Twistacatz

Trashed partitions for no reason... help...


Okay this is kind of vague but this is really all I have.

On Monday at work at the end of the day I was online doing my thing as usual when all of a sudden a window pops up and says your computer is going to shut down in one minute, blah blah. Now I have seen this before on infected computers at school; I forgot the name of the virus but it was never a big deal. Well, upon restarting my computer I get the NO bootable OS error, so I take out the HD and go to the lab to see what's going on. Well, when I start up, the computer shows no partition. So I go into disk manager. Guess what? My HD is one huge unallocated piece of stinker. GREAT!

Skip to yesterday: I get home and the internet was running real crappy. I do all my routing through my server so I decide to go ahead and reset it. When everything comes back up, my huge 1TB partition does not show up. So I'm thinking something must be wrong with my array. When I look in the logs, no errors, nothing. I then go to diskmgmt: one huge unallocated block of nothing.

Now this has happened twice! Different computers, different stories, same outcome. I'm about to cry, I have no idea what's going on, ARS please help me.

FYI, my first computer was running 2k, all patched up with up-to-date anti-virus software, same with the server but it was running XP.

---

> Okay this is kind of vague but this is really all I have.
>
> On Monday at work at the end of the day I was online doing my thing as usual when all of a sudden a window pops up and says your computer is going to shut down in one minute, blah blah. Now I have seen this before on infected computers at school; I forgot the name of the virus but it was never a big deal. Well, upon restarting my computer I get the NO bootable OS error, so I take out the HD and go to the lab to see what's going on. Well, when I start up, the computer shows no partition. So I go into disk manager. Guess what? My HD is one huge unallocated piece of stinker. GREAT!
>
> Skip to yesterday: I get home and the internet was running real crappy. I do all my routing through my server so I decide to go ahead and reset it. When everything comes back up, my huge 1TB partition does not show up. So I'm thinking something must be wrong with my array. When I look in the logs, no errors, nothing. I then go to diskmgmt: one huge unallocated block of nothing.
>
> Now this has happened twice! Different computers, different stories, same outcome. I'm about to cry, I have no idea what's going on, ARS please help me.
>
> FYI, my first computer was running 2k, all patched up with up-to-date anti-virus software, same with the server but it was running XP.

Try this:

http://www.cgsecurity.org/index.html?testdisk.html

Tex

---

Thank you for responding. At this point I am doing a low-level format on all the drives so it's too late to use that. But I've seen it too many times and tried so many things I don't know how much that tool would help. Right now what I am really looking for is answers. If someone has ever heard of something like this or experienced it, please drop me some input. Thanks

---

Sounds like a virus that likes to overwrite partition tables - certainly not a new thing, but the polymorphism must be pretty good if it got past your virus scanners. Now you make me worry that I just turned Norton Auto Protect off to try a few things...

MY LARGER QUESTION - you say your 1Tera server also died. Were you running user application code on your server??? Bad practice, especially if the server is Windows. Now it is possible that you lost the original files off your system, and any backups that may have been on the server - both from the same infection. If a server is running Windows, isolate it as much as possible. Do NOT run code (games or anything else) that has not been tested and is secure. Or install the server as a Linux box, just so that a single virus can't wipe out all your data copies at once. Think paranoid...because they really ARE out to get you...

FS

---

> But I've seen it too many times and tried so many things I don't know how much that tool would help. Right now what I am really looking for is answers. If someone has ever heard of something like this or experienced it, please drop me some input. Thanks

I have experienced the same thing. That's why I linked the tool I did. In fact I used the tool I gave you on Tuesday of this week to fix the same problem.

It was the answer you wanted, not low-level formatting the drives. My fix takes 5 minutes. Sorry you didn't like the simple fix.

You tried "so many things I don't know how much that tool would help".

You have not tried the right tool.

Tex

Edited by Tex

---

> Sounds like a virus that likes to overwrite partition tables - certainly not a new thing, but the polymorphism must be pretty good if it got past your virus scanners. Now you make me worry that I just turned Norton Auto Protect off to try a few things...

That’s what it sounds like to me, but how the hell do I detect it. All of my computers have Norton with the latest updates. I cleared the CMOS in case it was a MB virus, I don’t know what else to do.

> MY LARGER QUESTION - you say your 1Tera server also died. Were you running user application code on your server??? Bad practice, especially if the server is Windows. Now it is possible that you lost the original files off your system, and any backups that may have been on the server - both from the same infection. If a server is running Windows, isolate it as much as possible. Do NOT run code (games or anything else) that has not been tested and is secure. Or install the server as a Linux box, just so that a single virus can't wipe out all your data copies at once. Think paranoid...because they really ARE out to get you...

The raid just has mp3's and movies, and other misc stuff like that. I'm sure all my files are cool. The only data I was running off of it was emule temp files.

Tex, I didn't mean to dismiss your solution man, it could have worked. But right now I’m past the lost data. I need to know what causes this and how to stop it. What have you found?

---

> The raid just has mp3's and movies, and other misc stuff like that. I'm sure all my files are cool. The only data I was running off of it was emule temp files.

I may be an old fart, but I don't consider ANY system running or accessed by P2P secure...

FS

---

> I may be an old fart, but I don't consider ANY system running or accessed by P2P secure...

The first computer it happened to was at my job. My computer at work is super locked down and I don't do much with it. Like I said, I need to know the real cause, and I'm not quite ready to blame it on eMule (an app that I have run for 4 years non-stop 24/7).

Edited by Twistacatz

---

P2P programs are one of the most surefire ways to install malware on a Windows machine. These apps are a malware writer's dream. I mean you have millions of people naively downloading random, foreign, untested binary code right through their firewalls past everything, and then they execute it of their own free will!

You really should try and avoid them.

I would say that it was only a matter of time. Incidentally, you have probably run a great deal of malicious codes. Most of the nastier stuff is by design unnoticeable.

---

If you are saying that not a single disk, file, CD, emailed attachment or thumb drive was ever shared between your work system and your home system - then I am stumped. The possibility of you getting hit by the same virus on two unconnected machines in the same week is pretty slim, especially as it hasn't seemed to have happened to anyone else on this board recently, or that you know (meaning there isn't a new outbreak that is sweeping the net).

With all of the wonderful diagnostic data that you have given us (no logs, hex dumps, etc.), your insistence that you "need to find the real cause" is almost ridiculous. From what, Sherlock? You destroyed the evidence when you formatted!!! Do you know that there is a guy on this board (one of several, actually) who is so tech that he can reverse engineer the control firmware and error correction code for dead drives, and posts his results here? But what can any of us tell you from...well, nothing, really.

And yes, most people on this board know emule. And YOU don't seem to know that modern worm writers can push code through most open P2P programs...the fact that it hasn't happened in 4 years means nothing other than someone has a new push method, or you finally got unlucky.

Just a few links of worms and P2P:

http://www.viruslist.com/en/virusesdescrib...53311928&page=1

http://www.wormblog.com/2005/03/a_first_look_at.html

You might notice that the SECOND worm on the first link propagates via edonkey networks, as do several others. If someone changes the payload to be a polymorphic partition-table destroying virus...you have your symptoms.

But if you are resolute that you have NEVER shared media or attachments between the systems, then all we can attribute it to would be sunspots (not active, I checked) or your magnetic personality.

FS

Edited by Future Shock

---

> If you are saying that not a single disk, file, CD, emailed attachment or thumb drive was ever shared between your work system and your home system - then I am stumped. The possibility of you getting hit by the same virus on two unconnected machines in the same week is pretty slim, especially as it hasn't seemed to have happened to anyone else on this board recently, or that you know (meaning there isn't a new outbreak that is sweeping the net).

I can say that I have shared some files between the computers which could have caused an infection.

> With all of the wonderful diagnostic data that you have given us (no logs, hex dumps, etc.), your insistence that you "need to find the real cause" is almost ridiculous. From what, Sherlock? You destroyed the evidence when you formatted!!! Do you know that there is a guy on this board (one of several, actually) who is so tech that he can reverse engineer the control firmware and error correction code for dead drives, and posts his results here? But what can any of us tell you from...well, nothing, really.

I feel what you're saying, but even if I had not started doing what I am doing now I wouldn't know what kind of information I could give you. Please let me know any information that would help, and I will tell you with the quickness.

> And yes, most people on this board know emule. And YOU don't seem to know that modern worm writers can push code through most open P2P programs...the fact that it hasn't happened in 4 years means nothing other than someone has a new push method, or you finally got unlucky.

When I asked you about eMule it was not meant to be sarcastic; a lot of people don't know about eMule and that's why I asked. I'm also pretty sure you can't push anything through most P2P clients. What the user can do is download the worm thinking it's another file and execute it, thus causing an infection. I'm almost positive that eMule does not push down anything malicious. And I'm very cautious about what I download and execute.

> Just a few links of worms and P2P:
>
> http://www.viruslist.com/en/virusesdescrib...53311928&page=1
>
> http://www.wormblog.com/2005/03/a_first_look_at.html
>
> You might notice that the SECOND worm on the first link propagates via edonkey networks, as do several others. If someone changes the payload to be a polymorphic partition-table destroying virus...you have your symptoms.

Thanks for the links, I checked them out and none of the symptoms match the problems that I am having. I guess someone could change one of the worms, but even so it should be documented somewhere, and I've been having this problem for a while. So even though this could be the cause I am almost positive it is not. But let's say it is: beyond Norton, what can I do?

I'm all ears, and your help and time is super appreciated, FS (and anyone else who can help).

---

> And yes, most people on this board know emule. And YOU don't seem to know that modern worm writers can push code through most open P2P programs...the fact that it hasn't happened in 4 years means nothing other than someone has a new push method, or you finally got unlucky.
>
> When I asked you about eMule it was not meant to be sarcastic; a lot of people don't know about eMule and that's why I asked. I'm also pretty sure you can't push anything through most P2P clients. What the user can do is download the worm thinking it's another file and execute it, thus causing an infection. I'm almost positive that eMule does not push down anything malicious. And I'm very cautious about what I download and execute.

I don't think you understand the security implications. I'm not talking about running an executable. If there is an exploit in a music player that you use, or an exploit in a library that the player links to, then any specially-engineered music file you play could execute code on your computer. The same is true for a video player and every one of its codecs. Do you remember the exploit in the Windows library responsible for *.gif files? There are tons of applications and libraries on your system, many of which are not designed with security in mind because they aren't exposed to the internet, but P2P programs expose these vulnerabilities to malicious coders by offering an avenue for specially engineered data files to be loaded into local memory.

Loading anything into memory on a Windows system can potentially result in malicious code being executed because Windows doesn't randomize memory addresses. Even the NX bit on high-end AMD and Intel processors combined with OS support doesn't protect against these attacks entirely.

Incidentally, Future Shock's main point was that, since you formatted the disks, all the information is gone, so you can't figure out what happened anymore. From your description however, it was clearly some sort of malware. Just be glad it was of the prank sort and not the for-profit sort.

---

Even if that's so, I need to know what it is. This process keeps happening over and over again. So in a month I will be right back to square one. So at the point when my HD is wiped again, what kind of information would you need to help?

---

> Even if that's so, I need to know what it is. This process keeps happening over and over again. So in a month I will be right back to square one. So at the point when my HD is wiped again, what kind of information would you need to help?

Wait, you mean this has happened before? It's happening regularly?

It still sounds to me like a security problem. Update Windows, run a firewall as well as malware scans, have a virus scan, and, most importantly, practice skeptical computing --you know the usual.

---

Some more detailed system stats may be helpful, especially what IDE controller you are using. Whatever the case, if you want to isolate the problem, DO NOT FORMAT ANYTHING. Also, if you want people to help, do not offend people.

I have heard of people who've had the Nvidia IDE drivers (on Nforce 4 anyway), possibly in relation to the Nvidia firewall kill the boot sector. Perhaps this is your problem?

---

When I get home I will give as much info as possible. But like I said before, this has happened on 3 different computers with all different parts. So I'm not so sure it’s a MB issue. I never meant to offend anyone I just said I did not think the solution someone had offered would help and someone took offence. But I AM VERY SORRY EVERYONE.

I tried testdisk and it was unable to find any partitions.

What kind of info would help?

Thank you everyone!

---

Okay so here is everything that has happened up to now: Since my first post, my 1TB raid has gone down twice more. My system disk that is in the same computer has had the same thing happen to it twice. My main computer, which I did not describe in the first post, had it happen to it soon after my other computers, and it has happened once more since then.

Like I described earlier, either one of two things will happen right before a failure. The first thing that could happen is, some of the directories will disappear or they will not open and an error something along the lines of "File or directory is corrupted and unreadable" will pop up. After a quick reboot everything will be gone; disk manager will show the hard drive or array as unallocated space. The second thing that can happen is I'll just come home and see my computer at the boot screen that says it cannot find an OS, which yields the same result: unallocated space on my HD.

Now the three different computers it happened on all have different hardware:

My Computer at work is a standard Compaq DeskPro EN.

My Server at home consists of:

Tyan Tiger S2468

2X1200MP AMD MP

6 x 200GB Seagate 7000.7

30GB Seagate HD

3Ware Escalade 7506-8

430W Antec True Power

2 x 256 2100 ECC DDR Crucial

ATI 7000

And nics and a USB/FireWire card.

WIN XP SP2

My Main box:

AMD 64 2800+

1 Gig DDR Crucial 3200

20GB Maxtor HD

6800 XFX

MSI K8T NEO-FSR

420W PSU (forgot the brand)

WIN XP SP2

I have Symantec Antivirus on all of these computers with the latest updates. (If everything is up to date, shouldn't my virus scanner pick something up if it was a virus or worm?) I have all the latest updates for Windows on all of these computers. I am using the Windows firewall with all the defaults. The computers will go bad at different times; it could really happen any day, there has been no consistency. To battle this problem I had to buy 3 external 200GB HDs which I use to do most of my backing up with, using Retrospect. I also image the computers every week so that when a failure occurs I can bring them back up without having to re-build them every time. And besides that I'm not really sure what else to do. Having to re-build the drives every month is starting to become a real chore and headache. All of the drives that have been infected have been rebuilt besides the one that I kept that was destroyed last week, in the hope that you guys might be able to help me diagnose the problem. If there is any information I can provide please let me know. As I said above I tried using Testdisk on the HD and was unsuccessful. Thanks in advance guys.
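Since the drive that was kept is the one piece of evidence left, and the thread keeps circling back to "what information would help", here is an added example of the first thing a helper would ask for: a dump and triage of sector 0, where the MBR partition table lives. This is not a tool any poster used and is not part of the original thread. It assumes a classic 512-byte MBR (no GPT) and that you have already copied the first sector of the affected drive to a file; the sample sectors at the bottom are constructed here for demonstration and do not come from a real disk. The verdict distinguishes a sector that is all zeros (wiped), one whose 55 AA boot signature is gone (overwritten), one with a valid signature but blank entries (what Disk Management shows as "unallocated"), and one whose entries are internally inconsistent.

```python
"""Triage sector 0 of a disk image: decode the classic MBR partition table and
say whether it looks intact, zeroed, or otherwise trashed.

Added example for this thread, not a tool from any poster. Assumes a classic
512-byte MBR (no GPT). Sample sectors below are constructed, not real disks."""
import struct
import sys

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR
ENTRY_FMT = "<B3xB3xII"       # status, CHS start(3), type, CHS end(3), LBA start, sector count

# Partition type IDs sufficient for a triage verdict.
TYPE_NAMES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux"}

# Verdict strings returned by parse_mbr().
V_ZEROED = "sector zeroed"            # every byte 0x00: wiped, not merely unformatted
V_NO_SIG = "boot signature missing"   # 55 AA gone: sector overwritten or not an MBR
V_EMPTY = "table empty"               # signature present, all four entries blank
V_BAD = "table corrupt"               # an entry has a type but no size, or ranges overlap
V_OK = "partition table present"


def _overlaps(used):
    """True if any two used entries claim the same LBA range."""
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))


def parse_mbr(sector: bytes) -> dict:
    """Decode the first 512 bytes of a drive and classify its partition table."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    sector = sector[:SECTOR_SIZE]
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "type_name": "empty" if ptype == 0 else TYPE_NAMES.get(ptype, "other"),
                        "lba_start": lba_start, "sectors": count,
                        "size_mib": count * SECTOR_SIZE // (1024 * 1024)})
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    used = [e for e in entries if e["type"] != 0]
    if not any(sector):
        verdict = V_ZEROED
    elif not signature_ok:
        verdict = V_NO_SIG
    elif not used:
        verdict = V_EMPTY
    elif any(e["sectors"] == 0 for e in used) or _overlaps(used):
        verdict = V_BAD
    else:
        verdict = V_OK
    return {"signature_ok": signature_ok, "entries": entries, "verdict": verdict}


def hex_table(sector: bytes) -> str:
    """The 64 table bytes plus signature as hex, one entry per line: this is the
    'hex dump' a helper would ask for, and it contains no file data."""
    lines = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        lines.append("entry %d: %s" % (i, " ".join("%02x" % b for b in sector[off:off + 16])))
    lines.append("signature: %s" % " ".join("%02x" % b for b in sector[510:512]))
    return "\n".join(lines)


def make_sample_mbr(entries, signature=True) -> bytes:
    """Build a constructed sector for testing; entries are (status, type, lba_start, sectors)."""
    sector = bytearray(SECTOR_SIZE)
    for i, (status, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i, status, ptype, lba_start, count)
    if signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a healthy 1 GiB bootable NTFS layout, a wiped sector, a lost signature.
SAMPLE_OK = make_sample_mbr([(0x80, 0x07, 63, 2_097_152)])
SAMPLE_ZEROED = bytes(SECTOR_SIZE)
SAMPLE_NO_SIG = make_sample_mbr([(0x80, 0x07, 63, 2_097_152)], signature=False)


def report(sector: bytes) -> str:
    """Human-readable verdict, decoded entries, and the raw table bytes."""
    info = parse_mbr(sector)
    lines = ["verdict: " + info["verdict"]]
    for e in info["entries"]:
        if e["type"]:
            lines.append("  #%d %s type=0x%02X start=%d size=%d MiB%s" % (
                e["index"], e["type_name"], e["type"], e["lba_start"], e["size_mib"],
                " (boot)" if e["bootable"] else ""))
    lines.append(hex_table(sector))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python mbr_triage.py sector0.bin   (no argument runs the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read(SECTOR_SIZE)))
    else:
        for name, s in (("healthy", SAMPLE_OK), ("zeroed", SAMPLE_ZEROED), ("no signature", SAMPLE_NO_SIG)):
            print("== %s ==\n%s\n" % (name, report(s)))
```

The point of the design is that the verdict plus the 66 table bytes is enough for someone else to reason about the failure without any of the drive's contents: a zeroed sector and a sector with a valid signature but blank entries both show up as "unallocated" in Disk Management, yet they point at different causes, and neither can be told apart once the drive has been low-level formatted. Capture sector 0 (and ideally the first few megabytes) before running any repair or format, keep the image somewhere not attached to the suspect machine, and post the hex lines rather than a screenshot.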

---

If possible, try another controller, other cables and maybe another PSU. I've had similar problems in the past. One time my PSU was overloaded and often made some of the drives disconnect, which on a few occasions trashed the file table. More recently I've had the partition tables on four drives regularly crapping out. They were all connected to the same controller, and another controller seems to have helped. I've also heard of faulty cables causing the file table to be damaged in some cases.

I know the probability of these things happening to both your home and work computers at almost the same time is extremely small... but nevertheless it might be worth a shot.

Finally... whenever it happens, you should try a restore program to restore the contents of the disk. I've had good experiences with "Restorer2000" and "GetDataBack for NTFS", but they both require another hard drive to restore to. It might even work after a format (although I'm not sure now that you've low-level formatted the drive).

Good luck

/Martin

---

I just read your last post. Sounds more like a malware problem. Maybe one or more of the programs you usually install is infected by malware. Try moving all of it to a drive you can disconnect before reinstalling Windows. You should even disconnect all other computers on the network (and the computer itself until a firewall is up and running). After that you should only install from original CD/DVD or download again (and ONLY from trusted sources, like the company website). Before reconnecting everything again, you should make sure to have fully updated anti-virus and a properly configured firewall installed. Use that computer to scan everything on the devices you disconnected.

You could also try the first suggestions I made - just to be sure.
