PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From: Donald DeWitt <[log in to unmask]>
Reply To: Personal Computer Hardware discussion List <[log in to unmask]>
Date: Tue, 10 Aug 2010 13:43:18 -0400
Hello everyone



Thanks for all of your suggestions, I read up on all the information I could
find on MBR infections and decided to give it a try.



First thing I did was to remove the Slave Drive (Drive 1) in preparation for
deleting and replacing the MBR files. I put the Windows XP CD in the tray
and after several attempts the computer finally started to read it. It took
several more attempts to get to the repair section. (I would say it took me
about two days trying to accomplish getting this far due to the almost
complete take-over of my computer). Following all the instructions, I chose
the “r” command to set in motion the repair procedure and then I was asked
to type in my password. I never had a password on this computer. Needless to
say I couldn’t proceed any further. Somehow I managed to get into the
Control Panel and disabled everything that looked like passwords; however, I
never was able to get the computer to read the CD again.



Went out and purchased a new hard drive (a SATA), installed it, reinstalled
the OS and most of the programs including AVG, Superantispyware and
Megabytes anti malware. On the third day into the new hard drive everything
was running as normal and after running numerous scans, I reinstalled the
Slave Drive (a SATA).



After booting up, I noticed in the My Computer window, the Slave Drive was
not listed. Also going into Disk Management, Disk #1 (my slave drive) was
not there. I performed a hard drive diagnostic test and Drive 0 and Drive 1
both passed. Took the drive out and replaced it with a slave from another
computer and it was recognized immediately. This doesn’t look good. All my
files are on that drive. It was in perfect operating condition before the
infection took over.



What are my options now? Can I bring the drive back to life or is it a lost
cause?



Don


On Wed, Aug 4, 2010 at 11:35 AM, John Sproule <[log in to unmask]> wrote:

> As has been suggested a reformat of the drive may be sufficient to
> overwrite the virus, I don't know; however, I would feel confident that
> using a utility to write zeroes to the drive will give you a clean slate to
> work with.  My first choice would be to see if the manufacturer of your
> drive has a diagnostic disk available that includes this capacity to zero
> out the drive.  If by chance they don't, my second choice would be a program
> for erasing hard drives more generally, such as Darik's Boot and Nuke.
> While this program includes some rather sophisticated routines for making
> multiple passes of writing random data to your drive, all you need is a
> single pass of some simple routine (such as writing zero to every sector).
> A word of caution, if you have more than one drive installed and you don't
> want to lose data on one of these drives, disconnect the one that you are
> not going to erase.  This way you don't need to worry about erasing the
> wrong drive.
>
> With regard to your question about whether your secondary drive might also
> be infected, I would think that the same programs that successfully detected
> the infection on your main drive would also be capable of finding a similar
> infection on your secondary drive.
>
> I assume that this second drive is not a bootable drive; so, I would think
> it unlikely that it also has a boot sector virus.
>
> For what it may be worth (since people have already mentioned many
> different antivirus scanners to use) I'll add one more antivirus scanner,
> Hitman Pro 3.5.  This is an online scanner that bills itself as a second
> opinion scanner.  It doesn't do a complete scan of your data, but it
> selectively submits what it thinks might be likely candidates to multiple
> virus scanners.  It impressed me, when it picked up on a rootkit that was
> repeatedly re-installing malware that other scanners had attempted to
> remove.  I don't think that I used Hitman Pro to remove the rootkit.  I
> think I just used it to identify the culprit and did some sort of manual
> removal of it.  Sorry, it's been long enough ago that I don't recall those
> details.
>
> John Sproule
>
> -------- Synopsis of the Original Message Below ---------
>
> Date:    Tue, 3 Aug 2010 15:02:07 -0400
>
> From:    Donald DeWitt <[log in to unmask]>
> Subject: Re: Computer infection
>
> You discovered that your hard drive was infected with the Whistler Bootkit,
> but were unsuccessful removing it using MBRCheck.exe.  You asked if it was
> possible to remove this virus from the hard drive, short of tossing it and
> replacing it with a new hard drive.  You wondered whether your secondary
> drive might be infected, as well.