Re: something messed up my partition table. Can I get it back?
Spongebob wrote:
>
> I've been have a large amount of problems recently, and my system is
> rapidly degrading. I'd like to try an save my data.
>
> I have a dual-boot windows/linux machine. Windows and linux share the same
> drive. (I'm trying to change that right now. I hope it isn't too late.)
> Something very bad happened to windows. I think it may be some sort of
> virus or malicious coding. It could be a hardware problem too.
>
> The partition problems began after I added a drive, partitioned it, and
> then formatted it in windows. After rebooting, the boot loader (grub)
> bombed with a message about the wrong type (Error 27 I think). Using a
> rescue disk to get me back into linux, I found that the partition table of
> my first drive was altered. Everything was the same except that the type
> for the linux root partition was set to 0x93 instead of 0x83. I hadn't done
> anything to this drive. I thought that maybe I made an error somewhere, so
> I went into cfdisk and changed the type back to 0x83. Reboot. Everything's
> fine.
>
> Now I reboot again and go into windows to make sure that works correctly.
> Everything okay. Reboot. Grub doesn't work again. Use the rescue disk to
> get into linux again. Look at the partitioning. The linux partition has
> been set to 0x93 again. But also, 2 adjoining windows partitions have been
> merged. I used to have hda5 & hda6 as vfats. Now I have a primary hda2
> instead that's the size of those two partitions together. My swap partition
> is also changed to 0x92.
>
> Is there a backup copy of the partition table stored somewhere? It seems
> there should be one. If so, how do I restore it?
>
> Also, is this a familiar problem? The linux partition was changed to 0x93
> twice in a row. That doesn't seem to be random. Especially taken together
> with the swap file being altered to 0x92. In both, the upper nibble has
> been incremented. The other altered/merged partition (which used to be 2
> vfats) has become 0x1f. 0x93 is Aoemeba filesystem type according to
> cfdisk1, 0xf1 isn't defined, and 0x92 isn't defined either.
>
> The linux and swap partitions were hidden from windows by grub. The others
> were windows partitions.
>
> Does this sound like a virus? Or a bad controller or disk? Virus scanning
> hasn't turned up anything other than that the partition table has been
> changed.
It sounds a lot more like those partitions are getting "hidden", even
though doing that makes no sense at all for Linux partitions. Here's
what I mean:
Most boot managers (including Grub) and partition managers will hide a
partition by setting bit 5 of the partition type byte to 1. So your type
83h Linux partition would become 93h, and your swap would go from 82h to
92h. Also, your extended partition (hda2) would go from 0Fh to 1Fh,
which would make it no longer appear as an extended partition to Linux
or Windows - which would explain why your 2 logical partitions (hda5,
hda6) appeared to merge into one partition.
There's no need to "hide" Linux partitions. Windows will not see them
regardless of whether you hide them or not. You must be doing this in
Grub, so I'd take a look at your Grub config file at
/boot/grub/menu.lst.
Tom
Reply to: