Jump to content

Retrieving files from an infected external HD after formatting it

Almighty

By Almighty
in Recuva

 Share

Recommended Posts

  • Moderators
Augeas

Augeas

Posted
  • Moderators
Posted

Quite possibly. You will lessen the chance if you recover non-executable personal files such as docs or jpgs, and increase the chance if you recover executable system files, exe's, dll's etc. When you recover your files to a new separate folder scan the folder with your anti-virus program.

Link to comment
Share on other sites
Almighty

Almighty

Posted
  • Author
Posted

Before I format it, I scanned it with my anti-virus

Quite possibly. You will lessen the chance if you recover non-executable personal files such as docs or jpgs, and increase the chance if you recover executable system files, exe's, dll's etc. When you recover your files to a new separate folder scan the folder with your anti-virus program.

 

Thanks for your reply. Before I format it, I first scanned it with my anti-virus program and malwarebytes as well but it doesn't show any viruses but still I can't open it and the hard drive location itself is still a shortcut. :(

Link to comment
Share on other sites
  • Moderators
Augeas

Augeas

Posted
  • Moderators
Posted

If you scanned the drive before formatting it then you will have scanned live files. Recuva finds deleted files which may not have been scanned. But if you can't 'open' the drive then you're not at the Recuva stage.

Link to comment
Share on other sites
Almighty

Almighty

Posted
  • Author
Posted

Problem could be elsewhere. Where are you at on this and what have you exactly done to the disk?

 

At first, when I'm opening my external HD, there's a shortcut there of my HD itself and when I'm opening it, it opens new window containing my files and folders. I scanned through it with my anti virus program and found some virus and delete it. But still the HD itself is still a shortcut icon so I Googled it and found some answers that I have to delete and by the time I deleted it, I can't open now my HD so I formatted it.

 

I scanned my HD through Recuva to retrieve my files. The icon for each files is green and the status is Excellent but once it was all done retrieving, all files where 0 bytes. How could this be happening and what else can I do?

 

Thanks and hoping for your reply very soon.

Link to comment
Share on other sites
Almighty

Almighty

Posted
  • Author
Posted

If you scanned the drive before formatting it then you will have scanned live files. Recuva finds deleted files which may not have been scanned. But if you can't 'open' the drive then you're not at the Recuva stage.

 

I can open the drive but the retrieved files are in 0 bytes. What action will I do next? Thank you!

Link to comment
Share on other sites
Guest Keatah

Guest Keatah

Posted
Posted

Ok I understand it this way.

 

You had a shortcut to Drive "X".

You click on it and it opened Drive "X" in a new windows explorer window.

You scanned this drive with your anti-virus program.

The anti-virus scanner found some malware in several files.

You then deleted (or quarantined) those files by advice of your anti-virus.

 

Here's where I get lost:

 

"But still the HD itself is still a shortcut icon so I Googled it and found some answers that I have to delete and by the time I deleted it, I can't open now my HD so I formatted it."

 

This tells me the disk still had an icon or shortcut on the desktop. And you Googled that. And the results told you to delete the shortcut. And then you couldn't access the disk. And then you formatted the disk. And now you're trying to use Recuva to bring back the files after a fresh format.

 

My new questions:

Why couldn't the disk be accessed? Missing icon? Or did it develop an error?

Why did you have to delete a perfectly functioning shortcut & icon?

Why was the format done? To bring back a desktop icon?

What os are you using?

What are the disk size(s) of all your drives?

Is this an external USB disk?

I assume you did a fast/quick format?

 

 

Sorry for the tedious questions. In data recovery every detail means success or failure. And since I don't have the disk in front of me I can't observe every detail. Questions have to be asked.

Link to comment
Share on other sites
Almighty

Almighty

Posted
  • Author
Posted

Ok I understand it this way.

 

You had a shortcut to Drive "X".

You click on it and it opened Drive "X" in a new windows explorer window.

You scanned this drive with your anti-virus program.

The anti-virus scanner found some malware in several files.

You then deleted (or quarantined) those files by advice of your anti-virus.

 

Here's where I get lost:

 

"But still the HD itself is still a shortcut icon so I Googled it and found some answers that I have to delete and by the time I deleted it, I can't open now my HD so I formatted it."

 

This tells me the disk still had an icon or shortcut on the desktop. And you Googled that. And the results told you to delete the shortcut. And then you couldn't access the disk. And then you formatted the disk. And now you're trying to use Recuva to bring back the files after a fresh format.

 

My new questions:

Why couldn't the disk be accessed? Missing icon? Or did it develop an error?

Why did you have to delete a perfectly functioning shortcut & icon?

Why was the format done? To bring back a desktop icon?

What os are you using?

