|We had a customer bring in a PC infected with a rootkit, MBR virus, and a myriad of malware. After cleaning the drive, we found the data was totally inaccessible. Windows XP and Windows 7 both reported the drive type as RAW (drive was originally NTFS-Windows XP Home). |
Using a disk editor I looked at Sector 0 of the drive, as well as the first sector of the former NTFS partition. Both were gibberish. I tried fixmbr, fixboot, mbrfix, all the normal Windows tools. None of these worked. I tried several tools that claimed to be able to recover problems like this. None of them worked (including the one that ended up working).
In retrospect, probably any of the packaged (non-Windows) tools I tried (Partition Magic, Partition Tools, and other similar programs) would probably have worked had I tried this. All of these tools have a "partition recovery" feature. Running these natively wouldn't work - they all saw the RAW partition as a "real" partition. I presume for all they knew, the RAW partition was as it was supposed to be. These tools and wizards were built to recover deleted partitions and put them back like they were before they were deleted.
I was ready to format the drive and reinstall Windows, when I had a thought - what if I actually deleted the RAW partition? At this point, I had nothing to lose - I was gonna format it anyhow right? So I deleted the RAW partition. Afterward, I told the tool I was using (which happened to be Partition Tool free edition (http://partition-tool.com/personal.htm), but as I mentioned, most-likely Partition Manager or other similar tools would have done the same thing), to recover the deleted partition. I kind of expected it to put it back as a RAW partition. To my surprise (and utter delight) it recovered the partition as NTFS! All the user's data and programs were there, intact and working (which was good because he has some archaic programs on there that I don't think can be obtained anymore.)
I wouldn't probably recommend this as a first choice unless you know you have a good copy of your data. It worked for me when nothing else would. And I was ready to format/reinstall, so there was nothing to lose at this point.
Hope this helps someone.
CSI Computer Service