Anyone know if data can be recovered from a crashed hard drive?

[Julie Marie]

Yes, we were both idiots and didn't have our data backed up and now we're paying for our stupidity. 

My hard drive crashed while loading in an updated version of Kaspersky's Anti-Virus.  Yes, the updated version of an anti virus program had a killer virus attached to it.  I've gotten around many viruses but this one was death.

I bought a new hard drive and loaded in Windows XP Pro.  I then tried to create a master-slave setup (I have SATA drives) but when I turned on the computer the virus infected the new hard drive too and I had to reformat the new one to get rid of it.  Like I said, this was a killer virus.

Julie's computer then crashed before I could get mine set up again and load her data onto mine.  Her's just crapped out.  I tried the same master-slave setup to see if I could get any data off the crashed hard drive but the computer couldn't see it.  I ran the repair function on the old drive through the Windows XP CD and ran chkdsk.  It came back that it had one or more unrepairable problems.

We are thinking about taking the drives to a local computer store (Micro Center) and seeing if they can extract the data.  Does anyone know if this could work?  Is there anything else I can try to get the data myself? 

Thanks in advance for any help.

Julie

[Miniar]

Local computer stores can tell you where the best bet is to go to get your data restored. It can cost you a fair bit though.
There are companies that specialize in data recovery.

[sd]

Put the drive in a plastic bag, then place it in the freezer for a bit.  Hook it back up and pray.
This works more times than people think.

If that fails, you have two options.
The first is find an identical drive on Ebay, and swap the boards. If that fails you can try swapping teh drive internals (minus platters of course). I knew a guy who used to do this in a garage and had decent results, though technically you need a clean room or you can't expect the drive to last long. If this fails though, you are pretty much hosed.

The alternative is a data recovery service. This is the more reliable method, however expect several hundred dollars for the charge.


Try the freezer first.

[Ellieka]

Find some one that has a linux system. they can mount the drive in it and extract quite a lot but If the drive is physically damaged its going to be tricky and expensive.

You can do as Miniar suggested. I have done it several times but your going to have a detailed list of the directories or files you want saved before you start because more times then not it's a one shot deal. If you have it done by a data recovery service its going to be very costly.

You can do it yourself but it is a very delicate process. One wrong slip can destroy the platters.

[stacyB]

The linux idea is not a bad approach, but you will need to be able to read NTFS partitions from the linux box. I am guessing the idea with this approach is that the virus will not migrate to the linux volume, but if its x86 code I wouldnt bet on it being a windows only type virus...

Since we are in the same geographical locale, I can suggest some local spots that can tackle this problem, but as has been pointed out, it wont be cheap. I would avoid MicroCenter or GeekSquad or any of those repair places as they will likely do more damage than good...

We often have to deal with the problem for our clients, we typically go directly to the pros like Drive Solutions, etc. Having a virus dormant on the disk is only an issue when trying to mount the drive as an OS recognize storage device... these places actually go down to the bit level to extract the data off the drive.

One more aside -- ignoring cost for a moment, its almost impossible to actually lose data from the platters even in the event of a hard crash. So the obvious moral is if you wanna save it, back it up...

but

...if you dont want it to be retrievable (recoverable by others), use an old fashion method like pencil and paper. 

[tekla]

So the obvious moral is if you wanna save it, back it up... but ...if you dont want it to be retrievable (recoverable by others), use an old fashion method

Yeah, when we switch out hard-drives at work, we take the old ones out and play with them and sledgehammers to ittsy-bittsy tiny pieces.

And yes, taking it to a pro to do is going to cost a couple hundred dollars.  I like using a remote storage deal, just for files and data, and leaving the programs, and only the programs on the machine itself. 

[Lily]

We had a virus on our laptop once that made the laptop not booting. A friend used linux to view the data and copied it to an external hard drive. I had to move the files into new folders in an administrator name cuz the files was protected from the previous account and wouldn't open otherwise with regular accounts. So if you can get into dos, then chances are very good you'll be able to retrieve your data. I wouldn't suggest operating on your hard drive tho.

[Julie Marie]

Put the drive in a plastic bag, then place it in the freezer for a bit.  Hook it back up and pray.
This works more times than people think.

Did the freezer thing with the one drive - no luck.  As far as the drive that's infected, I'm leaving that to the pros.  That virus I got from Kaspersky Anti Virus is death. 

How on earth can a company that sells software protecting you from viruses (KASPERSKY) allow a virus to infect their online upgrade?

Julie

[Ellieka]

Dem compooter bugs is tricksy like that.

The virus creators find all sorts of tricky ways to trick you into downloading them. Often once it downloaded it will first disable any atnivirus and firewall software then it starts munching on you private data and quite often makes your system part of a large Botnet to attack other systems.

I've seen several times where the victim is not to blame but rather the operating System publisher. Unpatched vulnerabilities  can allow an attacker access to your system without you ever doing anything to it.

