
HD boot error, need help to recover data

Status
Not open for further replies.

byebyedata

Technical User
Jul 23, 2013
US
Here is the full story.

Somehow my PayPal was breached and two things were purchased on eBay. I assumed this was due to some malware or virus I acquired. I noticed on the computer that I was unable to go to Google or eBay and that Excel files would not open without giving some macro error. I ran Malwarebytes and it found a bunch of things; I don't recall what, and now the log files are corrupted and make no sense when I open the text file. My files were still available and I could access and open them as far as I looked, as I was dealing with the other parts of this issue.

The system is Windows XP Pro 64 bit and has a 1TB SATA drive with two partitions, a 500GB SATA drive with a single partition, and a 160GB IDE drive with a single partition. The OS is on the first partition of the 1TB drive.

I installed Eset Nod32 and set it to run on all drives and left it overnight. I woke up and it seems to have rebooted and now said BOOTMGR missing. I ran bootcfg /list and it said there was no boot.ini. I did a bootcfg /rebuild to make a new one. That did not solve the issue. I ran fixboot then ran fixmbr. Once it had the new boot.ini I then got ntldr missing so I replaced that and then ntdetect.com when it said it was missing. Then it said Hal.dll was missing or corrupt. Replaced Hal.dll in both system32 and syswow64 and it still persists with missing Hal.dll.

But the biggest problem is that somehow between running the AV and doing the above all my files on the 500GB and second partition on the 1TB are gone, along with what looks like only the My Documents files on the first partition, but other folders in C:\ are still there, and mostly My Documents in the 160GB and perhaps others are gone. These files appear gone in the recovery console, in a PE that I used from Hiren's Boot CD, and when putting the drives in another computer.

At this point I am not as concerned with it booting, I can reformat if needed, I just need to get my data back. It would be nice to know how to fix this issue but my data is of paramount importance. Having done any and all of the above procedures on different computers over the years I have never had any drive show as completely blank or show missing files from particular locations.

How or what caused my data to get lost? More importantly how would I best go about getting it back as I hope that it is not truly gone. Is it an MBR issue, a partition table, virus or what would cause this and how to fix it? What software would you recommend for this situation?

Any help you can give to help resolve this issue is greatly appreciated.
 
Easeus: I've had good results from both the freeware versions of data and partition recovery from here. Also, others on here say that Getdataback is good, but I have never tried it.
 
Thanks for the suggestions I will look at them.

Am I right to think that data recovery is the only solution at this point, or is there some easier fix for the issue?
 
Is there any harm in hooking the bad drives up to another computer and running the recovery software?


I read that many of the software say they are not destructive to the drive. Is that true or is there some writing, etc. to the drive that occurs during the recovery process that the software uses that further corrupts the drive?

I do not have other hard drives that are big enough to image them to so I would need to go get some. However, I do have another computer that has enough space on its drive for the 500GB. Can I make an image of the drive and put it on that computer and run the recovery software on the image file? Or does the software only work on a physical drive and not an image file of the drive?


Thanks
 
Nope, that is the preferred method. And it will only work on the original drive as far as partition recovery goes; I never tried it on the file recovery. If it was a bit-for-bit copy, it should work, but from just a standard image I'm not sure.
 
I connected the 1TB and ran Ontrack Easy Recovery on the 2nd partition, which just had data on it. While scanning, the dialog box said it had found files but when it finished there was nothing. I do not know if I have some settings wrong or why that occurred. So I decided to try Easeus Data Recovery Wizard on that 2nd partition. It found the files fine with names and directory structure correct. As far as I can tell it got most everything.

So then I connected the 500GB drive, which was also only data, ran Easeus, and it worked well again. Finding files with names and directory structure.

The problem lies in the scan of the 1st partition of the 1TB where the OS resided. The Easeus scan marks files as lost or deleted. What it shows for the files that I recovered from the 500GB and the 2nd partition were lost files. On the 1st partition the scan turned up most things but they were marked as deleted. It could not get the directory structure and many files were only found RAW. As I cannot remember the complete directory structure I am unsure it got everything.

I mainly am concerned about the My Doc's, as you could imagine, because for some reason it seems to get things that were not in that particular folder much better. Why would that partition be any worse than the other two. Should I try another program to see if it can do a better job on that partition? What other techniques would you employ on the OS partition?

Thanks again, I appreciate it
 
You can try to recover the partition. I tried it once on a laptop hard drive from a rental store, and recovered 13 past partitions, and was able to recover back to the 7th, and restore it to a booting system, and then I could go in and look at the files, which I might add, scared the crap out of me, and how easy it would be for someone to steal data from a formatted but not secure-erased hard drive. The HDD might be weak or damaged. Were you running any encryption on the OS partition? Although Getdataback is a paid package, it does allow you to run a free scan to see if it will be able to recover what you want.
 
I don't fully understand why there are so many partitions like that, I was choosing the first one when I used the manually select option and 3 others, as 4 was the limit. The older ones did not seem to yield any additional data that the main 1st one did not have.

The hard drives are as far as I can tell in fine physical shape as there were no preceding signs only the original event that I mentioned. No encryption software was used. As I said originally the files were all there before I ran the Nod32 scan and it did not reboot so I am speculating that there was some sort of virus header or something tagged on all My Doc's files that Nod32 then erased, but that is obviously a wild guess.

Right now I am running a scan and making an image with r-studio, if that does yield better results I will try the getdataback as you suggested. I hope that one can get my My Doc's back as it was so that I do not have to construct from raw data.
 
Using r-studio I got a better directory structure in the My Documents folder. Most things are there and I think the others are in the raw files.

Even before this occurred, after I ran Malwarebytes and let it do its thing, I could not open the Excel files. The same problem exists in addition to other types of files being corrupt but with proper names and reasonable file sizes.

Are there any recommendations for software to repair corrupt files, mainly Excel, Word, PDF, JPEG, Publisher?

As it seems different software gives rather different results I will next try the getdataback after some work on trying to repair the corruption in the files.
 
Having tried a few different softwares I am getting the general idea that most of my data on C: is corrupted or the file types I mentioned above. They all seem to see what is there; it is just that what is there, once recovered, is not usable. As such I don't see there being any other software that somehow finds a non-corrupt version.

I am trying to piece together in my mind where the corruption could have occurred. I know before the crash but after Malwarebytes I was unable to open excel files but I did not check the other types as I probably should have.

I think I am going to concentrate my efforts now on trying to figure how to un-corrupt the files if that is all possible. I am not against hex editing if there is a way to fix them. Then rebuilding the files from the locations that were good.

So are there any suggestions about fixing corrupt files? Most are beyond the standard software available that claims it will fix corrupt files. Looking at the Excel files they have OLE header and OLE header structure corruption and I can imagine the same goes for the other MS Office types. Not sure what is wrong with the PDFs, TXT or JPGs.

Any thoughts on this next part of the puzzle?

Thanks again.
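
A header triage for recovered files, added here as an example (it is not from the thread or from any of the tools named in it): it checks the fixed OLE2 header fields of legacy Office files, the PDF signature and `%%EOF` trailer, and the JPEG start and end markers. The sample byte strings and file names are constructed, and plain TXT files are skipped because they carry no signature to test.

```python
import os
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file signature

def check_ole(data):
    """Validate fixed header fields of a legacy .xls/.doc/.pub file."""
    if len(data) < 512:
        return "truncated header"
    if data[:8] != OLE_MAGIC:
        return "bad signature"
    # Offsets 26..33: major version, byte-order mark, sector shift, mini shift
    major, bom, shift, mini = struct.unpack_from("<HHHH", data, 26)
    if bom != 0xFFFE:
        return "bad byte-order mark"
    if (major, shift) not in ((3, 9), (4, 12)):
        return "bad version/sector size"
    return "ok" if mini == 6 else "bad mini-sector size"

def check_pdf(data):
    if not data.startswith(b"%PDF-"):
        return "bad signature"
    return "ok" if b"%%EOF" in data[-1024:] else "missing %%EOF trailer"

def check_jpeg(data):
    if data[:3] != b"\xff\xd8\xff":
        return "bad signature"
    return "ok" if data.rfind(b"\xff\xd9") > 0 else "missing end-of-image marker"

CHECKS = {".xls": check_ole, ".doc": check_ole, ".pub": check_ole,
          ".pdf": check_pdf, ".jpg": check_jpeg, ".jpeg": check_jpeg}

def triage(name, data):
    """Return a verdict for one recovered file, chosen by its extension."""
    check = CHECKS.get(os.path.splitext(name)[1].lower())
    return check(data) if check else "no check for this type"

def sample_ole(sector_shift=9):
    """Constructed 512-byte OLE2 header (version 3) for demonstration."""
    fields = struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, sector_shift, 6)
    return (OLE_MAGIC + bytes(16) + fields).ljust(512, b"\0")

SAMPLES = {  # constructed inputs, not real recovered data
    "budget.xls": sample_ole(),
    "zeroed.xls": bytes(512),
    "mangled.xls": sample_ole(sector_shift=0x4141),
    "scan.pdf": b"%PDF-1.4\n1 0 obj\nendobj\n%%EOF\n",
    "cut.pdf": b"%PDF-1.4\n1 0 obj",
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(20) + b"\xff\xd9",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {triage(name, data)}")
```

Run it against the recovered copies or a mounted image, not the source drive; an "ok" verdict means only that the header fields are intact, not that the body of the file is.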
 
I had a similar problem, but I did not format a disk wanted to break it apart and all the information left. It was mostly important documents, so I had to restore them. After a long search for a solution on the Internet I found a program, Hetman Recovery. I am not an expert in computers, but the light interface of the program helped me to find and recover documents very easily. Also, as my hard drive didn't work in the normal way, this software loaded these files onto a USB drive. You can find this software at this link. Good luck.
 
Doing trial and error on different recovery software could lead you to permanent data loss. In your case you might try to consult a professional data recovery service provider which could help point you in the right direction to recover your important data from your hard drive. There are plenty of those data recovery services on the web like werecoverdata.com who offer no charges if they were unable to help you recover your data. Good luck.
 