I have two computers networked, both running Win98. First computer started
having problems, so I ran my Norton AV (corporate edition) live update, then
scanned. Sure enough it found a virus, the virus name eludes me now, seems
like it was something like w32.kbot@mm.

Anyways, I disconnected the network and continued working for a few minutes,
and I got a blue screen, which is very rare. I pressed "enter" until the
puter finally restarted. As it was restarting it blue screened several more
times, and finally came up "No Operating System Present" I put in my boot
disk, restarted and now can't access any files on the "C" drive, it says it
is not partitioned for fat 32.

I have software that can recover the data from the defunct drive, but what
I'd really like to do is correct the problem and have my drive function
properly again. Actually I'd like to get two drives back as the second
puter even though it scanned virus free, the first time it was restarted the
same problem occurred.

Any direction is greatly appreciated,

Ray

"Ray Carr" <raycarr@valornet.com> wrote:

From the rest of your post, the virus incident and what happened to your drive,
next, is purely coincidental.

From the progressive nature of how the problem evolved, I suspect that the drive
is developing bad sectors and in the process of dying.

Data recovery software is for use on drive that are in perfect technical
condition, with just logical errors. If the drive is dying, as I suspect, then
the cheapest and safest way to recover your data is by cloning the drive with no
delay and work on the clone, not on the bad drive. Time is critical in case the
drive needs cloning, as access may be lost before you can complete anything at
all.

Download RESQ.EXE from http://invircible.com/resq.php, and prepare the RESQ boot
floppy as instructed in the program's welcome message. Boot the PC with the
problem drive in it from the RESQ floppy, and when at the A: prompt, run
RESQDISK /ASSESS. If the problem drive is #2, then add /2 to the command line.
Post the text report file (a:resqdisk.rpt) here, and I'll tell you what your
problem is, and how to fix it.

In case cloning is required, you'll find CloneDisk on the same page as RESQ.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com support@resq.co.il
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!

On Thu, 03 Jul 2003 18:44:06 +0300, Zvi Netiv <zvi@invircible.com> wrote:

snip

Given that it's happened to two seperate computers, I doubt it's hardware.
Most likely, the virus payload activated, and wiped the cmos settings, and
possibly the hard drive. There may well have been more then just the
kbot worm.

Ray, Boot from a floppy, and try fdisk /status, to see if it can see
the hard drive. Does it show a partition table at all?

Regards, Dave Hodgins

Dave, when I try to run fdisk it returns "No Fixed Disk Present", when I run
scandisk, it is scanning only a very, very small portion of the hard drive,
as soon as scandisk opens it is completed. Then when you do a full scan of
the disk surface it takes about 2 seconds, and finds no errors.

All my data still remains, I have checked it's integrety using recovery
software, and I'm pretty sure the way this has panned out, that there have
been settings changed by a virus, though maybe not the virus I found.

Thanks for responding, any other suggestions?

Ray



"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message
newsprrqwz5nczpegei@nntp...

On Thu, 3 Jul 2003 13:48:19 -0500, Ray Carr <nospam@spamsucks.com> wrote:

Is that with the /status switch?

Are you loading a ramdrive via your boot floppy, then using "scandisk c:"?
They scan real fast<G>!

Which recovery software? It sounds like it must be bypassing the bios, and
acessing the hd controller directly. If all of the data is there, you're in
luck! Failing to access a good hd via the bios, that is accessible via direct
controller access, suggests to me, that all that's been wiped is your cmos
settings.

Have you checked the cmos settings for the hd (via the bios setup program)?
If present, are the hd setttings correct?

Regards, Dave Hodgins

Dave, thanks again,

"No Fixed Disk Present", when I run scandisk with the /status switch.

The recovery software is GetDataBack for Fat, v2.18, from Runtime Software.
It shows the defunct hard drive in 2 partitions, 1st "Unknown" 2nd Fat32
LBA. I did not have this drive set up in 2 partitions to the best of my
knowledge.

I have not checked my cmos settings, I wouldn't know where to begin, or
what settings were correct.

I have installed a different hard drive on the first puter, it is now
running with
no problems. The new drive is jumpered as a master, the old defunct one is
jumpered as a slave. I'm guessing the cmos settings must be ok if the new
drive works.?.? I still can't access the old drive through windows or dos,
and I even tried to scan it with Norton AV, and it does the same thing I
described scandisk as doing, almost an imediate response, it's like the
virus partitioned a ramdrive and named it C:\

Both defunct hard drives went south the same day, and now respond exactly
the same, so I'm still convinced its not hardware failure.

Again Thanks for your time, have any other ideas....?

