Data retrieval

[PaulJD]

Hi all,

A Dell inspiron 1525 running Windows 7 came in with lots of evidence of malware (many instances of avp32.exe in processes etc). Still booted to the desktop but lots of 16-bit program won't start errors.

My normal practice for heavy infestations has been to pull the drive and slave it, make an image and then work on it.

I connected it and started the workshop machine, the drivers installed and then the 2 partitions autoran (what would you like to do with the drive etc) but when I went to look at them in explorer, the OS partition needs to be formatted. I've tried to get to the files with Ubuntu but it won't recognise the partition either. It shows the SMART status as healthy.

The client has important files on the desktop and no backup.

Do I do a quick format and try Recuva?

Do I send her to a specialist?

What are your thoughts?

Thanks for your help!

[Skillachi]

Hey PaulJD as long as the HD is powering up you still have a chance of backing up data from the HD. Don't reformat as yet, give this software a try (Pandora Recovery 2.1.1) which you can find here for free, Also try some malware scans in safe mode using Malwarebytes or superantispyware etc. Keep us updated...

http://download.cnet.com/Pandora-Rec...-10694796.html

[PaulJD]

Thanks for the recommendation Skillachi, I'll give Pandora a try first thing in the morning (its 6.50pm here in rainy Sydney and time to knock off).

I forgot to mention that I also tried putting the drive back in the Inspiron and now it won't boot - after the Dell screen I get this:

Loading DMK version 8.00 (dell real mode kernel).

I'll let you know how I go.

[Skillachi]

Quote:

Originally Posted by PaulJD

Thanks for the recommendation Skillachi, I'll give Pandora a try first thing in the morning (its 6.50pm here in rainy Sydney and time to knock off).

I forgot to mention that I also tried putting the drive back in the Inspiron and now it won't boot - after the Dell screen I get this:

Loading DMK version 8.00 (dell real mode kernel).

I'll let you know how I go.

Hey PaulJD if that don't work try using a SATA and IDE Hard Drive & Optical Drive USB Adapter Kit COMBO check out the link;

(link)
http://www.cooldrives.com/index.php/saandidehadr1.html

But you can get it for much cheaper on ebay or amazon.com
keep us posted.....

[TLE]

DRMK is related to Dell recovery image on the Hard Disk.

What information does Disk Management give you about the drive when it is connected.

Quote:

Hey PaulJD if that don't work try using a SATA and IDE Hard Drive & Optical Drive USB Adapter Kit COMBO check out the link;

(link)
http://www.cooldrives.com/index.php/saandidehadr1.html

But you can get it for much cheaper on ebay or amazon.com
keep us posted.....

Connecting the drive via a different method will not make any difference!!!

[Skillachi]

Quote:

Originally Posted by TLE

DRMK is related to Dell recovery image on the Hard Disk.

What information does Disk Management give you about the drive when it is connected.



Connecting the drive via a different method will not make any difference!!!

It work for me before, many times too...

[TLE]

I have never come accross that, If one controller can't access the data, I don't think another would either...I could be wrong

This however sounds more like it is related to the disk being dynamic.

[PaulJD]

Thanks for your replies.

TLE:

Disk Manager shows F: as 140.84 GB FAT Healthy (Active, primary Partition) but it only has the recovery partition files on it. In explorer it shows as 62Mb.

Disk Manager shows G: as 8.20 GB RAW Healthy (Primary Partition) but explorer can't read it - it needs to be formatted.

So my analysis is that when the OS partition autoran as I turned on the worshop machine with the drive in question slaved, either the virus or Kaspersly (which found a Rootkit.Win32.TDSS immediately and cleaned it) wrecked the file structure.

Realistically, in a Dell PC of this age, only the recovery partition would be FAT. The operating system partition would be NTFS.

Neither Recuva or Panda can see anything other than the recovery partition files.

All is not lost though, I'm running a trial version of Advanced NTFS Recovery and it shows 3 versions of F: the 62Mb FAT 16 (Dell Utility), a 140Gb FAT 16 (Dell Utility) and a 32 Gb FAT 32 (NO NAME)
It also shows the NTFS 8.2Gb volume.

It is currently scanning the 140Gb drive (phew!) and has located 96064 folders and 1040000 files so far.

I'm keeping my fingers crossed.....

[PaulJD]

tried other trial including Get Data Back but this one (Advanced NTFS Revovery) was the only one that worked so forked out the $100 and all the data was retrieved.

I guess I'm going into the data retrieval business.

thanks for your help and interest.

[Martyn]

Quote:

Originally Posted by PaulJD

tried other trial including Get Data Back but this one (Advanced NTFS Revovery) was the only one that worked so forked out the $100 and all the data was retrieved.

I guess I'm going into the data retrieval business.

thanks for your help and interest.

Nice one, Getdataback has helped me a few times.