
Complete HD Failure...Is It Viral?!?!? Please Help Me!!! Thx!


25 replies to this topic

#1 Wendi_W


Posted 20 October 2014 - 06:06 PM

Hello….I really think I may have a virus that has destroyed the bootsect on my drive making it un-detectable to the computer!!!!

 

I cannot boot into the WinRE via a disk or partition at all!

 

[How It All Started] Over a month ago, the left button on my Elan Touchpad just randomly quit working. I have an Asus K52Jc Laptop with Intel i5 processor and a Seagate Momentus 7200.4 500GB HDD that is just over 3 years old. I have been running Webroot Secure Everywhere AV for all of this time and have never had a problem with a virus/rootkit of any kind before this random problem.  Therefore, I thought that maybe I just needed to upgrade the driver for the touchpad.

So I went to http://support.asus.com and downloaded the newest driver and installed it…this didn't fix the left button issue.  So, I rolled back the driver and tried another Elan Touchpad driver...still didn't fix the problem.  Next, I took a look in the registry to see what the values were for the touchpad features…(to see if somehow the left button had been disabled)...and I found a lot of weird values...instead of 0's, 1's, or 2's, I found a couple of 13’s, a 14 value and many that were 3's and 4's!!! Weird!!! So I ran a scan with Webroot to see if maybe I had a virus of some sort…it just found a few pup files, but nothing that looked staggeringly dangerous!

[Mistake #1]  While searching for answers, I saw something about AVG's PCTune-Up Utilities 2014…(I hate to say it…but I think I found it from a “google advertisement” that happened to be on bleepingcomputer.com), so I started doing research on it & read a bunch of info about it that seemed pretty good at the time so I downloaded their trial (7 days...I think!)  

 

Well, it ran a bunch of tests and found a lot of errors, broken links, junk files, empty folders, etc. and it either got rid of them, or quarantined them.  After that, the computer really seemed to be doing a lot better, but that stupid left touchpad button still wasn't working. (I know…I SHOULD have asked for help at this point!!!)

[Mistake #2]  Well, since I had found all those strange values in the registry, I decided to do the "Registry Cleaner Utility" included in the AVG Utilities to see if it could find the error that was causing the left button to not function…(YES…I know...They are NEVER RECOMMENDED by most support people!!! Wish I had known that BEFORE I ran the cleanup!!!)

 

Anyway...it found a lot of errors and said that they had all been fixed and that I needed to restart the computer...which I did.  Then I got a message that there were quite a few drivers that needed to be updated.  So I did the driver update.  After that completed, it asked me to restart the computer.  When it came back on, it loaded Windows fine for about 10 minutes and then just suddenly closed and started to reboot….when it came back on the second time, it went to a black SOD!!! (It's acting much like what this poster described, or maybe like this one, but I didn't want to try any of the fixes suggested without being told to do so!!!)  So, I don't know if it's viral, or related to a registry, or update item!!!

 

[One “Saving Grace”]   I do have a Western Digital External Drive for my back up, but I'm not religious about doing them & unfortunately the back up is over a year and a half old!!!  However, it does have a .vhd file of the Computer from 2013-02-13. It also has a BootSect.BAK, a Bootsect.exe.mui file in a "en-US" folder and a Recovery.dat file on it. There may even be an NTUSER.dat file in it, but I'd have to keep looking through the backup zip files for it. (There are 774 .zip files in the backup!)  Even with those files...at this point, I wouldn't want to try and install any of them, without your help and guidance through the process (for fear I'd "F" it up even more!!!!)  

 

[How I’m Connected Now]  I have an old HP Win XP computer (on which I'm writing to you now) so I originally downloaded AVG's Repair Disk and made a bootable USB, but I had no idea what I was doing, so I started looking for help from AVG.  What an absolute JOKE that was!!! 

 

Furthermore…I would NEVER recommend using any of AVG’s products, because their “Support Department" is, in my opinion, at best: extremely difficult to find (since they are India based agents), and at worst: an unintelligible, almost impossible to understand (because of their heavily accented & broken English) and a completely useless “resource” (if you can call it that), unless you’re willing to pay them for what their software messed up to begin with!!!  To me…it’s almost as bad as “ransomware”!  (Just My Opinion!!!)

 

I called a ton of numbers to even find them and when I was finally able to speak to an AVG Tech, they wanted me to pay over $300 to "try" to fix my issues!!! A--holes...pay them to fix an issue that THEIR SOFTWARE had created!!!  I told them they were crazy!!!  Now I figure that it may have been a rootkit that was installed somehow, but still...I think they SHOULD have helped me...WITHOUT A CHARGE!!! Oh well...what's done is done!

[My Thoughts]  Right now, it will not even read that the drive is installed. I don’t think that the heads have gone bad, or that the drive itself has failed…I think something has  just completely corrupted the entire Bootsect & MBR, because I can hear the seek-arm looking for the boot sector, and when it cannot find it, it quits, but the seek-arm is NOT stuck and platter IS spinning just fine.  (I also took the cover off and watched it!!!)

 

[What I’ve Tried]  Initially, I did try chkdsk and fdisk (I think…it’s been over a month now!) and the drive initially showed up, but then all of a sudden it was gone…so maybe I messed it up further!  Also...I have also tried the Partition MiniTool, TestDisk and PhotoRec, all to no avail, because as I said…it doesn’t even show the hard drive at all anymore as being connected at all...as a dev/sda, dev/sda0 or dev/sda1!  

 

When loading the AVG Repair Disk I have been able to see that it says "NTFS signature is missing"! AND "cannot mount dev/sda...boot mgr corrupt or missing"!  Also, during the 'Startup Repair Diagnosis' I think I also got this error "0xc0000e9"  And, in a 'Temp File' on the Desktop there's one that says it found the "Error Code = 0x15 Boot Mgr is missing or corrupt" (I think that's from when I had the drive in an external enclosure trying different tests!)

 

[I Got a "Matched Drive"]  I was able to find another drive on eBay that was made within a month of mine and ALL of the data, firmware, etc. (including the numbers on the stickers on the PCBs) are the same as on mine!!!  So when it got here, I swapped out the PCBs to see if it would be able to read the Boot Sector on that corrupt HD...it would not…but then again, that could have been because there was NO information on the RAM of that PCB yet...I'm not sure!!! 

 

See, at that point, I had NOT restored my backup onto it, nor had it been formatted or partitioned yet (because I don’t know how to do that!)  So my thought process now is that maybe if I can “Restore” the backup from last year on that new drive, and THEN change out the PCBs…maybe it would actually see it…who knows!?!?!?!  Or maybe you’ll have a way to walk me through something else...like a software fix, and then that won't be necessary?!?  I'm not sure!!!

 

I have also purchased “Recovery Software” and a “System Disk” from neosmart.net (neither of which did any good) and I bought “Recover My Files” from getdata.com (which did absolutely nothing either…it couldn’t even see the drive either), so now I’m completely at a loss.

 

I have also taken the computer completely apart and cleaned every inch of its insides (which was extremely dirty!)  The point of doing this was to get to the CMOS button battery below the keyboard, because a tech I know suggested taking it out for about 30 seconds, which, he said, should reset the CMOS!  But that didn’t do anything to help the situation.  (Stupidly, I just put the same one back in the board and then put it back together…I probably should have put a new one back in its place, but it's too much trouble now to take it all apart and put it back together again, just for that one little battery...unless you think it'll make a difference?!?!?)

 

[The Bottom Line]  What it comes down to is that I'd REALLY like to be able to fix this drive if there is ANY POSSIBLE WAY and not lose all of that data from the last year and a half!!!  Because, if I can't, it will be devastating! I cannot tell you how many hours of work that is!  

 

Oh...and since I cannot even boot the computer, except into Parted Magic, or to Hirens or one of those, I don't know if I could even run the Gmer or the DSS items on the Asus Computer, because it cannot find the HD, much less boot into Windows!!! But I could post the information that Parted Magic gives me in the "System Information" program if you need it.  I’ve also been able to boot into MiniXP on the Hiren’s Live Boot CD. 

 

At the urging of my tech friend, I posted on techsupportforum.com…I did get a response from a tech…but without even trying ANYTHING at all, he told me the drive’s shot and to just install from the backup and start from there on the new drive!  Really frustrating!!!  So, that support ticket is now closed.  I have also downloaded a ton of things like Puppy, RuntimeLiveCD, Systemresccd, and a lot of others, but at this point I haven’t tried to do anything with them, because I didn’t want to make more of a mess of this thing without asking YOU GUYS first for your help and ideas…I now know that’s what I should have done to begin with!!!

 

[One Bit of Really Good News!!!]  When I was booted into either Parted Magic or one of the programs on the Hiren’s disk…the left button on the touchpad DID WORK!!!  So, this tells me that, as I suspected, the problem is NOT A HARDWARE FAILURE…it has to be a software setting that “something”, such as a virus, had changed the settings for the touchpad, making it partially unusable!

 

[Maybe More Good News]  I forgot to mention, that when this drive was functional, I had stored all of the Windows files and all of the Program Files on the C: Partition...and all of my Data Files were on the other D: Partition!  In other words, if I could only recover that D: Partition, I would have all of my files back from the last year and a half!!!  I hope that helps in some way!!!

 

Currently, the newly purchased empty eBay drive (which has all the same numbers as the original corrupt drive: ST950042AS, PN: 9HV144-286 & FW: 0003SDM1…even the numbers on the PCB stickers are identical!!!) is installed inside the ASUS computer.  The original drive (the one with the corrupt Boot Sector) is in an external enclosure and connected via USB and I think it is showing up in Midnight Commander as the /sr0 drive but I can’t be positive! Do I need to put it back inside the Asus before we proceed?

 

I also went to Tiger Direct and bought another 1 Terabyte Seagate SSHD that I thought about either installing as the main HD, once all of this is figured out…or I can just take it back for a refund, if we find that my drive can be saved, and then I’ll use the one from eBay as another backup (or vice versa), or as extra storage in an external enclosure. 

I know this is long, but…Thank You Soooo Much in advance for any help you can give me...I use this Asus computer for ALL of my work stuff and I am going to just be sick if y'all are unable to help me!!! Thanks again...Wendi




#2 JohnC_21


Posted 20 October 2014 - 06:18 PM

Boot Parted Magic in the XP computer. Attach the drive in the external enclosure. Double click Disk Health on the Desktop. Does it detect the external enclosure drive? If it does, do a short test.



#3 Wendi_W


Posted 21 October 2014 - 01:10 PM

Hi John...I have the Runtime CD loaded in the machine right now and the Corrupt Drive is still in the ext. encl...on the main screen of Runtime, it says: 

 

"Welcome to the Runtime.Org Live System. 

 

The folowing harddisk devices have currently been detected: 

 

sda     ATA ST9500420AS [489GB]

sdb     WD My Passport 0730 [733GB]

sdc     Lexar USB Flash Drive [32GB]

sdd     SPIF30x USB2SATA Bridge

 

If you plan to write disk images or save recovered data to disk (requires registration).

please define a storage partition before starting one of the tools."

 

I can put the Parted Magic disk back in and it will boot, but I'm so sorry to say...but I don't know what a "short test" is!?!?!  

 

Can you please explain a little further?  Or is there possibly one of those tests on the Runtime CD.  (The only reason I ask is because every time I change out the disk, the seek-arm on the corrupt drive in the ext. encl. starts looking for the Boot Sector and just keeps on going for about 2-3 minutes!  To me, this seems like it's hard on the drive, but if you'd rather me use Parted Magic, I can certainly change it out!!!)

 

Thank you so much for your effort!



#4 JohnC_21


Posted 21 October 2014 - 01:22 PM

Boot the Parted Magic disk. On the desktop is Disk Health. It could also be called Gsmartcontrol. Double click the icon and you should get the Gsmartcontrol window. Double click your drive shown in the main window. Select the Perform Tests tab and do the short test. Then press the view output button and post the results. I am not familiar enough with the Runtime CD. From what I can tell, it does have the GetDataBack program for both NTFS and FAT. Have you tried those? I also notice that Runtime sees the USB bridge but not the drive itself. Try the Parted Magic disk and see if Diskhealth can detect the drive.

 

Edit: You were not able to use the File Manager on the Runtime CD to see the contents of the disk?

 



Edited by JohnC_21, 21 October 2014 - 01:27 PM.


#5 Wendi_W


Posted 21 October 2014 - 10:20 PM

Hi John....unfortunately, when in Parted Magic, GSmartControl does NOT see the drive...BUT...when in Parted Magic and I open the File Manager Program and go to "Devices", and then click "Storage", it DOES show up as "SPIF30x USB2SATA Bridge". But...it won't give me the "SMART Data" on the drive!!! I guess that's bad news!

However, as I mentioned, when I was in the Runtime CD earlier today, it was showing up as "HD/USB Storage device via a BridgedATA Connection"! Also while in that environment, there was a program called DiskDigger, and it showed corruption from the very beginning of drive sectors...it's like the virus attacked ALL of the boot information, including the POST instructions!!!

As I mentioned, I do have this backup with the Recovery.DAT & Bootsect.BAK files. I also extracted some more of the Backup zip files and found a file called K52JC_WIN7.30 (any idea what that is?!?!?), a "Boot" Folder (that includes a bootmgr.exe.mui & memtest.exe.mui file, as well as a BOOTSTAT.DAT file & a BCD file w/ BCD.LOG1 & BCD.LOG2 & a BCD.txt file!) there's also a "Config.Msi" Folder (with a bunch of .rbf files in it!)

I don't know if any of this helps you or not.....but for me...it is a tiny bit comforting to think that somehow, someway one of these itsy bitsy files will be able to help put back the first 512kb on my drive so I can possibly get my data & programs back!!!!

#6 Wendi_W


Posted 22 October 2014 - 07:24 AM

[UPDATE] I also wanted to tell you that when I initially tried using chkdsk and fdisk, I had no idea what I was doing (pretty dumb of me to have been trying to use tools I didn't fully understand! If it was a chainsaw...I could have cut my hand off!!!!) At this point, I'm not sure if those tools could help the situation or not, but I felt the need to disclose my stupidity to you so you don't think those tools were not an option should you deem them useful or necessary!!!

#7 JohnC_21


Posted 22 October 2014 - 10:30 AM

If the drive is not detected using the enclosure and it was no longer detected in the computer it was in then that is bad news. I think at this point the only way to recover data would be through a professional recovery service. If you place the drive back in the computer from the enclosure, is it detected? You may want to try detaching and re-attaching the drive to the enclosure to see if it can then be detected.



#8 Wendi_W


Posted 22 October 2014 - 10:59 AM

So.....even with all of these "BOOT" files that I have....not even one of them can be reinstalled back on that drive somehow?

#9 JohnC_21


Posted 22 October 2014 - 12:17 PM

Because the disk is not detected, boot files would not make a difference. The drive should be detected by a linux disk with or without boot files. Only the USB bridge is detected, not the drive itself so it's either a problem with the enclosure which I doubt, or a malfunction of the drive, either internally or with the PCB of the drive.


Edited by JohnC_21, 22 October 2014 - 12:19 PM.


#10 Wendi_W


Posted 22 October 2014 - 02:58 PM

So...back to what I mentioned earlier about doing the restore of my backup and then swapping out the PCBs...do you think there's a chance that THAT might get it going again???

#11 JohnC_21


Posted 22 October 2014 - 03:22 PM

What did you use to create the backup file Recovery.DAT? As far as swapping out the PCB's, they would have to have the identical serial number on the PCB. I would only swap the PCB to see if the drive would be functional. If it was a PCB problem, then you would not need to restore the backup. You should be able to access the files on the drive.

 

I would not restore the backup to the drive with the problem. If you want to restore the backup Recovery.DAT, you could do it to the new drive without swapping the PCB's. You would just be looking at the older backup. Does the backup include the OS files or are you saying the backup is only of your data files?

 

What is the OS on the hard drive?


Edited by JohnC_21, 22 October 2014 - 03:22 PM.


#12 Wendi_W


Posted 22 October 2014 - 05:43 PM

HEY JOHN!!!!! I think I may have found the problem...and it WOULD have been caused by the AVG Driver Update Utility!!!!!!

On 8/28/14 at 14:15:10 I printed out a System Information list of all of the currently installed "System Driver" at some point during one of the updates...or maybe after it...I'm not sure...heck I'm not even sure if that wasn't the day that my computer BSOD'ed!!!!!

Anyway, after your last post...I continued my search for what might be wrong and came across a page listing all of the known drivers.....I'm sure you're familiar with http://www.carrona.org/dvrref.php#A

So, I started comparing my list of system drivers (which is just a paper printout...but it's 10 pages long) and in looking through to see if I had any rogue drivers, I found that almost ALL SYSTEM-CRITICAL DRIVERS are set to "Manual" & "Stopped"....even though most of them were actually set to NOT 'Accept Stop'!!!

Ones that it would HAVE TO HAVE to read that drive....but they would ONLY pertain to THAT drive right? So, like if the IDE SATA drive were set to "Manual" & "Stopped"....wouldn't that cause the exact issue I'm having?

If this could be the case.....is there a way to manually override those values? Or would the drive still be junk?

BTW, I can send you a PDF of this list, if you think it would help...or if you'd just like to investigate it yourself!?!?!?

#13 JohnC_21


Posted 22 October 2014 - 05:59 PM

I was not familiar with that site but thanks for bringing it to my attention. It's possible that the drive's OS had its drivers somehow stopped or corrupted but here is my thought.

 

If a linux disk could not detect the drive then Windows will not. Linux has the SATA and USB drivers needed to detect your drive. Have you tried replacing the hard drive into the computer it came out of then booting with a linux disk?

 

First, is the drive detected in BIOS and second is it detected by linux. Boot the PartedMagic disk and open a terminal. Type the following.

lsblk -o name,label,size,fstype,model

It should output every disk and partition.

 

For your reference, here are the standard services in Windows 7 and if they are set to manual or auto.
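The order of checks discussed in the posts above (is the drive detected at all, and only then do the MBR and NTFS boot sector matter) can be scripted for a live Linux session. This is an added example, not part of any post in the thread; it assumes 512-byte sectors and a classic MBR partition table, the function names are illustrative, and the sample image is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only triage of a block device
# or disk image. Assumes 512-byte sectors and an MBR partition table.

# Print COUNT bytes at byte OFFSET of FILE as a lowercase hex string.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Print the little-endian 32-bit integer stored at byte OFFSET of FILE.
le32_at() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -v -tu1)
    [ $# -eq 4 ] || { echo 0; return; }
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# Print one verdict for DEV:
#   NOT_DETECTED            no readable device node: drive, PCB or enclosure
#   UNREADABLE              node exists but sector 0 cannot be read
#   MBR_SIGNATURE_MISSING   sector 0 lacks the 55 AA boot signature
#   NO_NTFS_PARTITION       no type-0x07 entry in the partition table
#   NTFS_SIGNATURE_MISSING  a 0x07 partition lacks the "NTFS    " OEM ID
#   OK                      MBR and every NTFS boot sector look sane
triage_disk() {
    dev=$1
    [ -r "$dev" ] || { echo NOT_DETECTED; return 0; }
    sector0=$(hex_at "$dev" 0 512)
    [ ${#sector0} -eq 1024 ] || { echo UNREADABLE; return 0; }
    [ "$(hex_at "$dev" 510 2)" = "55aa" ] || { echo MBR_SIGNATURE_MISSING; return 0; }
    i=0; ntfs_seen=0
    while [ "$i" -lt 4 ]; do
        entry=$((446 + i * 16))          # partition table starts at byte 446
        if [ "$(hex_at "$dev" $((entry + 4)) 1)" = "07" ]; then
            ntfs_seen=1
            start=$(le32_at "$dev" $((entry + 8)))   # first sector (LBA)
            oem=$(hex_at "$dev" $((start * 512 + 3)) 8)
            [ "$oem" = "4e54465320202020" ] || { echo NTFS_SIGNATURE_MISSING; return 0; }
        fi
        i=$((i + 1))
    done
    if [ "$ntfs_seen" -eq 1 ]; then echo OK; else echo NO_NTFS_PARTITION; fi
}

# Build a constructed 8 KiB sample image: MBR with one NTFS entry at LBA 8.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=16 2>/dev/null
    printf '\007'     | dd of="$1" bs=1 seek=450  conv=notrunc 2>/dev/null  # type 0x07
    printf '\010'     | dd of="$1" bs=1 seek=454  conv=notrunc 2>/dev/null  # start LBA 8
    printf '\125\252' | dd of="$1" bs=1 seek=510  conv=notrunc 2>/dev/null  # 55 AA
    printf 'NTFS    ' | dd of="$1" bs=1 seek=4099 conv=notrunc 2>/dev/null  # OEM ID
}

# Triage the path given as the first argument, if any.
if [ $# -gt 0 ]; then
    triage_disk "$1"
fi
```

A NOT_DETECTED or UNREADABLE verdict means no boot file can help, because nothing can be written to a disk the kernel cannot read; only the later verdicts point at damage that software could have caused.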



#14 Wendi_W


Posted 22 October 2014 - 06:42 PM

Thanks for the link to Black Viper...I wasn't familiar with that!!!

When I had the corrupt drive in the ASUS machine it was NOT detected by Linux (I don't think...I was looking under 'Media' and 'Sources' in "File Systems" & "Mount"...nor did I see it in the machine's BIOS...but, again, I really didn't know what I was doing in Linux, nor how most of the programs worked or what the commands were to get any results out of it!

However...I will go ahead and change the drives back out and see if the command you gave me will bring up anything!

Also, think about this...as I mentioned, if I were to just restore last year's backup onto the new matched drive (the Only difference in them is the serial number) wouldn't the computer be running off of the drivers from the 'working' backup...which would stand to reason (maybe even more so if I added a slave jumper to it) that I should be able to see the partitions then????

Furthermore, if I also restored that backup onto the 1 TB drive and used it as the internal drive.... and then changed out the PCB's (so that way the ROM in the new PCB would match what the old one had on it)...couldn't that work!?!? Make any sense?!?!?

#15 JohnC_21


Posted 22 October 2014 - 06:55 PM

If you can keep from swapping PCB's I would because it can be tricky. I have never done it. If you can restore that backup to the new drive and it included the OS then that would be the way to go. What software was used for the backup?

 

If the drive you now have is not detected in BIOS then I would say the drive is dead but a PCB swap may work or it may not. "maybe even more so if I added a slave jumper to it" I am not sure I understand. Are you saying to add the drive that is not detected as a slave?

 

Are you saying you have 3 drives, two 500GB and one 1TB drive? If the two 500GB drives have an exact match for the PCB then swapping PCB's may work if the PCB is the issue.


Edited by JohnC_21, 22 October 2014 - 06:56 PM.




