If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Ruined Boot Partition - F-Prot
My system:
w2k 20 gb ide fat32, NOT NTFS was win98, installed w2k over it, dual boot on the same partition. 1 partition of 20 gb. F-Prot trashed the partition table, worked until reboot, now it shows two paritions of 2 GB each, with the rest unallocated. I need to get it back to one partition (20 GB) without losing all the data. Any assistance is appreciated. |
#3
|
|||
|
|||
This is Bob's brother inlaw. Bob posted my message, which I dictated to my
wife (his sister) over the phone, which she then emailed to him from her work computer, which he then posted here. I've since made *some* "progress", detailed inline below. On Mon, 15 Dec 2003 11:39:29 +0200, Zvi Netiv wrote: (Bob) wrote: My system: w2k 20 gb ide fat32, NOT NTFS was win98, installed w2k over it, dual boot on the same partition. 1 partition of 20 gb. F-Prot trashed the partition table, worked until reboot, now it shows two paritions of 2 GB each, with the rest unallocated. I need to get it back to one partition (20 GB) without losing all the data. Your story doesn't make sense, or you are omitting critical details on what happened. It doesn't make sense to me either, but I assure you it happened! More details follow below. What F-Prot version did you run, for Windows, or for DOS? For Win, not sure of the version, it's on the clobbered drive. It wasn't the actual F-Prot antivirus program. *That* ran fine. The problem was crated by their utility (installed with the antivirus program) that creates a database of changes to files and boot records. The first time I ran it, it said there was no database yet, should it build one. I said sure. It then reported that there was a change to a boot record since the last time the program was run. This set off an alarm in my head. It asked if it should create a backup of the boot record before "fixing" it. I said yes. It wrote a 1K file to a floppy. I do *not* know if it's the right boot record (details below), but that is moot, as there does not seem to be any way to *restore* from that file. Argh. Was F-Prot run after booting to W2K, or Win 98, or to plain DOS? I ran it (their utility, as described above) from within W2K. I later tried their DOS version, booting from a floppy. I could not find any way to restore the boot sector backup file created by their Windows utility. I very much doubt that F-Prot is what messed with the partitions. It was not "F-Prot" the antivirus, but it *was* the little utility installed *with* it. After the 20 GB partition was converted, can you see files and directories in the current 2 GB partitions? If you can, then the damage to the original partition could be substantial, and not worth recovering. OK, here's what I've been able to determine (after installing a new hard drive and putting Win2K on it), after trying the Fixboot and Fixmbr commands from the Recovery Console. After they failed (they *think* they succeeded, but they didn't), I was staring at the output from the Map command, and suddenly it hit me. The IDE drive showed two partitions -- the first was 2 GB FAT, and the second was 2.38 GB (or somesuch unique number) NTFS -- the EXACT same config as my (fortunatly, *not* clobbered) SCSI drive! The F-Prot utility copied the boot record from my SCSI drive over to my IDE drive! For whatever reason, it seems to have been confused by the two controllers, decided that the first disk in each was *the* first disk, then decided that since they were *different*, there was a "problem", which it "repaired". And here I am today... Lastly, was there important data in your 20 GB partition? "Important" barely approaches it. It is the understatement of the epoch. My current plan: I have located an identical model WDC drive to the one in this computer, and ordered it. It should arrive Friday (fingers crossed). This computer (a Dell, which the Michigan schools bought for all the teachers in the state) has one of those accursed "restore discs", which I've finally found a good use for. It's a "ghosted" image -- the same Win98 image used to create the drive before I installed Win2k. I will "ghost" that image to the new drive, and then install Win2K over it. Next, I will create a restore disc (we tore the house apart and *cannot* find the one we made from *this* drive, argh). I will then remove the new drive, install the original drive, insert the Win2K CD in the CD drive, boot from the CD, and tell it to repair the boot sector using the recovery floppy. I *think* that this *should* work. My two fears are that it will either insist on "repairing" one of the two bogus partitions (rather than the physical