Ray



"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message
newsprrq4wovezpegei@nntp...

"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message newsprrrd6jbezpegei@nntp...
Here is some (maybe helpful) info I found some time ago....

+++++++++++++++++++

ENTERING CMOS SETUP

F1 during the boot process.
F2 during the boot process.
Esc during the boot process.
Del during the boot process.

Older Systems:

Ctrl + Alt + Esc during the boot process.
Ctrl + Alt + Ins during the boot process.
Ctrl + Alt + Enter during the boot process.
Ctrl + Alt + S during the boot up process.
Page up during the boot process.
Page down during the boot process.

Some older systems such as early 486, 386, 286 Desktop computers
actually required a floppy disk to get into setup, usually refereed to as
a ICU / BBU/ SCU disk, this would have to be obtained through your
computer manufacturer.

Laptop Systems:
==========

While most laptops use one of the above keys to get into CMOS some
older laptops get into CMOS by pressing the F1 / F2 at a flashing block
cursor as the computer is booting up.

Older IBM Systems:

Press and hold both buttons on the mouse as the computer is booting up.

+++++++++++

Hope someone else finds this useful too.

"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message
newsprrrd6jbezpegei@nntp...
My bad, you assumed correctly

I have tried this, but running fdisk /[anything] always returns "No Fixed
Disk"

The data is of far greater value than the actual drive space, hard drives
are realitively cheap these days, and of even more value to me, is not
getting beat by the cockroaches (<----edited version) that write and/or
knowingly distribute viruses.

One of the drives is 2 gig the other is 13
gig. I have searched the web and found some free utilities that can scan
the hd, and recreate the mbr/partition table, the one that seemed the most
promising was Ranish Partition Manager v2.4, but when I ran it all I get is,
"Error
Getting Drive Paramiters"


Happy Independance Day to all of you in the Greatest Country on Earth...

Ray

"Ray Carr" <nospam@spamsucks.com> wrote:
[snip]

FDISK won't run on a disk that isn't recognized.

FDISK won't run on a disk that isn't recognized.

There is no way to format a drive that isn't partitioned, since it isn't
recognized.

Same as above.

Because the drive is dead, kaput, muerto. That was obvious from the fact that
the BIOS recognized the new drive that you attached, which also indicates that
the drive setting in the setup program is on 'AUTO'. The only other possibility
is that the drive is jumpered improperly, which will result in the same. To
discard that possibility, just pull out the master/slave jumper and try, with
the problem drive attached as the only drive connected on the IDE channels.
Disconnect even the CDROM for the test.

If FDISK still complains that there is no fixed disk, then only specialized data
recovery can help here.

Or, if you have another drive of the same make and model, then you can try
swapping the drive's electronics card. In many cases it worked.

I offered you such utility, RESQDISK, and it's free. The point is that it's too
late for RESQDISK now, as it only works on a drive that functions, not on dead
drive corpses. The same applies to all recovery software packages.

Forget the virus theory in your case. What struck you is bad luck, followed
with poor judgement by wasting time on efforts in the wrong direction. You were
also sidetracked.

To your "luck", if you can call it that, Ranish's PM can't harm your data since
the drive isn't accessible anymore. A fundamental rule in data recovery: NEVER
install a boot/partition manager on a drive that has a corrupted or bad
partition table! Nor attempt to reconfigure the drive with FDISK, Partition
Magic, or anything else!

RESQDISK. But it won't help you now, as you have ruined your chances for
do-your-own data recovery. If the data is worth it, then leave it to
professional date recovery, and prepare to pay a substantial sum to recover your
data.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com support@resq.co.il
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!

Zvi,

According to the information you provided below the drive can't be dead, as
I have stated several times in previous post, I have recovery software, and
I have checked the inegrity of the data with it, and now, as of this morning
I have recovered all of my wife's school work, documents, spreadsheets, etc.
using the recovery software. So the drive isn't dead? Nor does it appear
to be dying.

I can't forget the theory that has the most logic to it. A network of 2
computers, both end up with the exact same problem within hours of each
other. Neither drive is recongnized, but both drives the data can be
recovered using recovery software. According to your take on it, I have
wasted time and the data can't be recovered without the service of a high
priced expert. Since this is not the case than I must assume that the virus
theory has even more credabilty than before.


Again, you obviously haven't read my previous posts, as I have not ruined my
chances to recover the data myself. Simply recovering files is not my goal,
my goal is to return the drive back to functioning the way it was, with all
of my years of tweaks, settings, and software intact!

