Virus disabled Windows - Need to get files off hard drive

by masb_01 / January 4, 2006 11:25 AM PST

I am running Windows XP Pro on a Dell Dimension 4500 and suffered a spyware/virus attack. We have Norton Antivirus protection but it was disabled. (?!?) On the surface it appeared to be a spyware attack but behind the scenes, a Trojan dialer was taking over the phone line. The only alert was an added toolbar in IE that directed us to Stopzilla Anti-Spyware software. I ran Spybot and cleaned up many files but as I started to load Norton Antivirus, it crashed and something strange happened to the operating system. I can log on and see my desktop but all the icons (except IE) were replaced by a generic Windows page icon AND NOTHING RUNS (except IE). Windows is not recognizing EXE files but I can use the internet, cut, paste and print. Some programs, such as ewido (which identified the Trojan viruses), Spy Sweeper and HiJackThis, do work (magically?). They each identified and claimed to remove many malicious files but Windows is still not working. I would reinstall Windows but have some files (without backups) I'd really like to keep and none of the programs which copy from the hard drive will function (Windows Explorer, My Computer & Roxio). The files are all still there and I can view some of the directory but can't copy or move files. Any suggestions?

Seeing as you have a copy of
by roddy32 / January 4, 2006 12:04 PM PST

Thanks
by masb_01 / January 4, 2006 10:49 PM PST

The log is posted. We'll see what comes of it.

(NT) Good luck, Keep us posted.
by roddy32 / January 4, 2006 10:51 PM PST
In reply to: Thanks

Thanks to ALL!
by masb_01 / January 6, 2006 10:32 AM PST

My problem has been resolved but not by me. Jim at my local Computer Depot performed a successful repair install of the OS, then went through the arduous task of finding and removing 11 viruses, 14 trojans, and 1800 spyware objects. Fortunately, he also gave me some advice on how to reduce the possibility of this happening again. Hard as it may have been, this was a great lesson for me. Thanks for your insights.

(NT) Glad you got it fixed, Thanks for posting back.
by roddy32 / January 6, 2006 10:42 AM PST
In reply to: Thanks to ALL!

Masb, Please Try This...
by Grif Thomas Forum moderator / January 4, 2006 12:07 PM PST

Download the Fixswen.inf file from the McAfee link below. The link is a direct link to the file and should cause your download dialogue window to open. Direct the file to your desktop. Once it's on the desktop, RIGHT click on the file, choose "Install". Running the file should cause the registry entries that botched your programs to be fixed and hopefully allow you to start them again.

http://download.nai.com/products/mcafee-avert/Fixswen.inf

Hope this helps.

Grif

Thanks
by masb_01 / January 4, 2006 10:50 PM PST

I did try to get this to run but windows won't do it.

To copy your files it depends on..
by Melati Hitam / January 4, 2006 1:07 PM PST

WHERE the files are located or belong to... - which username, what folder, etc.

IF, let's say, it's in the shared documents folder, you can easily copy it by removing your HD and making it a slave drive on another computer.

If you ever 'made private' the username folder, then you cannot use the above method; you might need a KNOPPIX CD to do it.

Thanks
by masb_01 / January 4, 2006 10:51 PM PST

I think I am going to have to remove the HD to get the files off.

Father's computer
by forkboy1965 / January 8, 2006 10:57 PM PST
In reply to: Thanks

My father's computer suffered a similar calamity last year. In the end I took rather draconian measures, but they worked: installed his OS (Win XP Pro) a second time and not over the original. Booted the machine with the second install OS and saved all his files. I then wiped clean the hard drive and re-installed Win XP. Again, lots of work, but I was able to do it without paying for help and it was only time consuming, not technically challenging.

HOWEVER, one should note that there is a warning somewhere in either the install process of the OS or at Microsoft's website that files saved in the My Documents folder can be lost (not "will" be lost, but "can" be lost) if one is forced to re-install their OS (if they don't first format their hard drive, which erases those files anyway). I strongly recommend either partitioning your hard drive (only recommended if you do a clean start - format hard drive and reinstall everything) so that you might save files on a "D" drive or, at the very least, do not use the My Documents folder (and subsequent folders) for saving files. Create a separate folder that isn't tied to Windows directly.

What did the .exe's change to?
by NWRCS / January 4, 2006 2:00 PM PST

I had something similar happen not too long ago.
Dang near every .exe file changed to a .lnf file (I think that's what it was).

I had a MS Certified Software Engineer come by and work with me, here's what we think happened:

I have all the goodies, SpyBot, SpywareBlaster, MS Anti-Spyware, AVG, AdAware, and the constant running add-on, AdWatch.

I had an AVG update.
I am quite concerned about security, as I've been hijacked several times, and now know pretty much what to do to prevent it.

The AdWatch started throwing up "attempted Registry changes", allow or block?

There had to be 30 of them (I was able to save a logfile, still have it somewhere) and only one mentioned AVG.
Well, when your adrenaline is pumping, thinking some yay-who is trying to grab your system, you hit "block, block, block, block".

Almost every other change is fully identified by name of program (symantec, when I had it, lavasoft, MS ASW, etc) but not these ones.

Apparently, the update changed my registry, or tried to, but it deleted stuff first, or was in the process.

We tried everything, couldn't even get regedit.
Safe-mode, nada.
After 6 hours of me and 2 more with him, we decided to re-boot and ACCEPT all the registry mods (couldn't lose anything at that point), and it's been perfect ever since.

So, I ain't no ex-spurt, but can you tell me what it changed the .exe's to and what program had just run before this happened?

TOC

Thanks
by masb_01 / January 4, 2006 10:54 PM PST

The EXE files did not get altered, they just are not recognized by the OS. I was trying to install Norton Antivirus when the OS changed. That may just be coincidence.

(NT) Notify Your Phone Co. To Block Charges!! CheckDisk ??
by tobeach / January 4, 2006 3:48 PM PST

Thanks
by masb_01 / January 4, 2006 10:47 PM PST

We did manage to disconnect the phone line after only 1 unauthorized call and the phone co. very nicely removed it from our account.

What might be easier...
by bulldogzerofive / January 4, 2006 10:05 PM PST

... is (using a clean machine) to go to a website that offers bootable CD based OS's for download (like knopper.net or ubuntu.org) and download an image and burn it to a CD (not forgetting to make it bootable).

Then, on your infected machine, you can boot a safe operating system from the CDROM. Copy the files you want or need to another media (USB drive, floppy disk, etc).

Then, use your windows CDs to totally re-format the drive and re-install windows, install and configure your AV software and firewall, then connect to the internet and download all available updates. Then you should be ready to go.

As arduous as this sounds, I am willing to bet that you will get a working system faster this way than with any kind of clean up. It is also safer since that malware might have opened a backdoor on your system that the virus/spyware/adware repair people are not aware of, leaving you open in the future.

Just a thought
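
The copy step from the live-CD approach in the post above, as an added example that is not part of the original thread. It assumes the Windows partition is already mounted read-only; the function names `salvage` and `verify`, the mount point and the skip list are constructed for illustration. Data files are copied with a SHA-256 manifest, and file types that can carry code are left behind and listed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Windows partition was already
# mounted read-only from the live CD, e.g. (device name is a placeholder):
#   mount -o ro /dev/<windows-partition> /mnt/win

# Extensions left behind because they can carry code (constructed list).
SKIP_EXT="exe com scr pif bat cmd dll sys vbs js lnk inf"

# is_skipped PATH: succeed if PATH has one of the skipped extensions.
is_skipped() {
    name=${1##*/}
    case $name in *.*) ;; *) return 1 ;; esac          # no extension: keep
    ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')  # FILE.EXE -> exe
    for s in $SKIP_EXT; do
        [ "$ext" = "$s" ] && return 0
    done
    return 1
}

# salvage SRC DEST: copy data files to DEST/files, record SHA-256 hashes in
# DEST/MANIFEST.sha256 and the files left behind in DEST/SKIPPED.txt.
salvage() {
    src=${1%/}; dest=${2%/}
    mkdir -p "$dest/files" || return 1
    : > "$dest/MANIFEST.sha256"; : > "$dest/SKIPPED.txt"
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_skipped "$f"; then
            printf '%s\n' "$rel" >> "$dest/SKIPPED.txt"
            continue
        fi
        mkdir -p "$dest/files/$(dirname "$rel")"
        cp -p "$f" "$dest/files/$rel" || continue
        (cd "$dest/files" && sha256sum "$rel") >> "$dest/MANIFEST.sha256"
    done
}

# verify DEST: re-hash every copied file and compare with the manifest.
verify() {
    (cd "${1%/}/files" && sha256sum -c ../MANIFEST.sha256 >/dev/null)
}
```

Run `verify` again after moving the rescue folder to the clean machine, and scan that folder with anti-virus tools before opening anything in it.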

Thanks.
by masb_01 / January 4, 2006 10:56 PM PST

I am well into arduous now so a little more won't matter.

Win-DOS errorlevels
by LLLActive / January 8, 2006 5:05 PM PST

Do you know the 5 Win-DOS errorlevels?

1. Restart Program
2. Restart/Reboot Windows or press reset button
3. Re-Install programme that 'acts up'
4. Re-Install Windows
5. If all else fails, install Linux for a new life experience

:)

LLLActive, do you think if you install
by Melati Hitam / January 8, 2006 5:37 PM PST
In reply to: Win-DOS errorlevels

Linux, then Windows will not have the error?

I tried your suggestion, I installed Linux, but my Windows still has an error.

How can you fix a Windows error by installing Linux?

No jokes now
by LLLActive / January 8, 2006 5:37 PM PST
In reply to: Win-DOS errorlevels

Jokes aside.

I used and am indirectly using Win in all versions since its existence. About a year ago I changed all my servers and my personal workstations to Linux. After a small learning curve, I am on the same level with Linux now. I still service a small team of Win XP & 2K users.

I have never needed or installed any of the protective software for virus and trojan threats. I also never had such problems since using Linux in the internet or elsewhere.

Playing with Linux cluster servers and the like is not as easy as with some Win products, but it is more stable than Win-Servers. The new Novell SuSE 10.1 desktop is 'almost as good-looking' as Windows; it is worth a try. It is just as effective for normal users. OpenOffice 2 is still on its way to being as good as MSOffice 2003. Power users may still have some problems. Normal users will be able to do everything they need.

(NT) ooh.. ok... I get what you mean... thanks
by Melati Hitam / January 8, 2006 5:42 PM PST
In reply to: No jokes now

Virus Disabled Windows - Need to get the files off
by perfrog / January 8, 2006 5:31 PM PST

I had the same problem about 3 years ago. After taking my laptop all over the city and receiving estimates from 100-400 dollars to recover the files on my hard drive, I was lost on what to do. I did not want to pay that much to recover the files. Then I saw in a magazine an empty storage box for a laptop hard drive. I did some investigation and found out that by using this box I can make my laptop hard drive an external USB drive.
Now, what to do to get a second hard drive for my laptop. I found a used computer store and bought a used 5 gig hard drive for a laptop. Plugged it in and loaded my recovery disc. After my OS was working correctly, I plugged the laptop hard drive that I had taken out into the USB port and recovered all my files. Except for the OS. Total cost was 30 dollars. I also have used this remedy when someone changed the permissions for the OS files and my laptop could not boot. If you are doing this on a desktop, the idea is the same but the box will be different.

Getting rid of virus
by The Clue / January 8, 2006 6:56 PM PST

Here's the easiest way to get out viruses and other junk that I have found. If you cannot use your OS and the removal tools won't clear up your hard drive, do these few steps and it usually will work. If you have an old PC that you can use, make sure that it has all of the latest bug removal tools installed on it, then take out the infected HDD from the Dell PC, set the pins to slave, and hook it up to the old PC. Once installed in the other PC, use your virus and other tools on the slave drive. This should get rid of all or most of the infection on the HDD; if not, it will tell you the name of the infection and you can get a removal tool and use it. Even if it is still infected you should be able to access the files that you want and copy them to the other HDD. The key to this process is that no programs will run on the slave HDD and you should be able to access the files on it. Make sure that you put the files that you are copying into a folder and run your virus and other tools on the files before you open it. If the bug is still on the slave drive, now you can reformat the HDD and clean it out completely, then reinstall it into the Dell and reinstall the OS and all of the files that you wanted to save. I have had to do this before and it works. Just a thought. :)

recovery of data from infected PC
by halbreich / January 8, 2006 10:04 PM PST

You could hook your hard disc to another computer on a secondary IDE through an ATA cable. This way you rely on the 2nd computer's OS to extract your files. Then comes the arduous task of repairing whatever was damaged, which is not evident.

Dual HDD'S
by scorpious / January 9, 2006 5:27 AM PST

You might like to think about a second hard drive and use "Norton Ghost 2003" or a similar app to make an exact copy of your original, like I have done. Swapping between the two is a matter of flicking 2 switches to make one the master drive and the other the slave, and back again when it's time to update the software at whatever interval. I now have 2 200GB HDDs installed and use the original 40GB as an extra backup if ever the need arises; all that's needed is to remove one of the larger drives and install the 40GB. Also, with the 2nd drive installed you can drag any docs to any of the partitions so nothing is lost if a failure occurs.

PS: If ever a hard drive does not work due to electrical component failure, a way to recover data is to remove the actual metal disk and install it in a 2nd HDD casing that is the same model.

to get rid of all the viruses
by harley65 / January 9, 2006 7:31 AM PST

If you can get online, go to http://www.emsisoft.com/
and download a2, which is (a squared free version),
then sign up for a free account so you can update it.
It works great. Give it a try!

Also Norton is overrated and ain't worth a crap. I don't see why people buy it. As for the best virus program,
Avast free version is the best!!!!! So give these 2 a try and I believe they will get you going. Cstag60@yahoo.com send me a note and let me know how you do, OK??
