windows xp - A (probable) virus has rendered two hard disks unreadable. How can I recover them?

2014-07
  • user320606

    Warning in advance that this is going to be a slightly long one.

    I had an old Dell laptop running XP die last year due to returning a HDD read error when attempting to boot. I booted from a live linux USB and was able to mount the backup partition (but not the main system partition) and rescue my backed-up data. I assumed that the disk was physically on its last legs so wrote the laptop off.

    Today I found the XP recovery CD and decided to have a go at reviving the laptop, which as you'll see was a big mistake. The XP Recovery Centre failed to resolve the problem so I removed the disk and connected it to a Samsung netbook via a HDD to USB connection. Unfortunately when I booted I forgot that I'd set USB to have priority over the internal HDD and booted from the faulty drive. When I rebooted, the Samsung's internal drive (which had worked perfectly before) would no longer boot and produced the same error as the Dell drive. At that point it dawned on me that the Dell laptop must have had some form of boot sector virus that I had now transferred to the netbook.

    Booting the Samsung from the Linux USB, it is no longer possible to mount the internal HDD. Running fdisk reveals why:

    Disk /dev/sda: 58.5 GB, 58506416640 bytes  
    255 heads, 63 sectors/track, 7113 cylinders, total 114270345 sectors  
    Units = sectors of 1 * 512 = 512 bytes  
    Sector size (logical/physical): 512 bytes / 512 bytes  
    I/O size (minimum/optimal): 512 bytes / 512 bytes  
    Disk identifier: 0x00000000  
       Device Boot      Start         End      Blocks   Id  System  
    /dev/sda1              63    14683409     7341673+  12  Compaq diagnostics  
    /dev/sda2   *    14683410   163678207    74497399    7  HPFS/NTFS/exFAT  
    /dev/sda3       163678208   312578047    74449920    7  HPFS/NTFS/exFAT  
    

    The partitions are found correctly, but the disk size is reported incorrectly as 58.5Gb (it is actually 160Gb).

    When fdisk is run on the drive from the Dell this also returns the correct partition structure but again incorrectly reports the disk size as 58.5Gb.

    The fact that all the partition structure seems to be in place gives me hope that the disks could be restored to a functioning state, but I can't figure out how to rectify the problem and nothing I've found online so far has been terribly helpful.

    Can anyone offer any ideas?
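The mismatch in the fdisk listing above (partitions ending past the sector count the drive reports) can be checked directly from the MBR. This is an added example, not part of the original post: the function names are hypothetical, and the sample MBR is constructed from the values in the listing rather than read from a real disk.

```python
import struct

SECTOR = 512

def build_mbr(entries):
    """Build a constructed 512-byte MBR from (boot, type, start_lba, sectors) tuples."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\0" * 3, ptype, b"\0" * 3, start, count)
        for boot, ptype, start, count in entries
    )
    return b"\0" * 446 + table.ljust(64, b"\0") + b"\x55\xaa"

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 462 + 16 * i]
        status, _, ptype, _, start, count = struct.unpack("<B3sB3sII", raw)
        if ptype and count:  # skip unused slots
            parts.append({"index": i + 1, "boot": status == 0x80, "type": ptype,
                          "start": start, "end": start + count - 1})
    return parts

def check_geometry(sector0, reported_sectors):
    """Compare the partition table with the capacity the device reports."""
    parts = parse_mbr(sector0)
    beyond = [p["index"] for p in parts if p["end"] >= reported_sectors]
    implied = max((p["end"] + 1 for p in parts), default=0)
    return {
        "partitions": parts,
        "beyond_reported_end": beyond,           # entries the device cannot fully address
        "implied_min_bytes": implied * SECTOR,   # smallest disk the table would fit on
        "reported_bytes": reported_sectors * SECTOR,
    }

# Constructed sample: the three partitions from the fdisk listing above.
SAMPLE_MBR = build_mbr([
    (False, 0x12, 63, 14683347),
    (True, 0x07, 14683410, 148994798),
    (False, 0x07, 163678208, 148899840),
])
REPORTED_SECTORS = 114270345  # "total 114270345 sectors" in the listing

if __name__ == "__main__":
    r = check_geometry(SAMPLE_MBR, REPORTED_SECTORS)
    print("partitions past reported end:", r["beyond_reported_end"])
    print("table implies >= %d bytes, device reports %d" % (r["implied_min_bytes"], r["reported_bytes"]))
```

On a real drive, the first sector would be read from the device opened read-only and the sector count taken from what the kernel reports for it.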

  • Answers
  • composer

    To rescue the partition table using a Linux Ubuntu live USB, try testdisk and gpart.

    To recover your files even with non-booting, invalid partition tables, try magicrescue along with testdisk as well.

    I believe you are correct in thinking that changing the partition table to its original parameters is likely to yield a working system. (And if not, testdisk or magicrescue will still grab your files.) Of course there are many other recovery tools worth trying, but I mention the ones I have successfully used for similar predicaments. Good luck!


  • Related Question

    dell - Can a virus corrupt a hard disk?
  • sundar

    Shorter version: Hard disk corrupt, vendor claims warranty does not apply since it was "due to a virus" and "problems due to software are not covered under the warranty".

    Longer version: My Dell laptop recently refused to boot, and all attempts to 'repair' the Vista installation using the provided installation CD failed. I called up Dell support, and a representative took the laptop and after a day said the hard disk is corrupt. When I tried to ask for a replacement under the warranty, an official replied that the corruption was due to a virus, and "problems due to software are not covered under the warranty".

    Now, I get a doubt that he's trying to avoid having to provide it under the warranty. Is it possible for a hard disk to get corrupt due to a virus? If yes, is there any way we can detect it was due to a virus (as he claims to have detected)?


  • Related Answers
  • Wim ten Brink

    This Dell technician is partly right. In the past, there were viruses which could damage a hard disk. They did this by moving the read-head of the drive to a sector outside the existing range, causing the head to bump against the internal frame of the drive itself, causing damage to the disk. But that was almost 25 to 30 years ago and hard disks have become more robust ever since.

    Now, it is possible that something went wrong inside the BIOS settings of this laptop, thus the BIOS won't recognize the hard disk anymore, or just can't access it. This could be some virus trying to damage the firmware or just a user messing with the wrong settings. Restoring the proper BIOS settings should fix it, although you would need to know those settings first.

    Finally, if you have warranty on the hardware then it doesn't exactly matter how it got damaged beyond repair. It is broken so they have to fix it. (Although you might want to check the warranty papers that you received with your purchase for exact details.) Do make it clear that you demand a replacement for this disk, which falls under the warranty. (Else, be prepared to ask for legal advice!)

    I myself have a Dell desktop. I know they install their OS from a special disk image instead of doing an official setup. A regular setup would just format the disk, mark bad sectors and do a bunch of other stuff to make sure the disk is okay. Restoring a disk image won't do such checks but just does a quick format before putting the image back. If this fails for whatever reason, oops...

  • Magnetic_dud

    It's impossible, nasty viruses can erase the MBR, but a format can fix it. Try to wipe the disk and install it again (assuming that Dell, unlike HP and Lenovo, was rich enough to give a $0.40 Recovery DVD with a $1000 computer)

    But, poorly made recovery cds will hang if the partition table is different from the original one. Did you do some changes to the disk layout?

  • JamesRyan

    I think you are misunderstanding what the technician is saying. If someone says a drive is corrupt that refers to the data on the drive, not the hardware. Corruption may be caused by physical damage or non physical such as a powercut or virus. If there is no physical damage then you don't need a replacement drive, you just need to reformat it.

    You can't 'repair' because the partition is corrupted so this needs to be deleted by reformatting and then you need to reinstall windows. The Dell install disk gives you this option. If you see an existing partition on the drive delete it and recreate a new one for the install.

    If you have data on the drive that you need to keep, you may be able to recover it by attaching it to another machine. If you don't know what you are doing take it to a professional (although this may well be expensive) without trying yourself because it is easy to render the data unrecoverable.

  • Brian Knoblauch

    Back in the bad old days when voice coil drives were new, there was a virus that would physically damage some particular hard drives. Doing a request to a cylinder greater than was available (repeatedly) would get the heads to do a reset cycle, followed by running out the number of cylinders/steps requested. That would be greater than the allowable travel, so the heads would crash against the stop, that would be detected, it would reset, retry... Eventually some hard drives would fail from that treatment. Way back in the 286/386 era they added better brains to the drives and that particular method of using software to damage hardware has disappeared.