Solved

Files disappeared from flash memory ... virus behaviour

Posted on 2011-02-11
14
564 Views
Last Modified: 2012-05-11
Dear Experts,

I have a flash memory with more than 1.3 GB of data. suddenly all files on the flash memory have disappeared!! I display hidden and system files but no files appeared.
 Files in the flash memory
I checked the size of the data on the flash memory and it shows as below:
 Data size on flash
This problem happened with me in before by a virus and files was recovered by running the following command:
 
attrib -r -s -h H: /s /d

Open in new window


This time it is not working with me, it seemed the virus gets stronger and it is not detected and it's effect is not recovered.
I also tried to recover the files using Files Recovery programs, but does not work. The OS dealing with these files as existing files, but can't display them!! I think something wrong with the FAT table.

please any help in this issue.

Regards,
Anas
0
Comment
Question by:ashunnag
  • 5
  • 5
  • 2
  • +1
14 Comments
 
LVL 17

Expert Comment

by:houssam_ballout
ID: 34873953
DID you try it on another computer?
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 34874034
Try data recovery tools.

GetDataBack http://www.runtime.org/data-recovery-software.htm

Free to try.  If it sees the files you pay for the full functions.  

But do this on a machine that does not have viruses.
0
 
LVL 6

Author Comment

by:ashunnag
ID: 34874998
@houssam: yes I tried them on other PCs, but looks like FAT table corrupted on the desk.

@dbrunton: tried this but looks like recovering old deleted files not the one existing on it. the problem is that it is recognizing these files as deleted files, it recognise them as existing files but can't view them.

any help?
0
 
LVL 17

Expert Comment

by:houssam_ballout
ID: 34875010
so, the full version I think will let you view them...
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 34875673
So try Recuva http://www.piriform.com/recuva/download and see what it can do.
0
 
LVL 6

Author Comment

by:ashunnag
ID: 34877250
No luck still the same.
did anyone know how I can read the content of FAT table?
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 34878529
You could try TestDisk.

TestDisk http://www.cgsecurity.org/wiki/TestDisk

Tutorial http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

But if GetDataBack and Recuva aren't seeing anything you have serious problems.  Also look at Photorec http://www.cgsecurity.org/wiki/PhotoRec
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 11

Expert Comment

by:ocanada_techguy
ID: 34880028
What does it look like under Disk Management?
0
 
LVL 6

Author Comment

by:ashunnag
ID: 34881423
It looks as I have more sophisticated problem. I can't format the flash mem. now :(
0
 
LVL 47

Accepted Solution

by:
dbrunton earned 250 total points
ID: 34881458
That seems like faulty memory.  But if you could format it then you'd wipe out anything that was there.
0
 
LVL 6

Author Comment

by:ashunnag
ID: 34881465
yes I am thinking to format it then use data recovery tool to get as much of data back. but looks like wouldn't be formated.
How I can format it? in windows it says "Format can't be completed"
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 34881472
Formatting will only make the problem worse.

Two methods

http://www.ehow.com/how_2006214_format-flash-drive.html
http://www.quickonlinetips.com/archives/2005/08/fix-format-usb-flash-drives/

But if you've tried and are getting that error the disk is bad.
0
 
LVL 11

Assisted Solution

by:ocanada_techguy
ocanada_techguy earned 250 total points
ID: 34884045
This could also be if the flash stick had encryption.  Depending on the OS version(s) used with it, you ought to have been prompted to "save" the encryption key when set-up.  After that, on that box it works seamlessly... but... try to mess with it on a box that does not have the encryption key and it seems like the stick is much smaller or non-existant as the area with the content is completely hidden.  It really sounds like that is your problem.  Do you recall at all anything about this stick offering to password protect back when you first used it?

With hard disk, failing to do the "safely remove" before unplugging can result in corruption, and while flash sticks are somewhat less vulnerable, sometimes a machine could have a badly written driver that does too much caching fail to write out to the drive without a "safe to remove" triggering it.  Normally Windows is supposed to detect whether the drive is removable and then adjust the behaviour accordingly, but XP is infamous for defaulting to caching for performance as default whereas Vista/7 default to optimized for safe removal.

You are correct that it's not out of the question that a malicious virus could try to corrupt a flash drive.  How many different machines have you connected it to, and have you checked all those machines to see if they have active up-to-date anti-virus and scanned with it?
0
 
LVL 6

Author Comment

by:ashunnag
ID: 34887045
looks like the flash memory is corrupted ... anyway, thanks all for assistance.

Regards,
Anas
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Ok I have been working on this for some time having learned and gained certification in XenDesktop 4 along came version 5 which was released last month. Since then I have been working to deploy XenDesktop 5 in a small environment with only 2 virt…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now