Drive problem

KenK

Suddenly I can't open any of the directories in my external backup drive
with my Total Commander file manager. Other drives work normally. In My
Computer the directories open but are empty!

The only file in the root is OK.

Guesses?

TIA
 
Paul

KenK said:
Suddenly I can't open any of the directories in my external backup drive
with my Total Commander file manager. Other drives work normally. In My
Computer the directories open but are empty!

The only file in the root is OK.

Guesses?

TIA

Viewed from TestDisk ?

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

There is a capability in there, once you navigate the
weird interface, to list files on a partition.

http://www.cgsecurity.org/mw/images/List_files.gif

Do *not* accept the new MBR and write it back. That
function is only for cases, where you know what the
disk configuration is, you know there is a definite
problem, you've reviewed the new computed MBR and it
makes sense. For example, when I used it, TestDisk
computed a new MBR and partition table, and did not
notice that the computed partitions overlapped (a no-no).

But that utility is just fine for a quick look, such as
this job.

If you're in a panic, and don't know what key to press,
the key combination <control-C> will exit the program.

*******

You can also review the partition, using a Linux LiveCD.

The reason that is recommended, is Linux does not respect
permissions on the FAT32 or NTFS partitions, so any file
present, will be visible.

The only time you have to watch it, when using Linux,
is if opening perhaps a Windows 7 or Windows 8 System
Volume Information folder. If you make changes in there
from Linux, the system might not boot.

If you know how, it would be safer to mount read only, such as

sudo mount -t ntfs -o ro /dev/sda1 /media/WINXP

When run in read-only mode, that would reduce the chances
of causing damage, if you were working on a Windows 7 or 8 partition.
There is more to setting up than that, and I'm only pointing out
the existence of a "-o ro" capability, for making a mount
read-only.

So, from Linux, again, you can verify the files are there.

*******

Some malware can hide files on a system, by changing things like
the hidden bit. The "unhide.exe" by Grinler, can make some guesses
as to what should be hidden, and what should not be hidden,
and undo what a malware might have done.

http://www.bleepingcomputer.com/for...-a-introduction-as-to-what-this-program-does/

That's not a "hammer". But if you have evidence that just the
hidden bit is set on all the files (by using some other
means to list the folder), then that is an option.

At this point, you're more in the discovery phase.

Is my partition completely ruined ? Did I lose the MFT ?
Was the MFT overwritten ? Did someone reformat my partition on me ?
There are data recovery tools, scavengers you can use, in that
case.

If, on the other hand, TestDisk, or having a look with Linux, shows
the files are all there, then it could just be a "hidden" bit problem
of some sort.

*******

Scavenger programs are not magic. If the files are fragmented,
a scavenger can't bolt them together again. You can try this
one, which scans for file headers it recognizes. But the
files would likely arrive in poor shape, if copied to another
disk this way. (I tested this on an image file, and it worked fine,
but then, the file was not fragmented. I deleted the file, and this
was able to recover it. A pretty easy test case, and not really
a good test.)

http://www.cgsecurity.org/wiki/PhotoRec

The other freebie, for NTFS, is DriveRescue. This site used to have it,
but this site is gone.

http://www.pricelesswarehome.org/WoundedMoon/win32/driverescue19d.html

You can try here, no guarantees.

http://web.archive.org/web/20070101070056/http://www.woundedmoon.org/win32/driverescue19d.html

driverescue19d.zip 1,007,764 bytes
MD5SUM = 63b7e1e8b1701593d5f52c7927d01558

You don't want to do in-place repairs on a dodgy disk, without
some kind of backup of the sectors. So running CHKDSK, would
not be my first priority. First you need to understand a little
better, just what broke. And files magically hiding themselves,
that sounds like malware, rather than the $MFT up and disappearing.

Any utility, that copies the data from the damaged partition, to
another disk, stands a better chance of not making things worse.

HTH,
Paul
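
Why fragmentation defeats a header-scanning scavenger, shown as an added example that is not part of Paul's post and is not PhotoRec's code: a simplified header/footer carver run over a constructed in-memory disk image. The cluster size, file contents and on-disk layout are all assumptions made up for the demonstration.

```python
CLUSTER = 512                                  # assumed cluster size for the demo
SOI, EOI = b"\xff\xd8\xff\xe0", b"\xff\xd9"    # JPEG start / end markers


def make_file(seed, clusters):
    """Constructed stand-in for a JPEG: real markers, filler bytes below 0xFF."""
    body_len = clusters * CLUSTER - len(SOI) - len(EOI)
    return SOI + bytes((seed + i) % 200 for i in range(body_len)) + EOI


FILE_A = make_file(1, 2)             # stored contiguously
FILE_B = make_file(7, 3)             # stored in two fragments
FOREIGN = b"\x11" * CLUSTER          # a cluster that belongs to some other file


def build_image():
    """Lay the files out the way a fragmented volume might hold them."""
    return (bytes(CLUSTER)           # unused cluster
            + FILE_A                 # clusters 1-2, contiguous
            + FILE_B[:CLUSTER]       # first fragment of B
            + FOREIGN                # unrelated data in between
            + FILE_B[CLUSTER:])      # rest of B


def carve(image):
    """Scan cluster boundaries for a header, then copy up to the next footer.

    No file-system metadata is consulted, so the carver cannot know that
    the bytes between header and footer belong to more than one file.
    """
    found, pos = [], 0
    while pos < len(image):
        if not image.startswith(SOI, pos):
            pos += CLUSTER
            continue
        end = image.find(EOI, pos)
        if end == -1:
            break
        end += len(EOI)
        found.append(image[pos:end])
        pos = end + (-end % CLUSTER)  # resume at the next cluster boundary
    return found


if __name__ == "__main__":
    for original, carved in zip((FILE_A, FILE_B), carve(build_image())):
        status = "intact" if carved == original else "corrupted"
        print(f"{len(original)} bytes stored, {len(carved)} carved: {status}")
```

The contiguous file comes back byte for byte, while the fragmented one is returned with the foreign cluster spliced into the middle of it.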
 
VanguardLH

KenK said:
Suddenly I can't open any of the directories in my external backup drive
with my Total Commander file manager. Other drives work normally. In My
Computer the directories open but are empty!

The only file in the root is OK.

Guesses?

TIA

In a command shell, can you use the 'cd' command to navigate into the
folder and then use the 'attrib' command to see the attributes on all
files and subfolders? The 'dir' might not work if the files were
marked with the hidden attribute. Some malware will do this,
especially ransomware. First they wander through every folder they
find on every drive. Then they set the hidden attribute on the files.
Most then encrypt the files (other than the OS files since they want
you to run the OS to run their ransomware) so you can no longer access
them even if you remove the easily changed hidden file attribute. You
then have to pay them the ransom for them to give you the decrypt key
to regain access to your files.

If you can see the files using the 'attrib' command then you'll have
to remove the hidden attribute from those files.

<drive:>
cd \
attrib * /s

That should work to remove the hidden attrib from the current or
default folder and all subfolders for all files within them. First
check if it is the hidden attribute that is hiding all the files you
expect to be there. If not, the malware may be more pernicious in
installing a driver that masks out the files from the file table or
inserting a handler in the file I/O stack to intercept system API calls
to those paths to pretend there is nothing there. This more intrusive
malware leaves something behind. The ransomware that I mentioned
above might not be on your host anymore. Once it sets the hidden
attribute on the files (and for the worse ones also encrypts them)
then that malware doesn't need to be on your host anymore. It did its
damage so it can remove itself.

What file system is used on the USB-attached external hard disk?
FAT32 or NTFS? If NTFS, the problem could be with permissions.

Since you call it a backup drive, what backup program are you using to
deposit the backup files to that external drive?
 
VanguardLH

VanguardLH said:
<drive:>
cd \
attrib * /s

Make that:

attrib * /s /d

so folders are processed as well as files (if needing to unhide the
files and folders is the cause of your problem).
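
A triage pass over saved `attrib * /s /d` output, as an added example that is not part of the thread: run without `+h` or `-h`, `attrib` only lists attributes, so the listing can be reviewed before anything on the drive is changed. The sample listing, the 0.5 threshold and the function names are assumptions made for this example.

```python
import re

# Constructed `attrib * /s /d` listing; the paths are invented for illustration.
SAMPLE = r"""
A            K:\backup.bkf
     H       K:\Archive
A    H       K:\Archive\2013-01.bkf
A    H       K:\Archive\2013-02.bkf
     H       K:\Photos
A    H       K:\Photos\img001.jpg
   SH        K:\System Volume Information
A  SHR       K:\System Volume Information\tracking.log
"""

# Attribute letters first, then the full path starting at the drive letter.
LINE = re.compile(r"^\s*([A-Z ]*?)\s*([A-Za-z]:\\.*)$")


def parse_attrib(text):
    """Return (flags, path) pairs, where flags is a set of attribute letters."""
    entries = []
    for raw in text.splitlines():
        match = LINE.match(raw.rstrip())
        if match:
            entries.append((set(match.group(1).replace(" ", "")), match.group(2)))
    return entries


def triage(entries, threshold=0.5):
    """Separate OS-style hidden entries (S+H) from hidden user data (H only)."""
    os_hidden = [p for flags, p in entries if {"S", "H"} <= flags]
    user_hidden = [p for flags, p in entries if "H" in flags and "S" not in flags]
    user_total = sum(1 for flags, _ in entries if "S" not in flags)
    ratio = len(user_hidden) / user_total if user_total else 0.0
    return {"os_hidden": os_hidden, "user_hidden": user_hidden,
            "ratio": ratio, "bulk_hidden": ratio >= threshold}


def unhide_commands(report):
    """Build `attrib -h` lines for H-only entries; S+H entries are left alone."""
    return [f'attrib -h "{path}"' for path in report["user_hidden"]]


if __name__ == "__main__":
    report = triage(parse_attrib(SAMPLE))
    print(f"{len(report['user_hidden'])} hidden user entries, "
          f"{len(report['os_hidden'])} system+hidden entries, "
          f"bulk change suspected: {report['bulk_hidden']}")
    print("\n".join(unhide_commands(report)))
```

Entries carrying both S and H, such as System Volume Information, are normally set that way by the OS, so they are reported separately and excluded from the generated commands.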
 
RJK

Or, for a possible easy option :) ...but, has to be paid for :-(
.... Steve Gibson's SpinRite 6
There must be some very clever algorithms/repair scripts in it - I've booted
machines that presented black screen / vanished partitions, in the past and,
it brought 'em back to life every time.
https://www.grc.com/intro.htm

regards, Richard
 
KenK

I was shutting down and didn't have time to do any checking yesterday.

This morning drive running fine. All directories work normally. Ran
chkdsk /f and it found no problems.

Will try Spinrite later

<sigh>

???

TIA
 
KenK

VanguardLH said:
In a command shell, can you use the 'cd' command to navigate into the
folder and then use the 'attrib' command to see the attributes on all
files and subfolders? The 'dir' might not work if the files were
marked with the hidden attribute. Some malware will do this,
especially ransomware. First they wander through every folder they
find on every drive. Then they set the hidden attribute on the files.
Most then encrypt the files (other than the OS files since they want
you to run the OS to run their ransomware) so you can no longer access
them even if you remove the easily changed hidden file attribute. You
then have to pay them the ransom for them to give you the decrypt key
to regain access to your files.

If you can see the files using the 'attrib' command then you'll have
to remove the hidden attribute from those files.

<drive:>
cd \
attrib * /s

That should work to remove the hidden attrib from the current or
default folder and all subfolders for all files within them. First
check if it is the hidden attribute that is hiding all the files you
expect to be there. If not, the malware may be more pernicious in
installing a driver that masks out the files from the file table or
inserting a handler in the file I/O stack to intercept system API calls
to those paths to pretend there is nothing there. This more intrusive
malware leaves something behind. The ransomware that I mentioned
above might not be on your host anymore. Once it sets the hidden
attribute on the files (and for the worse ones also encrypts them)
then that malware doesn't need to be on your host anymore. It did its
damage so it can remove itself.

Ran Kaspersky Security update and drive scan this morning as always.
Nothing found.

I was shutting down and didn't have time to do any checking yesterday.

This morning drive running fine. All directories work normally. Ran
chkdsk /f and it found no problems.

Will try Spinrite later

<sigh>

???

What file system is used on the USB-attached external hard disk?
FAT32 or NTFS? If NTFS, the problem could be with permissions.

NTFS

Since you call it a backup drive, what backup program are you using to
deposit the backup files to that external drive?

NTbackup. Actually, I do the backup to a second internal drive and copy
the backup file to K, the drive I'm having the problem with.
 
VanguardLH

KenK said:
Ran Kaspersky Security update and drive scan this morning as always.
Nothing found.

I was shutting down and didn't have time to do any checking yesterday.

This morning drive running fine. All directories work normally. Ran
chkdsk /f and it found no problems.

Will try Spinrite later

Neither an anti-malware scanner nor disk checker will alert on file
attributes, like files having the hidden file attribute enabled. They
wouldn't know if you, malware, a tweaker, security software, or
something else set the hidden file attribute. The OS itself sets that
attribute on some files. As I mentioned, once the malware is done
setting the hidden file attribute (and optionally encrypting files) it is
no longer needed and can delete itself. It only had to get loaded
into memory in order to run and once done the loader is superfluous
and a hazard to the malware author because it could be detected later.

Malware (ransomware) that sets the hidden file attribute and possibly
encrypts the files is only one possibility. Another touched on by
other respondents is that your drive may be going bad. Something that
was not mentioned, and because this is an external drive (but you
didn't say how it is connected to your computer), is that the drive
was not logically connected at the time. If it is a USB-attached
external drive, did you check the statuses of devices listed in the
Safely Remove USB hardware wizard (a tray icon when there are
connected devices)? If it isn't connected then you cannot see it.

While you said "suddenly", that doesn't tell us if the external drive
was working for a long time and then stopped working or if you just
started using this external drive. If you just recently took a hard
disk and put it into an external enclosure or bought an external drive
(you never gave any hardware specifics), it could be the logic in the
interface for that external case is not working reliably. I've had
USB drive cases from Vantec that worked very well. I've had them from
Rosewill that not only were flaky in operation (the device kept
cycling between connect and disconnect states) but also ruined the
hard disk so it could no longer be physically accessed. If the USB
drive case doesn't have its own external power supply (and it's
working okay since sometimes its converter goes bad) then the drive
has to suck power out of the USB port. There is only 2.5W of power
(0.5A x 5V) available at one USB port, which is why some external USB drives
have a Y split at the non-drive end of the USB cable to plug into 2
USB ports at the computer because 2.5W might not be enough power to
spin up the drive (startup surge current is higher than operational
current draw). If you're not connecting to a powered computer USB
port then you need to use a powered USB hub and not a passive one for
a non-selfpowered USB external drive case. Specifics of your hardware
for the external drive and to where you are connecting it were never
revealed.
 
KenK

VanguardLH said:
Neither an anti-malware scanner nor disk checker will alert on file
attributes, like files having the hidden file attribute enabled. They
wouldn't know if you, malware, a tweaker, security software, or
something else set the hidden file attribute. The OS itself sets that
attribute on some files. As I mentioned, once the malware is done
setting the hidden file attribute (and optionally encrypting files) it is
no longer needed and can delete itself. It only had to get loaded
into memory in order to run and once done the loader is superfluous
and a hazard to the malware author because it could be detected later.

Seems unlikely since drive works today having made no repairs to it or my
system.

Malware (ransomware) that sets the hidden file attribute and possibly
encrypts the files is only one possibility. Another touched on by
other respondents is that your drive may be going bad.

Only used a few months.

Something that
was not mentioned, and because this is an external drive (but you
didn't say how it is connected to your computer), is that the drive
was not logically connected at the time. If it is a USB-attached
external drive,

Yes, USB adaptor - IDE, like system internal drives.

did you check the statuses of devices listed in the
Safely Remove USB hardware wizard (a tray icon when there are
connected devices)? If it isn't connected then you cannot see it.

As I said, it is now working normally.

While you said "suddenly", that doesn't tell us if the external drive
was working for a long time and then stopped working or if you just
started using this external drive.

Used for several months. No previous problems. Fastest drive in the system.
According to my records installed 12/9/12.

If you just recently took a hard
disk and put it into an external enclosure or bought an external drive
(you never gave any hardware specifics), it could be the logic in the
interface for that external case is not working reliably.

Possibly. Adaptor purchased from Cyberguys. However, worked fine for months
previously.

I've had
USB drive cases from Vantec that worked very well.

This is a Vantec.

I've had them from
Rosewill that not only were flaky in operation (the device kept
cycling between connect and disconnect states) but also ruined the
hard disk so it could no longer be physically accessed. If the USB
drive case doesn't have its own external power supply (and it's
working okay since sometimes its converter goes bad) then the drive
has to suck power out of the USB port. There is only 2.5W of power
(0.5A x 5V) available at one USB port, which is why some external USB drives
have a Y split at the non-drive end of the USB cable to plug into 2
USB ports at the computer because 2.5W might not be enough power to
spin up the drive (startup surge current is higher than operational
current draw). If you're not connecting to a powered computer USB
port then you need to use a powered USB hub

Yes. That's what I'm using.
 