drive), or, decline the recovery floppy, after deciding that it was made from a different disk. I've downloaded a utility to edit the disk's ID, in case that problem arises. If all else fails, I downloaded "MBRTool" from http://www.diydatarecovery.nl/~tkuurstra/mbrtool.htm to back up and restore the boot/MBR info. I'll backup from the new drive, and restore to the old one. If my attempt via the recovery console (fixboot, fixmbr) didn't do any *new* damage, I *think* I'll be home free. I know that the machine was running fine for several days *after* the F-Prot utility did it's thing. The problem only manifested itself when I rebooted, when it read the MBR. So I'm pretty confident that the *data* on the drive is OK (if the fixmbr etc. didn't screw it by trying to dump a backup copy of the "repaired" MBR in the middle of the real data, or somesuch.) I'm hoping that if worse comes to worst, any real data loss will be minimal, only affecting one file (hopefully unimportant), or at worst, one dir. I *do* intend to send a epilog to the F-Prot folks when the dust settles. Right now, I don't have email. My email client (old character-mode Eudora Pro) is on the farkled partition, and my spamload is backing up at the ISP. *groan* They tell me I've got a 198MB allocation and it's only at .7% as of yesterday, so hopefully I won't lose any mail thanks to this nightmare. You may try RESQDISK /REBUILD /FAT32, as you have nothing to lose. Reject all found partitions during the ResQdisk run, to restore a single FAT-32 that occupies the entire disk space. If the above procedure doesn't do the trick, then run RESQDISK /ASSESS from the RESQ floppy (leave the floppy write-enabled) and post here the text report A:\RESQDISK.RPT and I'll take it from there. Available from http://invircible.com/resq.php - it's free for the described purpose. Regards, Zvi Any assistance is appreciated. |
#4
|
|||
|
|||
Crosscut wrote:
This is Bob's brother inlaw. Bob posted my message, which I dictated to my wife (his sister) over the phone, which she then emailed to him from her work computer, which he then posted here. I've since made *some* "progress", detailed inline below. On Mon, 15 Dec 2003 11:39:29 +0200, Zvi Netiv wrote: (Bob) wrote: My system: w2k 20 gb ide fat32, NOT NTFS was win98, installed w2k over it, dual boot on the same partition. 1 partition of 20 gb. F-Prot trashed the partition table, worked until reboot, now it shows two paritions of 2 GB each, with the rest unallocated. I need to get it back to one partition (20 GB) without losing all the data. Your story doesn't make sense, or you are omitting critical details on what happened. It doesn't make sense to me either, but I assure you it happened! More details follow below. It didn't just "happen", the damage was caused. See below. What F-Prot version did you run, for Windows, or for DOS? For Win, not sure of the version, it's on the clobbered drive. It wasn't the actual F-Prot antivirus program. *That* ran fine. The problem was crated by their utility (installed with the antivirus program) that creates a database of changes to files and boot records. I don't know of such utility in F-Prot, but if there is one, then avoid it. Explanation below. The first time I ran it, it said there was no database yet, should it build one. I said sure. It then reported that there was a change to a boot record since the last time the program was run. This set off an alarm in my head. It asked if it should create a backup of the boot record before "fixing" it. I said yes. It wrote a 1K file to a floppy. I do *not* know if it's the right boot record (details below), but that is moot, as there does not seem to be any way to *restore* from that file. Argh. Was F-Prot run after booting to W2K, or Win 98, or to plain DOS? I ran it (their utility, as described above) from within W2K. I later tried their DOS version, booting from a floppy. I could not find any way to restore the boot sector backup file created by their Windows utility. I very much doubt that F-Prot is what messed with the partitions. It was not "F-Prot" the antivirus, but it *was* the little utility installed *with* it. There exist a few boot backup and recovery utilities around, although I don't know the particular one that comes with F-Prot. Historically, many of those were made by AV producers, to recover the boot chain (MBR and the start partition boot sector) of a drive when damaged/corrupted by virus. Ironically, this AV boot recovery "feature" is the direct cause to the loss of access to countless drives, while saving close to none. To make it look even worse, such backup is plainly unnecessary to recover (or rebuild) a damaged MBR or boot