VIRUS has formatted hard drive

[dkny1221]

i had a bad virus attack on 19/11/2011 and it formatted my hard drive but for some strange reason took all of my files but left notepad files ive used a program to find some system restore files and there from before the 19/11/2011 and there on my usb drive and don't know what to do with them in case i damage my computer more ive lost over 200GB of files what would be my next steps to recover all of my files as ive used one certain program called undo delete and it saying that the all the files are still there ive not done anything else since then

 

[emaraszek]

You can still boot into windows, right?

If it were me, I'd make an image backup of the infected hard drive and then try using the undo delete software. Then if it recovers what you're looking for, save those files on an external hard drive and attempt a system restore by booting off the Windows 7 installation disc.

That way, if the undo delete process fails or messes something up, you can restore the image as it is right now and try something else. Otherwise, if it does work you'll have the files you want extracted and can safely attempt to restore the machine without worrying about losing your data. If the restore doesn't work properly you can do a clean install; you'll have to reinstall all of your programs as well but at least you'll have your files

Good luck!

 

[dkny1221]

yes i can still boot into it and everything so what do you want me to do as my next few steps and il follow your instructions please as i really really need these files back some way some how thank you

 

[GianniDPC]

yes i can still boot into it and everything so what do you want me to do as my next few steps and il follow your instructions please as i really really need these files back some way some how thank you

Well you will be able to recover some files with programs but you will never be able to recover ALL the files on the formatted drive

 

[emaraszek]

Do you have multiple hard drives/volumes or was the data stored on the same volume as the OS? If you have a standard setup, you most likely have one physical disk with a ~100mb system partition and one main partition for all programs, files, etc. If this is your setup and you can still boot into windows then your drive was NOT formatted

 

[dkny1221]

i dont think it completely formatted it as once the virus had attacked the pc and took all of the files windows did not as to be re installed or anything

 

[dkny1221]

for all what i know i only have a C drive 290GB hard drive

 

[GianniDPC]

for all what i know i only have a C drive 290GB hard drive

you say it formatted your hard drive and now your saying that you're still able to boot into windows ???!!

 

[dkny1221]

when the vrius attacked my pc i restarted it and it just let me log back in as usual but all of the files have disapiered and it took my hard drive to over 200GB off free space so im not sure if the vrius has formatted it or just taken the files and hidden them or something

 

[emaraszek]

for all what i know i only have a C drive 290GB hard drive

you say it formatted your hard drive and now your saying that you're still able to boot into windows ???!!

My thoughts exactly, which is why I wanted to check the hard drive configuration

@dkny1221 Do you have an external hard drive you can use to store a backup? Not a flash drive, this will need to be almost the same size as your system drive (depending on how full your drive is)

 

[PooMan UK]

Have a looky here pal windows recovery virus ... maybe you were hit with something like this which has hidden your files

If your drive was formatted you wouldn't be able to boot into windows

 

[dkny1221]

i have got a seagate expansion portable usb drive if that is any help which is a 250gb drive

 

[emaraszek]

i have got a seagate expansion portable usb drive if that is any help which is a 250gb drive

Perfect, how much free space do you have on it?

 

[dkny1221]

ive got 50gb available but if need be i can just copy them files onto my ps3 or something if you want me to

 

[emaraszek]

Yes you'll likely need most of that 250gb for a backup if you indeed have 200gb worth of files.

Before you proceed, as PooMan UK suggested, are you sure that these files aren't simply hidden?

Refer to the following and see if showing hidden files reveals the data you think is missing:
http://www.sevenforums.com/tutorials/394-hidden-files-folders-show-hide.html

There are three possible outcomes:
1. You enable it and see your files
2. A virus won't let you enable it
3. You enable it and still can't find your files

Let me know what happens and we can proceed from there
http://www.sevenforums.com/tutorials/394-hidden-files-folders-show-hide.html

 

[Jacee]

See if Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe) (by Grinler) helps...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run."

