[Wylug-help] strange hard drive problem
david powell
dave at whipy.demon.co.uk
Mon Jan 16 17:17:13 GMT 2006
On Monday 16 January 2006 9:35 am, Andreas Erbe wrote:
> > now what i find is suspect is once this has happened there is no way i
> > have found to recover any data from the drive, so i have been unable to
> > review the logs and software on the drive for signs of being hacked
> > or whether it was a virus, and the same one 3 times in the last 5 years
> > is suspect
>
> Is there no way to boot it on Knoppix and access the drive (before you do
> all the other things that lead to windows refusing to install)?
>
knoppix boots from live cd but the partition info on the drive had been
corrupted
this is an ibm thinkpad with a 30Gb drive
the partition table had been changed by the "virus" so that the first
partition started at sector 0, track 0, head 0
as this information had been corrupted knoppix or any other o/s for that
matter would have difficulty accessing the drive
methods tried to recover the data and partition info:
i have some tools that should recover from this sort of thing
basically you wipe the partition table, boot sector and mbr,
rewrite a new mbr, and run another program that will analyse the data on the
disk and create a new partition table from what it finds
originally the drive had 2 partitions, an ntfs main partition and a fat16 recovery
partition
after running this the partition table was still invalid and included a new
overlapping partition, so it seems that the program changed the info in the
partition block and forced its initialisation
this rendered the drive data useless
so although the data is not recoverable, which was the initial goal, there's
another problem with the reinstall
this relates to another problem, it's another setting of the drive, and
something that is not reset with a low level format of the drive
i know ide drives have some other features like a serial number lock
and some other settings, although not in detail, i tend to suspect that it
is one of these settings that has been changed
the installation problem is not a media problem, it installs, just that once
installed it fails to boot
from the drive that was "infected" last time i even tried linux/windows
dual boot on it, the windows never booted but linux would, even with grub
loader or lilo, so it's some setting that stops the ntfs file system booting that
has changed, like i also mentioned after other attempts the onboard flash in
the drive has been reflashed and still the same
> > the drive appears to be faulty, but it is possible to install linux on
> > it without any problems at all, so it's not a hardware problem, even all
> > the drive tests show no faults, but a windows install on it will fail to
> > boot
>
> So a windows installation disc will not even consider booting, or does it
> come up with an error when detecting the harddisc?
>
the error it comes up with is "bad partition table, unable to install"; once
that is fixed it installs but fails to boot once installed
the bios lba modes etc are all ok and what they should be
> You will hate me for this - but that virus sounds interesting :-)
yes, it seems to be one that does a good job of trashing data
how it is transferred to the machine in the first place is a puzzle also
the laptop is not used for email; for surfing it's a second machine, i do all
my surfing in linux on this pc, so i tend to limit the surfing to trusted
sites, the main ones are bbc.co.uk (the video works better than linux), and
sometimes msn, because their site is not that linux friendly
any external access to my network from the internet gets routed to a different
pc, there is only 1 active internet service running on that, the rest is
firewall protected on that machine,
so direct hacking seems unlikely
some of the points that i find odd, and really odd, is the first indication i
got of this virus was an unexplained system crash,
then rebooted, the virus checker found a virus on reboot, in fact 240 copies
of said virus, odd because the virus it was finding was not there 6 hrs
prior when it last did a scan, and what is more odd is that the virus it was
finding was a mass mailer virus that is not very destructive
see
http://www.bitdefender.com/VIRUS-125698-en--Win32.Worm.Mytob.BC.html
but before finishing the virus scan after boot the virus checker crashed at
84% finished
leaving me to think that the above virus was installed on the machine as a cover
for a more elusive virus, i guess the mistake i made here was to restart
the machine again, and found the damage was done
i have a knoppix live cd with bit defender on it also, but never got chance to
give that a try before the drive got corrupted
finding this puzzling, as is the speed and destructive nature of it
from what i have found out the found virus would not itself cause the damage
that the machine has suffered
on another note, and not related to this "attack/virus", i have heard of
others that have had the same problem installing windows on to some drives
with pretty much the same problems in that it will not boot after install
so looks like some drive specific setting in the drive itself, but how to fix
it i still have to find
Dave
>
> Good luck,
>
> Andreas.
>
>
> _______________________________________________
> Wylug-help mailing list
> Wylug-help at wylug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/wylug-help
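The two symptoms Dave describes, a first partition rewritten to start at sector 0 / track 0 / head 0 and a rebuilt table containing an overlapping partition, are both visible in the 64-byte partition table inside the MBR. The following is an added example (not code from the post or from any of the recovery tools mentioned) that parses a 512-byte MBR image and flags exactly those kinds of damage, so a table can be inspected from a live CD before any tool is allowed to rewrite it. The MBR images and the 30 GB disk size are constructed sample data; the entry layout and the 0x55AA signature follow the standard MBR format.

```python
import struct
from itertools import combinations

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # four 16-byte partition entries live at bytes 446..509
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count
MBR_SIGNATURE = 0xAA55    # stored little-endian as 0x55 0xAA at bytes 510..511

# constructed disk size for the checks below: a 30 GB (decimal) disk in 512-byte sectors
DISK_SECTORS = 58_593_750

LBA_CHS = b"\xfe\xff\xff"   # the conventional "beyond CHS range, use LBA" marker


def make_entry(ptype, start_lba, sectors, bootable=False, chs=LBA_CHS):
    """Pack one partition entry; an all-zero CHS is only used to construct a bad table."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, chs, ptype, chs, start_lba, sectors)


def make_mbr(entries):
    """Assemble a 512-byte MBR from up to four entries (constructed sample data, no real disk)."""
    table = b"".join(entries) + bytes(16 * (4 - len(entries)))
    return bytes(TABLE_OFFSET) + table + struct.pack("<H", MBR_SIGNATURE)


def decode_chs(raw):
    """Unpack the packed 3-byte CHS field into (cylinder, head, sector)."""
    head, b1, b2 = raw
    sector = b1 & 0x3F
    cylinder = ((b1 & 0xC0) << 2) | b2
    return cylinder, head, sector


def parse_mbr(sector):
    """Return (signature_ok, entries) for a 512-byte MBR image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (sig,) = struct.unpack_from("<H", sector, 510)
    entries = []
    for i in range(4):
        status, chs_s, ptype, _chs_e, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start, "sectors": count,
                        "chs_start": decode_chs(chs_s)})
    return sig == MBR_SIGNATURE, entries


def check_partition_table(entries, disk_sectors=DISK_SECTORS):
    """Flag the kinds of damage the post describes: a partition that claims to begin at
    sector 0 (on top of the MBR itself) and entries that overlap each other."""
    issues = []
    used = [e for e in entries if e["type"] != 0x00]
    for e in used:
        i = e["index"]
        if e["start_lba"] == 0:
            issues.append(f"entry {i}: starts at LBA 0, i.e. on top of the MBR sector")
        if e["chs_start"][2] == 0:
            issues.append(f"entry {i}: CHS start sector is 0 (CHS sectors count from 1)")
        if e["sectors"] == 0:
            issues.append(f"entry {i}: zero-length partition")
        if e["start_lba"] + e["sectors"] > disk_sectors:
            issues.append(f"entry {i}: extends past the end of the disk")
    for a, b in combinations(used, 2):
        a_end = a["start_lba"] + a["sectors"]
        b_end = b["start_lba"] + b["sectors"]
        if a["start_lba"] < b_end and b["start_lba"] < a_end:
            issues.append(f"entry {a['index']} overlaps entry {b['index']}")
    if sum(e["bootable"] for e in entries) > 1:
        issues.append("more than one entry is flagged active/bootable")
    return issues


# constructed sample tables mirroring the layout in the post: an NTFS system
# partition followed by a FAT16 recovery partition
HEALTHY = make_mbr([make_entry(0x07, 63, 55_000_000, bootable=True),
                    make_entry(0x06, 55_000_063, 3_000_000)])
# the same layout after the first entry has been rewritten to start at C/H/S 0/0/0, LBA 0
START_AT_ZERO = make_mbr([make_entry(0x07, 0, 55_000_000, bootable=True, chs=bytes(3)),
                          make_entry(0x06, 55_000_063, 3_000_000)])
# a rebuilt table whose second entry lands inside the first
OVERLAPPING = make_mbr([make_entry(0x07, 63, 55_000_000, bootable=True),
                        make_entry(0x06, 40_000_000, 3_000_000)])


def audit(sector):
    """Parse and check one MBR image, returning the list of problems found."""
    sig_ok, entries = parse_mbr(sector)
    issues = [] if sig_ok else ["missing 0x55AA boot signature"]
    return issues + check_partition_table(entries)


if __name__ == "__main__":
    for name, img in [("healthy", HEALTHY), ("start-at-zero", START_AT_ZERO),
                      ("overlapping", OVERLAPPING)]:
        print(name, audit(img) or ["no problems found"])
```

On a real machine the same 512 bytes can be read from a live CD with a plain `dd if=/dev/hda bs=512 count=1 of=mbr.bin` and passed to `audit()`; reading never modifies the disk, which is the point of checking the table before running a tool that rewrites the MBR and forces a new partition layout.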