Monday, August 20, 2007

Case 1

Skipping the introduction, as this should be pretty self-explanatory. Template may change over time.

Situation
Coworker was talking about her fried computer that won't even start up. Thinking this will make a good challenge and indicator of my abilities, I offer to get the pictures off her hard drive. Fortunately for me, she tells me that the computer has gathered dust for a while and all data was assumed lost long ago. Nothing to lose.

Initial Thoughts
No big deal. I'll plug it in, see if it POSTs (or turns on at all, as the case may be). Bad hard drive is likely the culprit, but hardware failure is never out of the question. If it is the hard drive, I'll stick it in my case, change the jumpers to Slave, and recover the data.

Process
When I booted the computer, it flashed the HP screen and went straight to an error message that said a file in the System32 folder needed to be reinstalled. Somebody fucked it up good, but far from hope being lost. So I yank the HDD out of the case, change jumper settings, and put it in my Antec case (which is awesome, review to follow).

First mistake (and I'm not entirely sure it was a mistake) was letting Windows scan the new disk for consistency. I was paranoid at first, since I have read that you have to be careful what you do with a corrupt disk, lest you write to it and fuck something up. Windows reports that the disk is unusable, which I find a little hard to believe.

Sure enough, when I pull it up in Explorer, most everything's there. WINDOWS, Program Files, and Documents and Settings. It's a cakewalk from here, I might as well pop in a blank CD now. But there's no data. All I can find are files that were bundled with the computer. Default pictures, songs, etc. None of the coworker's pictures. But...

There's something strange going on. Every directory has a common file: AXEL.DAV (a 24-byte file that reads "A" when pulled up in a text editor). A little bewildered, I turn to the God Almighty, Señor Google. Results aren't promising, but piecing together bits and pieces of forum discussion leads me to find that the drive was infected with the vbs_redlof.A virus. This doesn't explain the missing files (or the remaining ones for that matter), but I'm guessing that was on the user's end when she tried to use XP's restore.

Well, whatever. I run compmgmt.msc and delete both partitions (surprisingly, the backup partition was unaffected, despite the fact that most of the files had been removed). Clean drive goes back into the old computer and I start the XP setup. Formatting goes fine, but this machine will be God damned if it's going to install Windows. Every other component it tried to install was unable to be installed.

So fuck it, I'll start over. Except now the computer won't start up. Trying to enter the BIOS locks up the computer. A hard shut down and five minutes later, it reports that NTLDR is missing. Oops. Restart, enter BIOS, change boot priority, we're going to try this again. "Press any key to boot from CD..." is followed by the NTLDR error. Super cool. A half hour job is now at three hours and counting. Restart. Press any key before the fucker realizes that NTLDR ain't coming home.

Overwrite the partition I just created with a quick NTFS format. Before, Setup was at 0% when it found an error. This time I get all the way to 6% before it tells me a *.ttf (TrueType font) file is missing. Guess they're going to have to do without Courier for a while. But now we have a success.

Ladies and gentlemen, we are through the Looking Glass. Windows is installing. I'm going to install some third-party software and hopefully return an over-sized paperweight as a functioning machine. Fuck the pictures, at this point a revived hard drive is all that really counts for anything. I rename the computer MOTHER, and the rest of the install goes smoothly.

And of course, I forgot about drivers. Fortunately, HP has my back on this one. And with my Passport Drive, I can easily download and transfer files. Now, to you this might not seem like a big deal, but I've had to find drivers for entire systems on a 56k connection. 20 MB is a huge deal, especially if you end up with the wrong drivers... repeatedly. Thank God for 802.11b.

Drivers are good, so what about third-party software? I picked up a disc in a Maximum PC magazine a while back that came with some decent freeware that had been scavenged off the Internet. It's a good list, even though it's missing VLC and IZArc, two of my favorite programs (VLC supports streaming video over a network using UDP, which is just fucking awesome). Anyway, I went with AVG (virus scanning), Firefox (running IE on a fresh XP install is out of the question, I remember Blaster), HDDlife Pro (gave me an idea of how long the drive has before it dies), and of course, SpyBot (for spyware, most likely cause of all of these problems). Now to see how the coworker likes it.

Aftermath
Well, no recovered files. I don't know if I wrote over them when it checked the disk, if the virus got them somehow (shouldn't have targeted anything outside of .vbs, .html, and some other system files), or they got caught in some XP Recovery limbo, never to be seen again. (My money's on this one.) I gave it back to my coworker this afternoon and explained what had happened and she didn't seem to be too surprised.

Post-ordeal Thoughts
First of all, I'm going to be more careful about quarantining the disk. I ran AVG on it when I got it/after I took it out and I have no idea if anything could have gotten onto my system anyway, but I should figure out a safer way to go about it next time.
Second of all, it might be worth it to invest in some recovery software if I end up doing any more of this. I have a few freeware utilities in mind, but shelling out some cash might not be a terrible idea.
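Added example (mine, not from the original post) for the two points above: the AXEL.DAV-in-every-directory finding and the wish for a safer way to handle a suspect disk. The safer way is to never let the working machine auto-scan or write to the evidence at all: image the drive from a live CD (dd/ddrescue), hash the image, mount the image read-only, and only then go looking. The script below does the "go looking" part against a read-only mount: it walks the tree, records every copy of the marker file with its size and SHA-256, and tells you whether the copies are byte-identical (one dropped payload, not user data) and whether they match the 24 bytes reported in the post. The file name and size come from the post; the sample directory tree and the marker's bytes are constructed for the demo, since the real file's contents aren't on the page.

```python
"""Read-only triage of a suspect drive: find the per-directory marker file.

Added example, not from the original post. It assumes the drive has already
been imaged (dd/ddrescue from a live CD) and the image mounted read-only
(e.g. mount -o ro,noexec,nosuid,nodev), so nothing here writes to the evidence.
MARKER_NAME and MARKER_SIZE come from the post; the sample tree and the bytes
written into it are constructed stand-ins.
"""
import hashlib
import os
import shutil
import tempfile

MARKER_NAME = "AXEL.DAV"   # file the post found in every directory
MARKER_SIZE = 24           # size the post reports for it


def sha256_of(path, bufsize=65536):
    """Hash a file in chunks; the hash identifies the content without trusting its name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_report(root, name=MARKER_NAME, expected_size=MARKER_SIZE):
    """Walk a read-only mount and describe every file called `name`.

    Returns how many directories carry the marker, whether every copy is
    byte-identical (one dropped payload rather than user data), and whether
    any copy deviates from the expected size. Symlinks are not followed and
    the tree is never modified.
    """
    hits = []
    dirs_total = 0
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        dirs_total += 1
        for fn in filenames:
            # NTFS names are case-insensitive; a Linux mount may show either case.
            if fn.casefold() != name.casefold():
                continue
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue
            hits.append({"path": path, "size": os.path.getsize(path), "sha256": sha256_of(path)})
    hashes = {h["sha256"] for h in hits}
    sizes = {h["size"] for h in hits}
    return {
        "dirs_total": dirs_total,
        "dirs_with_marker": len({os.path.dirname(h["path"]) for h in hits}),
        "distinct_hashes": len(hashes),
        "identical_everywhere": len(hashes) == 1,
        "size_ok": bool(hits) and sizes == {expected_size},
        "hits": hits,
    }


def build_sample_tree(base):
    """Constructed stand-in for the mounted drive: three infected dirs, one clean."""
    infected = ["WINDOWS", "Program Files",
                os.path.join("Documents and Settings", "Owner", "My Pictures")]
    # 24 bytes that show only "A" in a text editor; the real file's bytes are not known here.
    marker_bytes = b"A" + b"\x00" * (MARKER_SIZE - 1)
    for rel in infected:
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, MARKER_NAME), "wb") as f:
            f.write(marker_bytes)
    clean = os.path.join(base, "RECYCLER")
    os.makedirs(clean, exist_ok=True)
    with open(os.path.join(clean, "desktop.ini"), "wb") as f:
        f.write(b"[.ShellClassInfo]\r\n")  # unrelated file; must not be reported
    return base


def demo():
    """Build the constructed tree in a temp dir, triage it, clean up, return the report."""
    base = tempfile.mkdtemp(prefix="triage_")
    try:
        build_sample_tree(base)
        return triage_report(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print(f"{r['dirs_with_marker']} of {r['dirs_total']} directories carry {MARKER_NAME}; "
          f"identical everywhere: {r['identical_everywhere']}; size as reported: {r['size_ok']}")
```

Point it at the real mount with `triage_report("/mnt/evidence")` instead of `demo()`. The hit list is what you'd hand to a scanner or compare against the drive's backup partition; a single distinct hash across hundreds of directories is the signature of something dropping the same file everywhere, not of a user's photos.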

So that's it. Riddled with confusing problems and anticlimactic. This is one of the weirder things I've seen, and I have no reason to think it will stay that way.
