
Rescue disk scan erases data on raid 1

I ran the kav_rescue_10 disk with default settings, nothing was found. I then ran a full disk scan of C: drive. After 8 hours, nothing was found, but when I rebooted, the disk data was mostly gone. Windows XP, SP3 with a RAID 1 using intel matrix storage. First it said no NTLDR, so I recovered that using repair mode from the windows install CD, but then I discovered most of the data on the drive was missing. All the data is basically lost. Fortunately this was not my main system and I had a backup copy on a third disk.

 

The rescue disk scan feature will corrupt a Windows RAID 1 setup (ich10r chipset).


I had a virus that came in through spam email. Kaspersky 2011 detected the virus but did not remove (delete) the offending email, so I manually deleted it.

Kaspersky then reported the virus to be in my Recycle Bin, so I emptied the Recycle Bin. However, Kaspersky still reported the virus as being in my Recycle Bin.

I finally decided to run the Rescue Disk in hopes that Kaspersky would finally remove it for good. The Rescue Disk program ran for about 8 hours on my Win7 x64 RAID1 C: and reported no viruses found.

I then tried to reboot, but the Rescue Disk (Linux) shutdown process hung at umounting file systems with the hard drive light almost solid on.

After about 30 minutes I decided that Rescue Disk was helplessly hung and I forced a power cycle.

Upon attempting to reboot, the Windows boot loader reported C: as damaged. Successive attempts to repair did not succeed.

Bottom line: I lost all of my data since my last backup, not due to a virus but rather the program that was to protect me from viruses.

I have a full backup about 3 months old and will have to try to recover from that image.

Very disappointed with Kaspersky at this point.


Yes, but you forced a power cycle on a RAID array volume. Which by itself is NEVER a good idea.

Edited by Whizard


Sorry you experienced partition corruption.

Anyhow, have you tried rebuilding the mirror array from the second drive via your RAID controller's firmware during the boot sequence? It may be possible to do so and avoid resorting to the 3 month old backup image if it boots from the restored files that way.

Once this is done (if it works) I am sure the virus bods on here will help you banish the flagged virus file once and for all.

Edited by antikythera


Having experienced this trashing of my RAID array more than once when attempting to use the KIS Rescue Disk, I will never use it again.

 

Having said that, and agreeing with what Whizard said is true about it never being a good idea to force a power cycle on a RAID array... but what is one to do after you leave the machine on for 24 hours and it still doesn't do anything but be hung with the hard drive light on continuously... I have rebuilt my RAID array successfully before as antikythera suggests from the hard drive that still shows as good after the array indicates one of the drives has failed.

 

So his suggestion is really worth a try!!

 

I used to get non-virus related hangs from time to time that eventually I discovered were caused by my humungous InfoSelect files being open the same time as numerous IE7 tabs, and I even changed one of the hard drives a couple of times, before discovering that you really CAN rebuild the array from the 'good' drive and it is not that the other drive has really "failed" in the physical sense the message makes you believe... it is just the data is no longer identical due to the forced power cycle and abnormal shutdown process.

 


I'm using Kaspersky Rescue Disk v10.0.23.29. I've used it on my XP machine many times without problem.

 

I used it on a Vista machine. Ran the scan. No malware found.

 

I exited Kasp and I then selected "Restart Computer", at which point linux began to shut down, and the hard drive began grinding a little bit too much. However, after a few minutes, the machine rebooted, at which point I was presented with the lovely "BOOTMGR is missing" error.

 

Further investigation determined that while the partitions were still in place, almost every single damn file and folder on the hard drive was deleted, with the sole exception of the "System Volume Information" directories in each partition and the MountPointManagerRemoteDatabase files within those directories.

 

Unexpected and disappointing, to say the least.

 

Can anyone tell me what happened?

 


I just wanted to add that the reason this thread appears disjointed is because the moderator merged three separate threads into one.

 

In my first post above, which was initially the start of a different thread, I didn't realize that the problem with data loss was due to the RescueDisk's interaction with the RAID.

 

I still need help in how to recover the RAID, if that is possible.

 


I was using your Kaspersky 10 (fully updated) rescue disk to do a routine scan of my XP SP3 system and several attached drives for viruses etc. The scan was interrupted (at around 30% I believe) and the system restarted and now the computer will not reboot into Windows. "NTLDR is missing" is the error.

I know this is a very serious error (many times not recoverable...) and as recovering access to this computer is CRITICALLY important, I am hoping to get some input from anyone who may have experienced this same issue for the same reason before doing anything.

When Googling this error, I see two basic ways to attempt to fix the problem (one where you copy a new NTLDR onto your system and one where you try to repair a corrupted NTLDR).

I am afraid that in this case it might make a difference which one I use and whatever I do I don't want to make the problem worse.

 

If anyone can advise me re: recovering NTLDR and my system following a Kaspersky Rescue Disk 10 abort, I would be most appreciative. Thanks.

 

DB.

 


I understand boot sector virus removal can cause problems for operating systems located on a RAID drive and leave the system un-bootable.

 

Does anyone know if that could be true of the Kaspersky 10 Rescue Disk?


I'm in the process of attempting to recover from a RAID 1 config that was wiped out by the Kasp Rescue Disk. When I'm done, or have exhausted all options, I'll report back to this group. It may take a couple days.


Holy crap, I recovered my data! I was able to grab it off the second drive in the RAID1 config.

 

Once I get my machine fully restored, I'll come back here and relay all the details.

 

 


I had the same issue and duplicated it to be 100% sure. The kav rescue discs that use linux instead of the older bartpe setup destroy the partitions of vista and windows 7 systems. I tested this on a raid 1 with vista and it wiped everything. I also tested it again and was able to duplicate the issue. The first time it boots fine and within the kav disc it sees all the data fine. After reboot you get the dreaded non boot disc. Not even the windows OS sees anything on the disc even though the numbers on the disc show that there is some data in it. My take on this is that kaspersky is using a buggy ntfs driver module. Completely f~ed up from kav to release this crap like that. Should have left it using bartpe.

 

edit: expletive obtunded.

Edited by richbuff


Ran Rescue Disk 10 in an Intel RAID 1 array. Dell Optiplex 960. No virus on disk before the scan started. Killed data on disk 0 and damaged disk 1. Only salvation I found was remove disk 0, boot from Win7 DVD and repair disk1 (took 5 reboots.. have faith) finally got disk 1 running with all data, then rebuilt disk0 from disk 1. Had a customer bring the same issue to me, but he had tried to fix it himself, so I dismissed the problem. This time I did the scan and recovery. 5 hours of my time wasted by this. A Warning would have been REAL nice. THIS PROGRAM IS RAID UNFRIENDLY!!

Edited by ZedFour


The current beta build 10.0.26.10 is an improvement. The bug I reported below about RAID has been resolved. Please take a backup before you try using it though. I cannot guarantee it is fixed for everyone but it certainly behaves on my Nforce 430 onboard RAID setup now.

 

BUG 101720 confirmed as fixed in build 10.0.26.6 - RAID 0/1 contents destroyed on dismounting when using rescue disc from USB thumbdrive

 

http://forum.kaspersky.com/index.php?showt...t&p=1585979


Hello.

Same thing, but I have a single disk for Win7 and a RAID 1 (intel matrix storage) for data.

The partition on the RAID is empty and some data is missing on the boot one.

 

@ ZedFour

Did you use Windows "Startup Repair", right? Do you think it's useful on a data disk as well? Did it require 5 reboots or you had to try 5 times? Thx.

 

@Faustie

How did it end? If successfully, could you please post a step-by-step procedure? Thx.


I recovered my data.

I'm going to tell the short story and then the long one.

Short:

I unplugged the two RAID disks. One had data gone. I attached the other on a different PC as non-boot device. I executed a chkdsk -f (maybe I should use a -x as well). Done! Data restored. Then I rebuilt the RAID.

Long:

I unplugged the two RAID disks. One had data gone. I attached the other on a different PC as non-boot device. I bought a third hard disk. With "EASEUS Disk Copy" (it's free) I did a copy sector-by-sector; this gave me the ability to have more than one try. Then I used "GetDataBack": my data still there so I saved the most important things. Then I executed a chkdsk -f (maybe I should use a -x as well). Data restored. Then I rebuilt the RAID.

I've been a Kaspersky Antivirus supporter for many years.... I can't believe a mess like this !!!


I do not know if I should have started a new topic or not- sorry if so, but this seemed like a good place to jump in.

 

Not just RAID- a few months ago, after running a scan and asked to exit, I sat and watched as the screen changed to filenames scrolling rapidly by. This did not look very well, and when it was over, the machine would not boot. "Bad or missing NTLDR". Examining the drive via another machine, I discovered that yes, all the data was gone. I was reluctant to use this tool again, but tried it on a retired machine. Worked fine. And again on several others. I then misplaced the disk.

 

So today I decided to download and run it on another one, but while installing it I noticed at a certain point the display looked really odd, a band of smeared colors at the top of the screen. Instinct said stop, but I ran it anyway. This is a machine the owner had given up as hopelessly infected and ready for a reinstall, so I figured, go for it. It detected and deleted a few things.. when it was done, I exited the program, and instead of the usual dismounting process, I once again saw those colors and it hung. Uh-oh. And after that, the machine now bluescreens at any type of boot. I yanked the drive and fortunately all the data is still there, but I am a little curious and concerned about what looked like a promising repair tool now seems to be a bigger threat than what I was actually looking for. I am concerned about ever using it again. BTW, one machine was an Asus, the other a Dell- both XP Pro, fairly standard 2 - 3 yr. old hardware

Edited by palealien


Forgot to toggle the notification box- sorry! But I'd like to know if I will be able to trust 10 again, or what extenuating circumstances have caused this. I do not plan to use the rescue disk until some sort of explanation comes forth.

Edited by palealien


I ran into this problem on a Dell XPS 400 with SATA RAID 1 (Intel Matrix Controller) running XP Media Center Edition, and here is how I was able to recover.

 

1. Removed both drives.

2. Mounted drive 0 in an external USB enclosure and booted into GPartEd (available on Ultimate Boot CD and elsewhere).

3. Tried to view disk contents to no avail.

4. Mounted drive 2 in an external USB enclosure and booted into GPartEd.

5. Viewed disk and verified contents were visible.

6. Used Partition Image tool to back up partitions (optional step).

7. Connected drive 2 back to SATA connector (port 0 this time) and verified I could boot to Windows.

8. Mounted drive 0 in an external USB enclosure and used one of the GPartEd tools to erase MBR and related data (without doing this the array controller insisted on trying to boot from this, the corrupt drive when both drives were attached).

9. Connected drive 0 back to SATA port 2.

10. Booted to Windows and used Intel Array Console to rebuild array.

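An added example, not part of any post in this thread: a read-only check of two RAID 1 member images, taken sector-by-sector as one poster describes, that shows which member still has an MBR and an NTFS boot sector and where the mirrors diverge. It assumes each member is readable as a plain MBR disk, as the posts above report; the function names, file names and sample images are constructed for illustration.

```python
import os, struct, tempfile
SECTOR = 512

def inspect_member(path):
    """Read-only check of one raw member image: MBR signature, NTFS boot sectors."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
        report = {"mbr_signature": mbr[510:512] == b"\x55\xaa", "partitions": []}
        if not report["mbr_signature"]:
            return report
        for i in range(4):  # four primary partition entries start at offset 446
            ptype = mbr[446 + 16 * i + 4]
            lba, count = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
            if ptype == 0 or count == 0:
                continue
            f.seek(lba * SECTOR)
            boot = f.read(SECTOR)  # NTFS keeps its OEM ID at offset 3
            report["partitions"].append({"index": i, "type": ptype, "start_lba": lba,
                                         "ntfs_boot_sector": boot[3:11] == b"NTFS    "})
    return report

def diverging_chunks(path_a, path_b, chunk=1 << 20):
    """Offsets at which two mirror members differ (a healthy RAID 1 returns [])."""
    diffs, offset = [], 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ca, cb = a.read(chunk), b.read(chunk)
            if not ca and not cb:
                return diffs
            if ca != cb:
                diffs.append(offset)
            offset += chunk

def make_sample_image(path, intact):
    """Constructed test data: 64 KiB disk with one type-0x07 partition at LBA 63."""
    img = bytearray(128 * SECTOR)
    img[446:462] = struct.pack("<8BII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 65)
    img[510:512] = b"\x55\xaa"
    if intact:  # the damaged sample keeps its MBR but has a zeroed boot sector
        img[63 * SECTOR + 3:63 * SECTOR + 11] = b"NTFS    "
    with open(path, "wb") as f:
        f.write(img)

def demo():
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "member_a.img"), os.path.join(d, "member_b.img")
    make_sample_image(good, True)
    make_sample_image(bad, False)
    return inspect_member(good), inspect_member(bad), diverging_chunks(good, bad, SECTOR)
```

Calling `demo()` returns the two reports and the list of diverging offsets for the constructed images; on real images, run it against copies rather than the original drives.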

Very similar issue as "Too Bad", but slightly faster recovery.

After running Kaspersky Rescue Disk 10, I was not able to boot due to NTLDR missing.

 

1. Unplugged Drive 0

2. Boot successful with just drive 2 / Port 2.

3. Unplug Drive 2 and plug in Drive 0.

4. Boot with UBCD4Win and Run GParted (or PartedMagic, can't remember which)

5. delete Partition info

6. Plug both drives in and reboot to windows.

7. Intel Matrix Storage console rebuilds array.

8. Smile and have a beer.

 

Thanks for the help.

Hope this helps someone else.

 


What would really help someone else is if Kaspersky fixed the issue. Three years of being broken and not being fixed is not acceptable! How many people, who aren't knowledgeable enough to recover, have had their systems destroyed by something called Rescue?

Edited by glennr


I have to confirm this annoying problem. Very sorry since I only had good experiences with KAV so far. I first ran into the problem on an XW4400 workstation scanning just the SSD system disk. The data intel raid (1) broke (one disk offline and one disk un-membered itself) and I didn't realize it was KAV. I also had to check an XW8600 that then had both its Intel data raids (1) in Offline status!

 

The first problem was solved by:

1. Connecting the offline member to the former other disk's port. This brought back the disk as a member and the data in W7.

2. Cleared the other one and after reconnecting the original ports it rebuilt everything as expected.

The second time I decided to:

1. Shut down and boot up into the RAID's BIOS with 2 disks connected to the other member's port.

2. Shut down and boot up into the RAID's BIOS with all members' ports now cross wired. All came online, the RAIDs marked degraded.

3. Shut down and boot up with the original wiring. Everything was online again and booting into W7 the RAIDs went into rebuild state again.

 

Something in the OS (Linux distro?) startup of KAV rescue 10 definitely screws up the info for the Intel Raid controller. I decided to leave this message for people to not panic like I would have in the early years. Usually after software's glitch and the panic I'd have to find myself to be the one who'd lost ALL the data. So: don't panic! YES, the KAV disk can be the cause but your (software) RAIDs can be saved.


I had the same thing happen when I recently ran the BitDefender Rescue CD on a Dell Studio XPS 8100. It erased the first raid array that pointed to a different partition where the Windows boot files are. Kaspersky is not the only one with a problem.
