Hi all! A week ago I was trying to remove a trojan from an HP Pavilion with Win XP, but when the antivirus software tried to quarantine/remove the infected files, the system crashed and produced a blue screen of death.

The disk wouldn't boot afterwards. I booted from a linux live cd and was able to mount the HP recovery partition, but not the primary partition. However, I could see both the partitions from the partition table (using fdisk -l). Everything there looked legitimate. When I try to mount it I get an error.

Further, I tried using testdisk. It could also see the partitions just fine and everything said it was ok until I tried to actually look into the files. It then told me that my file system could be damaged.

My question is, what could be damaged here? It's probably not a hardware problem because I'm able to mount the recovery partition just fine. It's likely not the MBR since the partition table seems to be intact. Perhaps a volume boot record on the primary partition? I don't know enough about disks to say whether or not that would prevent me from mounting. Any help is appreciated! Thank you

P.S. I don't want to shred/reformat because I want the files on the disk. Thanks again!

What was the error? It might be telling you about unreadable sectors in your primary partition.


Same question as above - what exact error message did you get, when you tried to mount the primary partition? That info may be helpful.


Unfortunately that just tells you that the partition table is readable - it tells you nothing about the ability to read enough of the primary partition's filesystem to mount it.


Which just means it was a dirty shutdown of that filesystem, and so the filesystem may have internal inconsistencies. There are things you could attempt to do via the Windows XP recover console, but they are irreversible, and without knowing what errors you originally saw, I wouldn't take the risk of doing anything without making a clone first (see below).


Impossible to say that - mounting the recovery partition does not mean that the primary partition is readable.


Agreed. As I said, a "damaged" filesystem usually means one where the "dirty" bit is set.

I suggest that to avoid making an irreversible changes to that primary partition, you should clone that disk (or at least the primary partition and MBR) to another disk first.

That cloning serves 2 purposes for you: (a) it proves that the whole of the primary partition is readable (if not, you'll get errors during cloning), and (b) you can then run logical recovery procedures (anything from just running chkdsk, up to running expensive paid-for software and anything in between those extremes) on that clone, without losing the ability to go back to the original disk to restart the process again, if it is still readable. Alternatively, by keeping one clone as a "master" and doing any logical recovery onto yet another disk, you avoid needing to recreate the first clone, in case you want to repeat doing different logical recovery techniques, but at the expense of at least one more disk.

If any parts of the original disk are not readable, then that tells you what some or all of the original problem was. It would also help if you answered my questions above about error messages. Unreadable sectors in Windows system files often result in BSOD, so that might be unrelated to the virus.

Good call. I'll try to make a duplicate image tonight and also get those exact error messages using verbose mode.

OK, thanks for the update. FYI, if you get any read errors during cloning, you'll need to use a cloning program that knows how to work around them. There have been previous threads about suitable cloning software on the forum.

Ok, I have some error messages produced by Ubuntu.

fdisk -l produces:


Here's what happens when I try to mount the primary partition:


And if I try to clone the primary partition I get an error:



I get that same error if I try to dd the entire drive (/dev/sde)

Mounting the recovery partition works:


As does cloning it:



As for the original blue screen of death, I was not able to capture it because I lacked the resources at the time.

I'm going to go ahead and educate myself on using advanced cloning software

Hiya, I notice the drive in question is only 60gb so you could consider using the copyr.dma software which is also free and will most likely be able to work around the unreadable sector/sectors. That is a direct drive to drive copy app so you would need a spare drive to clone to.

Your hard drive has very likely developed a bad sector which might have been caused by the system crash when you removed the trojan. A trojan rootkit can do this so you might also find there is some trojan code in the mbr.

So that confirms you do, as suspected, have one or more unreadable sectors in that partition, and a standard dd command will simply report that fact & stop.


Understood. Therefore it might have been related to the unreadable sector(s) too - but we'll never know.


I'd suggest doing some reading about ddrescue, since you seem you're comfortable using Linux, but as dick has said, there are other options.

Ok, thank you both for your help! I'll look into these types of software and if I make any progress I'll post it back asap.