Author Topic: Recovering deleted files following pre-boot scan  (Read 9185 times)


Mike Wellman

  • Guest
Recovering deleted files following pre-boot scan
« on: March 13, 2012, 07:27:41 PM »
My wife's computer was recently infected with a Trojan Horse virus indicating an indexation problem.  I downloaded and installed Avast free software and it immediately found the infection.  I then chose to do a pre-boot scan.  After a short time into the scan an infected file was found and this is where I think I made a mistake; I chose to delete the file.  The scan then did that and continued to run, finding another infected file.  I then chose to 'delete all' and away Avast went.  This scan took over 5 hours to complete. 

Now my wife has no pictures, documents, etc.  The only thing I can think of is that I should have selected some action other than 'delete all'; repair maybe.

Is there a way to recover all the lost data files?  I'm in real trouble.

Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Recovering deleted files following pre-boot scan
« Reply #1 on: March 13, 2012, 07:34:24 PM »
Sorry... you went for the option... that has no more options.


Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Recovering deleted files following pre-boot scan
« Reply #2 on: March 13, 2012, 07:36:10 PM »
Deletion is never a good first option, you have none left.

The only way to recover deleted files is through an application to recover deleted files (google that, there should be plenty of options, many free). The longer between deletion and any recovery attempt, the less likely the success rate.

You would also have to know what it is that you seek to recover (date, time of deletion roughly) as there could be hundreds of hits in its search for deleted files. Avast may well alert when trying to recover these files, if so sending to the chest is the best/safest option.

Look in the C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\report\aswBoot.txt file (XP location) or C:\ProgramData\Avast Software\Avast\report\aswBoot.txt (Vista, Win7 location); check this file using Notepad for info on the scan/detections, etc.

Copy and paste that information: file name, location and malware name of the detections. That gives us something to work with (and also when you attempt to undelete these files), to say what the likelihood is of the detection being good.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Recovering deleted files following pre-boot scan
« Reply #3 on: March 13, 2012, 07:37:08 PM »
I find it rather unlikely that the images and documents were infected (and removed)...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Recovering deleted files following pre-boot scan
« Reply #4 on: March 13, 2012, 07:38:33 PM »
Maybe something for Essexboy and his Harry Potter tools then?

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Recovering deleted files following pre-boot scan
« Reply #5 on: March 13, 2012, 07:44:40 PM »
Wouldn't restoring bring back the lost files??? Otherwise there is this nice little recovery tool by Piriform: http://www.piriform.com/recuva

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Recovering deleted files following pre-boot scan
« Reply #6 on: March 13, 2012, 07:52:06 PM »
They are not lost - just hidden

Let's get them back for you


  • Download RogueKiller and save it on your desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
Drives
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

AND FINALLY

Download aswMBR.exe (4.1 MB) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply
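
Added example, not part of essexboy's post or of any tool named in it: a read-only PowerShell inventory for the situation the reply describes ("not lost - just hidden"). It assumes "hidden" means the Hidden file attribute was set on the user's files, and it reports whether the %Temp%\smtmp\1 to 4 folders from the OTL custom scan exist; the parameter names are illustrative.

```powershell
# Added example: read-only inventory; it changes nothing on disk.
# Assumption: "hidden" means the Hidden file attribute was set on user files.
param(
    [string]$ProfileRoot = $env:USERPROFILE,  # profile to inspect (illustrative name)
    [string]$TempRoot    = $env:TEMP          # parent of the smtmp folders (illustrative name)
)

# 1. Files carrying the Hidden attribute. -Force is required, otherwise
#    Get-ChildItem skips hidden items and the result is always empty.
$hidden = @(Get-ChildItem -LiteralPath $ProfileRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) })

# Group by first folder under the profile so Documents/Pictures stand out
# from AppData, which normally holds many legitimately hidden files.
$summary = $hidden | Group-Object {
    $rel = $_.FullName.Substring($ProfileRoot.Length).TrimStart('\')
    if ($rel.Contains('\')) { ($rel -split '\\')[0] } else { '(profile root)' }
} | Sort-Object Count -Descending | Select-Object Name, Count

# 2. Presence and size of the smtmp\1..4 folders listed in the OTL custom scan.
$smtmp = foreach ($n in 1..4) {
    $path   = Join-Path (Join-Path $TempRoot 'smtmp') "$n"
    $exists = Test-Path -LiteralPath $path
    $count  = 0
    if ($exists) { $count = @(Get-ChildItem -LiteralPath $path -Recurse -Force).Count }
    New-Object PSObject -Property @{ Path = $path; Exists = $exists; Items = $count }
}

"Hidden files under ${ProfileRoot}: $($hidden.Count)"
$summary | Format-Table -AutoSize
$smtmp   | Select-Object Path, Exists, Items | Format-Table -AutoSize
```

Run it from the affected user's account so that `$env:USERPROFILE` and `$env:TEMP` point at that profile.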



Mike Wellman

  • Guest
Re: Recovering deleted files following pre-boot scan
« Reply #7 on: March 14, 2012, 02:02:38 AM »
I'm overwhelmed by the response from all of you--thanks.  I've begun to download programs and compile the information requested and will post soon.

I believe the Trojan that started all this was Win32:FakeSysdefs-A as indicated in the Avast pre-boot scan log I have saved and will include in a future post.

Thank you again!

akashpoddar83

  • Guest
Re: Recovering deleted files following pre-boot scan
« Reply #8 on: March 14, 2012, 12:19:49 PM »
Please help me to recover my pictures which are very important to me... I have attached the reports of RogueKiller... please help me...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Recovering deleted files following pre-boot scan
« Reply #9 on: March 14, 2012, 12:25:21 PM »
Please help me to recover my pictures which are very important to me... I have attached the reports of RogueKiller... please help me...
Helping multiple users in the same topic will be chaos.

Start your own topic where you explain the problem