Virus (From WinPC) Trashed Hard Drives - HELP!

Discussion in 'Mac Pro' started by MacWynn, Jan 24, 2011.

  1. MacWynn macrumors newbie

    Joined:
    May 6, 2010
    #1
    Hello all....

    Well I have tried tons of things and now turn to the greater Interweb for help, although it maynot be a situation that can be helped. Through a series of "perfect storm" type situations where a network reconfiguration was underway leaving the wireless network open, and a rogue PC laptop I was "helping" a friend with, something VERY bad happened on our Mac network.

    LONG story short, the Vista laptop was infected with a nasty piece of malware, and unbeknownst to me the machine had previously (2 years ago) been on our network. When it booted I assumed it was isolated and it wasn't, and blah blah longer story truncated.... it....

    DELETED ALL DRIVES ON THE NETWORK THAT WEREN'T SYSTEM DISKS.

    ouch.

    So basically from what I can tell it reformatted (or more likely scrambled the file tables) these drives, and the best I have been able to do is get back a bunch of fairly useless files using Data Recovery 3. The files ar either junk or some JPG's and Quicktime movies, but far less than is needed.

    Last thing I have tried in the MANY Windows, Mac, and Linux tools I have tested with is testdisk by Christophe Grenier, and the error I am getting on the drive is as follows, and I am unsure what to do with this info.

    check_FAT: Unusual media descriptor (0xf0!=0xf8)
    Warning: Incorrect number of heads/cylinder 16 (FAT) != 1 (HD)
    Warning: Incorrect number of sectors per track 32 (FAT) != 1 (HD)
    EFI System 40 409639 409600 [EFI]
    Mac HFS 409640 2930014983 2929605344

    It's a 1.5tb drive, and if I could get just this one back it would be half the battle. It was an HFS+ Mac Extended Journaled drive, and I am running an advanced testdisk scan on another drive (3+ days in and still not done on a 2Tb drive! Ow) but if there is a way I can tell this drive it is what it is, and not what this malware said it was, I think all the data is still there. It simply doesn't habve the table in any kind of shape to undelete or rebuild it as far as my knowledge goes. Which has been greatly enhanced in the last week of dealing with this but far from "expert."

    If anyone has any solutions or suggestions I would absolutely love to hear from anyone who won't tell me I am stupid for having that system in our office to begin with. That much I already know, and I would fire myself if I could. ;)

    Thanks in advance for all helpful help.

    MacWynn
     
  2. gglockner macrumors 6502

    gglockner

    Joined:
    Nov 25, 2007
    Location:
    Bellevue, WA
    #2
    I'm going to take a guess here, but it's unlikely that a Windows machine could do anything to the partition table of a drive on a Mac that's shared via CIFS/SMB. However, it could certainly delete files.

    If you have backups, now is the time to use them. If not, your best option is to cry, then go to an expert in Mac HFS+ data recovery. Do not use the disks until you do, since any other activity on the disks could delete the very files you want to restore.
     
  3. MacWynn thread starter macrumors newbie

    Joined:
    May 6, 2010
    #3
    Thanks for the help

    Yes, I have tried many many options and nothing will give me anything back more than some images and even those are fairly useless without proper filenames, etc.

    As for the sharing, the drives were setup insecurely as it relates to proper settings overall. My bad for sure, but I thought my network was secure, and for the most part it was, with a major exception that caused everything else to fail security wise.

    Harsh lesson to learn, and I will from now on not do anything less than 110% security and sharing wise. It's not as much my fault as whoever wrote this thing and let it loose, but it might as well be.

    Thanks....

    P.S. The backups were hit too. From now on they go totally offline and get hooked up religiously once a week.


    MW
     
  4. goMac macrumors 603

    Joined:
    Apr 15, 2004
    #4
    Your drive is not a FAT formatted drive, it's HFS. Make sure you're using HFS compatible drive utilities.

    Also, you can't reformat or scramble file tables over the network. Network sharing protocols don't even have the capability to do this. Something seems very funny about this. It's possible that something else is going on that just happens to be a coincidence with your friends PC being on the network.
     
  5. Cindori macrumors 68040

    Cindori

    Joined:
    Jan 17, 2008
    Location:
    Sweden
    #5
    it's also unlikely for a windows virus to delete files on a hfs drive, because windows does not have hfs file system support.
     
  6. ActionableMango macrumors 604

    ActionableMango

    Joined:
    Sep 21, 2010
    #6
    Yes, something doesn't sound right about this.

    What is the malware called? Maybe a better understanding of what happened can be reached if you look it up.
     

Share This Page