What are the disk size(s) of all your drives?

Is this an external USB disk?

I assume you did a fast/quick format?

 

 

Sorry for the tedious questions. In data recovery every detail means success or failure. And since I don't have the disk in front of me I can't observe every detail. Questions have to be asked.

 

Here's the scenario:

 

My external hard drive is G:/ and when I open it there's a shortcut there of G:/ itself before I can access my files in a new window which has $Recycler folder. After Googling and deleting whats's in the instruction, I cannot longer access it and popups an error like looking for $WI.FAT (I am not sure if that was really the name) So I formatted it. The icon isn't on the desktop but it is on the external HD itself. And no matter how many times I scanned it, it always brings back unusual folder names that's why I formatted it instead in a usual way. I am using Windows 7 Ultimate and the size of my external HD is 465GB.

 

Many thanks!

Link to comment
Share on other sites
Almighty

Almighty

Posted
  • Author
Posted

Holligan13

I had the same problem, which was caused by the program CIEUHU.EXE. it sucked.... basically what it did was change all folders on my flashdrive to shortcuts, but the drive still showed that it had data. The fix for this is was relatively easy for me and I hope it works for you.

1. Go to control Panel, Folder Options -- select VIEW--- select Show hidden files and folders and uncheck Hide protected operating system files (recommended) now click APPLY

2. go to your external media and it should show you all your folders hidden including the virus----- delete the virus and all the shortcut folders that have no data in them. create new folders and copy the data from YOUR hidden folders into them. once that is done delete the old hidden folders.

3. enter task manager--- find the program that is still running which will have the same name as the one you just deleted off the hard drive---- right click it and select open file location---- this should show you the virus location---- delete it!

4. return back to control panel, Folder options select view----- select DO NOT show hidden files and folders and recheck Hide protected operating system files (recommended)

5. Restart computer---- open task manager and ensure that the program is no longer running

 

This worked for me and I hope it works for you. Good Luck

 

http://answers.microsoft.com/en-us/windows/forum/windows_7-files/files-on-external-drive-have-changed-to-shortcuts/695db4cc-645f-4bd1-85c7-41671457fe11

 

This is where I relied but didn't worked.

Link to comment
Share on other sites
Guest Keatah

Guest Keatah

Posted
Posted

Google + Data Recovery = Disaster

 

Part of data recovery is accurate diagnosis up-front. And Google is pretty bad at that despite putting on the appearance of having an answer for everything. Just read some of the e-how articles or messages on other boards giving totally incorrect advice. Unfortunately the incorrect advice is only recognized as such after it (and variants of it) have been tried and failed.

 

Now the question of if nefarious malware could be the cause enters into the picture, who's to say what's really happening? Is the host system 100% verified clean?

 

Without going in long speeches and tedious reading. I would "guess" you're going to need semi-pro level software here. Something more than what Recuva can offer. And you're also going to want to work off an imaged copy to avoid any further damage and changes to the original disk.

 

There might even be manually hands-on re-building of some of the metafiles that "control" the organization of the disk structure.

 

But if anyone here knows how to use Recuva in this situation I want to hear about it!

Link to comment
Share on other sites
Alan_B

Alan_B

Posted
Posted

I had the same problem, which was caused by the program CIEUHU.EXE.

http://answers.micro...c7-41671457fe11

 

This is where I relied but didn't worked.

That topic had many "same problem but solution failed" posts.

There were at least two alternative executables which required different actions.

Did you at least confirm that you were infected by CUIEUHU.EXE.

 

 

A pain in the abdomen might be cured by anything from a strong laxative to removal of the appendix.

 

I fully agree with Keatah - you need accurate diagnosis before selecting a course of treatment.

 

I fear that every failed attempt which modifies the contents of the disc

(including. a "normal" format - whatever that may be)

will make it more difficult and expensive to achieve recovery.

 

I think it is more common for malware to target your system partition (C:\) before it targets external drives.

If your malware protection failed to protect your external drive I would not trust its internal protection,

and malware could :-

1. Have damaged system files which are required for use by Recuva;

2. Could still be present and actively degrading operation of your system.

 

I suggest that you get help to ensure your computer system is free of malware before you try to Recuva your external drive files.

Here is a list of suggestions

http://forum.pirifor...showtopic=34786

Link to comment
Share on other sites
Guest Keatah

Guest Keatah

Posted
Posted

I tend to agree. And ths is most likely a logical recovery situation. That means software and/or user activity corrupted the data. There doesn't seem to be any hardware failure here.

 

If I had this disk in my lab I'd be cloning it first and then plugging the image into some other more sophisticated software. There's other things that can be done too

 

Suffice it to say, you need to ensure you're working on a copy of the disk AND also working on a clean system.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept