Maxtor 3200 USB Drive failure after virus


12 replies to this topic

#1 Oboysfun


Posted 21 March 2012 - 07:23 AM

The System Check virus was on our church secretary's PC. She had a Maxtor 3200 USB external drive where she kept her backups. I plugged the drive into another system but none of the files could be seen. When I performed a properties check on the drive it showed 130GB of disk used and displayed the free disk space. I am not sure how to recover the data on this drive. Any ideas or leads would be greatly appreciated.

Maxtor Personal Storage 3200 U01E160


Thanks,
Dave O.



#2 James Litten


Posted 21 March 2012 - 10:54 AM

Hi Dave

I can try to help you.
Lots of questions first :)

What's the story with the virus? You know, like how was it determined that it was infected, what was done if anything to clean it.

What is the manufacturer/model of the computer that the drive was in?

What is the operating system of both the original machine and the one you are now trying to connect it to?

How many partitions are on the drive? Was it just one drive letter on it or does it have more than one drive on it?

James

#3 Oboysfun


Posted 21 March 2012 - 11:06 AM

I had seen a similar virus like this before. I ran the Rkill/Iexplorer to stop the current activity. I tried running the Malware-bytes application but it would stop after 4-5 seconds of scanning. I tried this several times. I ended up pulling the drive out and scanned it with another machine. It cleaned off the viruses but I believe that the partition table may be messed up on it now. Still checking on that.

The pc is a Dell Inspiron, dual-processor, 4GB RAM, 500GB local (c-drive) running Vista SP2. AVG 2012 is the anti-virus software installed.

The system I connected it to is XP Professional/SP3 with all the latest patches and updates.

The local drive has two partitions: the os and the recovery.

The Maxtor drive is one big partition. I did see that Seagate has a data recovery tool but I am not familiar with it, yet.

Thanks for the reply, let me know if you need more info.

Dave O

#4 James Litten


Posted 21 March 2012 - 11:31 AM

Sometimes pulling a USB drive off of a PC when it is not ready (even when it is not in use) can do this. I've done it myself and I'm generally pretty careful.

Since a partition is not showing that should be, you can try a partition recovery first. In order to do it safely without losing your data, you'll have to follow my instructions carefully. First we can look to see if we can easily fix it.
That is we look but do not change anything. :)

Get a copy of TestDisk from
http://www.cgsecurity.org/wiki/TestDisk_Download

When you extract the downloaded file one of the programs is
testdisk_win.exe
Double click it to run it and it will open a black window.

Make these selections

CREATE (to create a new log)
use up/down arrows to select the drive with the missing partition
select PROCEED and press enter
INTEL
Analyse
Quick Search
Answer Yes to the question about it being created with Vista or Win7 (even if it was not)
Let us know what partitions it lists and if they are green or white and if they have * P or D in front of them.

If you need to exit it before waiting for me to respond press the letter q 4 times to exit the program. We can always get back to that screen easily and quickly.

James

#5 rotor123


Posted 21 March 2012 - 12:11 PM

Since you can see the properties on the USB drive that means all is well, so to speak.

What you need to do is run unhide.exe http://www.bleepingcomputer.com/download/anti-virus/unhide with the USB drive hooked up.
Unhide.exe - An introduction as to what this program does
http://www.bleepingcomputer.com/forums/topic405109.html/page__p__2324554__hl__unhideexe__fromsearch__1#entry2324554

Many of these programs, such as "The System Check virus", hide many files including documents, music, video etc. as a part of their scare tactics, trying to get you to buy their bogus program, which in reality only gives your credit card info to a thief.

They also hide the links from All Programs so you can't run anything to further scare you.

If no temp file cleaner was run, the program shortcuts and desktop icons can usually be restored to view by Unhide.exe


Why do you say you think the partition table is damaged on the system disk?


Good Luck
Roger

Edited by rotor123, 21 March 2012 - 12:12 PM.

Fortune Cookie says: Fortune not Found: Abort, Retry, Ignore?

Sent from my All-In-One Desktop. Perfect for Internet, Not for heavy usage or gaming however.

How Does a computer get Infected? http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
Forum Rules,    The BC Welcome Guide

167 @ June 2015
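A read-only way to check the diagnosis in post #5 (the drive reports used space but shows no files, which points to hidden attributes rather than lost data), as an added PowerShell example that is not part of the original thread. The function name `Get-HiddenFileSummary` and the drive letter `E:\` are assumptions; it avoids syntax newer than PowerShell 2.0 so it also runs on older systems.

```powershell
# Added example, read-only: it inspects attributes and changes nothing on the drive.
# Assumption: the external drive is mounted as E:\ ; pass a different -Root if not.
function Get-HiddenFileSummary {
    param([string]$Root = 'E:\')

    $hiddenBit = [System.IO.FileAttributes]::Hidden

    # Folders Windows itself keeps hidden on a volume; not a sign of tampering.
    $expected = 'System Volume Information', '$RECYCLE.BIN', 'RECYCLER'

    # -Force returns hidden and system items that Explorer omits by default.
    $top = @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $expected -notcontains $_.Name })
    $files = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })

    $hidden  = @($files | Where-Object { $_.Attributes -band $hiddenBit })
    $visible = @($files | Where-Object { -not ($_.Attributes -band $hiddenBit) })

    # [long] turns the empty result of Measure-Object on no input into 0.
    $hiddenBytes  = [long]($hidden  | Measure-Object -Property Length -Sum).Sum
    $visibleBytes = [long]($visible | Measure-Object -Property Length -Sum).Sum

    New-Object psobject -Property @{
        Root           = $Root
        HiddenFiles    = $hidden.Count
        VisibleFiles   = $visible.Count
        HiddenGB       = [math]::Round($hiddenBytes / 1GB, 2)
        VisibleGB      = [math]::Round($visibleBytes / 1GB, 2)
        # A hidden top-level folder conceals everything under it in Explorer,
        # even when the files inside do not carry the Hidden bit themselves.
        HiddenTopLevel = @($top | Where-Object { $_.Attributes -band $hiddenBit } |
            ForEach-Object { $_.Name })
    }
}

Get-HiddenFileSummary -Root 'E:\' | Format-List
```

If the hidden total plus the contents of any hidden top-level folders roughly matches the used space shown in the drive's properties, the files are still on the volume and only their attributes were changed.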


#6 Oboysfun


Posted 21 March 2012 - 12:27 PM

After I scanned and cleaned the virus off the internal HD and exiting the virus software I went to view the files on the drive. It was blank. I was running short on time and did not get to research it further yet. First glance type of reaction.

#7 James Litten


Posted 21 March 2012 - 12:39 PM

Thanks for pointing that out Roger :)

To see if they are hidden, you can open Windows Explorer and

Click TOOLS
FOLDER OPTIONS
on the VIEW tab check
SHOW HIDDEN FILES AND FOLDERS
uncheck HIDE PROTECTED OPERATING SYSTEM FILES

Let us know if the files appear now.

You may want to change those settings back when we finish fixing the problem.

James

Edited by NeverSayDie, 21 March 2012 - 01:34 PM.


#8 hamluis


Posted 21 March 2012 - 03:49 PM

FWIW: I may be incorrect...but I don't believe putting a hard drive in a second system and doing malware scans is effective when it comes to the registry of the infected drive.

My understanding is that the registry must be actively employed in order for scans to be effective. That means that the drive must be the boot drive or the registry must be exported to a second system and then accessed.

I will check my thoughts with some of our personnel more familiar with malware and confirm/refute my suspicions.

Louis

Edit: Nothing to worry about :thumbsup: , I was just worried about the possibility of the system still being infected.

Edited by hamluis, 23 March 2012 - 10:04 AM.


#9 rotor123


Posted 21 March 2012 - 05:17 PM

Louis, I suspect you're 100% right.

However there is the possibility that pulling and scanning the drive is the only way to get it clean enough to boot and run the tools?

Best regards
Roger

Edited by rotor123, 21 March 2012 - 05:18 PM.



#10 Oboysfun


Posted 22 March 2012 - 08:38 AM

Gentlemen, I really appreciate your replies and here is an update of my progress on resolving this issue.

When I brought the Maxtor drive home to work on I misplaced the power cable. I should have that today. What I have been working on is the desktop unit. As I mentioned before I removed the hard drive and scanned it in another system. It cleaned the virus off or as much as it can. I could not see any files on the drive. So I performed the steps to unhide the files in the folder options as mentioned in one of the responses. I was then able to recover all of the files located in the My Documents folder (2.7GB) and burned them to a DVD. I also copied off the user profile and burned to DVD too. Now I returned the hard drive to the original desktop unit. I booted it up and then used the UnHide program that was mentioned earlier to recover desktop and folder options. With the note about the registry and getting it scanned, I decided to make another attempt to install Malware-Bytes. This time it was successful. I initiated the full scan and it was still running when I left for work. When I get home today I hope to see all is better with the desktop unit. I will then work on the Maxtor drive tonight.

Thanks for your replies, I am making progress and will keep you up to date later this evening.

Dave O

#11 rotor123


Posted 22 March 2012 - 09:28 AM

I suspect that having the External drive attached and running Unhide.exe again will put everything back in view.

Or you could try what NeverSayDie said and then when you can see the files right click on the folders and choose properties. Then check the hidden button and apply, just in case, then uncheck it and apply again. Being sure to select do all subfolders and files each time.

Then you can reverse what NeverSayDie said and all will most likely be good.

Cheers
Roger



#12 Oboysfun


Posted 23 March 2012 - 08:33 AM

Now with the power cord the work on the external drive continued. I simply ran the Unhide.exe and everything came back. This was the first time I have ever used the Unhide.exe program. So what I thought was a hardware failure or loss of data is more of a virus related issue. I apologize for posting in this forum but I am very happy with the responses and especially the outcome.

Thanks everyone I appreciate you sharing your knowledge here. It will make me look like a hero to the secretary.

Dave O

#13 rotor123


Posted 23 March 2012 - 09:27 AM

Yup, Virus related. They do that to scare you into buying their bogus software. Sadly that means giving your credit card to a crook, which too many seem to do.

If that information on the external drive is important I suggest having it in more than one place. Hard drives do die.

Just in case this happens again. Be sure not to run any temp file cleaners until after unhide. Many of these viruses hide all the shortcuts from the start menu in a temp folder and cleaning that first means you will have to recreate them manually. A real chore.

Good Luck
Roger





