PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

From: Donald DeWitt <[log in to unmask]>
Reply To: Personal Computer Hardware discussion List <[log in to unmask]>
Date: Thu, 12 Aug 2010 15:10:55 -0400

Hello everyone,



Following your advice, I downloaded TestDisk, DataRecovery. With this
program I was able to restore the backup partition boot sector on my
disabled slave drive. This is a true miracle program. After a reboot, the
missing drive magically appeared on the My Computer page and also is listed
in the computer management section.



After I exited from the TestDisk program, I rebooted into safe mode and ran
several scans on both drives, C: and F: with three different scanning
programs. All results came back normal.



Thanks to everyone on PCBuild, I have learned more about my computer in the
past two weeks than I have in the last five years. I not only got my files
back, I also regained the use of my drive.



Many thanks to everyone who took the time to offer your much needed advice;
it is sincerely valued, also to PCBuild for operating such an outstanding
web site.


On Wed, Aug 11, 2010 at 3:27 AM, Kenneth Whyman SC <[log in to unmask]> wrote:

> One tool I use a bunch to salvage data from a hard drive is a little
> adapter kit I bought from Fry's Electronics a few years back. It lets me
> convert just about any hard disk to USB 2.0. Saves me the trouble of
> opening a case every time I need to connect a drive in temporarily. It
> might be worth it to try one out. I spent about $30 for my kit, so they
> aren't very expensive. There's also good software out there for raw
> reading the drive in case the partition table or file allocation tables
> are all scrambled up. They take time to do their thing, but I have
> salvaged some fairly damaged hard disks with tools like that. Hiren's
> Boot CD has several of those tools on board. Be sure to scan anything
> you recover, just for safety's sake. :)
>
> -------- Original Message --------
> Subject: Re: [PCBUILD] Computer infection
> From: Donald DeWitt <[log in to unmask]>
> Date: Tue, August 10, 2010 10:43 am
> To: [log in to unmask]
>
> Hello everyone
>
>
>
> Thanks for all of your suggestions, I read up on all the information I
> could find on MBR infections and decided to give it a try.
>
> First thing I did was to remove the Slave Drive (Drive 1) in preparation
> for deleting and replacing the MBR files. I put the Windows XP CD in the
> tray and after several attempts the computer finally started to read it.
> It took several more attempts to get to the repair section. (I would say
> it took me about two days trying to accomplish getting this far due to
> the almost complete take-over of my computer). Following all the
> instructions, I chose the “r” command to set in motion the repair
> procedure and then I was asked to type in my password. I never had a
> password on this computer. Needless to say I couldn’t proceed any
> further. Somehow I managed to get into the Control Panel and disabled
> everything that looked like passwords however I never was able to get
> the computer to read the CD again.
>
> Went out and purchased a new hard drive (a SATA), installed it,
> reinstalled the OS and most of the programs including AVG,
> Superantispyware and Megabytes anti malware. On the third day into the
> new hard drive everything was running as normal and after running
> numerous scans, I reinstalled the Slave Drive (a SATA).
>
> After booting up, I noticed in the My Computer window, the Slave Drive
> was not listed. Also going into Disk Management, Disk #1 (my slave
> drive) was not there. I performed a hard drive diagnostic test and
> Drive 0 and Drive 1 both passed. Took the drive out and replaced it with
> a slave from another computer and it was recognized immediately. This
> doesn’t look good. All my files are on that drive. It was in perfect
> operating condition before the infection took over.
>
> What are my options now? Can I bring the drive back to life or is it a
> lost cause?
>
>
>
> Don
>
>
> On Wed, Aug 4, 2010 at 11:35 AM, John Sproule <[log in to unmask]> wrote:
>
> > As has been suggested a reformat of the drive may be sufficient to
> > overwrite the virus, I don't know; however, I would feel confident that
> > using a utility to write zeroes to the drive will give you a clean slate
> > to work with. My first choice would be to see if the manufacturer of
> > your drive has a diagnostic disk available that includes this capacity
> > to zero out the drive. If by chance they don't, my second choice would
> > be a program for erasing hard drives more generally, such as Darik's
> > Boot and Nuke. While this program includes some rather sophisticated
> > routines for making multiple passes of writing random data to your
> > drive, all you need is a single pass of some simple routine (such as
> > writing zero to every sector). A word of caution, if you have more than
> > one drive installed and you don't want to lose data on one of these
> > drives, disconnect the one that you are not going to erase. This way
> > you don't need to worry about erasing the wrong drive.
> >
> > With regard to your question about whether your secondary drive might
> > also be infected, I would think that the same programs that
> > successfully detected the infection on your main drive would also be
> > capable of finding a similar infection on your secondary drive.
> >
> > I assume that this second drive is not a bootable drive; so, I would
> > think it unlikely that it also has a boot sector virus.
> >
> > For what it may be worth (since people have already mentioned many
> > different antivirus scanners to use) I'll add one more antivirus scanner,
> > Hitman Pro 3.5. This is an online scanner that bills itself as a second
> > opinion scanner. It doesn't do a complete scan of your data, but it
> > selectively submits what it thinks might be likely candidates to multiple
> > virus scanners. It impressed me, when it picked up on a root kit that was
> > repeatedly re-installing malware that other scanners had attempted to
> > remove. I don't think that I used Hitman Pro to remove the rootkit. I
> > think I just used it to identify the culprit and did some sort of manual
> > removal of it. Sorry, it's been long enough ago that I don't recall those
> > details.
> >
> > John Sproule
> >
> > -------- Synopsis of the Original Message Below ---------
> >
> > Date: Tue, 3 Aug 2010 15:02:07 -0400
> >
> > From: Donald DeWitt <[log in to unmask]>
> > Subject: Re: Computer infection
> >
> > You discovered that your hard drive was infected with the Whistler
> > Bootkit, but were unsuccessful removing it using MBRCheck.exe. You asked
> > if it was possible to remove this virus from the hard drive, short of
> > tossing it and replacing it with a new hard drive. You wondered whether
> > your secondary drive might be infected, as well.
> >
> >
> > Visit our website regularly for FAQs,
> > articles, how-to's, tech tips and much more
> > http://freepctech.com
> >
>
>  PCBUILD's List Owners:
>  Bob Wright<[log in to unmask]>
>  Mark Rode<[log in to unmask]>
>

            Do you want to signoff PCBUILD or just change to
                    Digest mode - visit our web site:
                   http://freepctech.com/pcbuild.shtml
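
The repair described in the top message relies on a partition keeping a second copy of its boot sector. As an added example (not part of the original thread and not TestDisk's code), this read-only check parses the MBR partition table of a disk image and compares each partition's boot sector with its backup. It assumes an NTFS volume, which the thread does not state; the function names and the small sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # bytes per sector (assumed)

def parse_mbr(mbr):
    """Return (type, start_lba, sector_count) for each used MBR partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i                      # partition table starts at byte 446
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts

def looks_like_ntfs_boot(sector):
    """An NTFS boot sector carries the OEM ID 'NTFS    ' and ends in 0x55AA."""
    return (len(sector) == SECTOR and sector[3:11] == b"NTFS    "
            and sector[510:] == b"\x55\xaa")

def audit(image):
    """Compare each type-0x07 partition's boot sector with the copy in its last sector."""
    report = []
    for ptype, start, count in parse_mbr(image[:SECTOR]):
        if ptype != 0x07:
            continue
        # Assumption: NTFS, which keeps its backup boot sector in the last sector.
        last = start + count - 1
        primary = image[start * SECTOR:(start + 1) * SECTOR]
        backup = image[last * SECTOR:(last + 1) * SECTOR]
        report.append({"start_lba": start,
                       "primary_valid": looks_like_ntfs_boot(primary),
                       "backup_valid": looks_like_ntfs_boot(backup),
                       "identical": primary == backup})
    return report

def build_sample_image(damage_primary=False):
    """Constructed 64-sector image: one type-0x07 partition at LBA 8, 32 sectors long."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x00, 0x07, 8, 32)
    img[510:512] = b"\x55\xaa"
    boot = b"\xeb\x52\x90NTFS    ".ljust(510, b"\x00") + b"\x55\xaa"
    img[39 * SECTOR:40 * SECTOR] = boot         # backup copy in the partition's last sector
    img[8 * SECTOR:9 * SECTOR] = bytes(SECTOR) if damage_primary else boot
    return bytes(img)

if __name__ == "__main__":
    print(audit(build_sample_image(damage_primary=True)))
```

A result with `primary_valid` false and `backup_valid` true is the situation in which copying the backup over the primary can make the volume visible again; run such checks against an image of the drive rather than the drive itself.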