Case in point: Take a new system and install Windows XP (prior to Service Pack 2) on it with no antivirus. Then connect it to the internet and just wait. With in hours the system will be compromised and infected.

[Julie Marie]

Seems on my drive (the one with the virus) the master boot record has been damaged.  Before that happened I was able to boot up but within a minute or so I'd get the blue screen saying that there was a problem with klif.sys, a file loaded in by the Kaspersky Anti-Virus program.

The other drive, the one I froze, seems to be gone.  It's about five years old.

Thank you all for your help.

Julie

[Sarah Louise]

DriveSavers (800-440-1904) has recovered damaged drives for me in the past.

Sarah L.

[fluffy jorgen]

In future, buy upgrades and Anti- viruses in computer shops, not online. It is not that they allow these viruses to be attached, it is that the viruses have found a way in without the company realizing. Report it to them?

Others have already given advice about recovering the hard drive. The freezer one seems a tad unethical but I will try it myself if worst comes to the worst.

[myles]

I sent mine to my brother he worked on it for a few weeks (yes weeks) when this happened and almost nothing was retrieved. The next step was to send it somewhere with more sophisticated equipment but I did not want to shell out $1000, through his work he had some basic recover stuff but not as advances as what someone like  DriveSavers have. Also I got my virus from a computer shop (it was in Cambodia though).
Myles

[Flan]

A quick and dirty fix for a non-hardware problem with WinXP is to do a "Repair" install using an install disc that doesn't re-image the hard drive, I'm not sure how effective it would be aginst a virus laden drive, but it beats calling a place like Kroll Ontrack. (cost wise)

[tekla]

What's the first rule of fight club?  Don't talk about fight club.

What's the first rule of computers?  Back up your work.
What's the second rule?  Back-up the backup.
What's the third rule?  Media is cheep,  So backup the backup of the backup.

[sd]

The dead drive can be saved by pros.

The non-dead could be fixed by slaving the drive and deleting the Kapersky file and then using a fix mbr command with a Windows disk.

[Julie Marie]

The dead drive can be saved by pros.

The non-dead could be fixed by slaving the drive and deleting the Kaspersky file and then using a fix mbr command with a Windows disk.

How do you slave a drive with SATA?  I bought a new SATA drive and loaded in Windows XP Pro.  Then I shutdown the computer and connected the infected drive.  It took a long time to load then when it tried to open Windows I got the blue screen.  After I disconnected the infected drive I tried to reboot the new drive but it too went to the blue screen.  It seemed the virus got onto the new drive.

I reformatted the new drive and reloaded Windows and it works fine but I'm afraid to connect the old drive again.  Is there a way to isolate the infected drive so it can't infect the new drive?

Julie

[Sandy]

How do you slave a drive with SATA?  I bought a new SATA drive and loaded in Windows XP Pro.  Then I shutdown the computer and connected the infected drive.  It took a long time to load then when it tried to open Windows I got the blue screen.  After I disconnected the infected drive I tried to reboot the new drive but it too went to the blue screen.  It seemed the virus got onto the new drive.

I reformatted the new drive and reloaded Windows and it works fine but I'm afraid to connect the old drive again.  Is there a way to isolate the infected drive so it can't infect the new drive?

Julie

<geekspeak>

Technically, you don't "slave" a drive using SATA the same way you would using IDE.  You specify in the bios the drive you wish to boot off of.  In this case it would be the freshly reformatted/reloaded windows drive.

You can connect the second / infested drive to either socket.  Just make sure to get to the bios prompt before it attempts to boot.

What "should" happen once the bios has been properly set is that the uninfested drive would boot into Windows and automatically mount the other drive as a secondary drive.

Once Windows boots, it will attempt to inspect the drive for an autostart file as if it were a CD.  You may notice a "Searching..." window pop up as it attempts to scan the drive.  You can cancel close this window.

If the infested drive has only had the MBR and Kaspersky file trashed, then it should mount correctly and be viewed through explorer.  You may then pull data at your leisure.

FOR THE LOVE OF GOD! DO NOT ATTEMPT TO START OR COPY ANY PROGRAMS THAT MAY RESIDE ON THE INFECTED DRIVE!!!

Data may be trashed by a belligerent virus and you may lose pictures, data files, excel spreadsheets, ...etc.  So inspect the data you find be prepared for the worst.

Once you have copied the data from the infested drive, then reformat it to protect yourself from future problems.

An additional way to mount the drive is to get an external SATA enclosure that is firewire or USB 2.0 connected.  That way you could mount/unmount the drive after the clean windows is booted and dismount it when you are done.  You could also keep the drive in a safe place for further recovery efforts.

</geekspeak>

-Sandy

[Susan]

Sometimes turning the old drive upside down will enable you to get the material off of it. But that doesn't always work. Also for bad mbr sometimes you can do fdisk /mbr but you do that at your own risk...

[Sandy]

Sometimes turning the old drive upside down will enable you to get the material off of it. But that doesn't always work.

Doesn't the data fall off? 

That is what the bit bucket is for.

-Sandy(old geekess)