sector! The champion of that nonsense is Symantec's NAV and you can find tens of my posts where I explain why to avoid that archaic and dangerous stuff. After the 20 GB partition was converted, can you see files and directories in the current 2 GB partitions? If you can, then the damage to the original partition could be substantial, and not worth recovering. OK, here's what I've been able to determine (after installing a new hard drive and putting Win2K on it), after trying the Fixboot and Fixmbr commands from the Recovery Console. Bad move, especially the running of FIXBOOT. The fixing an erroneous FIXMBR is easy to do, but a bad FIXBOOT could be a problem. After they failed (they *think* they succeeded, but they didn't), I was staring at the output from the Map command, and suddenly it hit me. The IDE drive showed two partitions -- the first was 2 GB FAT, and the second was 2.38 GB (or somesuch unique number) NTFS -- the EXACT same config as my (fortunatly, *not* clobbered) SCSI drive! The F-Prot utility copied the boot record from my SCSI drive over to my IDE drive! For whatever reason, it seems to have been confused by the two controllers, decided that the first disk in each was *the* first disk, then decided that since they were *different*, there was a "problem", which it "repaired". The scenario described is the reason for which RESQDISK provides visual feedback to the user, to let you see what you are doing. And here I am today... Lastly, was there important data in your 20 GB partition? "Important" barely approaches it. It is the understatement of the epoch. In which case, what you did so far is bad enough. The important thing now is to not worsen the situation. My current plan: I have located an identical model WDC drive to the one in this computer, and ordered it. It should arrive Friday (fingers crossed). This computer (a Dell, which the Michigan schools bought for all the teachers in the state) has one of those accursed "restore discs", which I've finally found a good use for. It's a "ghosted" image -- the same Win98 image used to create the drive before I installed Win2k. I will "ghost" that image to the new drive, and then install Win2K over it. Next, I will create a restore disc (we tore the house apart and *cannot* find the one we made from *this* drive, argh). I will then remove the new drive, install the original drive, insert the Win2K CD in the CD drive, boot from the CD, and tell it to repair the boot sector using the recovery floppy. You can do that, of course, but it will get you nowhere. Instead, you may clone the damaged drive with sector for sector cloning software (CloneDisk from http://resq.co.il/resq.php is such software) and work then on the clone. Any disk with a capacity larger than 20 GB (like the bad one) will do as target for the cloning process. I *think* that this *should* work. It won't. My two fears are that it will either insist on "repairing" one of the two bogus partitions (rather than the physical drive), or, decline the recovery floppy, after deciding that it was made from a different disk. It will do worse. I've downloaded a utility to edit the disk's ID, in case that problem arises. If all else fails, I downloaded "MBRTool" from http://www.diydatarecovery.nl/~tkuurstra/mbrtool.htm to back up and restore the boot/MBR info. I'll backup from the new drive, and restore to the old one. You are improvising, dangerously. If my attempt via the recovery console (fixboot, fixmbr) didn't do any *new* damage, They did. FIXMBR was the first nail in that coffin, and FIXBOOT stuck it deep in and chopped its head off. I *think* I'll be home free. I know that the machine was running fine for several days *after* the F-Prot utility did it's thing. The problem only manifested itself when I rebooted, when it read the MBR. So I'm pretty confident that the *data* on the drive is OK (if the fixmbr etc. didn't screw it by trying to dump a backup copy of the "repaired" MBR in the middle of the real data, or somesuch.) Worry about what FIXBOOT did, not FIXMBR. I'm hoping that if worse comes to worst, any real data loss will be minimal, only affecting one file (hopefully unimportant), or at worst, one dir. I *do* intend to send a epilog to the F-Prot folks when the dust settles. Right now, I don't have email. My email client (old character-mode Eudora Pro) is on the farkled partition, and my spamload is backing up at the ISP. *groan* They tell me I've got a 198MB allocation and it's only at .7% as of yesterday, so hopefully I won't lose any mail thanks to this nightmare. After having cloned the damaged drive, run the following on the clone: You may try RESQDISK /REBUILD /FAT32, as you have nothing to lose. Reject all found partitions during the ResQdisk run, to restore a single FAT-32 that occupies the entire disk space. If the above procedure doesn't do the trick, then run RESQDISK /ASSESS from the RESQ floppy (leave the floppy write-enabled) and post here the text report A:\RESQDISK.RPT and I'll take it from there. Available from http://invircible.com/resq.php - it's free for the described purpose. If you wish continuing this through e-mail, then use support at resq dot co dot il. Merry Christmas, Zvi -- NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew) InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities |
