0

We had a customer bring in a PC infected with a rootkit, MBR virus, and a myriad of malware. After cleaning the drive, we found the data was totally inaccessible. Windows XP and Windows 7 both reported the drive type as RAW (drive was originally NTFS-Windows XP Home).

Using a disk editor I looked at Sector 0 of the drive, as well as the first sector of the former NTFS partition. Both were gibberish. I tried fixmbr, fixboot, mbrfix, all the normal Windows tools. None of these worked. I tried several tools that claimed to be able to recover problems like this. None of them worked (including the one that ended up working).

In retrospect, probably any of the packaged (non-Windows) tools I tried (Partition Magic, Partition Tools, and other similar programs) would probably have worked had I tried this. All of these tools have a "partition recovery" feature. Running these natively wouldn't work - they all saw the RAW partition as a "real" partition. I presume for all they knew, the RAW partition was as it was supposed to be. These tools and wizards were built to recover deleted partitions and put them back like they were before they were deleted.

I was ready to format the drive and reinstall Windows, when I had a thought - what if I actually deleted the RAW partition? At this point, I had nothing to lose - I was gonna format it anyhow, right? So I deleted the RAW partition. Afterward, I told the tool I was using (which happened to be Partition Tool free edition (http://partition-tool.com/personal.htm), but as I mentioned, most likely Partition Manager or other similar tools would have done the same thing) to recover the deleted partition. I kind of expected it to put it back as a RAW partition. To my surprise (and utter delight) it recovered the partition as NTFS! All the user's data and programs were there, intact and working (which was good because he has some archaic programs on there that I don't think can be obtained anymore).

I wouldn't probably recommend this as a first choice unless you know you have a good copy of your data. It worked for me when nothing else would. And I was ready to format/reinstall, so there was nothing to lose at this point.

Hope this helps someone.

Sam
CSI Computer Service
Logan IA
samatcsilogandotcom
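
The check described in the post above (sector 0 and the first sector of the NTFS partition, inspected by hand in a disk editor), as an added example that is not part of the original post. It reads a disk image only, and it also looks at the last sector of each partition, where NTFS keeps a backup copy of its boot sector; the 512-byte sector size, the function names and the sample image are assumptions constructed for illustration.

```python
import struct

SECTOR = 512  # assumed sector size

def parse_mbr(sector0):
    """Return non-empty partition entries, or None if the 0x55AA signature is missing."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return None
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, sector count
        if entry[4] != 0 and count != 0:                    # entry[4] is the type byte
            parts.append({"index": i, "type": entry[4], "start": start, "count": count})
    return parts

def is_ntfs_boot_sector(sec):
    """NTFS boot sectors carry the OEM ID 'NTFS    ' at offset 3 and end in 0x55AA."""
    return len(sec) >= SECTOR and sec[3:11] == b"NTFS    " and sec[510:512] == b"\x55\xaa"

def triage(image):
    """Report, per partition, whether the primary and backup boot sectors look like NTFS."""
    parts = parse_mbr(image[:SECTOR])
    if parts is None:
        return {"mbr_valid": False, "partitions": []}
    report = []
    for p in parts:
        first = p["start"] * SECTOR
        last = (p["start"] + p["count"] - 1) * SECTOR  # backup copy: last sector of partition
        report.append({**p,
                       "primary_ntfs": is_ntfs_boot_sector(image[first:first + SECTOR]),
                       "backup_ntfs": is_ntfs_boot_sector(image[last:last + SECTOR])})
    return {"mbr_valid": True, "partitions": report}

def build_sample():
    """Constructed image: valid MBR, one type-0x07 partition, garbage primary, intact backup."""
    img = bytearray(SECTOR * 16)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x07, 2, 10)  # sectors 2..11
    img[510:512] = b"\x55\xaa"
    img[2 * SECTOR:3 * SECTOR] = b"\xde\xad" * 256              # overwritten boot sector
    good = bytearray(SECTOR)
    good[0:11] = b"\xeb\x52\x90NTFS    "
    good[510:512] = b"\x55\xaa"
    img[11 * SECTOR:12 * SECTOR] = good
    return bytes(img)

if __name__ == "__main__":
    print(triage(build_sample()))
```

A partition that reports `primary_ntfs` false but `backup_ntfs` true still has a usable copy of its boot sector, which is worth knowing before deciding to format.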

0

Hey Sam, Thanks for taking the time to post the tip! I will keep it tucked away in the recesses of my mind just in case I run into a similar situation.

0

This is a user ownership issue due to the virus problem. There may be a "page file too small" error at user login startup, and nothing works afterward, not even Check Disk. Add the local user, or the user on the domain/workgroup, as owner of the drive partition.

0

Partition Master just saved my skin, too, when I had the same problem (NTFS partition seen as RAW). My problem started just after using a Linux disc to back up an image of my system. I did the "scan partition" option, and it was able to get ChkDsk to see the filesystem. ChkDsk fixed some things and now I'm safely copying off my files.
