This is the story of an ultimately successful, albeit roundabout, way of restoring a laptop to its former glory. It involved a badly infected laptop, an unrelated but inconveniently timed hard drive failure (minor but with enough bad sectors to prevent recovery of backup files), and unnecessarily convoluted scripting to get recovery files from a remote location. But it worked, and that is the satisfying part.
First of all, it is always a good idea to have your programs and data on separate partitions. This can make setting up automatic backups easier (so they tell me; I haven't quite set things up the way I'd like yet) and can make the recovery process smoother.
Second, make sure you actually have valid backups. For the data partition drag-and-drop / copy-and-paste to another drive works fine, but for the OS and programs you'll need to have an image of the drive -- this just means that every single bit is stored in its exact relative position on the drive instead of file by file. For Windows systems I highly recommend the free and robust drive imaging software DriveImageXML available here. That will allow you to make a backup image while running Windows, and even store it to the same drive you are imaging. After using commercial products such as Norton Ghost, I can say that DriveImageXML works better, is easy to use, and is surprisingly free.
For this incident, I had a backup image of the C drive stored in a directory on the D drive, and also on a DVD offsite.
Now, what happens if one of the backup image files for the infected laptop is damaged because of a hard drive problem, and your DVD with the alternate backup is thousands of miles away at a low bandwidth connection? Well, first you recover as much of the damaged file as possible. I recommend PC Inspector Data Recovery available here. With this I was able to recover most of the backup image.
Then you use rdiff -- a great Unix tool for calculating only the parts of files that have changed. I found a version compiled for Windows here. You can use rdiff to generate a signature of the damaged file, then write a script that compares that signature to the good file and generates a delta. Give that script and signature to someone with access to the alternate backup, and they will be able to send you a very small file instead of the original. Using this technique I was able to get a 562KB delta file instead of the several GB original.
Then all you have to do is use rdiff again to reconstruct a good original file, replace the bad hard drive (this is where an extended warranty and a couple of weeks' worth of patience come in handy), reformat and repartition it, restore the backup image files to the drive using DriveImageXML on a Windows boot CD (I highly recommend the Ultimate Boot CD for Windows), copy the backed up data files, and you are back in business.
I should also mention that my rdiff script also uses fsum (available from Slavasoft here) to calculate an md5 hash of the original file, which is how I make certain that my reconstituted copy is a perfect duplicate of the original. The script is just saved as a .bat file in the same directory as rdiff, fsum, and the signature file. Your accomplice should just have to double-click on it and they will get the delta file as output in the same directory.
Here is the script:
@echo off
rem Work from the script's own directory, where rdiff, fsum and
rem Drive_C.dat.sig are stored, even if it is started from elsewhere.
cd /d "%~dp0"
cls
echo Please insert the DVD with the backup image files.
pause
cls
echo Press any key to open a File Explorer window.
echo Please note the exact path (ie E:\backupset\ ) to where the
echo 'Drive_C.dat' file is located, then return to this window.
pause
%windir%\explorer.exe
:GetInput
cls
echo What is the full directory path where the 'Drive_C.dat' file is located?
echo ie. G:\ImageC\
rem The path must end with a backslash, as in the example above.
set /P DatDir=
cls
echo Processing, please wait ...
rem Compare the good file against the signature of the damaged copy
rem and write only the differences to Drive_C.dat.dif.
if exist "%DatDir%Drive_C.dat" (
    rdiff delta Drive_C.dat.sig "%DatDir%Drive_C.dat" Drive_C.dat.dif
) else (
    echo Please check the path to 'Drive_C.dat' and try again.
    pause
    goto GetInput
)
echo Delta file generated, creating md5 of original. Please wait ...
rem Hash the good file so the rebuilt copy can be checked against it.
fsum "%DatDir%Drive_C.dat" > Drive_C.dat.md5
cls
echo Finished!
echo Please make a note of where the 'Drive_C.dat.dif' and
echo 'Drive_C.dat.md5' files are located so that you can email them.
pause
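Why the delta comes out so small, as an added Python sketch (not the author's script, and not rdiff's own algorithm or file format): it models the signature, delta, patch and MD5 check with fixed-offset blocks and no rolling checksum, which is enough for in-place damage such as bad sectors. The block size, function names and sample data are assumptions made for this example.

```python
import hashlib

BLOCK = 4096  # assumed block size for this sketch, not rdiff's default

def signature(damaged: bytes) -> list:
    """Requester: one hash per fixed-size block of the damaged copy."""
    return [hashlib.sha256(damaged[i:i + BLOCK]).digest()
            for i in range(0, len(damaged), BLOCK)]

def delta(sig: list, good: bytes) -> list:
    """Helper with the good copy: ('copy', n) where block n already matches,
    ('data', bytes) only where the requester's block is bad or missing."""
    ops = []
    for n, i in enumerate(range(0, len(good), BLOCK)):
        block = good[i:i + BLOCK]
        if n < len(sig) and hashlib.sha256(block).digest() == sig[n]:
            ops.append(("copy", n))
        else:
            ops.append(("data", block))
    return ops

def patch(damaged: bytes, ops: list) -> bytes:
    """Requester: rebuild the file from local blocks plus the shipped data."""
    out = bytearray()
    for kind, arg in ops:
        out += damaged[arg * BLOCK:(arg + 1) * BLOCK] if kind == "copy" else arg
    return bytes(out)

def shipped_bytes(ops: list) -> int:
    """Literal data the delta has to carry (ignores the small copy records)."""
    return sum(len(arg) for kind, arg in ops if kind == "data")

def demo():
    # Constructed sample: a 1 MiB "image" with two 512-byte runs zeroed,
    # standing in for bad sectors in the recovered file.
    good = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(32768))
    damaged = bytearray(good)
    for off in (10 * BLOCK + 7, 200 * BLOCK):
        damaged[off:off + 512] = bytes(512)
    ops = delta(signature(bytes(damaged)), good)
    rebuilt = patch(bytes(damaged), ops)
    # The MD5 of the good file travels with the delta, as in the .bat script.
    ok = hashlib.md5(rebuilt).hexdigest() == hashlib.md5(good).hexdigest()
    return len(good), shipped_bytes(ops), ok

if __name__ == "__main__":
    print(demo())
```

The MD5 comparison confirms that the rebuilt file is free of accidental corruption; it is not protection against someone deliberately tampering with the delta.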
Finally, here are a couple of suggestions for avoiding viruses:
I can't guarantee that these steps will work for everyone, but they seemed to work well enough this time. I posted them here in case they might help someone else, but also so that I can remember what I did.