
Virus Permanently Modifies HPA of Hard Disk cloned and Locks it. damaging hard drives.



#1 Jason Cousins

Posted 20 June 2012 - 04:21 AM

So the machine I am working with is a consumer-line Dell Inspiron E1505 with Windows XP Media Center and the latest A17 BIOS. It came with a 60GB SATA hard drive that was almost full and I wanted to upgrade to a larger drive. I grabbed a brand new Seagate 320GB hard drive.

I booted up Acronis and attempted to clone from a 60GB drive to a 320GB. Everything looked perfect. It saw all four partitions from the source drive and once done showed that for the destination as well. I shut off the computer, installed the new hard drive and proceeded to boot. The computer attempted to boot but then received a stop 0x0000007b error (unmountable boot volume, for those unfamiliar). Common issue when cloning disks, so I proceeded to boot to an XP disk so I could repair the Windows install. Once it booted up, I noticed the drive was shown as a 58GB hard drive (the brand new 320GB drive). I restarted the machine, checked the BIOS, and it saw the drive as a 58GB hard drive. I pulled the drive and hooked it to four other machines that all stated the disk was now a 58GB hard drive. We checked disk management, booted to several hard drive testing tools and even popped it into a Linux environment. The drive had been permanently changed to a 58GB disk.

To my disbelief, I started investigating. I tried another new 320GB hard drive, this time with Ghost booted from Win 98. Same process, everything seemed perfect. Reboot, doesn't start. I check the BIOS. This drive as well has been permanently changed to a 58GB.

Keep in mind at this point, the original hard drive still boots perfectly. Goes to Windows, just low on disk space.

Next attempt, I tried to clone the drive in a different environment to rule out the possibility the machine was causing the issue. I pulled the hard drive and grabbed yet another hard drive (I have two I need to RMA now). I cloned the disk using a Windows-based Ghost and it succeeded as well. I looked through the partitions and data and everything looked fine. I loaded the disk into the machine and got an "[XLDR] ATA Error". I decided to go straight to BIOS and the replacement drive (200GB this time) is also a 58GB hard drive.

I have now bricked three perfectly working hard drives. I have formatted, diskparted and everything else in between. I had to find out what the problem was and decided to dig a little deeper. I took one of the 320GB cloned drives I had and I grabbed a copy of MHDD and proceeded to check the drive out. After a little digging, I found out that HPA had been modified to show this smaller size. I had found where it recognized the full limit of the drive. The command NHPA resets the drive back to its native max address limit. It attempted to run but failed. I tried to unlock the drive and that didn't work either. I tried a tool to manually set the sector count back to its original size and that failed as well.

So that's most of the story. Here are some details I've discovered:
* The problem persists once the drive is inserted into the machine and turned on.
* Once cloned, the cloned drive shows a RAW filesystem.
* I have used different brands and sizes of drives (Western Digital 320GB, Seagate 320GB, Samsung 200GB).
* It changes the drive's serial number to "j352 **", where ** is often random letters or numbers.
* Original Drive Sector Count - 114270344 | Cloned Drive Sector Count - 114270345

Please ask any questions that you need. I am trying a few more things to see if I can get this working.

I have also found this forum thread that is about 5 pages long and unresolved, which may be helpful. In the forum, they talk about a Dell Media Direct issue that I'm more than familiar with. I don't think this is what is causing the issue as I have the latest BIOS A17 and I did the clone in another unit and the same thing still happened.

http://www.computerhope.com/forum/index.php/topic,95000.0.html

My personal thought is that a boot sector virus is doing this. Help me with your thoughts.
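
An added example, not part of the original post: on Linux, `hdparm -N` reports a drive's visible and native max sector counts, and a visible count below the native one means an HPA is clipping the drive in the way described above. The sample output is constructed; 114270345 is the cloned-drive count from the post, while 625142448 (native size of a 320GB drive) and the device names are assumptions.

```python
import re

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Constructed `hdparm -N` output. 114270345 is the cloned-drive sector count
# from the post; 625142448 is an assumed native size for a 320GB drive.
SAMPLE = """\
/dev/sda:
 max sectors   = 114270345/625142448, HPA is enabled

/dev/sdb:
 max sectors   = 625142448/625142448, HPA is disabled

/dev/sdc:
"""

DEV_RE = re.compile(r"^(/dev/\S+):\s*$")
MAX_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def find_clipped(text):
    """Map each device to its HPA status, or None if no sector line was seen."""
    results, device = {}, None
    for line in text.splitlines():
        dev = DEV_RE.match(line)
        if dev:
            device = dev.group(1)
            results[device] = None
            continue
        m = MAX_RE.search(line)
        if m and device:
            visible, native = int(m.group(1)), int(m.group(2))
            hidden = native - visible
            results[device] = {
                "visible": visible,
                "native": native,
                "hidden_sectors": hidden,
                "hidden_gib": round(hidden * SECTOR_BYTES / 2**30, 1),
                "clipped": hidden > 0,
            }
    return results


if __name__ == "__main__":
    for dev, info in find_clipped(SAMPLE).items():
        if info is None:
            print(f"{dev}: no max-sectors line, check the drive manually")
        elif info["clipped"]:
            print(f"{dev}: HPA hides {info['hidden_gib']} GiB")
        else:
            print(f"{dev}: full native capacity visible")
```
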



#2 Jason Cousins

Posted 20 June 2012 - 11:15 AM

After some more research I have figured this out. I can post what the fix was if anyone is interested. It was NOT a virus, it was Dell Media Direct.



