Trying to help a friend

The Incredible...
Sir Didymus
Posts: 354
Joined: December 9th, 2006, 1:12

Post by The Incredible... »

A friend of mine has gotten into a pickle trying to 'fix' another friend's laptop. Here is what he's posted on another forum, but he's not got any helpful hints yet:

Hi, a friend of mine recently asked me to look at her Windows XP Home laptop, which was running very slowly and had all sorts of pop-ups. After using the usual HijackThis etc. to clean out the spyware, I saw she hadn't updated Windows at all and wasn't running an anti-virus. The laptop was running nicely at this point, so I installed AVG and ran Windows Update. The usual 'windows needs to restart' bit popped up so obviously I did, only on rebooting there was nothing, just a black screen. I couldn't get into safe mode either; all it gave me was the "load needed dlls kernel" error. The first step to try and fix this was to run chkdsk /r /p from the Windows disc, but it got to around 25% and gave me an error message saying that the file system is too damaged. Likewise the bootfixes from the Windows disc did nothing. My next thought was that this would need a reinstall of Windows over the top of the old version to get into Windows without losing everything, but Windows does not recognise an installation on either partition (there is one main partition and another 6GB one which is the usual Packard Bell 'recovery partition'). So I can't reinstall Windows without formatting, and it turns out she doesn't have any of her work backed up, important stuff which she 'needs'. I would leave this as a lesson for her to back up, but as it was me who ran the Windows update I can't help but feel partly responsible there.

Obviously I want to try and get the data off the main partition before formatting, and I've used Knoppix a number of times on computers to do just that. However, when I boot from the CD on this laptop, the only disk that is available is the 6GB 'recovery partition' and there is no sign of the main disc within the system. I'll be honest here, my Linux knowledge is pretty pathetic; I have Ubuntu on my main PC but I rarely venture into the more technical side of things. It seems like I need to mount the other partition, but I'm unsure where to find out the name of the other partition to mount it. I thought they were meant to just appear on the desktop and then you could mount them from there, but as far as Knoppix is concerned there is no other partition, only the rescue one. The tool testdisk sounds like a possible solution, but when I try and run it I get "error loading shared libraries: libntfs.so.9: cannot open shared object file: no such file or directory". I assume this is because it is NTFS; can Knoppix not read that at all?

I've read a ridiculous amount of guides in the last few days trying to sort it out, but she needs some of the data for tomorrow and I'm really running out of ideas, so any help would be really appreciated. I have large external hard drives I can copy the data across to, but the fact that even Knoppix can't see the partition really worries me.

Thanks a lot in advance for any help or advice you can offer me!

The only thing I can think of myself is to replace the drive with a new one and stick the dodgy one in a USB enclosure and see if it can be recognised and recovered that way, but if Knoppix won't recognise the drive it seems that may not work. Any help I can pass on would be VERY much appreciated, as usual.
FatherJack
Site Owner
Posts: 9597
Joined: May 16th, 2005, 15:31
Location: Coventry, UK

Post by FatherJack »

Make a Bart CD, boot from that and wang everything off to an external drive. Then you're free to format/replace the internal drive. It does sound a little bit like the disk has failed though - which wouldn't be your mate's fault, just unlucky.

In any case, it's a useful tool to have - I usually go in with one first when I don't know what I'm dealing with and a machine is particularly fucked up with nasties.
The Incredible...
Sir Didymus
Posts: 354
Joined: December 9th, 2006, 1:12

Post by The Incredible... »

he's had a look at that, but apparently you need to run the Bart CD on the machine BEFORE it dies to create the bootable disc, and he can't get the machine to boot at all
buzzmong
Weighted Storage Cube
Posts: 7167
Joined: February 26th, 2007, 17:26
Location: Middle England, nearish Cov

Post by buzzmong »

Hmmm, drastic solution is to open up the laptop, remove the 2.5" HDD, get a converter cable (iirc it IS a smaller cable, I could be wrong however) and whack it in a normal Windows PC as a slave. You might then be able to save the data, format the drive, and do a fresh install once it's back in the lappy.

However, as you've run chkdsk /r and it's complained, you might just be able to get away with running from the XP Recovery Console command "fixmbr", which'll redo the master boot record and maybe restore enough to allow a chkdsk /r.
But I'd only do that as a last ditch after attempting a backup.
Dog Pants
Site Moderator
Posts: 21653
Joined: April 29th, 2005, 13:39
Location: Surrey, UK

Post by Dog Pants »

A quick lesson in the dangers of malware might be appropriate for your friend's friend. Doesn't help now, but at least the laptop won't be shagged again in a week's time.
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

What buzz and DP said, only probably best to do your recovery to a non-windows system, for obvious reasons.
The Incredible...
Sir Didymus
Posts: 354
Joined: December 9th, 2006, 1:12

Post by The Incredible... »

buzzmong wrote: Hmmm, drastic solution is to open up the laptop, remove the 2.5" HDD, get a converter cable (iirc it IS a smaller cable, I could be wrong however) and whack it in a normal Windows PC as a slave. You might then be able to save the data, format the drive, and do a fresh install once it's back in the lappy.

