Hard drives inaccessable

Hi there,

I recently went through the steps of posting on the malware removal forum due to a win32/mebroot.k trojan popping up in Eset. I am told from the logs that I posted that I no longer have this trojan.

My problem now lies in the fact that I have 2 physical drives of data that I cannot access. I'm not sure if this is the work of the trojan but it happened at the same time as the trojan. First my drive labelled "Downloads" would turn into a "Local Disk", would not open, and after several seconds say that it needs to be formatted. For awhile I could restart the computer and chkdsk would automatically run and make the drive accessable again. This is the same time that I started to get the message from Eset regarding the trojan. Now the chkdsk will not make the drive accessable anymore and a second physical drive has also become inaccessable.

I have tried chkdsk manually with the windows system restore on both drives. The first gets to 25% and then says there are "unrecoverable problems." The latest drive that went says "unrecoverable problems" right away.

I have also tried a program called Ontrack EasyRecovery. The first drive took awhile to scan and some if not most of the files appear to be there. The second drive took just a second and everything popped up.

Basically I am wondering if there is a program that can fix the file structure or MFT or whatever is wrong with these drives. They appear to still have all my data on them but it just cannot be viewed in Windows XP right now. I have ordered a new computer and was hoping to just plunk these two drives of data into it.

On a side note, does this sound like something this trojan can do or is it just a coincidence. My computer is pretty old and freezes a fair bit, especially while playing videos which is why I ordered a new one. Not sure if the restarts may have caused this problem with the drives.

I am using Windows XP SP3 32 bit. Please advise if any other info is needed. This is just my 2nd post in these forums. Thanks in advance for the help

 

1. Are these data HDDs correctly detected in the bios?

2. I take it that your priority here is to extract the data from these drives.
In which case I would do the following:

I would boot from a Linux Live cd (Puppy is good as it's only 100mb and runs in ram) when you get to the Puppy Linux desktop, you should see the drives / partitions as icons in the bottom left hand corner.

Click on the drives and see if you can access them (green dot will appear on drive). If yes, then if you connect an external usb drive while in Puppy (it will show up on desktop after connected with no windows type fuss), then you will be able to easily copy your data. Don't forget to Unmount the volume after use (green dot will disappear)

As to the reason why your drives show up as unformatted, there has obviously been some corruption of the mbr / partition tables. This can be addressed but once your valuable data is removed. So try Linux first.

 

Thanks for your response.

1. Yes these hard drives are detected correctly in bios.

2. Data recovery is my goal on one of the drives. The other is not as big of a deal.

I have never used Linux and do not have a Linux cd. Is this something I should download and burn?

I guess I just thought that since ontrack EasyRecovery found the files so easily that there might be a way or a program that could repair the mbr's/ partition tables to get the drives back to where they were before. As I said before, chkdsk was recovering the one drive every time I restarted the computer. Sounds like from what you are saying is that repairing the mbr/ partition table may make my data unrecoverable ... is that accurate?

 

You will need to download a Linux Live cd (Puppy as I said is nice as its 100mb). Got to the Puppy Linux site and download the .iso file. Burn to cd. Boot from Puppy Live cd. Once on desktop you can remove the Puppy cd as it will be entirely in ram.

When you get to the Puppy desktop you will/should see icons in the bottom left hand corner which will be for your HDDs / Partitions. See if you can click on an icon to access. A little green dot will appear on the icon.

If all works ok, connect a usb drive, an icon will appear in a similar manner. Then its just copy paste. After you finish unmount the drives before shutting down. Right click icon and select unmount.

There are several posts by users whop have this used this method successfully.

Good Luck