Full Version: KAV Rescue Disk problem - lost data
pprod
KAV Rescue Disk problem - lost data

200 gigabytes gone from hard-drive after running

I have an AMD Athlon w/ 4GB RAM running MS-Windows XP Pro SP3 with a 300GB SATA hard-drive (of which about 230GB was occupied by data, programs, etc.)

I had no real reason to think I had a real virus problem, but I wanted to check, so I booted Kaspersky Rescue Disk v8.8.129 from my DVD drive. I updated the virus definitions (03/31/09 3:10am) via a download from the internet and launched KAV scan.

I set the option Prompt Off, disinfect, delete if unable. (Won't do that again).

I received numerous warnings about a Trojan…html (?-can't remember precisely) in various emails contained within my Thunderbird inbox (and various subfolders). This led to a prompt saying the options were delete or skip. I skipped every time. I had the "details" on screen and recognized many of the emails (various phishing spoofs from pseudo "PayPal" and such).

I saw no other events or indication of any virus posted in the details as it was running.

At 29% I decided to stop the process and defer to running it overnight (it had been running for about 2 hours).

I saved the log in my root directory.

I closed KAV and then selected Logoff.

The program seemed to exit normally, the screen went blank, but after about 5 minutes the machine had still not powered down.

I pressed the power button and the machine went off.

When I rebooted I received the message:

NTLDR missing, CTRL-ALT-DEL to restart.

I pulled the drive and attached it to a different machine (similarly running MS-Windows XP SP3) as a non-booting drive. With Windows Explorer, I discovered that much of my drive is now empty. Lost was almost all contents of "Documents and Settings" and the various sub-folders. The one exception being the presence of one single large (perhaps the size of part of my saved emails) file

\Document and Settings\[username]\Application Data\Thunderbird\Profiles\[profilekey].default\Mail\[mail account]\.fuse_hidden000021340000005b

I see no evidence of the log I saved.

I do see the folder:

\Document and Settings\All Users\Application Data\Kaspersky Lab\AVP8 with 4 sub-folders and a tgz file.

Windows Explorer currently reports that there are 29.0GB of data on the drive. (There had been about 230GB of data on the drive).

I am currently exploring the drive with Runtime Software's Get Data Back v3.66.

I have not written to the drive at all since the KAV incident.


Baz^^
Hi,

Is this the linux based scan cd?

If so that is in Beta, and problems are to be expected but this seems to be a bit extreme.

Is there any indication that the hard drive is failing to cause this data loss?
pprod
QUOTE(Baz^^ @ 1.04.2009 01:55) *
Hi,

Is this the linux based scan cd?

If so that is in Beta, and problems are to be expected but this seems to be a bit extreme.

Is there any indication that the hard drive is failing to cause this data loss?


I believe it is Linux based: on boot, first screen:

***
ISOLINUX 3.09 2005-06-17

Kaspersky v8.8.1.29

...

Press enter to start (approx)

***
and during the load of various drivers, etc. I noticed: gentoo.linux

Once up in full-screen comes with these choices via lower left pop-up:

KAV
X File Explorer (v1.04)
Terminal
Screenshot
---
Logout

====

As for possible hard-drive failure, none before or after (currently running deep-level search by Runtime Software's "GetDataBack for NTFS" and no problems reading the drive).

Phillip


and
pprod
QUOTE(pprod @ 1.04.2009 02:29) *
I believe it is Linux based: on boot, first screen:

***
ISOLINUX 3.09 2005-06-17

Kaspersky v8.8.1.29

...

Press enter to start (approx)

***
and during the load of various drivers, etc. I noticed: gentoo.linux

Once up in full-screen comes with these choices via lower left pop-up:

KAV
X File Explorer (v1.04)
Terminal
Screenshot
---
Logout

====

As for possible hard-drive failure, none before or after (currently running deep-level search by Runtime Software's "GetDataBack for NTFS" and no problems reading the drive).

Phillip
and

Hello Baz+,

In my effort to "intelligently" try to recover some of my critical files, I'm wondering what KAV does when it "deletes" the boot sector or partition table of an "infected" drive (although I received no indication that this was the case) or when it "deletes" individual "infected" files. Is there any technical information concerning this?

I'm still trying to determine what happened before attempting any recovery. I have cloned an image of the drive, so I'm ready to try a few things, but my low level exploration of the drive has not been encouraging.

Any assistance would be greatly appreciated. Even if it just points me to where I might need to look for details.

Thanks,

Phillip
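For the question above about the partition table and boot sector, a read-only check that can be run against the cloned image, as an added example that is not part of the original posts. The function names and the in-memory sample are constructed; the offsets are the standard MBR and NTFS boot sector layouts.

```python
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return (signature_ok, partitions) for the first sector of a disk image."""
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    parts = []
    for i in range(4):  # four 16-byte entries start at offset 446
        entry = sector0[446 + 16 * i:462 + 16 * i]
        flag, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype and count:
            parts.append({"index": i, "active": flag == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return sector0[510:512] == b"\x55\xaa", parts

def parse_ntfs_boot(bs):
    """Return NTFS geometry from a partition boot sector, or None if it is not one."""
    if len(bs) < SECTOR or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    total, mft, mirror = struct.unpack_from("<QQQ", bs, 0x28)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_cluster": mft, "mft_mirror_cluster": mirror}

def inspect_image(read_sector):
    """read_sector(lba) -> bytes. Point it at a clone, never the original disk."""
    sig_ok, parts = parse_mbr(read_sector(0))
    report = {"mbr_signature_ok": sig_ok, "partitions": []}
    for p in parts:
        ntfs = parse_ntfs_boot(read_sector(p["lba_start"])) if p["type"] == 0x07 else None
        report["partitions"].append({**p, "ntfs_boot": ntfs})
    return report

def constructed_sample(boot_intact=True):
    """In-memory stand-in for an image: one active NTFS partition at LBA 63."""
    mbr, bs = bytearray(SECTOR), bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1000)
    mbr[510:512] = b"\x55\xaa"
    if boot_intact:
        bs[3:11] = b"NTFS    "
        struct.pack_into("<HB", bs, 0x0B, 512, 8)
        struct.pack_into("<QQQ", bs, 0x28, 999, 4, 62)
        bs[510:512] = b"\x55\xaa"
    sectors = {0: bytes(mbr), 63: bytes(bs)}
    return lambda lba: sectors.get(lba, bytes(SECTOR))

if __name__ == "__main__": print(inspect_image(constructed_sample()))
```

For a real clone, pass a function that opens the image file in `"rb"` mode, seeks to `lba * 512` and reads 512 bytes. If the MBR entry and the NTFS boot sector both parse, the partition table and boot sector are still present on the image.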
Lucian Bara
hello
kaspersky doesn't delete the boot record, it will disinfect them if the option is available (eg. if the mbr is copied somewhere by malware, and the copy is available), otherwise it just reports them. as for deleting files, it deletes them like you do when you want to delete a file, it's no complicated algorithm since it's not needed.
plazmica
QUOTE(pprod @ 1.04.2009 00:47) *
KAV Rescue Disk problem - lost data

I set the option Prompt Off, disinfect, delete if unable. (Won't do that again).

I received numerous warnings about a Trojan…html (?-can't remember precisely) in various emails contained within my Thunderbird inbox (and various subfolders). This led to a prompt saying the options were delete or skip. I skipped every time. I had the "details" on screen and recognized many of the emails (various phishing spoofs from pseudo "PayPal" and such).

I saw no other events or indication of any virus posted in the details as it was running.

At 29% I decided to stop the process and defer to running it overnight (it had been running for about 2 hours).

I saved the log in my root directory.

I closed KAV and then selected Logoff.

The program seemed to exit normally, the screen went blank, but after about 5 minutes the machine had still not powered down.

I pressed the power button and the machine went off.

When I rebooted I received the message:

NTLDR missing, CTRL-ALT-DEL to restart.

I pulled the drive and attached it to a different machine (similarly running MS-Windows XP SP3) as a non-booting drive. With Windows Explorer, I discovered that much of my drive is now empty. Lost was almost all contents of "Documents and Settings" and the various sub-folders. The one exception being the presence of one single large (perhaps the size of part of my saved emails) file

\Document and Settings\[username]\Application Data\Thunderbird\Profiles\[profilekey].default\Mail\[mail account]\.fuse_hidden000021340000005b

I see no evidence of the log I saved.

I do see the folder:

\Document and Settings\All Users\Application Data\Kaspersky Lab\AVP8 with 4 sub-folders and a tgz file.

Windows Explorer currently reports that there are 29.0GB of data on the drive. (There had been about 230GB of data on the drive).

I am currently exploring the drive with Runtime Software's Get Data Back v3.66.

I have not written to the drive at all since the KAV incident.


The same problem I had. Classical scanning through the night, where KAV deleted a few viruses. After a successful scan, I opened the File manager to delete temp folders. I deleted pagefile.sys and a hidden file .fuse_hiddenxxxxxx appeared, so I tried to delete it, but unsuccessfully. Then I went to logoff. While I was waiting for it to shut down, it showed that the C drive could not be unmounted and demanded my password, or to press Ctrl + D to continue. Because I do not have a password, I pressed Ctrl + D and continued with the message that drive C was not unmounted. After restarting the computer, the C partition was completely empty. With GetDataBack I saw that the files are on the hard disk as "deleted" and it gives me the option to recover them. I don't want to recover them, I want my partition back. So how to restore back the previous partition?

version. KAV 8.8.131

plazmica
QUOTE(Lucian Bara @ 2.04.2009 17:48) *
hello
kaspersky doesn't delete the boot record, it will disinfect them if the option is available (eg. if the mbr is copied somewhere by malware, and the copy is available), otherwise it just reports them. as for deleting files, it deletes them like you do when you want to delete a file, it's no complicated algorithm since it's not needed.


any suggestions for my previous post?
IgorNM
Hi, I have the same problem.

After scanning my PC, leaping over the infected files, I logged off.
When I started Windows, it had a problem: "NTDL is missing."

I boot via the live CD and discovered that my files were deleted.

I tried to recover by Active Undelete, but it did not find the files.

I will try now with GetDataBack for NTFS ...

Is there something else I can do?

Thanks for all!
Whizard
Boot from CD into the Recovery Console and type FIXMBR, followed by FIXBOOT, then restart the computer.
IgorNM
I lost all files! Will a simple FIXBOOT and FIXMBR solve my problem? I am afraid to do this and then not be able to recover my files.

Will this work? Guaranteed?

Thank you!
JayE
I just ran the scan last night and discovered that MY ENTIRE HARD DRIVE is gone!!! Everything!!!

I went from having a handful of mildly-irritating viruses to having nothing -- no data, no photos, no apps, nothing.

What is the resolution to this?? I am out of my mind at this point.