Help!! Trojan ate my hard drive!!



RD'S Alias - 1A
10-26-2008, 09:19 PM
I got hit with some sort of Trojan a few weeks ago. It looks like it deleted my partition, or possibly worse.

After running a scan disk, "Some" files came back, but no folders returned. What files I can see are not anywhere near the 151 gigs the drive shows it is full with. They are just files that were on the drive and not in folders originally.

I have 2 drives, the C drive was for windows, and the D drive was for all my files.

I got the computer to boot and run by wiping the C drive with a format and reinstalling Windows, but the E drive I want to try and recover all the data, so formatting it is out of the question.

I have hundreds of family photos, 15 years of Kung Fu research files, videos, thousands of E-mails and many other things I don't want to lose.

The drive is a WD 250 gig. When I check the properties, it shows 151 gigs used, and about 80.9 gigs free, which is roughly what I had before I lost the data.


The ironic thing is I was trying to back up this drive to a 500 Gig USB drive when the Trojan hit.

This PC is not connected to the internet, and I think the trojan got on it from a download originally done by my laptop. The file was then transferred to the desktop via a DVD I burned it to.

Since it is not connected to the internet, the antivirus was very outdated. I think it was dormant when I downloaded it, and was activated when the file was viewed prior to my attempt to do the back up.

Around that time the antivirus on my laptop caught several Trojans, and the firewall had blocked several attack attempts, so I am sure the issue is due to the desktop's antivirus not having been updated due to a lack of internet connection (since the Laptop is fine).

I have an ultimate boot CD, but I don't really know how to use it.

Can anyone help me out with this? Maybe recommend recovery software, or someone who would know how to recover the data files without breaking my piggy bank?

bakxierboxer
10-26-2008, 10:21 PM
I got hit with some sort of Trojan a few weeks ago. It looks like it deleted my partition, or possibly worse....

A couple of weeks ago?
Enh!

Since your system indicates that the bulk of the material is "still there", it sounds a bit more like "something" messed with your MFT (Master File Table).
The only thing I've been using recently that should do it is the Glary Utilities, a free download from CNET, version 2.7.0.286 (listed as 2.7.268) which has an Undelete function.

If that doesn't do the trick, then there are loads of freebie utilities at:
http://www.hiren.info/pages/bootcd

Haven't needed them, although I did download a CD-worth some time back.

The major problem you might run into, even if you make the recovery, is with the file-names, since they've probably been butchered in the loss.... so you'll get the data back but need to figure out what the hell each file actually is!

Sorry you didn't do that back-up sooner.

Come to think of it, the HiRen stuff should "do better" at all that low-level recovery.... but I haven't had to use any of it.

bakxierboxer
10-26-2008, 11:09 PM
Now that I've been thinking about it a bit, there's supposed to be a second copy of the MFT... probably near "the end" of the drive space.
I think that most of the utilities for such recoveries first go to that copy to start the recovery process.
If you're still not able to get anywhere with any of the utilities, the "court of last resort" is a disk editor, which enables you to "get down and dirty" and "do it yourself" on a file-by-file or even byte-by-byte basis........ not something I'd want to do, but there are folks who make a living doing "stuff like that".
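
An added illustration, not part of the posts above and not code from any utility named in this thread: the NTFS boot sector records the cluster numbers of both the MFT and its mirror copy ($MFTMirr), so a read-only check can show where each one sits and whether the mirror is still intact when the primary is damaged. The function names and the small in-memory test volume are constructed for this example, which assumes an image of the volume (partition) itself.

```python
import struct

def parse_ntfs_boot(sector: bytes) -> dict:
    """Decode the NTFS boot-sector fields that locate $MFT and $MFTMirr."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    _total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (raw,) = struct.unpack_from("<b", sector, 0x40)
    cluster = bytes_per_sector * sectors_per_cluster
    # Positive: record size in clusters. Negative: record size is 2**|raw| bytes.
    record = raw * cluster if raw > 0 else 1 << -raw
    return {"cluster_size": cluster, "record_size": record,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mirr_lcn}

def check_mft_copies(image: bytes, records: int = 4) -> dict:
    """Compare the first MFT records with their copy in $MFTMirr (read-only)."""
    geo = parse_ntfs_boot(image[:512])
    size, span = geo["record_size"], records * geo["record_size"]

    def load(lcn):
        off = lcn * geo["cluster_size"]
        return off, image[off:off + span]

    def valid(buf):  # every file record starts with the ASCII signature "FILE"
        return len(buf) == span and all(
            buf[i:i + 4] == b"FILE" for i in range(0, span, size))

    mft_off, mft = load(geo["mft_lcn"])
    mirr_off, mirr = load(geo["mftmirr_lcn"])
    return {"mft_offset": mft_off, "mirror_offset": mirr_off,
            "mft_valid": valid(mft), "mirror_valid": valid(mirr),
            "copies_match": mft == mirr}

def build_sample_image(damage_primary: bool = False) -> bytes:
    """Constructed 64 KiB test volume: $MFT at cluster 4, $MFTMirr at cluster 8."""
    image = bytearray(128 * 512)
    image[3:11] = b"NTFS    "
    struct.pack_into("<HB", image, 0x0B, 512, 8)       # 4096-byte clusters
    struct.pack_into("<QQQ", image, 0x28, 128, 4, 8)   # total sectors, MFT, mirror
    struct.pack_into("<b", image, 0x40, -10)           # 2**10 = 1024-byte records
    image[510:512] = b"\x55\xaa"
    recs = b"".join(b"FILE" + bytes([n]) * 1020 for n in range(4))
    for lcn in (4, 8):
        image[lcn * 4096:lcn * 4096 + 4096] = recs
    if damage_primary:                                  # simulate a wiped primary MFT
        image[4 * 4096:5 * 4096] = bytes(4096)
    return bytes(image)

if __name__ == "__main__":
    print(check_mft_copies(build_sample_image(damage_primary=True)))
```

Point it at an image file of the volume rather than the live drive; on a whole-disk image the NTFS boot sector sits at the start of the partition, not at byte 0.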

TenTigers
10-26-2008, 11:09 PM
I like that!
From now on that's how I will refer to "Lil'Rikki."
"I have a Trojan on my Hard Drive, baby!
Now let's do the Nasty!":D

GLW
10-27-2008, 07:39 AM
Have you considered biting the bullet and buying Kaspersky's anti-virus stuff...runs about $70. It can clean up most everything - especially if you can install it on the boot drive anyway. It is not uncommon for some virus stuff to be loaded in the boot sector. For those, Kaspersky lets you boot into safe mode and do removal. I had a friend's system that was massively infected. It got one that was masquerading as a Windows Anti-virus system. It prevented the control panel, add/remove programs, and even the home page from working. With Kaspersky, it took about 5 or 6 times of running it and getting things to remove one at a time. There were finally something like 35 viruses...all from unsafe use of MySpace...

The last few were boot sector problems and had to be done by running the tool in safe mode...several times.

I followed it up by doing a sweep of the registry for things I KNEW should not be there. All in all, it took about 30 hours to get rid of them. The only real thing we lost was an active desktop file that got pulled into the mix.

Some if not many Trojans are 2 parters or more. They install and sit there doing nothing until you get the trigger...which can be as simple as a downloaded file or another trojan virus. One of the nastier ones has 2 parts...either part by itself is nothing. Both on one hard drive...and your system is toast.

RD'S Alias - 1A
10-27-2008, 03:12 PM
I am not too concerned about removing the trojan, as Norton found it on my laptop and got rid of it. I just need to connect the desktop to the internet to run a live update.

The problem is the damage is done. Removing it now won't help. I have to find a way to recover the data.

GLW
10-27-2008, 03:33 PM
One or two options :

http://www.ctunion.com/node/38

If your PC can see the drive...but not use it :

"The next step I took was to pop another separate hard drive into the server. I then installed a new copy of windows 2000 server. This could have been 2000 professional, or windows XP. Basically we just want an Operating system that has the ability to read NTFS file system. The idea being that we boot to the new OS, and then run the windows checkdisk on the old partition and try to repair the corrupted MFT file. If all goes well there, we should then be able to boot into the server and life should be good."

Another :

Download Recover My Files from www.recovermyfiles.com and try a Fast Format Recover of the physical drive. If it works you should have all your files and folders back in less than 1 hour. (not sure of the tool...but what the heck...)

Or :

http://forums.techguy.org/hardware/730938-western-digital-500gb-external-corrupt.html

Free recovery applications:

Diskinternals Recovery Boot CD
Smart Data Recovery
Recover Files
Recuva
Restoration
Free Undelete (NTFS only)
Softperfect File Recovery
ADRC Data Recovery Tools
Undelete Plus
Data Recovery
PCI File Recovery
DriveRescue
Ultimate Data Recovery
Disk Investigator

Commercial:

O&O Disk Recovery
Paragon Mount Everything (Mounts any file system, CD/DVD burning, File Manager, Partitioner)
GetDataBack (For FAT or NTFS)
Ontrack EasyRecovery Pro
File Scavenger
Recover My Files
RecoverPlus Pro
Zero Assumption Recovery
Active@ File Recovery
Final Recovery
Recover4All Professional
Easeus Data Recovery Wizard
NTFS Recovery

RD'S Alias - 1A
10-27-2008, 06:09 PM
I downloaded the "Recover my files" program and I am running it right now.

It seems to have found all my JPEGs so far, which is good as they are years worth of my daughter's competitions, graduations, birthdays and other family occasions.

I won't know for sure till it is done running though. If those are all I get though, I will be thankful for that.

So far it's been running about 2 hours and it says it has found 6613 files, and 95000 O/S items.