Need NTFS undelete software.

CZroe

Title edited to stem the flow of trolls...
Removed: "God d@mn MS and script kiddies... "

This is all Microsoft's fault. I needed to get documents and send files to my home PC without Remote Desktop or other file transfer methods and I didn't have time to learn new FTP software. A couple demo FTP server program trials had already expired so I was left using Microsoft's built-in FTP server.

After spending two days trying to get it to JUST FREAKING WORK, I just had to set wide open read/write access for a few hours. Even though all permissions were correct, it would still have near-constant issues unless I did this.

When I got to class, I logged in to the FTP and found everything deleted. The only folder that remained was my "img" folder but the idiot who did this deleted the contents and replaced them with ServUDaemon.exe. The root had another folder called "scan by nokk8." Of course, the typical file and directory names with special characters prevented the outright removal/deletion of these folders.

Because these files were deleted through the FTP server process, they were not sent to the recycle bin. What free utility can/should I use to recover them?
 

spidey07

what is you got owned for the win alex???

c'mon man. a wide open FTP server will be found in under 30 seconds.

so god d@mn you for not knowing what the F you are doing.

-edit- sorry to be so harsh, but that's the truth.
 
MercenaryForHire

Originally posted by: spidey07
what is you got owned for the win alex???

c'mon man. a wide open FTP server will be found in under 30 seconds.

so god d@mn you for not knowing what the F you are doing.

-edit- sorry to be so harsh, but that's the truth.

Al Capowned.

Don Corleowned.

Sylvester Stallowned.

Al Pacinowned.

Calzowned.

Saxophowned.

Ice cream cowned.

Hippowned.

Flinstowned.

Potatowned.

- M4H
 

SLCentral

Originally posted by: MercenaryForHire
Originally posted by: spidey07
what is you got owned for the win alex???

c'mon man. a wide open FTP server will be found in under 30 seconds.

so god d@mn you for not knowing what the F you are doing.

-edit- sorry to be so harsh, but that's the truth.

Al Capowned.

Don Corleowned.

Sylvester Stallowned.

Al Pacinowned.

Calzowned.

Saxophowned.

Ice cream cowned.

Hippowned.

Flinstowned.

Potatowned.

- M4H

M4H, you actually made my day with that list.
 

skyking

If you are using the compromised computer, quit now. Everything you do on it will tend to overwrite the unaddressed data, and make any form of recovery more difficult if not impossible.
You can recover text fragments more readily than say, pictures or video. I don't know the name of the programs offhand, but after these guys quit ripping you for a minute they will provide a link:)
 

tfinch2

Originally posted by: SLCentral
Originally posted by: MercenaryForHire
Originally posted by: spidey07
what is you got owned for the win alex???

c'mon man. a wide open FTP server will be found in under 30 seconds.

so god d@mn you for not knowing what the F you are doing.

-edit- sorry to be so harsh, but that's the truth.

Al Capowned.

Don Corleowned.

Sylvester Stallowned.

Al Pacinowned.

Calzowned.

Saxophowned.

Ice cream cowned.

Hippowned.

Flinstowned.

Potatowned.

- M4H

M4H, you actually made my day with that list.

ICE CREAM COWNED. HAHAHAHAHAHA

<guinness>BRILLIANT</guinness>
 

talyn00

Originally posted by: MercenaryForHire
Originally posted by: spidey07
what is you got owned for the win alex???

c'mon man. a wide open FTP server will be found in under 30 seconds.

so god d@mn you for not knowing what the F you are doing.

-edit- sorry to be so harsh, but that's the truth.

Al Capowned.

Don Corleowned.

Sylvester Stallowned.

Al Pacinowned.

Calzowned.

Saxophowned.

Ice cream cowned.

Hippowned.

Flinstowned.

Potatowned.

- M4H

lol.

What kind of effort did you make to secure that FTP server?
 

spidey07

Thing is...I really don't want to ridicule CZroe. I just want to make it clear just how easy it is to totally own a system. yeah, I'm an old schooler/white hat now. I mean own. not "pwned"

CZroe - it really is in your best interest to format your machine. I'm the last person that would ever advocate formatting a box. But in this case it is necessary.

But if you had a system/root level process delete those files without your knowledge then you really, really need to. Save what data you can and re-install the os. You may have better feedback if a mod moved this to software.

Just trying to help.
 

Goosemaster

currently the best way to remotely access files is to put on a fake beard and walk to the data center....


...oh, and make sure to fake a limp
 

EyeMWing

GetDataBack for NTFS.

Recovered everything on an entire drive I have where the filesystem got eaten.
 

Goosemaster

Originally posted by: EyeMWing
GetDataBack for NTFS.

Recovered everything on an entire drive I have where the filesystem got eaten.

yeah, and it's cheap.


ontracks easy recovery is $$$
 

jagec

PC Inspector File Recovery might work, and it's freeware.

If it doesn't, you'll probably have to pay for something else, like File Scavenger.
 

SLCentral

Originally posted by: EyeMWing
GetDataBack for NTFS.

Recovered everything on an entire drive I have where the filesystem got eaten.

Worked for me too for the same issue. Recovered everything.
 

SSP

Originally posted by: jagec
PC Inspector File Recovery might work, and it's freeware.

If it doesn't, you'll probably have to pay for something else, like File Scavenger.

PC Inspector worked for me when a drive went kaput. It didn't recover everything but most were recovered.
 

CZroe

Originally posted by: spidey07
what is you got owned for the win alex???

c'mon man. a wide open FTP server will be found in under 30 seconds.

so god d@mn you for not knowing what the F you are doing.

-edit- sorry to be so harsh, but that's the truth.

You think I don't know that? This is about the 12th time I've encountered such a thing. I came here knowing full well what had happened with only one request: file recovery software. The fact that I gave the back story wasn't some invitation to bolster your ego. Stop posturing and pretending that you know more than me about this. Not only that, 30mins is a huge exaggeration. Many factors can influence the time it takes. I left a honey pot on this very system open for two months earlier this year and it was never modified.

You know what I said was MS' fault? FORCING someone who is completely aware of what happens to a wide-open FTP to leave it wide open just to get it working. It's their fault that it would not work otherwise.

Originally posted by: skyking
If you are using the compromised computer, quit now. Everything you do on it will tend to overwrite the unaddressed data, and make any form of recovery more difficult if not impossible.
You can recover text fragments more readily than say, pictures or video. I don't know the name of the programs offhand, but after these guys quit ripping you for a minute they will provide a link:)

Yeah, I'm aware of that but a lot has been done already (it's a Media Center PC and it recorded some programs automatically). I used my laptop to download the software (Handy Recovery 1.0) and used a USB enclosure to analyze it. It recovered almost all of the larger files (auction pictures) but hardly any of the thumbnails (most can be recreated from the larger pictures). For some reason, it doesn't see that there ever was a certain file (containing an archive of almost everything) and a certain folder + contents (about a week old vs. a few months for everything else). It seems totally unaware and doesn't give me the option to recover even a corrupted version so I'm hoping other software might help there.

Originally posted by: spidey07
Thing is...I really don't want to ridicule CZroe. I just want to make it clear just how easy it is to totally own a system. yeah, I'm an old schooler/white hat now. I mean own. not "pwned"

CZroe - it really is in your best interest to format your machine. I'm the last person that would ever advocate formatting a box. But in this case it is necessary.

But if you had a system/root level process delete those files without your knowledge then you really, really need to. Save what data you can and re-install the os. You may have better feedback if a mod moved this to software.

Just trying to help.

The system was not compromised. Anonymous logins simply had Read/Write/List/Delete access to the wwwroot through the ftp server. The FTP server process was doing as instructed, and not hijacked. It was done with my full knowledge, just not by me. The warez couriers simply deleted everything in case I was low on FTP space or something (so they could cram more of their crap). ;)

I managed to get the folders deleted, though I do need to format anyway. Even using the same techniques, I have two files on my Desktop that were corrupted long ago when I was experimenting with them and they are undeletable (8.3 filenames are corrupt though LFNs are fine; dir /x shows nothing).


Thanks (you too jagec and EyeMWing)! That's a list I'll keep around.
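
An added example, not part of any post in this thread: a minimal log check for the situation described in the post above, where anonymous FTP logins had write and delete rights. The log lines are constructed, and their layout (time, client IP, `[session]COMMAND`, argument, status) is an assumption; adapt the pattern to the format your FTP server actually writes.

```python
import re
from collections import defaultdict

# Constructed sample log; layout is assumed, not taken from the thread:
# time, client IP, [session]COMMAND, argument, FTP reply code.
SAMPLE_LOG = """\
10:01:02 203.0.113.7 [1]USER anonymous 331
10:01:03 203.0.113.7 [1]PASS guest@example.invalid 230
10:01:05 203.0.113.7 [1]DELE /docs/report.doc 250
10:01:06 203.0.113.7 [1]MKD /scan-dir 257
10:01:09 203.0.113.7 [1]STOR /img/upload.exe 226
10:02:00 198.51.100.4 [2]USER alice 331
10:02:01 198.51.100.4 [2]PASS - 230
10:02:04 198.51.100.4 [2]STOR /docs/homework.doc 226
10:03:00 192.0.2.9 [3]USER anonymous 331
10:03:01 192.0.2.9 [3]PASS guest@example.invalid 230
10:03:02 192.0.2.9 [3]DELE /docs/other.doc 550
10:03:03 192.0.2.9 [3]RETR /docs/readme.txt 226
"""

LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (\S+) (\d{3})$")
# FTP commands that change server contents (2xx reply means they succeeded).
WRITE_CMDS = {"STOR", "APPE", "DELE", "RMD", "MKD", "RNTO"}
ANON_USERS = {"anonymous", "ftp"}

def anonymous_writes(log_text):
    """Return {(ip, session): [(time, cmd, path), ...]} for successful
    modifying commands issued in sessions that logged in anonymously."""
    session_user = {}
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header, comment or unparseable line
        time, ip, sess, cmd, arg, status = m.groups()
        key, cmd = (ip, sess), cmd.upper()
        if cmd == "USER":
            session_user[key] = arg.lower()
        elif (cmd in WRITE_CMDS and status.startswith("2")
              and session_user.get(key) in ANON_USERS):
            findings[key].append((time, cmd, arg))
    return dict(findings)

if __name__ == "__main__":
    for (ip, sess), events in anonymous_writes(SAMPLE_LOG).items():
        print(f"{ip} session {sess}: {len(events)} anonymous modifications")
        for time, cmd, path in events:
            print(f"  {time} {cmd} {path}")
```

Any hit means the anonymous account holds write or delete rights on the served directory; a refused attempt (the 550 in session 3) is not reported.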
 

promposive

Originally posted by: randay
Originally posted by: CZroe
dee dee dee

No sorry, you owned yourself. Don't blame microsoft for your own mistakes.


FTW. IIS FTP is easy as F to setup with at least a password! There were so many alternatives to "wide open ftp" and yet you chose the "ID-10-T" method.
 

CZroe

Originally posted by: randay
Originally posted by: CZroe
dee dee dee

No sorry, you owned yourself. Don't blame microsoft for your own mistakes.

There was no mistake in it. I knew it would happen and malfunctioning software forced my hand. I had to do it anyway. It was either that or fail the class. Thanks for being a know it all.

And don't say it was unreasonable to expect that "maybe it might be alright for just a few hours." Like I said, I left it wide open for months trying to attract this and got no bites for a school project earlier this year. I've seen it happen several times to many other people and have gotten it to happen to PCs I've owned in years past. Five years ago, one of my instructors explained that it happened to a friend in some major IT company and I guided him through deleting the directories.

Before anyone mentions it, I have returned to school after working two full time jobs. I have not been failing my networking classes for half a decade. Grow up and get over your "superiority" reflex (and complex). If it makes you feel better, go ahead with your "HA HA HA What a dumba$$ LOLOLOL" crap but keep it to yourself.
 

CZroe

Originally posted by: C0BRA99
Originally posted by: randay
Originally posted by: CZroe
dee dee dee

No sorry, you owned yourself. Don't blame microsoft for your own mistakes.


FTW. IIS FTP is easy as F to setup with at least a password! There were so many alternatives to "wide open ftp" and yet you chose the "ID-10-T" method.

Like I said, it was not an "ease of use" thing, it was malfunctioning. It was refusing access when it shouldn't. Only by throwing the doors wide open could I ensure access for myself from school (CRITICAL. More so than the data lost). I've had to entirely remove IIS and do a recovery installation to fix it.
 

DurocShark

Originally posted by: CZroe

The system was not compromised. Anonymous logins simply had Read/Write/List/Delete access to the wwwroot through the ftp server. The FTP server process was doing as instructed, and not hijacked. It was done with my full knowledge, just not by me. The warez couriers simply deleted everything in case I was low on FTP space or something (so they could cram more of their crap). ;)

Originally posted by: CZroe
When I got to class, I logged in to the FTP and found everything deleted. The only folder that remained was my "img" folder but the idiot who did this deleted the contents and replaced them with ServUDaemon.exe.

How did ServUDaemon.exe, that is normally in program files, get into your FTP directory?

Here's some more info on that:

Description: File ServUDaemon.exe is located in a subfolder of "C:\Program Files" or sometimes in the folder C:\Windows\System32 or in a subfolder of C:\Windows\System32. Known file sizes on Windows XP are 3187200 bytes (18% of all occurrence), 568832 bytes, 1043968 bytes, 3364352 bytes, 2142720 bytes, 565248 bytes, 2121216 bytes, 806912 bytes, 3266048 bytes, 1930240 bytes, 3310080 bytes, 3209216 bytes, 3367424 bytes, 2112512 bytes, 887808 bytes.
The program is not visible. ServUDaemon.exe is not a Windows core file. Program listens for or sends data on open ports to LAN or Internet. It is a file without information about the maker of this file. You can uninstall this program in the control panel. ServUDaemon.exe is able to hide itself. Therefore the technical security rating is 62% dangerous, however also read the users reviews.

If ServUDaemon.exe is located in a subfolder of C:\Windows then the security rating is 90% dangerous. File size is 1810432 bytes. There is no information about the maker of the file. The program is not visible. ServUDaemon.exe is located in the Windows folder, but it is not a Windows core file. The file is not a Windows core file. The process uses ports to connect to LAN or Internet.

From file.net.
 

CZroe

Originally posted by: DurocShark
Originally posted by: CZroe

The system was not compromised. Anonymous logins simply had Read/Write/List/Delete access to the wwwroot through the ftp server. The FTP server process was doing as instructed, and not hijacked. It was done with my full knowledge, just not by me. The warez couriers simply deleted everything in case I was low on FTP space or something (so they could cram more of their crap). ;)

Originally posted by: CZroe
When I got to class, I logged in to the FTP and found everything deleted. The only folder that remained was my "img" folder but the idiot who did this deleted the contents and replaced them with ServUDaemon.exe.

How did ServUDaemon.exe, that is normally in program files, get into your FTP directory?

Here's some more info on that:

Description: File ServUDaemon.exe is located in a subfolder of "C:\Program Files" or sometimes in the folder C:\Windows\System32 or in a subfolder of C:\Windows\System32. Known file sizes on Windows XP are 3187200 bytes (18% of all occurrence), 568832 bytes, 1043968 bytes, 3364352 bytes, 2142720 bytes, 565248 bytes, 2121216 bytes, 806912 bytes, 3266048 bytes, 1930240 bytes, 3310080 bytes, 3209216 bytes, 3367424 bytes, 2112512 bytes, 887808 bytes.
The program is not visible. ServUDaemon.exe is not a Windows core file. Program listens for or sends data on open ports to LAN or Internet. It is a file without information about the maker of this file. You can uninstall this program in the control panel. ServUDaemon.exe is able to hide itself. Therefore the technical security rating is 62% dangerous, however also read the users reviews.

If ServUDaemon.exe is located in a subfolder of C:\Windows then the security rating is 90% dangerous. File size is 1810432 bytes. There is no information about the maker of the file. The program is not visible. ServUDaemon.exe is located in the Windows folder, but it is not a Windows core file. The file is not a Windows core file. The process uses ports to connect to LAN or Internet.

From file.net.

Oh come on. Gee, how do files get put on an FTP that was left open for the very purpose of putting a file on it Anonymously? You've got to be kidding me! You know the difference between an executable file and an executED file. It was not installed. It was simply uploaded... probably in hopes that I would execute it. If it were anywhere else, then I'd have something to worry about. I'm good. :thumbsup:
 

KLin

Please no one help him since he can't find the correct forum to post this in. :p. Oh one more thing. OWNED!!!!!!!!!11111111111 :laugh: