LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Laptop and Netbook (http://www.linuxquestions.org/questions/linux-laptop-and-netbook-25/)
-   -   Corrupt Partition / MBR Virus / Windows deleted Linux partition? (http://www.linuxquestions.org/questions/linux-laptop-and-netbook-25/corrupt-partition-mbr-virus-windows-deleted-linux-partition-4175454618/)

irish_confetti 03-19-2013 12:08 AM

Corrupt Partition / MBR Virus / Windows deleted Linux partition?
 
I recently ran into something I have never seen before on a friend's machine for whom I am doing a favor. Years ago I installed Ubuntu to dual boot alongside the pre-existing Windows 7 install. The disk looked something like this beforehand (I copied the data into a small spreadsheet) (sector size = 512 bytes):
Code:

Device                Boot        start                end                sectors                id        tpye               
/dev/sda1                63                29366819        29366757        27        unknown       
/dev/sda2        *        29366820        29575664        208845                7        HPFS/NTFS
/dev/sda3                29575665        488395119        458819455        7        HPFS/NTFS
/dev/sda4                0                0                0                        empty

and after I got through with it:
Code:

Device                Boot        start                end                sectors                id        tpye
/dev/sda1                63                29366819        29366757        27        unknown
/dev/sda2        *        29366820        29575664        208845                7        HPFS/NTFS
/dev/sda3                29575665        252814904        223239240        7        HPFS/NTFS
/dev/sda4                252814966        488392064        235577099        5        Extended
/dev/sda5                252814968        485243324        232428357        83        Linux
/dev/sda6                485243388        488392064        3148677                82        Linux / swap

I basically wanted a swap partition, and with only one parition available to me I created 2 logical partitions to accomplish this, thus sda5 and sda6. I'm not certian that was wise in retrospect, but it was years ago, Ubuntu booted and worked fine ever since. I don't recall exactly how I had set up grub. I think I had added a menu item to the Windows boot loader to chain-load grub, and grub in turn loaded Ubuntu, and I had grub in a small .img file in the windows partition root directory sitting alongside the file describing the added menu option to load ubuntu...but my memory is fuzzy right now at 1am if that sounds crazy. I do not recall why Windows claimed sda1, 2, and 3 but I do recall all were in use and I could do nothing about it. One of them was a recovery partition, one perhaps had some utilities, and the largest, sda3 had the installation.

A few days ago I'm told that Windows was showing signs of degredation in performance, and suddenly, Ubuntu could not boot. When I try to boot Ubuntu, grub complains: "no such partition" and drops me into the grub shell. I'm almost 100% confident no updated were applied by Ubuntu recently; whatever happened, happened while using Windows, was caused by a Windows update, or some malware in Windows. But which? But I digress...

The partitions table now looks very odd:
Code:

Disk /dev/sda: 30401 cylinders, 255 heads, 63 sectors/track
Units = sectors of 512 bytes, counting from 0
Device                Boot        start                end                sectors                id        tpye                        Label
/dev/sda1        *        51                50                0                0        empty       
/dev/sda2                63                29366819        29366757        27        Hidden NTFS WinRE        PQSERVICE
/dev/sda3        *        29366820        29575664        208845                7        HPFS/NTFS/exFA                SYSTEM.RESERVED
/dev/sda4                29575665        252814904        223239240        7        HPFS/NTFS/exFAT                Acer

The logical partitions are gone and all the partitions seem to have been shifted in so far as labels are concerned. I have an old copy of the first 63 sectors that I copied with dd for safekeeping (both before and after I mucked with it years ago). GParted shows the same; but also highlighted for me that while it does not even list sda1, sda2, 3 & 4 occupy about 14Gib, 101.98Mib, and 112.33Gib respectively, leaving 112.33Gib unallocated at the end of the disk. I suspect the Ubuntu and swap partition and all files are still there for salvage if I play my cards right.

Anyone ever seen this? Any suggestions for a course of action before I potentially wreck this partition table? What might cause logical partitions to vanish and the other partitions to shif?

I'm tempted to just overwrite with my backup of the MBR and first 63 sectors. Although I just read up a little on extended partitions and I didn't know they're stored in the first sector before the partition they describe, so I don't have a backup copy of the 2 logical partitions, but presumably they still exist and if they don't am I hosed?

Thank you all in advance.

kbp 03-19-2013 07:25 PM

You should probably take a new copy of the boot sector as backup .. then maybe you could try testdisk and see if it can repair the partition table.

EDDY1 03-20-2013 11:51 PM

First of all was wins 7 the original Os or was it an upgrade from winsxp/vista to wins7?
Was this a Wubi install?
I myself would assume that it was originally winsxp, because of the PQ Service partition.
The PQ Service partition & System Reserved partitions are common on Acer Machines. What I find odd about your system is that the MBR is listed as it's own partition. Not only that but starting at 51 & ending at 50.
It seems to me someone started a factory restore.
I say this because Ive done a factory restore on the Acer which is in my signature & I'm presently responding to this post on.
Anyway as long as the that I was restoring to had data on it, it wouldn't complete the transaction.
I would say that you need to fix wins MBR.


All times are GMT -5. The time now is 08:39 PM.