Virus Scan Hosed Hard Drive

Hi, Not sure if this should be in the hardware forum, but I figured I would start here. I am guessing Malware or a Virus is behind the trouble here.

A friend dropped off his infected PC to me (one of those "your PC is infected click here to get XYZ Software to fix it" and then you lose control of your machine).

I have fixed several machines before using the advice found in the Malware Removal forum.

This machine was different as it was older (running XP (SP unknown)). When I tried to get into it to work on it both the keyboard and mouse were not working. This machine has ps/2 ports, so I guessed the owner never used USB HID's and thus didn't have the drivers installed. I was stuck as I no longer have ps/2 things.

In my infinite wisdom, I decided to remove the HDD from the PC and then attach it to a standalone laptop of mine via an external USB cable.

All was good, the laptop saw the drive and there were about 26000 files on it. I ran a virus check on it as a slave drive (e.g. not booted from) using Symantec. Symantec returned the result there were no infected files which I found curious.

I then decided to fix it back in its original environment, so I created a BART PE CD and plugged the HDD back into its original box and proceeded to try and boot from CD. (I figured BART PE would allow me to use the USB HIDs and be a workaround for my original issue)

This is where the issues start. BART PE didn't boot and I got the wonderful blinking cursor after post. I checked all connections, etc... Nope nothing.

Took out BART and tried to boot normally. Nope nothing.

Took the drive back out and reattached via usb cable to laptop. It was found, size was right, however Windows wants to format it. Looking at device properties the device name which had previously displayed properly as "Maxtor xxxxx" now displayed "Mahtmr 5 D0 0H2".

At this point I figured something corrupted the drive... duh. I am guessing something was corrupted at a low level messing with the proper hex values.

Here is where I need help. I am not sure what was corrupted or how to fix it.

I did download Get Data Back for FAT32 and ran the read only scan. I had to do the thorough scan (the two faster ones found nothing) and it looked like it found the folders and the right number of files (compared to the original Symantec virus scan stats).

However when going to the select files to recover tab, there was nothing there.

At this point I am looking for help on what to do with this drive. I really want to fix whatever got corrupted and then have a chance to clean it for my friend.

Any sage wisdom out there?

Thanks!

 

Hi,

I am comfortable I can cleanse the malware once I get the filesystem back.

At this point I have a hard drive Windows does not recognize any filesystem on (when a slave) and does not boot from when used as the boot device.

I agree if file recovery was not necessary then a reformat and clean install is easiest (isn't it always? who wants to spend hours running scans and fixes if they didn't have to...). However I need to recover files off of this drive.

Any idea on how to reconstruct or fix whichever tables were corrupted? Was it the MBR, FAT or some other low level corruption?

 

Hi

Try reinstalling the HDD in the original system, and using a live Linux CD to boot from (Mint, Ubuntu, Puppy, etc.). If you are able to boot into Linux, see if you can read the HDD's contents in Linux. If you can, use an external drive to backup the HDD's contents to, and we can go from there.

If that system won't boot into Linux, then try booting into Linux on your system, and try reading the HDD as an external drive with Linux on your system (and backup to another drive).

 

Thanks! Any particular distro better than others for this purpose?

 

Probably, but I wouldn't know the "best" one. Any I mentioned should work great, I use Mint myself.

 

I think Linux Mint automatically mounts all partitions on the computer including Windows partitions. Ubuntu by default doesn't mount Windows partition to protect it. So Mint is probably easiest.

I don't think it is difficult to mount the Windows partition in Ubuntu I just haven't tried that distro in a while.