TechRepublic|Forums|Malware

Malware

Question

  • Creator
    Topic
  • January 7, 2011 at 9:07 am #2212797

    Where did my data go?

    Locked

    by leeyokum · about 13 years, 3 months ago

    Working on a PC for someone with a virus, my desktop is out out of commission so I got an external drive enclosure to use for this ATA drive out of a gateway computer, I hooked it all up and powered on the enclosure and was able to see the drive in my windows vista machine I saw an F and a G, F being the little recovery partition G being the primary partition with all the data on the drive, I was able to run a virus scan, a spyware scan, even defrag the hard drive without a single issue, I shut everything down and come back later on that evening and everything that was on the primary partition was gone, what was almost a 200GB partition shows as totally empty and windows tells me if I want to use it I must format it…which I did not do of course…so did I mess something up? did I maybe shut something off in the wrong order? is this guys stuff totally gone?

    Topic is locked This conversation is currently closed to new comments.
  • Creator
    Topic

All Answers

  • Author
    Replies
    • January 7, 2011 at 9:07 am #2878006

      Clarifications

      by leeyokum · about 13 years, 3 months ago

      In reply to Where did my data go?

      Clarifications

    • January 7, 2011 at 10:15 am #2877999

      Hard to tell, but could be several things

      by oldbaritone · about 13 years, 3 months ago

      In reply to Where did my data go?

      if windows wants to format, don’t! The damage may be done, but it may still be salvageable. The less you write on the drive, the better. It would be a good idea to get another drive and copy the data to the new one, instead of continuing to write on the customer’s drive.

      There are a couple of partition recovery products available for little or no money. They’re frequently used for hardware failures, but this may be a case where a partition scan can locate and reconstruct the data. Look around a little and you can find a good one. Then another 50-100 bucks for another drive and start the recovery process.

      Some viruses encrypt large blocks of data into another virtual drive, and then extort money to get the decryption key. If the virus was one of that type, the data may already be lost.

      Any time you do data recovery, it’s a good idea if possible to start by copying everything to another drive. That way, whatever you do can always be un-done by starting over. DON’T write on the drive you’re attempting to recover, if at all possible. Mount the drive as “Read-Only” and make changes only on the copy.

      When you’re all done, you’ll end up with a spare drive (whichever one) that you can wipe clean and put back on the shelf for the next disaster recovery. If the customer did it once, it will probably happen again.

      • January 7, 2011 at 11:32 am #2877985

        Hard to tell

        by leeyokum · about 13 years, 3 months ago

        In reply to Hard to tell, but could be several things

        I think I see where your going with that but, as far as windows can tell when it looks at that drive there is no data to copy over, it sees the drive that should have 2 partitions one smaller for recovery and a bigger main one, it sees that drive as having only 1, the smaller recovery partition is there and its the correct size but the rest of the drive shows like its just one big empty space needing to be formated so at this point I cant read because there isnt anything there to read as far as windows shows but I cant write either because I would have to format and I am not doing that…if the customer wants to do data recovery I can recommend a specialist or something, they are expensive but it depends on how much that data was worth, otherwise Id have to charge an exorbitant amount since im doing this by the hour or I’d have to take a hit and do like 10 hours of work for the cost of just a couple

        • January 8, 2011 at 4:32 pm #2877916

          That is waht partition recovery software is for. (nt)

          by seanferd · about 13 years, 3 months ago

          In reply to Hard to tell

           

    • January 7, 2011 at 6:54 pm #2877958

      How did you shut down this external drive here?

      by oh smeg · about 13 years, 3 months ago

      In reply to Where did my data go?

      If you turned off the computer without Dismounting first [i]That is using the Safely Remove Option on the Task Bar[/i] you may have corrupted the partition tables on the drive. Though under those conditions I would expect the Entire drive to require formatting not the main Partition being invisible and the Recovery partition remaining but it’s possible I suppose.

      However more likely is the fact that whatever infection was involved here has copied itself to your system and has triggered the Slave Drive to be Destroyed till you pay the Infection Writer for a program to recover your clients data.

      Instead of looking at the drive as a Slave refit it to the computer it came out of and see if anything at all happens when you try to boot. Naturally [b]Do Not[/b] use the recovery partition to rebuild the system.

      Here I would attack your system with a recovery Disc which you’ll have to download on a different system and burn to CD.

      In the mean time you could try running [b]chkdsk /whatever the drive letter should have been[/b] on your system to see if it can rebuild the Partition tables.

      You can read all about Rescue Disc’s in this TR Blog and then work from there though

      http://tinyurl.com/2caxc3o

      Col

    • January 9, 2011 at 7:26 am #2877870

      I have had this happen to me and what I did was to

      by sue t · about 13 years, 3 months ago

      In reply to Where did my data go?

      tell the computer to eject it and then put it in another usb port on the computer and it worked. Hopefully this will also work for you. Good luck.

  • Author
    Replies
Viewing 3 reply threads