Author Topic: Recovering deleted files following pre-boot scan  (Read 4293 times)

0 Members and 1 Guest are viewing this topic.

Offline Mike Wellman

  • Newbie
  • *
  • Posts: 2
Recovering deleted files following pre-boot scan
« on: March 13, 2012, 07:27:41 PM »
My wife's computer was recently infected with a Trojan Horse virus indicating an indexation problem.  I downloaded and installed Avast free software and it immediately found the infection.  I then chose to do a pre-boot scan.  After a short time into the scan an infected file was found and this is where I think I made a mistake; I chose to delete the file.  The scan then did that and continued to run, finding another infected file.  I then chose to 'delete all' and away Avast went.  This scan took over 5 hours to complete. 

Now my wife has no pictures, documents, etc.  The only thing I can think of is that I should have selected some action other than 'delete all'; repair maybe.

Is there a way to recover all the lost data files?  I'm in real trouble.

Thanks

Offline Pondus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 26329
Re: Recovering deleted files following pre-boot scan
« Reply #1 on: March 13, 2012, 07:34:24 PM »
sorry...you went for the option...that have no more options


Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 71441
  • No support PMs thanks
Re: Recovering deleted files following pre-boot scan
« Reply #2 on: March 13, 2012, 07:36:10 PM »
Deletion is never a good first option, you have none left.

The only way to recover deleted files is through an application to recover deleted files (google that, there should be plenty of options, many free). The longer between deletion and any recovery attempt, the less likely the success rate.

You would also have to know what it is that you seek to recover (date, time of deletion roughly) as there could be hundreds of hits in its search for deleted files. Avast may well alert when trying to recover these files, if so sending to the chest is the best/safest option.

Look in the C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report\aswBoot.txt file (XP location) C:\ProgramData\Avast Software\Avast\report\aswBoot.txt (Vista, Win7 location), check this file using notepad for info on the scan/detections, etc.

Copy and paste that information, file name, location and malware name of the detections. That gives us something to work with (and also when you attempt to undelete these files), to say what the likelihood of the detection being good.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.2.2215 R2/ Outpost Firewall Pro9.1/ Firefox 36.0.4, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.4/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11403
    • AVAST Software
Re: Recovering deleted files following pre-boot scan
« Reply #3 on: March 13, 2012, 07:37:08 PM »
I find it rather unlikely that the images and documents were infected (and removed)...

Offline Pondus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 26329
Re: Recovering deleted files following pre-boot scan
« Reply #4 on: March 13, 2012, 07:38:33 PM »
maybe something for Essexboy and his Harry potter tools then ?
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9048
Re: Recovering deleted files following pre-boot scan
« Reply #5 on: March 13, 2012, 07:44:40 PM »
Wouldn't restoring bring back the lost files ??? otherwise there is this nice little recovery tool by Piriform http://www.piriform.com/recuva

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35974
  • Dragons by Sasha
    • Malware fixes
Re: Recovering deleted files following pre-boot scan
« Reply #6 on: March 13, 2012, 07:52:06 PM »
They are not lost - just hidden

Lets get them back for you


  • Download RogueKiller  and save it on your desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ... 
  •     Click on Scan
   
 
  • Wait for the end of the scan. 
  • The report has been created on the desktop. 
  • Click on the Delete button.
     
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix   

  • The report has been created on the desktop.
Please post:    All RKreport.txt text files located on your desktop.

THEN

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
Drives
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs
AND FINALLY

Download aswMBR.exe ( 4.1mb ) to your desktop.
 Double click the aswMBR.exe to run it  Click the "Scan" button to start scan 



On completion of the scan click save log, save it to your desktop and post in your next reply



Offline Mike Wellman

  • Newbie
  • *
  • Posts: 2
Re: Recovering deleted files following pre-boot scan
« Reply #7 on: March 14, 2012, 02:02:38 AM »
I'm overwhelmed by the response from all of you--thanks.  I've begun to download programs and compile the information requested and will post soon.

I believe the Trojan that started all this was Win32:FakeSysdefs-A as indicated in the Avast pre-boot scan log I have saved and will include in a future post.

Thank you again!

Offline akashpoddar83

  • Newbie
  • *
  • Posts: 2
Re: Recovering deleted files following pre-boot scan
« Reply #8 on: March 14, 2012, 12:19:49 PM »
please help me to recover my pictures which are very important to me...i have attached the reports of roguekiler....please help me...

Offline Pondus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 26329
Re: Recovering deleted files following pre-boot scan
« Reply #9 on: March 14, 2012, 12:25:21 PM »
please help me to recover my pictures which are very important to me...i have attached the reports of roguekiler....please help me...
Helping multiple users in the same topic will be chaos

Start your own topic where you explain the problem
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.