Virus has made drive inaccessible

RegEdit

So a customer of mine says that they caught a virus, then upon reboot the computer quickly blue screens out. I slaved the drive to my bench computer and the drive shows up under My Computer, but when I double click it, it says that the drive is not formatted. Yikes. I ran Crystal Disk Info and everything appears healthy. So what did the virus do? Screw with something in the System Volume folder? Anyone ever come across viruses like this? I'm gonna proceed to use R-Studio or GetDataBack to recover the customer's data. It would be nice if there was a simple fix to this to avoid a reinstall though.

R-Studio says "The selected disk does not contain any of supported file systems or it's file system is corrupted."
This virus was nasty! : (
 
So a customer of mine says that they caught a virus, then upon reboot the computer quickly blue screens out. I slaved the drive to my bench computer and the drive shows up under My Computer, but when I double click it, it says that the drive is not formatted. Yikes. I ran Crystal Disk Info and everything appears healthy. So what did the virus do? Screw with something in the System Volume folder? Anyone ever come across viruses like this? I'm gonna proceed to use R-Studio or GetDataBack to recover the customer's data. It would be nice if there was a simple fix to this to avoid a reinstall though.
Personally I'd start with an immediate drive image, then some sort of partition rescue software to make sure everything is rebuilt properly from the MBR down. That might be all you need before you can start disinfection (if they're actually infected, of course)!

I think I'd image (sector-by-sector) with R-Studio or GDB though; that way if all goes south you can always just continue with the file-level recovery and cut your losses.


EDIT: Alternatively, you could try reinstalling the drive (after imaging) in the customer's system, booting to a Vista/7 CD (whichever applies), and then attempting a Startup Repair. If it's XP, you could always boot to recovery console and attempt to run a fixmbr command, followed by a fixboot command. Can't hurt to try if you've got your image!
 
First, you need to figure out if they got a virus or if this is the "virus". Our clients don't know the terminology very well and call things what they aren't all the time. They could have also gotten a virus and this just happened at the same time. 99% of popular viruses today do not damage computers in any way because they are more interested in information on them or credit card information.

As for getting the data back, no, there isn't much else you can do unless you can recover the partition table.
 
As long as you're dealing with NTFS, you can likely recover the files anyway... but nabbing an image first thing is good practice. :)

Granted, if the drive does happen to be failing (more likely, as MrUnknown says above; few viruses have been known to corrupt filesystems to my knowledge), I always like to call the customer first to inform them of the risks of data recovery attempts. I explain the risks, the probable cost if they choose to go with a pro DR firm, and then ask them what they think they want to do. 95% of the time they choose to have me try and recover it for them (and I usually do).

The good thing is, if you start by attempting an image, the first bad sector you run into will throw up a flag in either R-Studio or GetDataBack... so then you'll know it's probably on its way out.
 
I ran Crystal Disk Info and everything appears healthy.
CDI won't tell you anything beyond the SMART status of the drive. What you appear to have here is a logical problem. Something has damaged your drive's logical structure, most likely the partition table.

GDB will find the partition and allow you to recover that data, if it hasn't been overwritten. There are dozens of programs that will allow you to attempt recovery of the partition table, e.g. EaseUS Partition Recovery.
 
seedubya's thinking the same thing I am. Logical corruption can be caused by a wide variety of things, including power failures, NTFS transactional mishaps, bad RAM, bad sectors on the drive... most likely this is easily fixed with the proper DR software. Partition recovery software is best at this, as sometimes it's as easy as just rebuilding the partition data.

But GDB and R-Studio can get the files most likely anyway. Hopefully it's not actually a drive failure issue, which is possible.

Let us know what happens!
 
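The replies above draw a line between a drive that is physically failing and one whose logical structure (partition table, volume boot sector) has been damaged, which is what Windows reports as "not formatted". The script below is an added, read-only example of that triage step, not code from this thread or from any of the tools named in it: it parses the MBR partition table of a sector-by-sector image, then reads each partition's boot sector and checks whether it still carries an NTFS or FAT identifier. The disk image it inspects is constructed in the script itself (one NTFS partition starting at LBA 63, with optional damage to the MBR or to the boot sector), and the partition-type lookup table is a small subset chosen for the example.

```python
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "

# Constructed lookup of the MBR partition type IDs this example recognises.
PART_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux"}


def parse_mbr(sector):
    """Parse the four primary entries of an MBR sector.

    Returns None when the 0x55AA boot signature at offset 510 is missing,
    which is the first thing a partition-recovery tool checks.
    """
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        return None
    entries = []
    for i in range(4):
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0x00 and count != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "type_name": PART_TYPES.get(ptype, "unknown"),
                            "lba_start": lba, "sectors": count})
    return entries


def identify_boot_sector(sector):
    """Classify a volume boot sector by its OEM/identifier fields (read-only heuristic)."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        return "no boot signature"
    if sector[3:11] == NTFS_OEM_ID:
        return "NTFS"
    if sector[82:87] == b"FAT32" or sector[54:57] == b"FAT":
        return "FAT"
    return "unrecognized"


def inspect_image(image):
    """Walk an MBR disk image and report what each primary partition's boot sector says."""
    mbr = parse_mbr(image[:SECTOR])
    report = {"mbr_ok": mbr is not None, "partitions": []}
    if mbr is None:
        return report
    for entry in mbr:
        off = entry["lba_start"] * SECTOR
        boot = image[off:off + SECTOR]
        report["partitions"].append(dict(entry, fs=identify_boot_sector(boot)))
    return report


def build_sample_image(damage=None):
    """Construct a tiny MBR image: one NTFS partition at LBA 63 (XP/Vista-era layout).

    damage="mbr" zeroes sector 0; damage="boot" zeroes the partition's boot sector.
    Both are constructed cases for the example, not data from a real drive.
    """
    start, count = 63, 64
    image = bytearray((start + count) * SECTOR)
    # Partition entry 0: active, type 0x07, LBA start 63, 64 sectors.
    struct.pack_into("<B3xB3xII", image, 446, 0x80, 0x07, start, count)
    image[510:512] = b"\x55\xAA"
    boot = start * SECTOR
    image[boot:boot + 3] = b"\xEB\x52\x90"           # NTFS jump instruction
    image[boot + 3:boot + 11] = NTFS_OEM_ID
    struct.pack_into("<HB", image, boot + 11, SECTOR, 8)  # bytes/sector, sectors/cluster
    image[boot + 510:boot + 512] = b"\x55\xAA"
    if damage == "mbr":
        image[:SECTOR] = bytes(SECTOR)
    elif damage == "boot":
        image[boot:boot + SECTOR] = bytes(SECTOR)
    return bytes(image)


if __name__ == "__main__":
    for label in (None, "mbr", "boot"):
        print(label or "healthy", inspect_image(build_sample_image(label)))
```

Run against a real image, the three outcomes map onto the thread's diagnoses: a missing MBR signature or empty table points at partition-table damage that rebuild tools address; a present table whose boot sector no longer identifies a filesystem is the "drive is not formatted" case; and a boot sector that looks intact while the files recovered from it are junk is the point where the replies start suspecting the drive itself rather than its logical structure. The script never writes to the image, in keeping with the advice to work only on a copy.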
CDI won't tell you anything beyond the SMART status of the drive. What you appear to have here is a logical problem. Something has damaged your drive's logical structure, most likely the partition table.
Western Digital's SMART test just gave the ole' question mark symbol.

GDB will find the partition and allow you to recover that data, if it hasn't been overwritten. There are dozens of programs that will allow you to attempt recovery of the partition table, e.g. EaseUS Partition Recovery.
So far GDB is working. 46% and counting...
EaseUS Partition Recovery. That sounds like the ticket!!!! Thanks for the hot tip!!

EDIT: Alternatively, you could try reinstalling the drive (after imaging) in the customer's system, booting to a Vista/7 CD (whichever applies), and then attempting a Startup Repair. If it's XP, you could always boot to recovery console and attempt to run a fixmbr command, followed by a fixboot command. Can't hurt to try if you've got your image!
Great idea. It's running Vista.
 
I had high hopes for EaseUS Partition Recovery but no such luck...
(attached screenshot: easeus-partition.jpg)

I am unable to virus scan the drive (when slaved). Under "properties" the drive shows 0 bytes of free space and 0 bytes of used space.

I'm gonna search for other utilities such as this old Trend Micro tool from back in 2006.

I was able to image it with GetDataBack.
 
I think my next step'd be Startup Repair, just to see where that gets you. It might be all that's required.

The good thing is that now that you've got a sector-by-sector image, you have really nothing to worry about :)
 
tip:

Don't attempt repairs on your original image. Create another copy of the image, and work on that, so that if anything goes wrong you still have your original image.
 
Can R-Studio open any .img file? I created an image with GetDataBack but wasn't able to expand that image with GetDataBack. So I tried opening the image with R-Studio. No luck either. It gave me the error code FF0000

As mentioned earlier, R-Studio wasn't able to image the drive.
 
Yeah, I suppose you could make a copy of every image... only thing is, these programs are supposed to only read from the image! So it shouldn't be a problem...

GDB couldn't figure anything out based on the image?

Maybe the drive really is troubled somehow then. Could it potentially be a firmware problem, and you actually aren't getting anything but garbage data from the drive in the first place (but the drive is reporting a successful read)?

This is starting to sound like it may be a hopeless case after all if so...
 
After the drive has been imaged, I have formatted the drive and then run GetDataBack to recover the information on the drive.
Note: this does not work every time but has worked for me.
 
This is a strange one... definitely let us know of your developments.

You know, if the GDB image doesn't seem to be cooperating, you could always try simply running R-Studio on the drive. Technically you have a working copy of whatever was there to start with (I've never seen GDB think it had an image but fail). Thus if the data really is corrupt at this point (or the firmware has pooped out--it's possible), then you really have done all in your power to correct it.

Something else that just popped into my head however... have you tried booting to an imaging solution using the customer's actual PC? It may also be a problem with the connection to the PC being used to examine the drive!
 
Perhaps firmware module damage. The files that I was able to extract were useless. They were organized in a few folders called text document, unicode document, DVM video, etc. There was some other folder.... exe files and zip files I think. The text files were numbered. In opening them, the files were useless junk. So maybe firmware module damage or something. I've used R-Studio and GDB and when they work they work. This time no luck.
 
I've read through the posts here, and my Spidey-sense is telling me that the drive itself is toast, with no "real" spyware/virus infection. I.E., basically something is wrong with the drive physically, be it the platters, electronics board, etc.

I've seen weird stuff like this before that, even after running diagnostics on the drive, showed it to be good. In reality, the drive was hosed, even though it could be "partially" read by Windows Explorer, Linux flavors, boot CDs, etc.

I know you are in the midst of doing this now, but I have a feeling the only thing that MAY save this drive is IF you can image the drive to a new one, and then boot from there to see if it works. Quite a longshot, I'd say. Hope your customer has backups.
 
The customer tells me that they got this virus telling them that their computer was infected, they rebooted, and then immediately got this blue screen error:
EPOS ERROR LOG
STOP! Can't recover from error.
001 002 003 [etc etc]
System halted

I've never seen a virus do this and I infect test machines every week. I've read about the Tedious virus, but I've also heard about the Chupacabra. Must be coincidence. I don't know if it's firmware module damage or what but I doubt it's a virus. I'll report if I find out. They're taking the drive to a recovery place.
 