All times are UTC - 5 hours [ DST ]




 Post subject: Data Lost, what next?
Posted: July 23rd, 2013, 20:05

Joined: July 23rd, 2013, 20:01
Posts: 5
Location: Earth
Here is the full story.

Somehow my PayPal was breached and two things were purchased on eBay. I assumed this was due to some malware or virus I acquired. I noticed on the computer that I was unable to go to Google or eBay and that Excel files would not open without giving some macro error. I ran Malwarebytes and it found a bunch of things, I don't recall what, and now the log files are corrupted and make no sense when I open the text file. My files were still available and I could access and open them as far as I looked, as I was dealing with the other parts of this issue.

The system is Windows XP Pro 64 bit and has a 1TB SATA drive with two partitions, a 500GB SATA drive with a single partition, and a 160GB IDE drive with a single partition. The OS is on the first partition of the 1TB drive.

I installed Eset Nod32 and set it to run on all drives and left it overnight. I woke up and it seems to have rebooted and now said BOOTMGR missing. I ran bootcfg /list and it said there was no boot.ini. I did a bootcfg /rebuild to make a new one. That did not solve the issue. I ran fixboot then ran fixmbr. Once it had the new boot.ini I then got ntldr missing so I replaced that and then ntdetect.com when it said it was missing. Then it said Hal.dll was missing or corrupt. Replaced Hal.dll in both system32 and syswow64 and it still persists with missing Hal.dll.

But the biggest problem is that somehow between running the AV and doing the above all my files on the 500GB and second partition on the 1TB are gone along with what looks like only the My Documents files on the first partition but other folders in C:\ are still there, and mostly My Documents in the 160GB and perhaps others are gone. These files appear gone in the recovery console, in a PE that I used from Hiren's Boot CD, and when putting the drives in another computer.

At this point I am not as concerned with it booting, I can reformat if needed, I just need to get my data back. It would be nice to know how to fix this issue but my data is of paramount importance. Having done any and all of the above procedures on different computers over the years I have never had any drive show as completely blank or show missing files from particular locations.

How or what caused my data to get lost? More importantly, how do I get it back, as I hope that it is not truly gone, just not visible in the OS? Is it an MBR issue, a partition table, a virus, or what would cause this and how to fix it?

Any help you can give to help resolve this issue is greatly appreciated.


 
 Post subject: Re: Data Lost, what next?
Posted: July 24th, 2013, 3:07

Joined: January 28th, 2009, 10:54
Posts: 3547
Location: Greece
I would start by making a sector-by-sector clone of the hard drive onto another one, using (for example) HDD Raw Copy Tool (you can find it on this site and it is free). Please do not use Ghost, Acronis etc. If you're familiar with Linux a very good solution would be GNU ddrescue, but I'd go to this step if my Linux skills were above average and if HDD RCT failed to make the clone.

Then I would scan the clone with a good recovery software like R-Studio, DMDE or GetDataBack (or others).

The fact that all those system files were missing makes me guess that either all of them were infected and your AV deleted them, or there is a problem with your HDD and stressing it by running a full AV scan overnight made things worse.

Best thing to do is image your drive ASAP to another one.

My $.02

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 
 Post subject: Re: Data Lost, what next?
Posted: July 24th, 2013, 9:21

Joined: July 23rd, 2013, 20:01
Posts: 5
Location: Earth
Thanks for the suggestions.

Unfortunately, I am not familiar with Linux. I do not have other hard drives that are big enough so I would need to go get some. I do have another computer that has enough space on its drive for the 500GB. Can I make an image of the drive and put it on that computer and run the recovery software on the image file? Or does the software only work on a physical drive and not an image file of the drive?

Is there any harm in hooking the bad drives up to another computer and running the recovery software?

I read that many of the software say they are not destructive to the drive. Is that true or is there some writing, etc. to the drive that occurs during the recovery process that the software uses that further corrupts the drive?

Thanks


 
 Post subject: Re: Data Lost, what next?
Posted: July 25th, 2013, 3:36

Joined: January 28th, 2009, 10:54
Posts: 3547
Location: Greece
Rurede wrote:
Thanks for the suggestions.


You're welcome :-)


Rurede wrote:
Unfortunately, I am not familiar with Linux.

That's ok. You can use HDD Raw Copy Tool on Windows. It's really straightforward. Just choose source, destination and boom.


Rurede wrote:
I do not have other hard drives that are big enough so I would need to go get some. I do have another computer that has enough space on its drive for the 500GB. Can I make an image of the drive and put it on that computer and run the recovery software on the image file? Or does the software only work on a physical drive and not an image file of the drive?


Yes, you can use that other computer and create the image there. Then, run the software on that image. Having said that, just hook the drive-in-question in that other computer that has enough free space (make sure it won't run any checkdisk or anything during startup), download HDD Raw Copy Tool, select as source the HDD in question and as destination an image file. Be careful here, because wrong selections will be destructive. Make sure you press the right buttons. Think 3 times before the last OK, and then think a 4th time.
After the 5th time, press OK and let it finish imaging.
Then run a software like R-Studio on that image.

Rurede wrote:
Is there any harm in hooking the bad drives up to another computer and running the recovery software?

Yes. Recovery software should be run on an image (image file or a sector-by-sector clone), and not on the sick drive. If that's what you mean.

Rurede wrote:
I read that many of the software say they are not destructive to the drive. Is that true or is there some writing, etc. to the drive that occurs during the recovery process that the software uses that further corrupts the drive?

They do not write anything during the recovery process, but the drive itself is stressed. If there is any physical problem with the drive, it will get worse.
There is a saying I use for data recovery on sick drives: Sectors should only be read once - during imaging.

Good luck.

 
 Post subject: Re: Data Lost, what next?
Posted: July 25th, 2013, 11:52

Joined: July 23rd, 2013, 20:01
Posts: 5
Location: Earth
Thanks for the response.

First, you mention to make sure CHKDSK does not run. I am afraid the cat is out of the bag on that one as I believe I ran that as it turned up as a potential fix when it wasn't booting. As such what does CHKDSK do that is damaging and could it have contributed to the issue on the 1TB 1st partition I detail below?

As there is nothing physically wrong with the drives, I did not do the imaging first but perhaps will due to the 1TB 1st partition issue.


I connected the 1TB and ran Ontrack Easy Recovery on the 2nd partition, which just had data on it. While scanning, the dialog box said it had found files but when it finished there was nothing. I do not know if I have some settings wrong or why that occurred. So I decided to try EaseUS Data Recovery Wizard on that 2nd partition. It found the files fine with names and directory structure correct. As far as I can tell it got most everything.

So then I connected the 500GB drive, which was also only data, ran EaseUS, and it worked well again, finding files with names and directory structure.

The problem lies in the scan of the 1st partition of the 1TB where the OS resided. The EaseUS scan marks files as lost or deleted. What it shows for the files that I recovered from the 500GB and the 2nd partition were lost files. On the 1st partition the scan turned up most things but they were marked as deleted. It could not get the directory structure and many files were only found RAW. As I cannot remember the complete directory structure, nor the number of, say, Excel files, I am unsure it got everything.

I mainly am concerned about the My Doc's, as you could imagine, because for some reason it seems to get things that were not in that particular folder much better. Why would that partition be any worse than the other two? Should I try another program to see if it can do a better job on that partition, after imaging?

It does not appear that HDD Raw Copy can make an image of just a partition, is this correct? Would an image made with R-Studio be acceptable? Does the image need to be byte for byte or can it be compressed, as I am running out of space on my working computer?

What other techniques would you employ on the OS partition to get it to show the correct directory structure with the files in their proper places?

Thanks again, I appreciate it


 
 Post subject: Re: Data Lost, what next?
Posted: July 26th, 2013, 12:13

Joined: July 23rd, 2013, 20:01
Posts: 5
Location: Earth
Using R-Studio I got a better directory structure in the My Documents folder. Most things are there and I think the others are in the raw files, unfortunately.

Even before this occurred, after I ran Malwarebytes and let it do its thing, I could not open the Excel files. The same problem exists in addition to other types of files being corrupt, some with proper names and reasonable file sizes.

Are there any recommendations for software to repair corrupt files, mainly Excel, Word, PDF, JPEG, Publisher?

As it seems different software gives rather different results, I will next try GetDataBack after some work on trying to repair the corruption in the files.

Thanks


 
 Post subject: Re: Data Lost, what next?
Posted: July 26th, 2013, 14:58

Joined: August 26th, 2012, 19:18
Posts: 293
Location: England
Rurede,
Quote:
many files were only found RAW


Small files? You may be lucky.
Large files, usually partial fragments.

Without a File Table, which indexes the locations of all the fragmented parts of a file, the DR software may attempt to carve out files by recognising their first few bytes: a header.

It may then guess how large the file is by waiting till it gets a footer or another header before closing off the file.

The files you find as *corrupt* may be incomplete due to fragmentation.

This is why sometimes you will see a minor animation file, usually a few kb appearing as several megabytes in size.
Conversely, you may find the first 10k of a multi-megabyte file readable (after a file repair utility is used) and the rest is garbage.
This type of case is like trying to unscramble an egg.

File repair programs may manipulate the formatting on them in order to get at least some data out of the file. They aren't capable though, of finding all the disparate bits and gluing them back together.
That's what the OS does when operating with a file table on a (usually heavily) fragmented file system.

Not optimistic news, but I hope it gets you a better picture of what's happened before you lay out loads on other file repair software.

hth

Kern

_________________
When you feel like eating, eat everything.
Hunger is no aunt!
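
The header/footer carving described in the post above, as an added example that is not part of the original thread: a toy carver run over a constructed image, showing one intact file, one oversized file (fragmented, with another file's data in between) and one truncated file (closed off at the next header). The marker bytes are the JPEG start and end markers; the image layout and file contents are made up for illustration.

```python
# Added illustration: header/footer carving over a constructed "disk image".
HEADER = b"\xff\xd8\xff"   # JPEG start-of-image marker
FOOTER = b"\xff\xd9"       # JPEG end-of-image marker


def carve(image):
    """Carve without a file table: start at each header and close the file
    at the next footer or the next header, whichever comes first."""
    carved = []
    pos = image.find(HEADER)
    while pos != -1:
        next_header = image.find(HEADER, pos + len(HEADER))
        footer = image.find(FOOTER, pos + len(HEADER))
        if footer != -1 and (next_header == -1 or footer < next_header):
            end = footer + len(FOOTER)      # closed by a footer
        elif next_header != -1:
            end = next_header               # closed by the next header
        else:
            end = len(image)                # no terminator: run to end of image
        carved.append(image[pos:end])
        pos = next_header
    return carved


def build_demo():
    """Constructed sample data: four files laid out on a toy image."""
    file_a = HEADER + b"A" * 20 + FOOTER    # stored contiguously
    file_b = HEADER + b"B" * 40 + FOOTER    # stored as two fragments
    foreign = b"X" * 64                     # another file's data between them
    c_head = HEADER + b"C" * 10             # first fragment only; tail is elsewhere
    file_d = HEADER + b"D" * 5 + FOOTER     # stored contiguously
    image = (file_a + b"\x00" * 7 + file_b[:24] + foreign + file_b[24:]
             + c_head + file_d)
    return {"a": file_a, "b": file_b, "d": file_d}, image


if __name__ == "__main__":
    originals, image = build_demo()
    for i, blob in enumerate(carve(image)):
        intact = blob in originals.values()
        print(f"carved[{i}]: {len(blob):3d} bytes, "
              f"{'matches an original' if intact else 'CORRUPT (oversized or truncated)'}")
```

The fragmented 45-byte file comes back as 109 bytes with foreign data in the middle, which is the "few kb file appearing much larger" effect; no repair tool can tell which of those bytes belong.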


 
 Post subject: Re: Data Lost, what next?
Posted: July 26th, 2013, 16:10

Joined: May 6th, 2008, 22:53
Posts: 2138
Location: England
Rurede wrote:
Are there any recommendations for software to repair corrupt files, mainly Excel, Word, PDF, JPEG, Publisher?

Unfortunately that's fundamentally not the best question at this stage. If you have "corrupt" files after a recovery, then what you recovered is not actually correct for the reasons which digitalferret explained. Running chkdsk (or Windows running its automatic version of that) earlier may have caused (at least part of) this problem. :( Trying to fix a "corrupt" file which is actually incomplete, or a mixture of different files etc., is often a waste of time which would be better spent trying different approaches, to get a more successful recovery.

So (a) don't try to "repair" the corrupt files on your original drive - nothing should be written to that (in case that's what you were suggesting); (b) as you found, different recovery software use different recovery algorithms and hence get different results - there is no "best in all situations" software, so you have a choice how much time & money you want to spend trying different trial versions of software. Also be aware that for limited trials of recovery software, you have to be very careful what guarantees they give of how accurate any estimates of success with the paid version will be. Trying lots of different software means you need lots of space to hold each set of recovered files, so you can choose the best (or least corrupt) recovery of each one. Therefore your limited space to hold files may quickly become a limiting factor and so you might want to buy an external drive or two (and thoroughly test them first) for holding the recovered files.


 
 Post subject: Re: Data Lost, what next?
Posted: July 26th, 2013, 17:33

Joined: July 23rd, 2013, 20:01
Posts: 5
Location: Earth
Yes, most are small files, I did not have large files of the file types I mentioned. No, certainly not writing to the bad drive.

I see your point about trying to get a better recovery rather than fixing corrupt files. I do not think, but of course do not know, that file fragmentation is the cause of the corruption. As I mentioned earlier, I could not open them after I ran Malwarebytes but before the non-boot situation, which leads me to believe the virus, or whatever it was, was the cause of the corruption.


If I take an example file that was 102kb originally, after the virus it is now 160kb. My thinking is there was an injection of something to cause this increase in file size. If I take the corrupt Excel file and use a program called Repair My Excel it gives a message that says OLE Header Corrupt and OLE Header Structure Corrupt. Thus Excel does not know it is an Excel file. Using OffVis it says The Expected OLESS signature 0xD0CF11E was not found. If I open the file in a hex editor and add that hex value to the beginning of the file, where I found it in a good Excel file, the Repair My Excel program says the OLE Header is ok but not the OLE Header structure. Perhaps I am wanting this to be a good sign toward progress, if I need to manually fix each file, as again they seem to be all of correct size.

When I do a scan with data recovery software it shows many partitions for my one partition. Are these partition states that may yield different results in terms of the corruption of the files? They show different sizes and thus different start and end points on the drive.


Thanks for guiding me through this.
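
A read-only way to triage recovered Office files by their header, added here as an example and not part of the original thread: it checks the compound file signature plus two fixed-offset header fields, and reports whether an intact header sits at offset 0, further into the file, or nowhere. It assumes legacy compound-file (OLE2) documents, as the OffVis message suggests; the full 8-byte signature and field offsets come from the compound file format, and the sample byte strings are constructed.

```python
import struct

# Compound file (OLE2) signature that opens legacy .xls/.doc/.pub files.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def structure_ok(buf):
    """Signature plus two fixed-offset header fields: byte-order mark at
    offset 28 (0xFFFE) and sector shift at offset 30 (9 or 12)."""
    if len(buf) < 32 or buf[:8] != OLE_MAGIC:
        return False
    byte_order, sector_shift = struct.unpack_from("<HH", buf, 28)
    return byte_order == 0xFFFE and sector_shift in (9, 12)


def classify(data):
    """Return (status, offset) for one recovered file's bytes."""
    if structure_ok(data):
        return ("ok", 0)
    off = data.find(OLE_MAGIC, 1)           # intact header later in the file?
    while off != -1:
        if structure_ok(data[off:]):
            return ("displaced", off)       # original content sits after extra bytes
        off = data.find(OLE_MAGIC, off + 1)
    if data[:8] == OLE_MAGIC:
        return ("magic-only", 0)            # signature present, header fields wrong
    return ("missing", None)                # no usable header anywhere


def build_samples():
    """Constructed 512-byte header sector and three damaged variants."""
    good = (OLE_MAGIC + bytes(16)
            + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + bytes(478))
    zeroed = bytes(8) + good[8:]            # signature overwritten
    return {
        "good": good,
        "prepended": b"\xaa" * 100 + good,  # extra bytes in front of an intact file
        "zeroed": zeroed,
        "patched": OLE_MAGIC + zeroed,      # signature inserted in front by hand
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, classify(data))
```

Run it against copies of the recovered files, never the source drive. On the constructed "patched" sample the signature matches but the fields after it have shifted by eight bytes, so the header still fails validation.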

