Solved I Believe: Hacked HDD With Completely Hidden Files (Post 2)

January 17, 2014 at 22:27:06
Specs: Windows XP, Intel Quad/4096
Moderator note: This thread is a follow-up to pepanee's earlier thread

So I used a certain data recovery software to find files in my hard disks. This image shows the conclusion of the scan.

Those certain names under "Labels" seemed familiar; they look like Windows XP Installation CDs. Did a little bit of research to actually confirm that. So I used a certain HEX editor and scrolled down to those sectors. Some of those few sectors are empty, so I scrolled down and actually found words like: AMD64, DOCS, I386, ..., SVCPACK, SYSTEM32, etc, which ARE folder names from a Windows XP CD.
Those folders are sitting in a backup hard drive that I cannot view...

I set the option to view hidden files, I don't see them.

I have been defragging my hard disks regularly and doing a free space defrag (clearing out anything that is junk sitting in the hard disk that is not listed in the MBR).

So I find this very odd.

I'm going to recover one of those partitions if I could, yet why can't I view those partitions in Windows Explorer? How is this possible? How will I be able to delete these partitions that I do not want? Those 'CDs' are hidden on the hard disk. What virus is this?

Help would be much appreciated.

edited by moderator: As noted above and message edited by pepanee

January 17, 2014 at 22:57:54
I'd say the problem is with your recovery software, not your hard disk.

January 17, 2014 at 23:03:17
Well, I used a completely different program, from a different company to view the HEX of the hard disk at one of those sectors, scrolled a few sectors down and noticed those folder names, and actually found a lot of file names. ( *.dll, etc). Those are obviously not coincidentally there that never really want to delete themselves. I tried loading up the computer with Ubuntu, and still cannot view those hidden folders/files, or even hidden partitions; I can only view the only partition that I'm using.

To experts, how is this possible? Those partitions are existent, yet unviewable. How come?

January 17, 2014 at 23:23:02
The NTFS partition that Windows is installed on occupies the whole hard disk. So how is there room for all of those other partitions? The answer, I suspect, is that they are phantoms - artefacts of the recovery software. With a hex editor you see some file names; you're probably looking at a normal directory listing on your hard disk.

Have you examined the partition table with the hex editor? What does that tell you?

January 17, 2014 at 23:28:10
Recovery software will show files and folders that have been legitimately deleted. Since deleted files and folders aren't wiped it's not uncommon to find some references to them, especially if you look at the raw space with a hex editor.

The files you want to view may not be hidden, they're just not all there. They're probably just references to files or parts of files.

This 'hard drive that I cannot view', what is its history? Was it formatted to be used as a fresh drive? Did it crash? Why do you think a virus is involved?

January 17, 2014 at 23:28:34
Oh, I apologize for not mentioning this earlier. This is actually a backup disk that is intended for files that I put on there. It started up from scratch with nothing on it, and I put files on there, like documents, pictures, movies, etc. It is not the hard disk that has Windows XP installed on it. This hard disk was a physical addition to the desktop, completely separate from having a pre-existing Windows XP installation on it or anything. I installed Windows XP from a CD.

January 17, 2014 at 23:34:01
To daveincaps: This hard disk is new, never had Windows XP installed on it. It is used only for backup purposes. There is no reason for those files to exist on there.
Can you also recommend a really good program that would actually wipe out all this unnecessary data? Unlike the software that I have used, apparently.

January 17, 2014 at 23:35:03
Again, it depends on the history of that drive. If it was brand new just out of the box it should have just zeros in the data area. If it was used and then formatted a hex editor will find all kinds of stuff on it.

If it previously had an xp installation on it, well yeah, you install from the cd but the installation process copies what it needs from the cd and completes the install with the files it's copied. So there could very well be xp installation files on it. The same is true for the SP updates.

January 17, 2014 at 23:38:37
To dave: Okay, thanks for the information. I don't remember if this hard disk was used as a local disk (with Windows installed on it), yet I want to completely clear out all that unnecessary data. What can you recommend for me to use to clear all that, since I do not need it? Thanks for the help.

January 17, 2014 at 23:44:01
Once again, what does the partition table tell you? Recovery software looks for anything that might once have been a partition but it will come up with a lot of nonsense. The partition table tells you what partitions now exist on the disk. As the partitions you show add up to more than twice the size of the disk they can't all actually be there.

The labels you are showing are what I would expect from a disk pulled from a corporate computer. Are you sure that you bought it brand new, in sealed packaging, from the manufacturer or a reputable retailer? Or is it a "new" disk bought from eBay or similar?

January 17, 2014 at 23:45:29
Any software that writes zeros to the entire drive and is compatible with the drive would work. There may be a utility for that on the drive manufacturer's site. 'Killdisk' used to be popular but I've never used it. You can google it. Other wiping software should show up too. They still have a site and probably have software compatible with your drive.

There is something called 'low level formatting' which has come to mean 'zero fill' but technically it's not. Anyway, it's not advisable to do an actual low level format on the drive. So avoid that type of software unless you're sure it's really just a 'zero fill'.

January 17, 2014 at 23:49:43
Okay, so I'm understanding that after I recover the partition table, I can fix that somehow so I can actually clear out all that junk information that I don't need. What software can I use to view the partition table and then delete all that extra nonsense by replacing it all with zeros?

And this hard disk has been used only within this household. It's possible that it has been used as a main hard disk with Windows XP installed on it... yet we can keep the past as the past. I just want to wipe it completely clean with only the physical files that are on it and empty space for everything else.

January 17, 2014 at 23:59:18
Again, there is nothing to fix in the partition table as far as I can see. You can use your hex editor to examine it (it is located in sector 0). But I would avoid making any changes unless you really understand partition tables and how they work.

If you're worried about this phantom data then use one of the many available disk wiping programs and then partition and format the disk anew. (This will delete any data.)

Also, I would recommend that you forget about recovery software and hex editors. They can be useful tools in the hands of an expert, but you have to understand what they are telling you.

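The advice above is to read the partition table in sector 0 rather than trust what a recovery scan claims, and an earlier reply points out that partitions adding up to more than the disk cannot all exist. The following Python is an added example (not from anyone in this thread) that decodes the four MBR entries from a constructed 512-byte sector 0 and applies exactly those sanity checks (fits on the disk, no overlap, total size) to a constructed list of "recovered" partitions; the disk size and LBA values are made-up sample data.

```python
import struct

SECTOR = 512               # the MBR is sector 0, one sector long
ENTRY_FMT = "<B3xB3xII"    # boot flag, CHS (skipped), type, CHS (skipped), start LBA, sector count

def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty primary partition entries from a 512-byte sector 0."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype != 0:         # type 0 means the slot is unused
            entries.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                            "start_lba": start, "sectors": count})
    return entries

def check_partitions(entries: list, disk_sectors: int) -> list:
    """List reasons why a set of claimed partitions cannot all exist on this disk."""
    problems, spans = [], []
    for e in entries:
        end = e["start_lba"] + e["sectors"]
        if end > disk_sectors:
            problems.append(f"entry {e['index']} ends past the end of the disk")
        spans.append((e["start_lba"], end, e["index"]))
    max_end, max_idx = -1, None
    for start, end, idx in sorted(spans):   # overlap against the furthest end seen so far
        if start < max_end:
            problems.append(f"entries {max_idx} and {idx} overlap")
        if end > max_end:
            max_end, max_idx = end, idx
    if sum(e["sectors"] for e in entries) > disk_sectors:
        problems.append("partitions sum to more than the disk")
    return problems

def build_mbr(parts) -> bytes:
    """Construct a sample sector 0 (constructed test data, not read from a real disk)."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, boot, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

DISK_SECTORS = 39_070_080  # constructed ~20 GB disk
# A real sector 0 for that disk: one bootable NTFS (type 0x07) partition filling the disk.
REAL_MBR = build_mbr([(0x80, 0x07, 63, DISK_SECTORS - 63)])
# What a recovery scan might claim (constructed): the real partition plus two phantoms.
PHANTOM_CLAIMS = [{"index": 0, "start_lba": 63, "sectors": DISK_SECTORS - 63},
                  {"index": 1, "start_lba": 1_000_000, "sectors": 20_000_000},
                  {"index": 2, "start_lba": 38_000_000, "sectors": 30_000_000}]
```

Running `check_partitions(parse_mbr(REAL_MBR), DISK_SECTORS)` returns no problems, while the same check on `PHANTOM_CLAIMS` reports the overlaps, the entry past the end of the disk, and the impossible total; to try it on a real drive, read the first 512 bytes of the raw device (read-only) and pass them to `parse_mbr`.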
January 18, 2014 at 00:09:04
Here's an image of the first and second sectors:

What's with the serial number sitting there in that first sector? kinda odd...

I want to delete those corrupt partitions; I want to wipe that out; spring cleaning, you know?

January 18, 2014 at 00:38:14
As I mentioned in # 10, use a zero fill utility to wipe it. Here's a google search:

Here's killdisk:

There's going to be stuff outside the normal data area that won't be touched so don't be alarmed if your hex editor still shows something at the 'front' of the drive.

January 18, 2014 at 00:48:39
That sector looks familiar. I realize now that all this was comprehensively thrashed out in a previous thread. I'm not going through it again. Do as DAVE suggests and wipe your disk. And stop using hex editors - it will only end in tears.

January 18, 2014 at 15:56:17
Okay, so I did download Active Kill Disk and wiped out the hard disks, and now it doesn't show those 'Windows XP CDs' in the disks when I run that test (like shown in the first picture). Just to clear a certain confusion from earlier that was mentioned in this thread, those folders and the file names that I found are actually Windows XP CD file names, not from a Windows XP installation. (Since when I tried recovering one of those selections, it looked exactly like the folders and filenames in the Windows XP CD. Let's go more in depth: There was no "WINDOWS" folder, no "Documents And Settings" folder, no "Program Files" folder, etc, hence 'twas not a Windows XP installation sitting on the hard disk.) That's what made me suspicious about these last sectors in the hard disk.

I checked the disk in a HEX editor and scrolled around those last sectors; now it is all 00s.

Thanks for the help.

January 18, 2014 at 19:44:40
✔ Best Answer
You're welcome. I'm glad it worked out. As I mentioned above, XP copies the files from the cd to the hard drive and then does the bulk of the installation from those copied files. I don't know how those files would be organized but it makes some sense that they would be copied to the last part of the drive--out of the way of the area at the beginning of the drive where XP is going to be set up.
