Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts

bootloader ok but still won't mount

March 28th, 2011, 1:12

Hi all! A week ago I was trying to remove a trojan from an HP Pavilion with Win XP, but when the antivirus software tried to quarantine/remove the infected files, the system crashed and produced a blue screen of death.

The disk wouldn't boot afterwards. I booted from a linux live cd and was able to mount the HP recovery partition, but not the primary partition. However, I could see both the partitions from the partition table (using fdisk -l). Everything there looked legitimate. When I try to mount it I get an error.

Further, I tried using testdisk. It could also see the partitions just fine and everything said it was ok until I tried to actually look into the files. It then told me that my file system could be damaged.

My question is, what could be damaged here? It's probably not a hardware problem because I'm able to mount the recovery partition just fine. It's likely not the MBR since the partition table seems to be intact. Perhaps a volume boot record on the primary partition? I don't know enough about disks to say whether or not that would prevent me from mounting. Any help is appreciated! Thank you :D

P.S. I don't want to shred/reformat because I want the files on the disk. Thanks again!

Re: bootloader ok but still won't mount

March 28th, 2011, 8:57

xiephoire wrote: when the antivirus software tried to quarantine/remove the infected files, the system crashed and produced a blue screen of death.

What was the error? It might be telling you about unreadable sectors in your primary partition.

xiephoire wrote: The disk wouldn't boot afterwards. I booted from a linux live cd and was able to mount the HP recovery partition, but not the primary partition.

Same question as above - what exact error message did you get, when you tried to mount the primary partition? That info may be helpful.

xiephoire wrote: However, I could see both the partitions from the partition table (using fdisk -l). Everything there looked legitimate.

Unfortunately that just tells you that the partition table is readable - it tells you nothing about the ability to read enough of the primary partition's filesystem to mount it.

xiephoire wrote: Further, I tried using testdisk. It could also see the partitions just fine and everything said it was ok until I tried to actually look into the files. It then told me that my file system could be damaged.

Which just means it was a dirty shutdown of that filesystem, and so the filesystem may have internal inconsistencies. There are things you could attempt to do via the Windows XP recovery console, but they are irreversible, and without knowing what errors you originally saw, I wouldn't take the risk of doing anything without making a clone first (see below).

xiephoire wrote: It's probably not a hardware problem because I'm able to mount the recovery partition just fine.

Impossible to say that - mounting the recovery partition does not mean that the primary partition is readable.

xiephoire wrote: It's likely not the MBR since the partition table seems to be intact.

Agreed. As I said, a "damaged" filesystem usually means one where the "dirty" bit is set.

I suggest that to avoid making any irreversible changes to that primary partition, you should clone that disk (or at least the primary partition and MBR) to another disk first.

That cloning serves 2 purposes for you: (a) it proves that the whole of the primary partition is readable (if not, you'll get errors during cloning), and (b) you can then run logical recovery procedures (anything from just running chkdsk, up to running expensive paid-for software and anything in between those extremes) on that clone, without losing the ability to go back to the original disk to restart the process again, if it is still readable. Alternatively, by keeping one clone as a "master" and doing any logical recovery onto yet another disk, you avoid needing to recreate the first clone, in case you want to repeat doing different logical recovery techniques, but at the expense of at least one more disk.

If any parts of the original disk are not readable, then that tells you what some or all of the original problem was. It would also help if you answered my questions above about error messages. Unreadable sectors in Windows system files often result in BSOD, so that might be unrelated to the virus.

Re: bootloader ok but still won't mount

March 28th, 2011, 10:30

Good call. I'll try to make a duplicate image tonight and also get those exact error messages using verbose mode.

Re: bootloader ok but still won't mount

March 28th, 2011, 11:25

OK, thanks for the update. FYI, if you get any read errors during cloning, you'll need to use a cloning program that knows how to work around them. There have been previous threads about suitable cloning software on the forum.

Re: bootloader ok but still won't mount

March 28th, 2011, 23:09

Ok, I have some error messages produced by Ubuntu.

fdisk -l produces:
Code:
Disk /dev/sde: 60.0 GB, 60022480384 bytes
240 heads, 63 sectors/track, 7753 cylinders
Units = cylinders of 15120 * 512 = 7741440 bytes
Disk identifier: 0x07eca173

   Device Boot      Start         End      Blocks   Id  System
/dev/sde1               1         677     5118088+   b  W95 FAT32
/dev/sde2   *         678        7752    53487000    7  HPFS/NTFS



Here's what happens when I try to mount the primary partition:
Code:
# mount -v -t ntfs /dev/sde2 /mnt/sde2
$MFT has invalid magic.
Failed to load $MFT: Input/output error
Failed to mount '/dev/sde2': Input/output error
NTFS is either inconsistent, or you have hardware faults, or you have a
SoftRAID/FakeRAID hardware. In the first case run chkdsk /f on Windows
then reboot into Windows TWICE. The usage of the /f parameter is very
important! If you have SoftRAID/FakeRAID then first you must activate
it and mount a different device under the /dev/mapper/ directory, (e.g.
/dev/mapper/nvidia_eahaabcc1). Please see the 'dmraid' documentation
for the details.


And if I try to clone the primary partition I get an error:

Code:
# dd if=/dev/sde2 of=./sde2.img
dd: reading `/dev/sde2': Input/output error
5701856+0 records in
5701856+0 records out
2919350272 bytes (2.9 GB) copied, 741.902 s, 3.9 MB/s


I get that same error if I try to dd the entire drive (/dev/sde)

Mounting the recovery partition works:
Code:
mount -v -t vfat /dev/sde1 /mnt/sde1
/dev/sde1 on /mnt/sde1 type vfat (rw)


As does cloning it:

Code:
# dd if=/dev/sde1 of=./sde1.img
10236177+0 records in
10236177+0 records out
5240922624 bytes (5.2 GB) copied, 1085.96 s, 4.8 MB/s


As for the original blue screen of death, I was not able to capture it because I lacked the resources at the time.

I'm going to go ahead and educate myself on using advanced cloning software :-)

Re: bootloader ok but still won't mount

March 29th, 2011, 4:56

Hiya, I notice the drive in question is only 60 GB, so you could consider using the copyr.dma software, which is also free and will most likely be able to work around the unreadable sector/sectors. That is a direct drive-to-drive copy app, so you would need a spare drive to clone to.

Your hard drive has very likely developed a bad sector, which might have been caused by the system crash when you removed the trojan. A trojan rootkit can do this, so you might also find there is some trojan code in the MBR.

Re: bootloader ok but still won't mount

March 29th, 2011, 7:05

xiephoire wrote: And if I try to clone the primary partition I get an error:

Code:
# dd if=/dev/sde2 of=./sde2.img
dd: reading `/dev/sde2': Input/output error
5701856+0 records in
5701856+0 records out
2919350272 bytes (2.9 GB) copied, 741.902 s, 3.9 MB/s


I get that same error if I try to dd the entire drive (/dev/sde)

So that confirms you do, as suspected, have one or more unreadable sectors in that partition, and a standard dd command will simply report that fact & stop.

xiephoire wrote: As for the original blue screen of death, I was not able to capture it because I lacked the resources at the time.

Understood. Therefore it might have been related to the unreadable sector(s) too - but we'll never know.

xiephoire wrote: I'm going to go ahead and educate myself on using advanced cloning software :-)

I'd suggest doing some reading about ddrescue, since you seem comfortable using Linux, but as dick has said, there are other options.
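
Added example (not part of the original thread, and not ddrescue's own code): the dd run above stopped at the first unreadable sector, 5701856 records of 512 bytes, which is the 2919350272 bytes it reported. The Python below shows the alternative strategy of reading in large chunks, falling back to single sectors on an I/O error, zero-filling what cannot be read and recording where. All function names are hypothetical, and `faulty_reader` with its payload is a constructed stand-in for a failing disk.

```python
import errno
import io

SECTOR = 512  # sector size from the fdisk output above

def clone_skipping_errors(read_at, size, out, chunk=64 * SECTOR):
    """Copy size bytes via read_at(offset, length) into out; return bad regions."""
    bad = []  # merged (start, length) regions that were zero-filled
    for offset in range(0, size, chunk):
        length = min(chunk, size - offset)
        try:
            data = read_at(offset, length)  # fast path: whole chunk at once
        except OSError as exc:
            if exc.errno != errno.EIO:
                raise
            data = b"".join(  # slow path: isolate the bad sectors in this chunk
                _sector(read_at, pos, min(SECTOR, offset + length - pos), bad)
                for pos in range(offset, offset + length, SECTOR))
        out.seek(offset)
        out.write(data)
    return bad

def _sector(read_at, pos, n, bad):
    """Read one sector; on EIO record it in bad and return zeros instead."""
    try:
        return read_at(pos, n)
    except OSError as exc:
        if exc.errno != errno.EIO:
            raise
    if bad and sum(bad[-1]) == pos:  # previous bad region ends here: extend it
        bad[-1] = (bad[-1][0], bad[-1][1] + n)
    else:
        bad.append((pos, n))
    return bytes(n)

def faulty_reader(payload, bad_sectors):
    """Constructed stand-in for a failing disk: EIO on the listed sectors."""
    def read_at(offset, length):
        touched = range(offset // SECTOR, (offset + length - 1) // SECTOR + 1)
        if any(s in bad_sectors for s in touched):
            raise OSError(errno.EIO, "Input/output error")
        return payload[offset:offset + length]
    return read_at

def demo():
    payload = bytes(range(256)) * 2 * 200  # constructed: 200 sectors of data
    out = io.BytesIO()
    bad = clone_skipping_errors(faulty_reader(payload, {70, 71, 150}), len(payload), out)
    return bad, out.getvalue()
```

On a real disk, `read_at` would wrap `os.pread()` on a descriptor opened read-only; dedicated tools such as ddrescue add retry passes and a map file that persists between runs.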

Re: bootloader ok but still won't mount

March 29th, 2011, 16:53

Ok, thank you both for your help! I'll look into these types of software and if I make any progress I'll post it back asap.