 

[dkny1221]

just tried it and it didnt reveal the missing files just like the notepad files that are in the folders not the videos aswell though but when i was using that undo delete i managed to recover some files dont know if they could be of any help there is ntuser.dat.LOG1
ntuser.dat.LOG2
ntuser.dat.LOG2.LOG1
ntuser.dat.LOG2.LOG2
ntuser.dat.LOG2{c6f31789-28b0-11e1-8963-0021853beaf7}.TM.blf
ntuser.dat.LOG2{c6f31789-28b0-11e1-8963-0021853beaf7}.TMContainer00000000000000000001.regtrans-ms
ntuser.dat{7cc945c0-12ae-11e1-817a-0021853beaf7}.TM.blf
ntuser.dat{7cc945c0-12ae-11e1-817a-0021853beaf7}.TMContainer00000000000000000001.regtrans-ms
ntuser.dat{7cc945c0-12ae-11e1-817a-0021853beaf7}.TMContainer00000000000000000002.regtrans-ms
NTUSER.DAT{059eedb3-7ec7-11e0-b93a-0021853beaf7}.TM.blf
NTUSER.DAT{c1b2f318-ec00-11e0-b4fc-0021853beaf7}.TMContainer00000000000000000001.regtrans-ms
NTUSER.DAT{c1b2f318-ec00-11e0-b4fc-0021853beaf7}.TMContainer00000000000000000002.regtrans-ms
NTUSER.DAT{c768b1eb-86b0-11e0-a74d-0021853beaf7}.TM.blf
ntuser.pol

also just noticed on all of my files it has a strange user on it with like a coded type of username but not a registered user off my pc

 

[GianniDPC]

just tried it and it didnt reveal the missing files just like the notepad files that are in the folders not the videos aswell though but when i was using that undo delete i managed to recover some files dont know if they could be of any help there is ntuser.dat.LOG1
ntuser.dat.LOG2
ntuser.dat.LOG2.LOG1
ntuser.dat.LOG2.LOG2
ntuser.dat.LOG2{c6f31789-28b0-11e1-8963-0021853beaf7}.TM.blf
ntuser.dat.LOG2{c6f31789-28b0-11e1-8963-0021853beaf7}.TMContainer00000000000000000001.regtrans-ms
ntuser.dat{7cc945c0-12ae-11e1-817a-0021853beaf7}.TM.blf
ntuser.dat{7cc945c0-12ae-11e1-817a-0021853beaf7}.TMContainer00000000000000000001.regtrans-ms
ntuser.dat{7cc945c0-12ae-11e1-817a-0021853beaf7}.TMContainer00000000000000000002.regtrans-ms
NTUSER.DAT{059eedb3-7ec7-11e0-b93a-0021853beaf7}.TM.blf
NTUSER.DAT{c1b2f318-ec00-11e0-b4fc-0021853beaf7}.TMContainer00000000000000000001.regtrans-ms
NTUSER.DAT{c1b2f318-ec00-11e0-b4fc-0021853beaf7}.TMContainer00000000000000000002.regtrans-ms
NTUSER.DAT{c768b1eb-86b0-11e0-a74d-0021853beaf7}.TM.blf
ntuser.pol

also just noticed on all of my files it has a strange user on it with like a coded type of username but not a registered user off my pc

Maybe you still have some viruses on your computer also....

do a Hitman Pro scan please: Home - SurfRight
after that TDSSKiller: Anti-rootkit utility TDSSKiller

 

[emaraszek]

Other than the missing files, how is the computer running? Are you getting any fake antivirus warnings that popup or scans that start by themselves? Is there any abnormal behavior other than the missing files?

The most common infections I've been seeing lately are the fake antivirus ones. I always use Maleware bytes at work to clean out infections, it's free and keeps itself updated:
Malwarebytes Anti-Malware 1.60.0.1800 - TechSpot Downloads

Try running a scan with it and see if it picks anything up. Might I also ask what antivirus software, if any, you use on your computer?

 

[dkny1221]

ive ran them and surfright found loads of errors but nothing to techinical and anti rootkit found

Event Object
Suspicious sptd ( LockedFile.Multi.Generic )
and 3 files found in the following locations
HKLM\SYSTEM\ControlSet001\Services\sptd
HKLM\SYSTEM\ControlSet002\Services\sptd
C:\Windows\System32\Drives\sptd.sys

also i use avast anti virus as my anti virus device