#5
|
|||
|
|||
On Thu, 18 Dec 2003 13:08:05 +0200, Zvi Netiv wrote:
Instead, you may clone the damaged drive with sector for sector cloning software (CloneDisk from http://resq.co.il/resq.php is such software) and work then on the clone. Any disk with a capacity larger than 20 GB (like the bad one) will do as target for the cloning process. If you wish continuing this through e-mail, then use support at resq dot co dot il. Zvi, I've replied via a temporary acc't (hotmail), I don't know if you'll see this via your newsreader before you see my email (hotmail sometimes leaves things in the queue for hours!) My question at this point is, does the target disk *absolutely* have to be larger than the source, or, can I use the disk we've ordered, which is the exact same capacity, same make and model? I would like to avoid having to wipe the drive I'm using now (it's larger than the original drive) if I can avoid it, I just spent a day installing and configuring it (firewall, various security downloads, many hours over slow modem, we are not in "broadband country"). Thanks in advance. PS: I downloaded those two files, and noticed this in the CloneDisk pwruser.txt file: ------------------------------- .... License issue date: 14-Nov-2002 Expiration date: 30-Nov-2003 .... ------------------------------- Is there a newer version I should be using? Or should I set the machine's clock back a few weeks? (Or is it necessary to purchase the program?) Is |
#6
|
|||
|
|||
Crosscut wrote:
On Thu, 18 Dec 2003 13:08:05 +0200, Zvi Netiv wrote: Instead, you may clone the damaged drive with sector for sector cloning software (CloneDisk from http://resq.co.il/resq.php is such software) and work then on the clone. Any disk with a capacity larger than 20 GB (like the bad one) will do as target for the cloning process. If you wish continuing this through e-mail, then use support at resq dot co dot il. Zvi, I've replied via a temporary acc't (hotmail), I don't know if you'll see this via your newsreader before you see my email (hotmail sometimes leaves things in the queue for hours!) I got both, no problem. My question at this point is, does the target disk *absolutely* have to be larger than the source, or, can I use the disk we've ordered, which is the exact same capacity, same make and model? The disk you ordered is perfect for destination of the clone. I would like to avoid having to wipe the drive I'm using now (it's larger than the original drive) if I can avoid it, I just spent a day installing and configuring it (firewall, various security downloads, many hours over slow modem, we are not in "broadband country"). Thanks in advance. PS: I downloaded those two files, and noticed this in the CloneDisk pwruser.txt file: ------------------------------- ... License issue date: 14-Nov-2002 Expiration date: 30-Nov-2003 ... ------------------------------- Is there a newer version I should be using? Or should I set the machine's clock back a few weeks? (Or is it necessary to purchase the program?) Thanks for the reminder, I have replaced the CloneDisk package on the site with a newer trial license. The trial license will let you run a "read-only" cloning session only, adequate for testing your cloning setup. You may set the date back for doing the test rather than downloading CloneDisk a second time. For the actual cloning you will have to license the product, from our site. Regards, Zvi -- NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew) InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Disk Management - New Partition option Greyed Out | Tapas Das | Dell Computers | 3 | March 23rd 05 04:58 PM |
Creating a Dell diagnostic partition on a bare hard drive | Ben Myers | Dell Computers | 13 | March 16th 05 09:53 PM |
Lost Partition | Moir | Storage (alternative) | 3 | October 2nd 03 01:07 AM |
Restoring boot partition after System Commander screwup | doug blaisdell | Storage (alternative) | 1 | August 8th 03 06:04 PM |
Dual Boot, How? | Paul \(Erie\) | General | 1 | June 24th 03 04:36 PM |