Recovering a PC

Introduction

Since my mum's computer was wiped out the other day by a virus, this was the opportunity to write a little howto on how to recover from this kind of accident.

General Procedure

1. Turn the computer off ASAP. The sooner the system is shut down, the less damage is done to the filesystem and the files it contains
2. From another host, go to the Net, and look for bootable, recovery programs like OnTrack's EasyRecovery (ex-Tsunami, I think). If you're lucky, the virus only blew the MBR and the FAT; If you're not, files were corrupted before taking care of the filesystem, in which case recovering files won't do you much good since they'll be unusable by their respective editor
3. Once the system has been recovered, or reinstalled from scratch, secure Windows.

Anti-virus Rescue Disks

This is a list of anti-virus that come in the form of a live CD, so you can boot a Windows host and scan its hard-disks for any malware.

Avira AntiVir Rescue System

• GUI-based, in English or German
• http://free-av.com/en/tools/12/avira_antivir_rescue_system.html

AVG

Text-based

Kaspersky Rescue Disk

• Linux-based with GUI
• ETA to scan two 200GB disks : 12 hours
• As of April 2010, booted OK on one PC, couldn't start on another PC

ClamAV, ClamWin, ClamAV for Windows

As of April 2010: ClamAV is an open-source anti-virus database. ClamWin uses the ClamAV database and is a Windows port; It can only scan files manually, but not watch for malware in RAM. ClamAV for Windows is a free but closed-source product that apparently uses "the cloud" to enhance detection but also uses ClamAV, but only monitors malware in RAM, ie. currently it cannot be used to scan mass-storage devices for malware; This is planned for a later release

Avast linux edition

Scan a Windows PC for Viruses from a Ubuntu Live CD

McAfee

BitDefender

Trend Micro

Panda Antivirus Pro

Norton Internet Security

F-Secure

Windows 2000

This time, it's my dad's computer at work that was hosed. Since the partition was still available, I could access it when booting from the W2K CD, and only the system files (eg. BOOT.INI, NTLDR, etc.) were missing, it was most likely a virus. New proof that having an antivirus, udated every day, is no foolproof solution.

Here's what you can try to recover a hosed W2K host:

Boot with the W2K install CD, and use the Repair option, and see if it solves the issue

If the system files are missing, the repair option won't work. From another W2K host, go into Program Files | Accessories | System Tools | Backup, and choose to build a repair disk from the Tools menu. This will just copy three files to the floppy (dummy CONFIG.SYS and AUTOEXEC.BAT, and SETUP.LOG)

http://support.microsoft.com/default.aspx?scid=kb;EN-US;216337

http://www.computerhope.com/issues/ch000465.htm

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prkd_tro_bohs.asp

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmb_tol_zldj.asp

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prkd_tro_blyy.asp

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:%20%2080/support/kb/articles/q255/2/20.asp&NoWebContent=1

http://www.winternals.com/

http://www.sysinternals.com/ntw2k/freeware/ntrecover.shtml

http://www.sysinternals.com/ntw2k/freeware/ntfsdospro.shtml

http://www.sysinternals.com/ntw2k/freeware/remoterecover.shtml

http://www.sysinternals.com/othresources.shtml

http://www.experts-exchange.com/Operating_Systems/Q_20882632.html

http://www.xxcopy.com/xxcopy33.htm

http://www.bootix.com/us/newsevents/970417nt_fr.shtml

http://www.alpi40.org/Maintena/NT/NT.htm#-8

http://www.alpi40.org/Maintena/NT/NT.htm#-4

http://pot-pourri.fltr.ucl.ac.be/wint40/installation.htm

Linux

• System Imager ("SystemImager is software that automates Linux installs, software distribution, and production deployment."), Creating Images Of Your Linux System With SystemImager
• Filesystem snapshots with unionfs ("One of the capabilities of unionfs is to offer the possibility of consistently freezing the status of the filesystem at any given point in time (snapshot).")

Q&A

After rebooting, hard disk info in BIOS is messed up

If you unplugged the PSU, it could be that the CMOS battery is dead, which was not apparent if you never turn the PC off.

Reboot, enter the BIOS, find the option to "Load System Defaults", save, and reboot.

Resources

• Partition Recovery
• NTFS.com
• Runtime Software (including GetDataBack)
• PC Inspector File Recovery (said to be inferior to GDB)
• Paragon Hard Disk Utilities
• Windows Ultimate CD Boot, a.k.a. WinUBCD
• System recovery with Knoppix by Carla Schroder
• Recovery Studio
• Ontrack Easy recovery
• Get SMART about disk failures By Chris Mellor
• Linux Bootable Business Card (LNX-BBC)
• Dead disk drive? What would Fonzie do? by Lee Schlesinger
• The Linux ER by Roderick W. Smith
• "The Sleuth Kit (TSK) is a collection of command line tools based on The Coroner's Toolkit (TCT). Autopsy is a graphical interface to the command line tools in TSK."
• "Smart Boot Manager (SBM) is an OS independent and full-featured boot manager with an easy-to-use user interface. There are some screen shots available."