Computer Repair E239
Virus Attack
The computer arrived with a failed Windows 98 upgrade in evidence.
The owner had decided at long last to back up his work over which
many years had been expended. The choice of backup medium was
a new CD Rewriter and it had been decided to first upgrade from
Windows 95 to 98. When things started to go wrong the computer
was brought to me, now a not uncommon occurrence. Trying to do
a SETUP from the Windows 98 CD was not easy as the motherboard
BIOS did not permit boot up from a CD, and this proved awkward,
as the stage at which the failure had occurred was already past
the point where the CD MSCDEX is deleted from AUTOEXEC.BAT. Not
too much of a problem you may think. Just resurrect the REM'd
out line and Bob's your uncle. Not so, this was an old CDROM with
a special sound card interface. These usually, but not always,
transfer across from Win3.1 to Win95 but in my experience rarely
travel well from Win95 to Win98. In this case the CDROM was lost,
so access to the Win98 disk was also lost. One option was to install
the new CD Rewriter but of course this would need to be done in
MSDOS as Win98 wasn't up and running and Win95 had bitten the
dust. Suddenly, after one flash of the Win98 boot screen, at which
the customer got very excited, the computer rebooted and moments
later, across the screen was displayed the message, "INSERT
BOOT DISK". At first sight, not too serious and after a few
moments I inserted a Win98 boot disk but after running FDISK,
on a hunch, was rewarded by the information that there was no
partition on the hard drive.
At this point I was more than a little concerned. The computer
used two drives, one an old 130Mbyte Seagate drive and the other
a newish 4.3Gbyte device of the same make. The small drive had
very little information on it and hadn't been used as a boot drive;
the larger was the main drive containing two FAT16 partitions
of roughly equal sizes and one of these was the partition from
which the computer booted.
Looking in the computer BIOS I found that the two drives were
correctly identified in the Hard Drive Identification section
of the CMOS and all through the exercise this worked properly,
never misidentifying the two drives.
I asked the customer if it was possible that a virus could have
been responsible for what had happened and found that yes, indeed
it was, as he was sure his machine had at least one virus. One
was a version of KAK and a message would appear during boot up
warning of impending trouble. The message read "Not yet!"
At this point I was faced with two alternatives. Give up on the
existing data and repartition and reformat the drive, install
a fresh copy of Windows 98 and tell the customer to back up his
data in future and of course all his work was lost. Option two
was to do nothing detrimental to the 4.3G drive. This means do
nothing other than to try and read from it and look for some software,
which would recover the lost data. Searching the Internet turned
up the firm that markets "Partition Magic" and a product
called "Lost & Found". A description of the product
indicated it was likely to do what was necessary so I downloaded
a trial, non-functional copy.
When I tried the program it identified the two drives. The good
drive was found correctly as a Seagate 130Mbyte but the other,
it said, had a capacity of 131Mbyte having 1000 cylinders, 15
heads and 17 sectors. An E-Mail to Powerquest indicated that their
program would not work if the drive information was wrong. Wondering
what to do next I decided to run a diagnostic. I had a copy of
a Maxtor diagnostic which ran and identified the drive similarly,
but this time with lots of detail: Type WT74721A, S/No T687575,
Firmware 7.51, Cylinders 9918, Heads 15, Sectors 1087. A lot of
detail but nothing like the correct information for a Seagate
4.3G drive. Next I tried a number of Seagate programs accumulated
over the past few years from purchases of their products. None
of these proved to be of any use. Next I tried a program called
"Drivepro", which I bought several years ago. This ran
and automatically extracted some data, 477.2Mbyte, 255 Heads,
583 Cylinders, and 63 Sectors. I then selected "Extract lost
info" and it revised this to 63 Heads, 3655 Cylinders and
63 Sectors and additionally offered the advice that a virus was
probably responsible for cross-linking the master boot area information
and suggested running the MBR option. Running the "Drivepro"
MBR option offered to replace the MBR, without destroying any
data held on the drive. Two options were given: to use FDISK or
a special "Micro House" MBR. The FDISK version didn't
work so I tried the MH MBR. This appeared to do something but
to my dismay an error message was then displayed. Exiting from
the program, I again tried Lost & Found. Much to my surprise
the program correctly identified the 4.3G drive and after further
analysis, and half an hour later, the program displayed a list
of potentially recoverable files. These included not only all
the working files on the two lost partitions but also lots of
deleted files accumulated over the life of the hard drive.
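The FDISK report of no partition and Drivepro's diagnosis both concern the master boot record held in the drive's first sector. As an added example (not part of the original article, and not a description of how Drivepro or Lost & Found work internally), this Python decodes a copy of that 512-byte sector without writing anything and reports what the partition table contains; the sample sectors, their sizes and the helper names are constructed for illustration.

```python
import struct

TABLE_OFFSET, ENTRY_SIZE = 446, 16   # four 16-byte entries follow the boot code
TYPES = {0x05: "extended", 0x06: "FAT16", 0x0B: "FAT32", 0x0E: "FAT16 (LBA)"}

def parse_mbr(sector):
    """Decode an MBR sector read-only; return (partitions, findings)."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    parts, findings = [], []
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature 55 AA missing")
    for i in range(4):
        raw = sector[TABLE_OFFSET + i * ENTRY_SIZE:TABLE_OFFSET + (i + 1) * ENTRY_SIZE]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue                          # unused slot
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte {status:#04x}")
        parts.append({"slot": i, "active": status == 0x80,
                      "type": TYPES.get(ptype, f"{ptype:#04x}"),
                      "start": start, "sectors": count,
                      "mib": count * 512 // 2**20})
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            findings.append(f"entries {a['slot']} and {b['slot']} overlap")
    if not parts:
        findings.append("partition table empty")
    return parts, findings

def build_sample(entries, signature=b"\x55\xaa"):
    """Constructed test sector: zeroed boot code plus the given table entries."""
    sector = bytearray(512)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, start, count)
    sector[510:512] = signature
    return bytes(sector)

# Constructed layout: two FAT16 partitions of just under 2 GiB each.
HEALTHY = build_sample([(0x80, 0x06, 63, 4192902), (0x00, 0x06, 4192965, 4192965)])
# Constructed damage: partition table wiped, signature left intact.
WIPED = build_sample([])

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("wiped", WIPED)):
        parts, findings = parse_mbr(sector)
        print(name, parts, findings or "no findings")
```

An empty table with the signature still present is the condition under which FDISK lists no partitions even though the file data further into the drive has not been touched.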
A working copy of Lost & Found was duly purchased and this
was run. Naturally, one of the requirements was a medium onto
which recovered files could be written. As the missing quantity
of data was around 2Gbyte I decided to use a spare 6.4Gbyte hard
drive, and as I wished to test the accuracy of the recovered files,
I decided to use a working version of Windows 98 for this purpose.
Two things were necessary. First I needed a partition into which
to install the operating system and secondly a clean partition
into which to drop the recovered files. This is necessary as the
desired end result was a clone of the original data and this could
not be mixed up with the operating system or general data of the
computer. After some experimentation I found that I had to make
all the partitions FAT16, this being the same as the original
4.3G drive. Using FAT32 for the destination drive resulted in
error messages, which led me to believe that things would go wrong.
In fact not only did error messages result but also many files
were corrupted in the operating system partition, showing up when
I ran SCANDISK. After renewing the corrupted Windows system files
with SFC and arranging three partitions on the destination drive
with Partition Magic, to be FAT16 and about 2Gbyte each, I ran
Lost & Found again. This time all went well and the recovered
files were written onto the second partition (Drive D). The files
had been retrieved in DOS mode and showed the usual truncated
form; however, Lost & Found had created a data record for all
the recovered files having their full filenames. Just to be safe,
before proceeding, I first copied the contents of Drive D onto
the third partition (Drive E) before running the "Lost &
Found Refresh" program on Drive D which restored the filenames
to the standard long versions used in Windows 98. Running Word
2000 and Adobe PhotoShop showed that all the recovered files were
intact and the customer's years of work were ready for backing
up! You can only imagine the relief!
After I'd installed the new CD Rewriter and "Nero Burn",
the application that came with the drive, I selected and copied
all the important data and this is now held on a CD. The amount
of data came to 600Mbyte, a valid reason why the owner had been
reluctant to back it up on floppies!