system?

 

http://bootdisk.com/

 

Look under the section on bootable CD

 

I've installed a drive before with a few little hiccups and I can install RAM, but this other stuff seems a bit out of my realm of comfort.

 

If you have installed a drive that's all you need to know. It's simple actually, the hardest part is making sure the drive's settings are set correctly. On the back where the cables and power cord go is a little box with dual pins side by side, usually a row of 4. They will have a little sleeve or "jumper" over a set of pins and this placement determines the setting for the drive.

 

When the drive is installed it will assign a new drive letter and you can copy your file. Once done just remove the drive.

 

See if this helps.

h_tp://www.helpwithpcs.com/upgrading/install-hard-drive.htm#install-new-hard-drive

Link to comment
Share on other sites

Webgyrl - do you have a CD or DVD burner installed?

 

Madman had a good suggestion. Alternately, buy a USB external floppy drive. Then tell your computer to boot off that.

 

Madman - I corrected your link:

http://www.helpwithpcs.com/upgrading/insta...-new-hard-drive

 

That link describes what's called an IDE drive. You may have a SATA. Instead of that grey cable, it'll be not nearly as wide. Same principle.

Link to comment
Share on other sites

No matter what she does while trying to copy data off that drive, external enclosure, slaving it to her C drive will run that risk. It really depends on where that infection is. If it came in an email then she runs the risk when she goes back to that message. If it is sitting in the temp files on that old drive or in the system32 folder it is less likely as those areas shouldn't be touched if she is only copying data from the Outlook folder on the slaved drive.

Link to comment
Share on other sites
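
Options (2) and (4) above, together with the point that only the Outlook data files should be copied off the old drive, can be scripted so that nothing else on that drive is opened. This is an added example, not part of the original thread: it assumes Python 3 on the rescue system and an already-mounted old drive (read-only where possible), and the names `classify` and `rescue` are illustrative.

```python
import hashlib
import os
import shutil

# MS-PST header: bytes 0-3 are "!BDN"; bytes 8-9 name the client:
# "SM" for a PST message store, "BA" for a PAB address book.
MAGIC = b"!BDN"
CLIENTS = {b"SM": "pst", b"BA": "pab"}

def classify(path):
    """Return 'pst' or 'pab' if the header matches, else None (reads 10 bytes)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(10)
    except OSError:
        return None  # unreadable (bad sector, permissions): do not copy
    if len(head) < 10 or head[:4] != MAGIC:
        return None
    return CLIENTS.get(head[8:10])

def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def rescue(old_root, dest_dir):
    """Copy header-verified Outlook data files; return (copied, rejected)."""
    os.makedirs(dest_dir, exist_ok=True)
    copied, rejected = [], []
    for folder, _dirs, files in os.walk(old_root, followlinks=False):
        for name in files:
            if not name.lower().endswith((".pst", ".pab")):
                continue  # executables, temp files, system32 are never read
            src = os.path.join(folder, name)
            if os.path.islink(src) or classify(src) is None:
                rejected.append(src)  # right extension, wrong content
                continue
            dest = os.path.join(dest_dir, f"{len(copied):03d}_{name}")
            shutil.copyfile(src, dest)  # file contents only, no metadata
            copied.append((src, dest, sha256_of(dest)))
    return copied, rejected

if __name__ == "__main__":
    import sys
    done, skipped = rescue(sys.argv[1], sys.argv[2])  # old drive root, rescue folder
    print("copied:", *done, "rejected:", *skipped, sep="\n")
```

A header match only shows that the file is an Outlook data file; messages and attachments inside it can still carry whatever arrived by email, so scan the copy with the anti-virus on the new install before opening it in Outlook.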

Hi again!

 

Sorry it's taken me a few days to get back...

 

Here is exactly what happened that caused me to get a new drive:

 

My system was behaving very funkily for a few weeks:

browser crashes galore

slow system performance

general wonkiness

 

I scanned with Avira and it was clean

I shut down and then logged back on

I downloaded Spybot Search and Destroy and enabled teatimer and some other IE helper

I ran a scan and it detected a Trojan virus (the name escapes me, I know, I should have written it down.... sorry!)

I had SSD fix it

I went on my merry way

I started to get some windows memory warnings and I had read that the teatimer could affect performance

I went into SSD and unchecked the teatimer and the IE helper

Finished my work that night

Shut down my system

Came back and could not log in

 

 

Now what's interesting is my boyfriend had downloaded SSD when I did, tho he pays much more attention to those pop up messages and he said he noticed something to do with the winlogon (winlogin?) and some registry change. We think that either me deleting that Trojan is what hosed me or me disabling the teatimer function then did something to the winlogon value in the registry which locked me out. I could not access via any safe mode.

 

I would turn the computer on, get to the welcome page, punch in my password to log on and it would just say "logging off" and leave me at the welcome page ready to try another "log on".

 

I found several articles dealing with this problem:

http://www.google.com/search?q=xp+logs+in+...lient=firefox-a

 

I didn't feel comfortable at all messing with the registry and I really didn't want to pay to have someone fiddle around, so the best option was to trash the drive and get a new one. So the thing was I THOUGHT I had that PST backup on my E drive, so I just opted to remove the C drive as it was very small (40GB, SATA) anyway, and I upgraded to a 160GB IDE drive.

 

Of course now I am so mad about the backup and have lost everything in Outlook. BUT I really don't want to mess up the clean system I have now so if it's going to cause me problems, I'll just realize a hard lesson learned. Thankfully all my other data and files were backed up, it's just Outlook that was hosed forever.

 

So I am not sure how I got the Trojan, or if this even was the Trojan that caused the problem. From what I am reading clearly the winlogin value got changed, but I have no idea if this was caused by my disabling Teatimer in SSD or if it was via the Trojan being deleted and wreaking havoc on me for deleting it!

To answer your questions:

mhinton: yes, I have a CD/DVD dual layer drive installed

 

I am thinking at this point it's best to let sleeping dogs lie. I have called everyone close to me to get their info again and luckily I did have close family and friends info in my Gmail. I have lost tons of other contacts though, but I figure if they really care, they'll email me again.

 

And perhaps this is a lesson in not hoarding data! LOL My PST file was a Gig or so big! LOL

Link to comment
Share on other sites