Ray

On Fri, 4 Jul 2003 15:35:09 -0500, Ray Carr <nospam@spamsucks.com> wrote:

Zvi appears to have missed the part in your first post, where you said
this had happened to two seperate hard drives, on two separate computers,
and that you were able to read the hd via recovery software.

I've just taken a quick glance at the webpage for GetDataBack. If you
have purchased the software, it looks like it should have options for
recovering the mbr.

Don't take this the wrong way, but did you actually try entering fdisk /mbr?
The (undocumented) /mbr option must be specified on the command line, and
will overwrite the mbr of the first master drive.

Have you run the setup program to see what it currently has for the
drive paramters in the cmos?

"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message
newsprruvrzkkzpegei@nntp...
I don't recall seeing recovering the mbr as one of the options, guess I need
to take a better look...I did purchase the software through my job, to
recover some files one of the girls in the office deleted by accident.

Yes I have tried running fdisk /mbr and got the "No Fixed Disk"

I have not done this because I wouldn't know what to look for. If there are
specific parameters to look for, please tell me what they are, and I can
report what I find back.

Ray

On Sat, 5 Jul 2003 18:28:23 -0500, Ray Carr <nospam@spamsucks.com> wrote:
If you can tell me which bios (and version) you have, I can probably
find documentation to help step you through it. For the setting of
the drive paramaters, it's usually pretty intuitive, and will ask
you to confirm that you really really really want to make the changes,
before updating the cmos.

One possibility why it would work with a new drive, but not the old drive,
is that the old drive doesn't respond to the auto detect by the bios. If
that's the case, the parms will have to be set via the setup program.

Regards, Dave Hodgins

I have not tried for that reason, but I have lugged them all our house while
trying different things, and even one of them to a friends house, always the
same result...

"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vgeqj94cfj97d@corp.supernews.com...

American Megatrends
Bios Version 1.00.04 CS1T

Ray

"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message
newsprru4y6d6zpegei@nntp...

"Ray Carr" <nospam@spamsucks.com> wrote:

That's good news (that you recovered your wife's data), but then, the
information you posted about testing the BIOS settings by installing another
drive, and the way you performed the FDISK test are erratic and misleading.

The fact that recovery software could access the drive through direct port
access proves one of two things: That the drive is fine but you failed to set
it in the BIOS, or that it has an exceptional problem that will let access it
through ports, but fail through BIOS access (interrupt 13h). It's the first
time that I hear

In the previous case, you can fix it simply by resetting the drive to be
recognized in the setup. Most chances that you wouldn't need recovery software
if you could do that. In the latter, the drive is unusable as the BIOS doesn't
recognize it and it can't be accessed by ordinary software.

[snip]

Or, you did the same mistake on both machines, like unintentionally changing the
drive settings to 'none', or running the same corrupted software on both, that
changed the content of the CMOS and resulted in the same.

Get the drive recognized in the BIOS, run RESQDISK /REBUILD (add /FAT32 if you
know that the first partition was FAT-32) and it should resume functioning. If
you can't make the BIOS recognize the drive, then no voodoo can return that
drive to normal operation.

Just to satisfy my curiosity, what OS version and FDISK did you use in your
tests? What boot disk that you use?

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com support@resq.co.il
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!

"David W. Hodgins" <dhodgin1661@rogers.com> wrote:
I read Ray's first post and responded to. I only attributed different
credibility to his various statements than that you gave. The problem is that
Ray's posts are so full of inconsistencies that you don't really know which part
to discard and which one to accept.

GetDataBack works on the same principles as EasyRecovery, R-Studio and half a
dozen of other data recovery packages. All are READ-ONLY and work on the
principle of establishing a virtual FAT and root directory in memory (for FAT
file system), to read the files of the drive. Here is what GetDataBack write on
their page:

It won't rebuild the MBR, and isn't meant to. Besides, GetDataBack depends on
the drive being recognized in the BIOS.

What does this tell you?

FDISK /MBR will do nothing if the BIOS doesn't recognize the drive. FDISK, in
DOS mode, depends entirely on interrupt 13 to read / write the MBR and if it
says "no fixed disk", then it means that int 13 returns an error on attempting
to read sector 0/0/1 of drive 80h. In other words, no drive 80h is present in
the equipment list.

Only if the BIOS recognizes the drive. FDISK with no matter what switch is the
ultimate test whether the drive is recognized or not, regardless of the MBR
content. The MBR could be blank, still FDISK wouldn't return the "no fixed
disk" message if the drive is recognized.

The CMOS will show 'none' in the following cases: If the drive is attached to
an ATA controller card, or if it's a SCSI.

The drive being recognized is the direction to go, everything else is pursuing a
wild goose chase.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com support@resq.co.il
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!