All times are UTC - 5 hours [ DST ]


 Post subject: Ohhhhh Do I need help. partitions.
Posted: March 23rd, 2012, 16:12

Joined: March 23rd, 2012, 15:46
Posts: 4
Location: quesnel bc
Hi, everyone. Hopefully someone can help me out here or point me in the right direction.
I have a fairly new Acer laptop with Windows 7 Home. I used the built-in partition manager to create three more partitions when I set it up. The other day I got totally owned for the first time by the "System Fix Virus" (http://www.myantispyware.com/2011/11/15 ... fix-virus/). At first I actually thought it was a legit Win program until I saw the "Buy now" option. Basically, what it did was somehow make my quick launch icons disappear followed by the desktop icons, then it shut down the two programs I was working in and a window popped up stating my RAM was low, disk was turning too slow etc.
After several failed attempts, I finally back door'ed in and shut down the virus and took it out of launching at boot up. However, my extended partitions were all gone. I then found a few websites on this virus and made sure I followed all the removal options, one of which included an 'unhide' script which reverses the virus which goes in and changes the attributes on many files and folders. I've managed to get everything pretty much back to normal except the three partitions. Here's the clincher: one of those partitions is my Users partition. What I mean to say is all Windows user files are contained in it, like My Docs, Windows Mail, Start menu etc. What's weird is Windows is acting kinda like it knows it's there. For example, my browser is set by default to save files to that partition and it does but then I cannot find the file. Same with start menu and quick launch, it's showing as normal now (but desktop is not).
Anyway, I downloaded and tried two partition recovery utilities.
Active Partition Recovery instantly found all three partitions and stated they were recoverable. So, I bought the program and unlocked it but when I select recover from the highlighted partition, I get a message stating "unable to write sectors to the device" and can go no further. I am still waiting to hear back from them. There are two other options in this program to use, one creates a typical MBR and the other is Fix Boot Sector. Both are irreversible and I am hesitant to use them.
The other program is Freeware - EASEUS Partition Recovery. It, like the Windows partition tool, scans the hard drive and sees the hidden partitions and calls them 'UnallocatedSpace'. When I tell EASEUS to scan the allocated space for lost partitions, it too finds all three and says they are 'undeletable'. However, when I tell it to undelete them, it proceeds and returns a success message but upon reboot, the partitions are still not there.
Both programs give me the option to browse the partitions that are recoverable and when I do, I can see ALL of the files are there and untouched. It's a 1 TB drive that is 80% full so I cannot salvage these files and reinstall the partition. I'm afraid to take a further step without expert advice as I know how fragile the MBR etc. is. I know I made a boot CD for Win7 after I bought it but I'll be damned if I can find it. I know I didn't make a repair CD (at least I cannot recall).

Thanks for taking the time to read this. Any suggestions?


 
 Post subject: Re: Ohhhhh Do I need help. partitions.
Posted: March 24th, 2012, 11:34

Joined: May 6th, 2008, 22:53
Posts: 2138
Location: England
majbach wrote:
Hi, everyone. Hopefully someone can help me out here or point me in the right direction.

I'll attempt to point you in the right direction, but I don't have time to write beginner's step-by-step instructions. As an overview, one possible approach would be:

a) Stop making any further changes to your original disk. IMHO you've made too many such changes already. With respect, I'm not sure you should be trying further recovery without assistance from someone who has that disk in front of them. Remember that DIY recovery attempts have several different risks, including some that you've already taken (e.g. altering the original disk, which now cannot be undone, if any of them caused further damage to the filesystem(s) etc.). Some of the steps below also carry risks. If your data is important, and if you are unsure of your own skills / experience etc., you need to consider whether you want to take the risk of potentially making things worse, or instead to employ the services of a reputable DR company.

b) Due to the error messages you're getting from the recovery software, your OS may still be compromised by the malware. IMHO you can't boot from that OS and be sure of normal behaviour of that recovery software, especially since your OS is not behaving normally either, as you describe.

c) Therefore using another PC (or a live bootable CD/DVD/USB OS), make a full, raw clone of that original disk onto another (blank) disk and verify that the clone copy is readable. For safety, you might make more than one clone. You must get the direction (source vs. target) of the clone correct, otherwise you erase your original data!

d) Then using recovery software on a PC which is not compromised by malware, you can see if the partition recovery software works as expected. If anything unexpected happens, the clone taken before that recovery attempt could be used to restore things back to the previous state ready for further attempts. A DR professional might also decide to further investigate exactly how the partition table or filesystem(s) have been changed by the malware.

e) Other techniques could also be tried, perhaps needing another empty disk and using other recovery software (e.g. GetDataBack etc. etc.) to copy the files that you want onto a new disk.

f) Depending on exactly what has been done to that original disk's partition table and/or filesystem(s) by the malware, and whether the errors you report are due to the OS still being compromised, you may have no alternative but to recover files to a different disk, reinstall your OS from scratch (or recovery DVDs or whatever), and then copy back the recovered files onto the original disk with its re-installed OS.

As I said before, you need to decide whether you want to continue DIY, based on the value of your data and your skills / experience / available equipment & PCs / available time etc. As with any free internet advice, use of the above suggestions is at your own risk, because I don't know your skills / experience etc., I can't stop you making errors as I can't see what keys you press, and it's always possible that I've misunderstood what you're saying. Good luck with whatever you decide to do :)
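Steps (c) and (d) above, as an added example that is not part of the original post: a raw copy that opens the source read-only, refuses a target that already holds data (the direction check), and re-reads both sides to compare SHA-256 hashes. It assumes the clone is written to an image file on a separate disk from a clean live OS; the function names and paths are hypothetical.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # copy and hash in 1 MiB blocks


def sha256_of(path):
    """Stream a file or device node through SHA-256."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def clone_and_verify(source, target):
    """Raw-copy source to the image file target, then verify the copy."""
    if os.path.realpath(source) == os.path.realpath(target):
        raise ValueError("source and target are the same path")
    # Direction guard: an image file that already holds data is refused, so
    # swapping the two arguments cannot overwrite the original.
    if os.path.exists(target) and os.path.getsize(target) > 0:
        raise FileExistsError(f"{target} is not empty; refusing to overwrite")
    copied = 0
    # The source is only ever opened for reading.
    with open(source, "rb") as src, open(target, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the data reached the disk
    # Re-read both sides; a readable, identical clone has the same hash.
    src_hash = sha256_of(source)
    if sha256_of(target) != src_hash:
        raise OSError("clone does not match source")
    return copied, src_hash
```

The size check only protects image files; a block device reports size 0 to `os.path.getsize`, so cloning disk-to-disk still needs the target identified by hand.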


 
 Post subject: Re: Ohhhhh Do I need help. partitions.
Posted: March 24th, 2012, 12:10

Joined: February 19th, 2011, 11:05
Posts: 358
Location: Toronto
I'd recommend you the following:
1. Stop trying to recover the partitions "on-site"; obviously that won't do you any good and will only further damage the data.
2. Get a large external USB disk, maybe borrow it from a friend for a couple of days.
3. Use R-Studio Startup disk and recover files from the partitions to the borrowed disk. This article will help you with this procedure: Emergency File Recovery Using R-Studio Emergency. Most likely, you'll be able to preserve the original folder tree.
4. Reinstall the system and other partitions from the system recover disk.
5. Copy the files back to their partitions.
6. Return the external hard disk to its owner, if necessary.

_________________
R-Studio Data Recovery Software


 
 Post subject: Re: Ohhhhh Do I need help. partitions.
Posted: March 24th, 2012, 12:57

Joined: March 23rd, 2012, 15:46
Posts: 4
Location: quesnel bc
Thanks to both of you. After spending far too much time already with this problem, I have already started backing up files.
Yesterday, I managed to find the starting and ending sector numbers for the partition and was convinced that it was simply a matter of writing this back into the MBR. The reason why is years ago, the identical problem happened to me and I found some guy on the internet from Sweden on a forum like this. He sent me a little DOS program that did something to see where the recoverable partitions were. I mailed him back the log and he wrote a batch file that took all of 3 seconds to run and voila!, everything back to normal. I was SO hoping that would happen here.
For the record, I have not been making any changes to the system, just passive scans. And, I have been using a back up laptop for internet work.
Someone suggested a program called Testdisk and I've tried it. It comes back with something wonky for ONE of the partitions and through that, I noticed that the sector values I found had gaps between them. This - along with other advice was enough to convince me to back up the partitions. This was laborious for me at the start since it required me to take two smaller backup external drives and shift data around but, if I had done this 2 days ago, I'd have been done by now.
BTW, I am positive my OS is not still corrupted.
When similar incidents have happened like this in the past, it's been with a tower PC so I just pull the drive and slave it to another and fix. This is a new laptop and I haven't the means.
Will let you know how it goes.
Thanks
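The start and end sector values and the gaps between them mentioned in the post above can be read straight from sector 0 of a clone image without writing anything. This is an added example, not part of the original thread: it parses the four primary MBR entries and reports gaps and overlaps. The sample MBR is constructed, the function names are hypothetical, and logical volumes inside an extended container are described by a chain of EBR sectors that this sketch does not follow.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}  # CHS and LBA extended containers


def parse_mbr(sector0):
    """Return the non-empty primary entries of a 512-byte MBR as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        raw = sector0[446 + 16 * slot: 462 + 16 * slot]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 or count == 0:
            continue  # unused slot
        entries.append({"slot": slot, "active": status == 0x80,
                        "type": ptype, "extended": ptype in EXTENDED_TYPES,
                        "start": start, "end": start + count - 1})
    return entries


def layout_report(entries, disk_sectors):
    """List gaps, overlaps and out-of-range entries, ordered by start LBA."""
    findings = []
    cursor = 1  # sector 0 is the MBR itself
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            findings.append(("gap", cursor, e["start"] - 1))
        elif e["start"] < cursor:
            findings.append(("overlap", e["start"], min(cursor - 1, e["end"])))
        if e["end"] >= disk_sectors:
            findings.append(("past_end", e["slot"], e["end"]))
        cursor = max(cursor, e["end"] + 1)
    if cursor < disk_sectors:
        findings.append(("gap", cursor, disk_sectors - 1))
    return findings


def build_sample_mbr():
    """Constructed sample: one active NTFS primary and one extended container."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x0F, 208896, 1000000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)
```

A gap from sector 1 to the first partition is normal alignment padding; a gap between partitions or after the last one is where a deleted entry may have been.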


 
 Post subject: Re: Ohhhhh Do I need help. partitions.
Posted: March 24th, 2012, 13:54

Joined: May 6th, 2008, 22:53
Posts: 2138
Location: England
Thanks for the update.

majbach wrote:
For the record, I have not been making any changes to the system

Thanks - that certainly wasn't apparent to me from your first comments, where you said you had performed several actions to (try to) remove the malware, and didn't mention the other laptop. :)

Given that you report your manual modifications of the partition table (in the MBR) have been successful (congratulations!), I could guess at the cause of the problems you reported from the partition recovery software:

majbach wrote:
Active Partition Recovery [...] "unable to write sectors to the device"
[...]
EASEUS Partition Recovery [...] it proceeds and returns a success message but upon reboot, the partitions are still not there.

... but since you're going ahead with your own plan, then I won't explore those earlier issues further. Good luck. :)


 
 Post subject: Re: Ohhhhh Do I need help. partitions.
Posted: March 24th, 2012, 14:43

Joined: March 23rd, 2012, 15:46
Posts: 4
Location: quesnel bc
Ohhh, Vulcan, I am still very interested in your advice; there is no reason to believe this will never happen again.
I was basing my reply regarding the direction I am taking as the 'safest option'. Once I have backed up everything, I still intend to attempt some risky trial-and-error "learn the hard way" methods. Right now I am using EASEUS data recovery to save 500 G worth of data. Then, I'd like to see if I can still somehow restore the partitions without using a partition program to redefine new ones and copy data back. If you can provide direction, that would be much appreciated!


Attachments:
partition info.jpg [ 311.12 KiB | Viewed 5897 times ]
Clip2.jpg [ 273.42 KiB | Viewed 5897 times ]