However, as you've run chkdsk /r and it's complained, you might just be able to get away with running from the XP Recovery Console command "fixmbr", which'll redo the master boot record and maybe restore enough to allow a chkdsk /r.
But I'd only do that as a last ditch after attempting a backup.
already done that, along with the fixboot commands
buzzmong
Weighted Storage Cube
Posts: 7167
Joined: February 26th, 2007, 17:26
Location: Middle England, nearish Cov

Post by buzzmong »

Removal is the way to go then, but I'd not hold much hope if fixmbr and chkdsk /r haven't worked. You may need to run some of the recommended restoration programs that are mentioned in the Useful software thread once you stick it on another PC.
FatherJack
Site Owner
Posts: 9597
Joined: May 16th, 2005, 15:31
Location: Coventry, UK

Post by FatherJack »

The Incredible... wrote: he's had a look at that, but apparently you need to run the Bart CD on the machine BEFORE it dies to create the bootable disc, and he can't get the machine to boot at all
You can make a Bart CD on another computer, it's essentially a self-contained bootable, uncorruptable copy of Windows on a CD. It runs entirely from the CD, you don't even need a working hard disk, just a machine that will get past POST (and set to boot from CD, ofc).

If it's not even getting that far, I guess you do need to get the drive out.
deject
Berk
Posts: 10353
Joined: December 7th, 2004, 17:02
Location: Oklahoma City, OK, USA

Post by deject »

sounds like the malware fuxored the partition table or something.
The Incredible...
Sir Didymus
Posts: 354
Joined: December 9th, 2006, 1:12

Post by The Incredible... »

deject wrote: sounds like the malware fuxored the partition table or something.
it was running fine after malware removal, from what he said it sounds like it was the windows update that fucked it
Hehulk
KHAAAN!
Posts: 4746
Joined: April 18th, 2005, 15:36
Location: Bummingham, England

Post by Hehulk »

After the malware was removed, but before you rebooted it by any chance?
The Incredible...
Sir Didymus
Posts: 354
Joined: December 9th, 2006, 1:12

Post by The Incredible... »

Hehulk wrote: After the malware was removed, but before you rebooted it by any chance?
My Mate wrote: After using the usual HijackThis etc. to clean out the spyware, I saw she hadn't updated Windows at all and wasn't running an anti-virus. The laptop was running nicely at this point, so I installed AVG and ran Windows Update. The usual 'windows needs to restart' bit popped up so obviously I did, only on rebooting there was nothing, just a black screen
didn't say whether he rebooted between getting rid of the spyware and doing the Windows update, and he's not around to ask at the minute so not sure, but could be
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

Unfortunately, it seems like this problem would have been best avoided by doing the job properly.

You should never fuck around with an infected machine before taking backups of important data; it's really just asking for trouble.

Depending how fucked it is, it's probably easiest to plug the HDD into another machine and use (if the computer sees it, but Windows won't mount it) getdataback to recover stuff.

If the bios won't see the drive, it's probably time to spend money on a proper recovery service.
The Incredible...
Sir Didymus
Posts: 354
Joined: December 9th, 2006, 1:12

Post by The Incredible... »

Dr. kitteny berk wrote: Unfortunately, it seems like this problem would have been best avoided by doing the job properly.

You should never fuck around with an infected machine before taking backups of important data; it's really just asking for trouble.

Depending how fucked it is, it's probably easiest to plug the HDD into another machine and use (if the computer sees it, but Windows won't mount it) getdataback to recover stuff.

If the bios won't see the drive, it's probably time to spend money on a proper recovery service.
fair enough. I guess it's just one of those things that you don't foresee a problem like that, especially not from just removing spyware and updating Windows, but I think he will learn his lesson about backing up before doing anything in the future
cheeseandham
Shambler In Drag
Posts: 780
Joined: March 16th, 2007, 20:22
Location: on the sofa

Post by cheeseandham »

The Incredible... wrote: you don't foresee a problem like that, especially not from just removing spyware and updating Windows
:lol: having seen machines trashed with just one of those (and even less) you should expect problems when making any change, particularly on a system that isn't your own!
HereComesPete
Throbbing Cupcake
Posts: 10249
Joined: February 17th, 2007, 23:05
Location: The maleboge

Post by HereComesPete »

cheeseandham wrote: :lol: having seen machines trashed with just one of those (and even less) you should expect problems when making any change, particularly on a system that isn't your own!
Especially when you do it to impress a laydee, and even more so when she really needs some work off said machine urgently. I would have been surprised if it didn't fuck up.
Dog Pants
Site Moderator
Posts: 21653
Joined: April 29th, 2005, 13:39
Location: Surrey, UK

Post by Dog Pants »

To be fair, I wouldn't have known what best policy on recovering a machine left completely defenceless was either. Even on the ECDL (which is supposed to be a European standard on computer literacy) they don't teach anything about the dangers of malware, despite my protests. Protecting isn't that difficult, to varying degrees, but recovering I expect is an entirely different matter. Who doesn't have a friend or relative who AOLs their way through the internet, picking up viruses and trojans like an AIDS virus? Aside from my mercurial advice on prevention, I personally couldn't recommend or provide a cure for a case such as this bar flattening the system.
buzzmong
Weighted Storage Cube
Posts: 7167
Joined: February 26th, 2007, 17:26
Location: Middle England, nearish Cov

Post by buzzmong »

To be fair pants, I suspect that if it's been without protection for as long as it has, removing the valuable data (and putting it into quarantine just in case) and doing a full low level format is probably the best way to go.
Dr. kitteny berk
Morbo
Posts: 19676
Joined: December 10th, 2004, 21:53

Post by Dr. kitteny berk »

buzzmong wrote: To be fair pants, I suspect that if it's been without protection for as long as it has, removing the valuable data (and putting it into quarantine just in case) and doing a full low level format is probably the best way to go.
:above: and :facepalm:

Proper format: Yes.
Low level format: not in the last 10+ years (and not in the more modern sense of a disk nuke, completely pointless)