Someone please help me recover my HDD from a trojan attack (W32.Whiter.Trojan)

Jerboy

Banned
Oct 27, 2001
Update: CAUSE FOUND, need solution now

Update:

Using software called Easy Recovery Professional, I was able to recover some data, and some research on the internet identified the culprit to be this Trojan horse. No, I did not download the XP key gen, but I suspect something I downloaded was a renamed XP key gen.

Upon further investigation using Hackman, many files have been displaced with a 33-byte file filled with 0's (in a hex editor), others had file extensions mixed up or the first character of the file replaced with "_", and other files were displaced with the phrase "You did a piracy, you deserve it."

Some files are functional. All the functional mp3 files are renamed to DOS 8+3 capital letter only system.

Ok... now how do I fix it???

Data recovery will cost me a minimum of $350, and I really don't want them seeing my personal files, so I would like to avoid it unless I am absolutely hitting the bottom.


The original post:

OK, first off I'd like to say this may be off-topic for this forum and I understand the resistance; however, this is where most of my AT friends are and I need all the help I can get. I am sorry if this doesn't agree with your idea.

Today has been an extremely bad day for me. I was running Diskeeper defrag as I was watching TV. After watching TV for a while, the defrag was done and I decided to reboot. When I rebooted I got a bunch of errors, so I had to use the reset button. When the computer rebooted, it said invalid system disk. I booted up using a DOS boot floppy to see what was going on. To my astonishment the volume info said basically my drive was 100% empty.

Not only was my system drive trashed, all my data partitions on a separate physical drive were completely trashed. All four partitions are accessible and all directories are intact, but the files are gone, just like when you use the del *.* command on MS-DOS. I suspect hacking or virus action, and since all the directories are intact I'd like to hope the files are just tagged as deleted and not actually wiped out.

I only have the backup for the C partition, which gets corrupted the most often. The data partitions are on a physically separate drive and I never thought this would happen, so I don't have any backup.

On the data partitions I had a considerable number of files that have a lot of sentimental value to me. The affected files include all my ICQ chat logs from the past three years, chatroom logs, family photos, my school papers, pics I took with friends in school, pics I took with my current and all previous S.O.'s, and pretty much all my school papers and projects since eighth grade. I would be completely terrified to lose any of these files and I'd like to know if there is anything I can do about it.

The system was running Windows Me, connected to the internet at the time of the incident. The hard drives are configured as follows:

Quantum 7200RPM 40GB primary master holds C:\, system drive (20GB); E:\, temporary storage. The second drive is on my onboard RAID controller and it is a Western Digital 40GB holding D:\, data partition 1 (20GB); E:\, data partition 2 (20GB). All I know is that everything is lost.

Please go to my "my rigs" sig and click on "trashed rig" if you need to know more about the hardware. Should you have any questions, please post here, PM me or email me at email, whichever is convenient for you.

I yanked out the DSL modem and am using my PIII 600MHz machine as I type this, so I do have access to the net. I didn't want to risk further messing up the hard drive by using it without knowing what I am doing on it. The poor Athlon rig is sitting in the corner of my room :(
Any help would be appreciated.


Thank you,

Jer

 

Zim Hosein

Super Moderator | Elite Member
Super Moderator
Nov 27, 1999
Jerboy, what happens if you boot into SAFE MODE? Are you able to?
 

Jerboy

Banned
Oct 27, 2001


<< Jerboy, what happens if you boot into SAFE MODE? Are you able to? >>
My system wouldn't even boot :(


It tells me the system disk is invalid. My first suspect was the MBR, which I already attempted to fix. When I realized the xxx,xxx,xxx bytes free quoted when I did the DOS command C:\dir just about equaled the capacity of the whole partition, I KNEW something more serious was going on.
 

Zim Hosein

Super Moderator | Elite Member
Super Moderator
Nov 27, 1999
Jerboy, since you have more than one rig, what about recovering the data by taking the "bad" HD from the rig that won't boot, and making it a slave in a rig that does boot?
 

Jerboy

Banned
Oct 27, 2001


<< Jerboy, since you have more than one rig, what about recovering the data by taking the "bad" HD from the rig that won't boot, and making it a slave in a rig that does boot? >>
Do you know how I'd go about recovering the data? I was raised on Macintosh and I've learned to love Windows, but when it develops serious problems like that, I know jack about it.

I think I can try connecting the drive to this machine, except that if this is a virus attack, I am risking further activating the virus and further destroying data to the point of no possible recovery.
 

Zim Hosein

Super Moderator | Elite Member
Super Moderator
Nov 27, 1999
Jerboy, while I'd love to help you if I could, since you mention Mac, and I'm Mac illiterate, I don't want to give you the wrong info. Consider this a "bump" for your issue and I hope a "MAC" user can help you out. Good luck.
 

Sluggo

Lifer
Jun 12, 2000
Can't you just dump the drive as a slave in another system w/ good virus software, run a virus check on it, and check around to see what is recoverable?

You might also check the thread about the dude who got busted with bus passes or some crap, there was some good data recovery info in that thread, or at least some people who were knowledgeable on data recovery. :)
 

Jerboy

Banned
Oct 27, 2001


<< Can't you just dump the drive as a slave in another system w/ good virus software, run a virus check on it, and check around to see what is recoverable?

You might also check the thread about the dude who got busted with bus passes or some crap, there was some good data recovery info in that thread, or at least some people who were knowledgeable on data recovery. :) >>

OTOT, does anyone know WHAT VIRUS exhibits a behavior that deletes files (comparable to del *.*) and leaves the directory structures intact? Could a hacker do this to me?

If I could find out the cause or the virus, I could pinpoint what I need to research and try to find an appropriate solution.
 

Jerboy

Banned
Oct 27, 2001
Update:

Using software called Easy Recovery Professional, I was able to recover some data, and some research on the internet identified the culprit to be this Trojan horse. No, I did not download the XP key gen, but I suspect something I downloaded was a renamed XP key gen.

Upon further investigation using Hackman, many files have been displaced with a 33-byte file filled with 0's (in a hex editor), others had file extensions mixed up or the first character of the file replaced with "_", and other files were displaced with the phrase "You did a piracy, you deserve it."

Ok... now how do I fix it?

Data recovery will cost me $350, and I really don't want them seeing my personal files, so I would like to avoid it unless I am absolutely hitting the bottom.

Thank you
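A small triage script, added here as an example (it is not from the thread, from Easy Recovery Professional or from any AV product), that walks a recovered directory tree and flags files matching the three symptoms the post describes: 33-byte zero-filled stubs, bodies replaced by the "You did a piracy" phrase, and names whose first character became "_". The sample tree, its file names and contents are constructed for the demo; the thresholds come only from the post's description.

```python
import tempfile
from pathlib import Path

# Indicators taken from the symptoms described in the thread (constructed, not an AV signature)
STUB_SIZE = 33                                   # length of the zero-filled stubs
MESSAGE = b"You did a piracy, you deserve it."   # text found in place of some files

def classify(path: Path) -> list[str]:
    """Return the damage indicators one file matches (empty list means it looks intact)."""
    data = path.read_bytes()
    hits = []
    if len(data) == STUB_SIZE and not any(data):
        hits.append("zero_stub")            # exactly 33 bytes of 0x00
    if MESSAGE in data:
        hits.append("piracy_message")       # body replaced by the taunt string
    if path.name.startswith("_"):
        hits.append("leading_underscore")   # first character of the name replaced with "_"
    return hits

def triage(root: str) -> dict[str, list[str]]:
    """Walk a recovered tree and map each indicator to the relative paths showing it."""
    report: dict[str, list[str]] = {
        "zero_stub": [], "piracy_message": [], "leading_underscore": [], "intact": []}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            for h in classify(p) or ["intact"]:
                report[h].append(rel)
    return report

def build_sample(root: str) -> None:
    """Write a constructed sample tree mimicking the symptoms in the post."""
    d = Path(root) / "photos"
    d.mkdir()
    (d / "family.jpg").write_bytes(b"\x00" * STUB_SIZE)    # zero-filled stub
    (d / "_school.doc").write_bytes(b"\x00" * STUB_SIZE)   # renamed and stubbed
    (d / "notes.txt").write_bytes(MESSAGE)                 # body replaced by the message
    (d / "SONG.MP3").write_bytes(b"ID3" + b"\x01" * 40)    # survived, 8.3 upper-case name
    (d / "short.bin").write_bytes(b"\x00" * 10)            # zeros but not the stub size

def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir, triage it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it against a copy of the recovered partition (never the original drive) by calling `triage("/path/to/copy")`; files listed under "intact" are the ones worth keeping, the rest are stubs that no longer hold the original data.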