What to do with a virus-riddled computer with photos?

One of my users just asked:

I am helping my partner’s parents to reconcile a mountain of data across a pile of computers and drives so that it is usable/accessible for them as they downsize into an apartment. The machines are reported to have a virus or multiple viruses that spread across networks and so I am keeping them isolated off my home network.
…
Please let me know if there’s any way I can get the folder structure-by-date copying functionality without bringing the machine online.

My Dad’s computer was in exactly this situation (sadly, several times!). Good on you to step up to this task!

Viruses are bad. No, like, really, really bad.

If a Windows computer has (any!) virus infection, as soon as you boot the computer, you can’t trust any software on that computer to do what is expected, including antivirus applications. System calls like stat and readdir can be “shrinkwrapped” to hide the current infection and to spread the infection to every relevant file. Data loss should be expected.

Assume every file the computer has access to (including your NAS!) may be cryptolocked and subsequently lost (never pay any ransom–that encourages the bad guys!).

Although PhotoStructure tries to be resilient against file and directory corruption by “firewalling” file access to the sync sub-process, if the OS itself is compromised, all bets are off.

Any process can be made to do anything.

I wouldn’t install PhotoStructure on a computer with known active viruses.

If possible, don’t boot your infected OS

Either live-boot Linux (like Ubuntu) from a USB drive, or pull the drives and mount them on another computer using existing SATA connectors, or an “external drive docking station.”

For HDDs, I’ve had good luck with StarTech, Inateck, and Sabrent hard drive docks, but check customer reviews first, and buy from a retailer that has a reasonable return policy in case it doesn’t work on your computer.

For SSDs, I’ve yet to find a really robust external enclosure that I can recommend. If you have a computer with an open PCI-express slot, an adapter like this one from StarTech may work for you.

If possible, configure your OS to not allow any file from the infected computer’s drives to be executed. On Linux, mount with noexec,nodev,nosuid. On Windows, right-click the drive, pick the “security” tab, and uncheck “read and execute” and leave “read” checked.
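
A check for the Linux mount options above, as an added example that is not part of the original post or of PhotoStructure: it reads mount records in /proc/mounts format and reports which of noexec, nodev and nosuid a mount point lacks. The function names, mount points and sample records are constructed for illustration.

```bash
# Added example: check that a drive from the infected machine is mounted
# with the options recommended above before copying anything off it.
REQUIRED_OPTS="noexec nodev nosuid"

# Constructed sample records in /proc/mounts format (not from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/infected ntfs3 ro,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/user/Old\040Photos fuseblk rw,nosuid,nodev,relatime 0 0
EOF
}

# Usage: missing_mount_opts MOUNTPOINT < /proc/mounts
# Prints the required options the mount point lacks.
# Returns 0 if none are missing, 1 if some are, 2 if it is not mounted.
missing_mount_opts() (
    target=$1
    opts=
    while read -r dev mnt fstype o rest; do
        # The kernel writes spaces in paths as \040; decode before comparing.
        mnt=$(printf '%b' "$mnt")
        # Keep the last match: a later mount on the same path shadows earlier ones.
        if [ "$mnt" = "$target" ]; then opts=$o; fi
    done
    if [ -z "$opts" ]; then echo "not-mounted"; return 2; fi
    missing=
    for want in $REQUIRED_OPTS; do
        # Wrap in commas so "exec" can never match inside "noexec".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then echo "${missing# }"; return 1; fi
    return 0
)

# Demo on the constructed records; on a real system feed /proc/mounts instead.
for mp in /mnt/infected "/media/user/Old Photos"; do
    if gaps=$(sample_mounts | missing_mount_opts "$mp"); then
        echo "$mp: required options present"
    else
        echo "$mp: do not copy yet ($gaps)"
    fi
done
```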

Then install PhotoStructure, ideally pick a new external drive with enough free space to hold everything, and on the settings page, pick “automatic” for the “Where else are your photos and videos?” section.
