
Junkie infection on laptop


Malcolm Murray

Mar 5, 2001, 5:02:16 AM
Hi,

I am helping a user clear up a Junkie infection on their laptop.

The laptop is a dual-boot 95 / NT machine, with 3 partitions, one
NTFS, and the other two are FAT.

I ran the McAfee ERD, it cleaned the boot sector of the infection.
However, the partition info for the partition that held Win95 seems to
have become corrupted. I'm not sure how this became corrupt - whether it
was Junkie, a poor removal, or some other forces of nature.

Running the NT Disk administrator, it shows the three partitions,
however the Win95 one is marked "Unknown". If I make it the active
partition, and reboot, the Win95 splash screen comes up and then
disappears, dumping the user back into dos.

Booting from a Win98 boot disk shows only the third partition, and not
the 95 boot partition.

Is there a way of recovering this partition???

Any help appreciated.

Malcolm.


Nick FitzGerald

Mar 5, 2001, 5:38:29 AM
Malcolm Murray <mal_murray@hotmail_NO_SPAM_.com> wrote:

> The laptop is a dual boot 95 / NT machine, with 3 partitions, one a
> NTFS, and the other two are Fat.

FAT or FAT32?

Are both these usually visible to NT?

Are they visible to each other?

How do you manage booting between the partitions and OSes?

> I ran the McAfee ERD, it cleaned the boot sector of the infection.

You mean the MBR -- a rather important distinction here, given how many
boot sectors there are to choose among...

> However, the partition info for the partition that held Win95 seems to
> have become corrupted. I'm not sure how this became corrupt - whether it
> was Junkie, a poor removal, or some other forces of nature.

It may be "normal" depending on how multi-booting among the three OSes is
managed...

> Running the NT Disk administrator, it shows the three partitions,
> however the Win95 one is marked "Unknown". If I make it the active
> partition, and reboot, the Win95 splash screen comes up and then
> disappears, dumping the user back into dos.

Perhaps because COMMAND.COM is still trashed? Is there any error message
when this happens?

> Booting from a Win98 boot disk shows only the third partition, and not
> the 95 boot partition.

If it is not a FAT32 partition and NT doesn't see it as a "known"
partition type, I'd expect Win98 to also not recognize it.

> Is there a way of recovering this partition???

Bound to be -- just don't go fiddling around with it until you are sure
you know what is happening.

> Any help appreciated.

You're welcome. I won't be around much longer tonight though so look for
responses from Bob Green and/or Zvi Netiv -- they are pretty much the boot
problem experts here.


--
Nick FitzGerald

Malcolm Murray

Mar 5, 2001, 6:28:22 AM
Nick FitzGerald wrote:

> Malcolm Murray <mal_murray@hotmail_NO_SPAM_.com> wrote:
>
> > The laptop is a dual boot 95 / NT machine, with 3 partitions, one a
> > NTFS, and the other two are Fat.
>
> FAT or FAT32?

I had the laptop dumped on my desk this morning for cleaning - something that
I thought would be easy and was happy to help with... I don't know everything
about the laptop, but I know the basics of how it is set up.

Both partitions are a little over 1 GB. Both are FAT32, I believe. I haven't
checked the version of Win95, but I believe it's OSR2. Of course if it was
plain 95, they could only be FAT16.

> Are both these usually visible to NT?

The one that is visible, yes. The user uses it as a data storage area. I'm
not sure about the 95 boot one. It should come up as something other than
"unknown" under NT though I thought.
FDisk also has the same issue with not being able to identify the type of
formatting on the partition.

> Are they visible to each other?

The third partition is a data directory that is used for both OS's and is
apparently visible to both. The missing partition wouldn't be able to
recognise NTFS, however I thought NT should be able to recognise it..

> How do you manage booting between the the partitions and OSes?

Booting is achieved through the Boot.ini file (NT startup menu): option 1 for
NT, option 2 for NT (VGA) and option 3 for 95.

> > I ran the McAfee ERD, it cleaned the boot sector of the infection.
>
> You mean the MBR -- a rather important distinction here, given how many
> boot sectors there are to choose among...

Yes, the MBR was cleaned. Bad choice of words on my behalf. Infection was
through a floppy disk with its boot sector infected.

> > However, the partition info for the partition that held Win95 seems to
> > have become corrupted. I'm not sure how this became corrupt - whether it
> > was Junkie, a poor removal, or some other forces of nature.
>
> It may be "normal" depending on how multi-booting among the three OSes is
> managed...

User claims it's not normal. I doubt the user would boot it any other way than
the startup menu.


> > Running the NT Disk administrator, it shows the three partitions,
> > however the Win95 one is marked "Unknown". If I make it the active
> > partition, and reboot, the Win95 splash screen comes up and then
> > disappears, dumping the user back into dos.
>
> Perhaps because COMMAND.COM is still trashed? Is there any error message
> when this happens?

I don't think command.com is trashed. The user was booting into WinNT at the
time, the bios warned that a virus might be writing to the MBR... user
panicked, and shut the computer down. McAfee also found no infected files...
just the MBR. Of course, it hasn't had a look at the Win95 partition yet
because it can't get to it.

> > Booting from a Win98 boot disk shows only the third partition, and not
> > the 95 boot partition.
>
> If it is not a FAT32 partition and NT doesn't see it as a "known"
> partition type, I'd expect Win98 to also not recognize it.
>
> > Is there a way of recovering this partition???
>
> Bound to be -- just don't go fiddling around with it until you are sure
> you know what is happening.
>
> > Any help appreciated.
>
> You're welcome. I won't be around much longer tonight though so look for
> responses from Bob Green and/or Zvi Netiv -- they are pretty much the boot
> problem experts here.
> --
> Nick FitzGerald

Thanks Nick for your help.

Regards.
Malcolm.

Robert Green

Mar 5, 2001, 8:29:07 AM

"Malcolm Murray" <mal_murray@hotmail_NO_SPAM_.com> wrote in message
news:3AA36427.197D5BAA@hotmail_NO_SPAM_.com...

> Hi,
>
> I am helping a user clear up a Junkie infection on their laptop.
>
> The laptop is a dual boot 95 / NT machine, with 3 partitions, one a
> NTFS, and the other two are Fat.
>
> I ran the McAfee ERD, it cleaned the boot sector of the infection.
> However, the partition info for the partition that held Win95 seems to
> have become corrupted. I'm not sure how this became corrupt - whether it
> was Junkie, a poor removal, or some other forces of nature.

What happens with Junkie is that it overwrites the original MBR code without
saving a copy of it anywhere, so disinfecting it in the MBR is a matter of
overwriting the virus code with generic MBR code. That process shouldn't
corrupt the partition table.

> Running the NT Disk administrator, it shows the three partitions,
> however the Win95 one is marked "Unknown". If I make it the active
> partition, and reboot, the Win95 splash screen comes up and then
> disappears, dumping the user back into dos.

It goes far enough to load IO.SYS, then.

> Booting from a Win98 boot disk shows only the third partition, and not
> the 95 boot partition.
>
> Is there a way of recovering this partition???

Sure.

Download www.invircible.com/download/resq.exe. It's a self-extracting
archive. The file you want is RESQDISK.EXE. Copy that to your W98 boot disk,
boot the laptop with it, and run RESQDISK.

When the RESQDISK screen comes up press F6, to display a layout of the MBR.
Then press SHIFT+~ to write it to a file. It should create a small text file
called RESQDISK.RPT. Paste that file into a message (don't attach it) and
post it back here.

Then we'll know what's actually in the partition table and we can go from
there. Should be an easy one.

Bob

Zvi Netiv

Mar 5, 2001, 4:00:04 PM
Malcolm Murray <mal_murray@hotmail_NO_SPAM_.com> wrote:

> Nick FitzGerald wrote:
>
> > Malcolm Murray <mal_murray@hotmail_NO_SPAM_.com> wrote:
> >
> > > The laptop is a dual boot 95 / NT machine, with 3 partitions, one a
> > > NTFS, and the other two are Fat.

> > FAT or FAT32?

> I had the laptop dumped on my desk this morning for cleaning - something that
> I thought would be easy and was happy to help with... I don't know everything
> about the laptop, but I know the basics of how it is set up.

> Both partitions are a little over 1Gb. Both are FAT 32 I believe. I havn't
> checked the version of Win95, but I believe it's OSR2. Of course if it was
> plain 95, they could only be FAT16.

Up to NT 4.0 recognizes only FAT-16 partitions. Win2000, which *is* NT, can
boot off FAT-32 as well.


> > Are both these usually visible to NT?

> The one that is visible, yes. The user uses it as a data storage area. I'm
> not sure about the 95 boot one. It should come up as something other than
> "unknown" under NT though I thought.
> FDisk also has the same issue with not being able to identify the type of
> formatting on the partition

It isn't rare that AV software, NOT the virus, messes up partition data. Yet
there should be no problem rebuilding the MBR, partition table included, from
scratch, with RESQDISK /REBUILD. Yet before we come to it, I would like to see
a snapshot of the current partition data. It should help in giving you
instructions on how to restore functionality to all partitions.

Junkie is an easy one to handle, if you know what you are doing. ;)



> > Are they visible to each other?

> The third partition is a data directory that is used for both OS's and is
> apparently visable to both. The missing partition wouldn't be able to
> recognise NTFS, however I thought NT should be able to recognise it..

> > How do you manage booting between the the partitions and OSes?

> Booting is achieved through the Boot.ini file, (NT startup menu). Option 1 for
> NT, Option 2 for NT (VGA) and option 3 for 95.

> > > I ran the McAfee ERD, it cleaned the boot sector of the infection.

> > You mean the MBR -- a rather important distinction here, given how many
> > boot sectors there are to choose among...

> Yes, the MBR was cleaned. Bad choice of words on my behalf. Infection was
> through a floppy disk with it's boot sector infected.

Junkie affects two vital elements: The MBR, and also command.com if they tried
to boot it into Win95 when the MBR was infected.


> > > However, the partition info for the partition that held Win95 seems to
> > > have become corrupted. I'm not sure how this became corrupt - whether it
> > > was Junkie, a poor removal, or some other forces of nature.

Most likely a poor removal.

> > It may be "normal" depending on how multi-booting among the three OSes is
> > managed...

> User claims it's not normal. I doubt the user would boot it any other way than
> the startup menu.

> > > Running the NT Disk administrator, it shows the three partitions,
> > > however the Win95 one is marked "Unknown". If I make it the active
> > > partition, and reboot, the Win95 splash screen comes up and then
> > > disappears, dumping the user back into dos.

> > Perhaps because COMMAND.COM is still trashed? Is there any error message
> > when this happens?

> I don't think command.com is trashed. The user was booting into WinNT at the
> time, the bios warned that a virus might be writing to the MBR... user
> panicked, and shut the computer down. McAfee also found no infected files...
> just the MBR. Of course, it hasn't had a look at the Win95 partition yet
> because it can't get to it.

Command.com doesn't come in play when booting to NT, only when booting to
Windows 95, and it IS trashed if an attempt to boot to Win95 was made. The boot
sequence on an NT dual boot is as follows: Execute MBR loader, then go to
active partition boot sector and execute its bootstrap loader. In this case the
loader will call NTLDR, which will in turn call the multiboot menu. The
procedure of loading Win 95 (loading IO.SYS, with the MSDOS.SYS settings, and
eventually COMMAND.COM) will only run if booting to Windows 95 is selected.


> > > Booting from a Win98 boot disk shows only the third partition, and not
> > > the 95 boot partition.

How do you know it's the third? If the first two are invisible then the third
should show as first. Get the partition data from RESQDISK and we'll all be
wiser.

> > If it is not a FAT32 partition and NT doesn't see it as a "known"
> > partition type, I'd expect Win98 to also not recognize it.

When checking with RESQDISK, run also the ^F5 test and bring here a snapshot.
The ^F5 test checks the whole drive for existing FAT-16/32.

> > > Is there a way of recovering this partition???

> > Bound to be -- just don't go fiddling around with it until you are sure
> > you know what is happening.

> > > Any help appreciated.

> > You're welcome. I won't be around much longer tonight though so look for
> > responses from Bob Green and/or Zvi Netiv -- they are pretty much the boot
> > problem experts here.

Thanks Nick. :)

Cheers, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com sup...@resq.co.il
InVircible Anti-Virus Software, ResQdisk and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
may be answered in the newsgroup.

Zvi Netiv

Mar 5, 2001, 4:00:02 PM
Malcolm Murray <mal_murray@hotmail_NO_SPAM_.com> wrote:

RESQDISK should be able to recover all three partitions, provided you didn't
mess too much with disk repair utilities, or with AV software.

Do as instructed by Robert Green and post here the RESQDISK snapshot of your
partition data. A *copy* to my e-mail would be in order.

Regards, Zvi

Malcolm Murray

Mar 6, 2001, 2:26:00 AM

Robert Green wrote:

> <snipped>


> Download www.invircible.com/download/resq.exe. Its a self-extracting
> archive. The file you want is RESQDISK.EXE. Copy that to your W98 boot disk,
> boot the laptop with it, and run RESQDISK.
>
> When the RESQDISK screen comes up press F6, to display a layout of the MBR.
> Then press SHIFT+~
> to write it to a file. It should create a small text file called
> RESQDISK.RPT. Paste that file into a message (don't attach it) and post it
> back here.
>
> Then we'll know what's actually in the partition table and we can go from
> there. Should be an easy one.
>
> Bob

This may come out a little messy from the cut and paste .... but I'm definitely
not going to post any binaries ;)

NetZ ResQdisk report created on 6 Mar. 2001 11:21

Sentry *************************************** CHS mode W9x
******************* * R e s Q d i s k 7.02r * ********************

* Disaster Prevention and Recovery *
Disk * * Copyright (c) '90-01 NetZ Computing * SeeThru *
Data F5 * * Virus Control, Disk & Data Recovery * ON F9 *
********* *************************************** *********
AltHelp *
*********
^2:FAT-16*

******************** Partition Table Layout **********************
Partition     Starting          Ending         Reserved     Total
Boot Type   Head Cyl. Sec.   Head Cyl. Sec.     Sectors   Sectors
       22      1    0    1    127   12   63          63    104769
 Yes    7      0   13    1    127  317   63      104832   2459520
       27      0  318    1    127  622   63     2564352   2459520
        5      0  623    1    127  991   63     5023872   2975616
******* Press Alt+B to see as boot sector, Alt+M to edit *********
Disk 1, Master Partition Sector, F6 for Layout

Starting from the top... Partition 1 I'd forgotten about; it appears to be a DOS
6.x partition. If made active, it starts "Loading MS-DOS" and hangs.
Partition 2 - This is the NTFS one.
Partition 3 - FAT16 ... The one I can't see.
Partition 4 - FAT16 again ... The data volume that can be seen by NT (and
supposedly 95).

NetZ ResQdisk report created on 6 Mar. 2001 11:56

Sentry *************************************** CHS mode W9x
******************* * R e s Q d i s k 7.02r * ********************

* Disaster Prevention and Recovery *
Disk * * Copyright (c) '90-01 NetZ Computing * SeeThru *
Data F5 * * Virus Control, Disk & Data Recovery * ON F9 *
********* *************************************** *********
AltHelp *
*********
^2:FAT-16*
CHS address: Cyl 0 Head 0 Sector 1 *********
*********************** Setup Diagnostics ************************
  Disk Type: TOSHIBA MK4006MAV
                               BIOS   IDE/LBA data
  Number of Heads:              128        16
  Number of Cylinders:          993      7944
  Sectors per Track:             63        63
  Disk Capacity in Mbytes:     3909      3909
  IDE Access Time:                5 msec
  Total sectors on drive:   8007552
******* Use Space to toggle between IDE and Ext.BIOS mode ********
Disk 1, Master Partition Sector, F6 for Layout

Once again, thanks for any info that will help me get 95 up and running again..


Malcolm.


Zvi Netiv

Mar 6, 2001, 4:04:00 AM
Malcolm Murray <mal_murray@hotmail_NO_SPAM_.com> wrote:

> From: "Mal Murray"
> To: z...@invircible.com
> Subject: Re: Junkie infection on laptop
> Date: Tue, 06 Mar 2001 00:38:10

> Zvi,

> Apologies for not posting this as well to the newsgroup ... with the demise
> of Deja, and the fact that I am at work, I have no way of posting to the
> newsgroup. I will post it later tonight when I get home.

As per the disclaimer in my 'Usenet signature', your e-mail is answered from the
newsgroup, sparing you the post.

> F6 gives the following:


> NetZ ResQdisk report created on 6 Mar. 2001 11:21
>
> Sentry *************************************** CHS mode W9x
> ******************* * R e s Q d i s k 7.02r * ***************

> * Disaster Prevention and Recovery *
> Disk * * Copyright (c) '90-01 NetZ Computing * SeeThru *
> Data F5 * * Virus Control, Disk & Data Recovery * ON F9 *
> ********* *************************************** *********

The "sentry" label, top left, indicates that you only extracted the RESQDISK
program to floppy. Extract the whole RESQ.EXE archive to floppy as it also
contains a free license template. Without it, the corrective routines of
RESQDISK are disabled, and you will need them to recover the partitions.



> ******************** Partition Table Layout **********************
> Partition     Starting          Ending         Reserved     Total
> Boot Type   Head Cyl. Sec.   Head Cyl. Sec.     Sectors   Sectors
>        22      1    0    1    127   12   63          63    104769
>  Yes    7      0   13    1    127  317   63      104832   2459520
>        27      0  318    1    127  622   63     2564352   2459520
>         5      0  623    1    127  991   63     5023872   2975616
> ******* Press Alt+B to see as boot sector, Alt+M to edit *********
> Disk 1, Master Partition Sector, F6 for Layout

The above table is a real mess. What it looks like is the work of Partition
Magic, possibly used in an attempt to recover the partitions. Also seems that
PM aborted before completing its "re partitioning" and left the drive in limbo.

At the risk of repeating myself, I wrote "RESQDISK should be able to recover all
three partitions, provided you didn't mess too much with disk repair utilities,
or with AV software".

> F5 gives the following:


> NetZ ResQdisk report created on 6 Mar. 2001 11:56

There is no need to initialize a new RESQDISK report file with every snapshot,
you can take as many as you wish in a single, or multiple sessions, and they
will append to the existing file, till it exceeds 32 kbytes in size.

> *********************** Setup Diagnostics ************************
>   Disk Type: TOSHIBA MK4006MAV
>                                BIOS   IDE/LBA data
>   Number of Heads:              128        16
>   Number of Cylinders:          993      7944
>   Sectors per Track:             63        63
>   Disk Capacity in Mbytes:     3909      3909
>   IDE Access Time:                5 msec
>   Total sectors on drive:   8007552
> ******* Use Space to toggle between IDE and Ext.BIOS mode ********
> Disk 1, Master Partition Sector, F6 for Layout

What worries me about the above partition data is that when you sum the four
partitions' total sectors, you get a figure which is scarily close to the
total sectors reported by the hardware (IDE/LBA data). Which means that the
partitions created by PM probably overwrote vital parts of the original ones.

It remains to see what's left intact. In my previous message I asked you to run
a ^F5 test with RESQDISK, to seek for file allocation tables that survived the
massacre. Please run the test now and take a snapshot of every set before it
scrolls out of the window (a FAT report in RESQDISK normally consists of three
lines, the CHS address of the first and second FAT copy in any given partition,
and the number of sectors per FAT copy, in that set).

Also, please run a RESQDISK ^F4 test. It will search the whole drive for
existing partition sectors and display their content. Take a snapshot of every
part-table that RESQDISK finds.

Post the report here, or e-mail it to me and I will follow up in the group.
With the ^F4/^F5 data, I should be able to tell what partition(s) can be
recovered. As a first guess seems that the higher partitions (from translated
LBA cylinder 318) could be recovered, while the first partition seems lost (it
was split into two partitions by the PM reallocation, and overwritten).

Nick FitzGerald

Mar 6, 2001, 6:35:26 AM
Zvi Netiv <z...@invircible.com> wrote:

<<snip>>


> > > You're welcome. I won't be around much longer tonight though so look for
> > > responses from Bob Green and/or Zvi Netiv -- they are pretty much the boot
> > > problem experts here.
>
> Thanks Nick. :)

Hey -- much as we have and/or do disagree about many things, credit
where it's due!


--
Nick FitzGerald

Robert Green

Mar 6, 2001, 9:27:36 AM

"Malcolm Murray" <mal_murray@hotmail_NO_SPAM_.com> wrote in message
news:3AA49107.9CE880E6@hotmail_NO_SPAM_.com...

>
>
> Robert Green wrote:
>
> > <snipped>
> > Download www.invircible.com/download/resq.exe. Its a self-extracting
> > archive. The file you want is RESQDISK.EXE. Copy that to your W98 boot disk,
> > boot the laptop with it, and run RESQDISK.
> >
> > When the RESQDISK screen comes up press F6, to display a layout of the MBR.
> > Then press SHIFT+~ to write it to a file. It should create a small text file
> > called RESQDISK.RPT. Paste that file into a message (don't attach it) and
> > post it back here.
> >
> > Then we'll know what's actually in the partition table and we can go from
> > there. Should be an easy one.
> >
> > Bob
>
> This may come out a little messy from the cut and paste .... but I'm
> definitely not going to post any binaries ;)

I can read it :-).

> Partition     Starting          Ending         Reserved     Total
> Boot Type   Head Cyl. Sec.   Head Cyl. Sec.     Sectors   Sectors
>        22      1    0    1    127   12   63          63    104769
>  Yes    7      0   13    1    127  317   63      104832   2459520
>        27      0  318    1    127  622   63     2564352   2459520
>         5      0  623    1    127  991   63     5023872   2975616

Partition 1 is a hidden type 6 partition.
Partition 2 is NTFS.
Partition 3 is a hidden type B (FAT32).
Partition 4 is an extended partition.

(The multi-booter hides partitions by ORing the original partition type with
10h.)

So, I think the MBR survived the disinfection OK. Everything in the table
looks consistent.

Partition 3 will be the Win95 one.

A corrupted COMMAND.COM will probably be what is causing the problem.

> Starting from the top... Partition 1 I'd forgotten about. appears to be a
Dos
> 6.x partition. If made active, starts "Loading MS-DOS" and hangs.

Could be infections in that partition also.

> Partition 2 - This is the NTFS one
> Partition 3 - Fat16 ... The one I can't see

Are you sure? Seems to be a FAT32.

> Partition 4 - Fat 16 again ... The data volume that can be seen by NT (and
> supposedly 95)

Right. That one should be OK.

To fix this, you will have to reset those hidden partition types to the
normal ones, so you can get into the partitions.

It may be possible to do that from the NT disk administrator, but I'm not
sure exactly how to do it. Maybe somebody knows? Jump in, if you do.

Otherwise, you can do it with a disk sector editor (Resqdisk has a partition
table edit function, but it is not enabled in the evaluation version).

You want to change just 2 bytes in the partition table. At offset 1C2h,
change 16 to 06. At offset 1E2h change 1B to 0B. Then save the changes.

Now reboot from your WIN98 boot disk and you should see all of the
partitions. On the Win95 partition there are two copies of COMMAND.COM, one
in the root and one in the Windows directory. Use the McAfee EBD to sort out
which one of those is infected and replace it with the one that is clean. On
the DOS 6 partition you might want to scan with the EBD, as it's possibly
also infected.

When done with this, reverse the change you made to the MBR, then reboot and
test things out. (Don't boot from the HDD until you have changed the
partition types back to what they were).

If you need more detailed instructions for doing the sector editing, you can
email me.

Bob
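The partition-table reading that Bob and Zvi do by eye above, as an added example in Python (not code from the thread, and not part of ResQdisk): it packs the four rows of the posted F6 layout into a 512-byte MBR, decodes the CHS and LBA fields back the way a sector editor would show them, checks that CHS, LBA, the F5 geometry and the partition extents agree with one another (Zvi's "sum is scarily close to the drive total" and "PM overwrote the originals" worries become a sector sum and an overlap check), names the 16h and 1Bh types as hidden 06h and 0Bh under the type-OR-10h convention Bob describes, and computes the two byte patches at 1C2h and 1E2h. The geometry and table rows are copied from the snapshots in the thread; the MBR bytes built from them are an assumption, since the laptop's real sector is not on the page. The partition type names are the standard DOS/Windows IDs.

```python
import struct
from collections import namedtuple

SECTOR, TABLE_OFFSET, ENTRY_SIZE = 512, 0x1BE, 16
SIGNATURE = b"\x55\xAA"      # bytes 510..511 of a valid MBR
HIDDEN_FLAG = 0x10           # hiding convention from the thread: type ID ORed with 10h
TYPE_NAMES = {0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)"}

# CHS as (cyl, head, sec); lba_start/sectors = RESQDISK "Reserved"/"Total Sectors".
Entry = namedtuple("Entry", "index boot type_id start_chs end_chs lba_start sectors")

def type_offset(index):
    """Offset of an entry's type byte in the MBR: 1C2h, 1D2h, 1E2h, 1F2h."""
    return TABLE_OFFSET + index * ENTRY_SIZE + 4

def is_hidden(type_id):
    return bool(type_id & HIDDEN_FLAG) and (type_id & ~HIDDEN_FLAG) in TYPE_NAMES

def type_name(type_id):
    if is_hidden(type_id):
        return "hidden " + TYPE_NAMES[type_id & ~HIDDEN_FLAG]
    return TYPE_NAMES.get(type_id, "Unknown")

def encode_chs(cyl, head, sec):
    """On-disk 3 bytes: head; sector | high 2 bits of cylinder; low 8 bits of cylinder."""
    if not (0 <= cyl < 1024 and 0 <= head < 256 and 1 <= sec <= 63):
        raise ValueError(f"CHS {(cyl, head, sec)} not representable in an MBR entry")
    return bytes([head, ((cyl >> 8) & 0x03) << 6 | sec, cyl & 0xFF])

def decode_chs(raw):
    return (((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F)

def chs_to_lba(chs, heads, spt):
    cyl, head, sec = chs
    return (cyl * heads + head) * spt + (sec - 1)

def build_mbr(layout):
    """Construct an MBR from (boot, type, start_chs, end_chs, lba_start, sectors) rows."""
    mbr = bytearray(SECTOR)
    for i, (boot, type_id, start, end, lba, count) in enumerate(layout):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off] = 0x80 if boot else 0x00
        mbr[off + 1:off + 4] = encode_chs(*start)
        mbr[off + 4] = type_id
        mbr[off + 5:off + 8] = encode_chs(*end)
        struct.pack_into("<II", mbr, off + 8, lba, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)

def parse_mbr(mbr):
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte sector with a 55AA signature")
    entries = []
    for i in range(4):
        raw = mbr[TABLE_OFFSET + i * ENTRY_SIZE:TABLE_OFFSET + (i + 1) * ENTRY_SIZE]
        if raw[4]:                       # type 0 marks an empty slot
            lba, count = struct.unpack_from("<II", raw, 8)
            entries.append(Entry(i, raw[0] == 0x80, raw[4], decode_chs(raw[1:4]),
                                 decode_chs(raw[5:8]), lba, count))
    return entries

def check_consistency(entries, heads, spt, disk_sectors):
    """Empty list = CHS agrees with LBA, nothing runs past the disk, no overlaps."""
    problems = []
    for e in entries:
        last = e.lba_start + e.sectors - 1
        chs = (chs_to_lba(e.start_chs, heads, spt), chs_to_lba(e.end_chs, heads, spt))
        if chs != (e.lba_start, last):
            problems.append(f"entry {e.index}: CHS fields disagree with LBA fields")
        if last >= disk_sectors:
            problems.append(f"entry {e.index}: runs past end of disk")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_start + a.sectors > b.lba_start:
            problems.append(f"entries {a.index} and {b.index} overlap")
    return problems

def set_hidden(mbr, indices, hide):
    """Clear (hide=False) or set the 10h flag on the chosen entries; returns the patched
    sector and the (offset, old, new) bytes to type into a sector editor."""
    out, changes = bytearray(mbr), []
    for e in parse_mbr(mbr):
        if e.index in indices:
            new = e.type_id | HIDDEN_FLAG if hide else e.type_id & ~HIDDEN_FLAG
            if new != e.type_id:
                out[type_offset(e.index)] = new
                changes.append((type_offset(e.index), e.type_id, new))
    return bytes(out), changes

# Geometry and rows copied from the RESQDISK F5/F6 snapshots in the thread (BIOS-
# translated CHS: 128 heads, 993 cylinders, 63 sectors/track). The MBR bytes are
# constructed from them here; the laptop's real sector is not on the page.
HEADS, CYLS, SPT = 128, 993, 63
DISK_SECTORS = HEADS * CYLS * SPT            # 8007552, as in the F5 snapshot
THREAD_LAYOUT = [
    (False, 0x16, (0, 1, 1),   (12, 127, 63),  63,      104769),
    (True,  0x07, (13, 0, 1),  (317, 127, 63), 104832,  2459520),
    (False, 0x1B, (318, 0, 1), (622, 127, 63), 2564352, 2459520),
    (False, 0x05, (623, 0, 1), (991, 127, 63), 5023872, 2975616),
]
```

`set_hidden(build_mbr(THREAD_LAYOUT), [0, 2], hide=False)` returns the patched sector together with `[(0x1C2, 0x16, 0x06), (0x1E2, 0x1B, 0x0B)]`, which is exactly the two-byte edit Bob describes; calling it again on the result with `hide=True` gives the original sector back, which is his "reverse the change" step. `check_consistency` on the posted table returns an empty list, and the sum of the four entries is 7999425 of 8007552 sectors (one translated cylinder short of the disk end), so the table is internally consistent. Parse the patched sector before writing it, and keep a copy of the original MBR first so the edit can be undone.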

Robert Green

Mar 6, 2001, 9:47:29 AM

"Zvi Netiv" <z...@invircible.com> wrote in message
news:2E1E68476AB1CBB5.B6D16B58...@lp.airnews.net...

> Malcolm Murray <mal_murray@hotmail_NO_SPAM_.com> wrote:
> The "sentry" label, top left, indicates that you only extracted the RESQDISK
> program to floppy. Extract the whole RESQ.EXE archive to floppy as it also
> contains a free license template. Without it, the corrective routines of
> RESQDISK are disabled, and you will need them to recover the partitions.

My fault. He just did it per my instructions.

One of us is seriously misinterpreting this one. I take the 22 (16h) and 27
(1Bh) part types to be hiding by the NT boot manager.

Bob




S. Widlake

Mar 6, 2001, 10:17:49 AM
In article <3AA36427.197D5BAA@hotmail_NO_SPAM_.com>
Malcolm Murray <mal_murray@hotmail_NO_SPAM_.com> writes:

>Hi,

Heiya,

>I am helping a user clear up a Junkie infection on their laptop.

Oh dear...

... From what you write below, you should probably have left it
well alone...

>The laptop is a dual boot 95 / NT machine, with 3 partitions, one a
>NTFS, and the other two are Fat.

... Which would be fine... with an NTFS boot capability.

... And then it's backup time...

... The infected MBR, by an uninfected DOS diskette...

[ So that you can 'have another go' - if a failure
with whatever you try occurs. This is important;
but so seldom done <!> ;-]

... And the rest by; whatever... and checked with DOS.

>I ran the McAfee ERD, it cleaned the boot sector of the infection.
>However, the partition info for the partition that held Win95 seems
>to have become corrupted.

... This is what AVSW can - and sometimes does - do...

... But most probably not in this case.

... It was almost certainly squrewed, well, before you
even touched it.

>I'm not sure how this became corrupt - whether it was Junkie, a poor
>removal, or some other forces of nature.

Well, having removed Junkie without being certain says
a whole lot.

>Running the NT Disk administrator, it shows the three partitions,
>however the Win95 one is marked "Unknown". If I make it the active
>partition, and reboot, the Win95 splash screen comes up and then
>disappears, dumping the user back into dos.

Then it's damaged... but not by Junkie.

>Booting from a Win98 boot disk shows only the third partition, and
>not the 95 boot partition.

Then it's damaged... but not by Junkie.

>Is there a way of recovering this partition???

You're now into a data recovery situation; NOT a virus situation.

>Any help appreciated.

Doubt it.

I'd say they had already squrewed it for themselves...

>Malcolm.

... and either: carefully examined their things before
disinfection or run away as soon as they came along...

You're in a no win situation and 'shouldve'...

Guud luuk; you'll need it,

S.CHnappers ;-)
- ruleoneequalsdonoharmandyoushouldvenotedthatbut
-- -
.sig II - Found and Restored...

Zvi Netiv

Mar 6, 2001, 4:42:16 PM
"Robert Green" <rgr...@mindspring.com> wrote:

> "Zvi Netiv" <z...@invircible.com> wrote in message

> > > ******************** Partition Table Layout
> > > Partition     Starting          Ending         Reserved     Total
> > > Boot Type   Head Cyl. Sec.   Head Cyl. Sec.     Sectors   Sectors
> > >        22      1    0    1    127   12   63          63    104769
> > >  Yes    7      0   13    1    127  317   63      104832   2459520
> > >        27      0  318    1    127  622   63     2564352   2459520
> > >         5      0  623    1    127  991   63     5023872   2975616
> > > ******* Press Alt+B to see as boot sector, Alt+M to edit
> > > Disk 1, Master Partition Sector, F6 for Layout

> > The above table is a real mess. What it looks like is the work of Partition
> > Magic, possibly used in an attempt to recover the partitions. Also seems that
> > PM aborted before completing its "re partitioning" and left the drive in limbo.

> One of us is seriously misinterpreting this one. I take the 22 (16h) and 27
> (1Bh) part types to be hiding by the NT boot manager.

Your interpretation is definitely a possibility. The ^F4 test (search for
extended partitions) and ^F5 (search for existing FAT) should confirm it.

I would then expect that the first partition (the type 22 one) is set as the
active one.
