Format And Still Infected! Please Help


12 replies to this topic

#1 7ser

7ser

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 06 November 2007 - 12:40 PM

There are three computers in the house all behind a Linksys firewall and ZA suites for software firewall/antivirus. Infection came from one of the PCs and has spread through all of them. The original infected PC was formatted 3 times, two times with Military format on a floppy (I suppose that floppy is infected as well now?). The other PCs have been formatted once (long method).

I have an HP XW6200 workstation, and I noticed there is an 8MB partition for the HP DOS OS? Could this be infected?


How do I clean these PCs completely? Thanks in advance, it is greatly appreciated.

Edited by 7ser, 06 November 2007 - 01:47 PM.



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 54,818 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:17 AM

Posted 06 November 2007 - 01:07 PM

Well...cleaning the PCs is only one step. After they are cleaned with some assurance, they need to be protected by safe computing practices which seem to have been missing thus far.

If I had an infected system, I would use online scanning as the tool of choice, assuming that the system boots and connects to the Internet. The key is to use programs that are reliable and current.

http://www.google.com/search?hl=en&q=o...can+for+malware

If the system doesn't boot, then I would remove the hard drive from each infected system...and connect same to a known protected system and then run a reliable, current AV program and probably 2 reliable malware-detection/removal programs (e.g., Windows Defender and AVG Antispyware).

Related background material: http://www.wikihow.com/Thwart-Malware-and-...Internet-Safely

I guess that I'm wondering what "military format" is and why it took 3 times to be unsuccessful. No XP CD?

Louis

#3 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan, USA
  • Local time:03:17 AM

Posted 06 November 2007 - 03:08 PM

If by "military format" you mean an overwriting of the hard drive by a program such as KILLDISK, then I don't see how an infection can survive that.

It is possible that the infection is coming from some software or data that is being reinstalled, or is still spreading through your network.

EDIT:

I just reread your post.

and I noticed there is an 8MB partition for the HP DOS OS


Well for the military format to work, the entire hard drive has to be overwritten. All partitions have to be deleted, or merged into one. Then you usually have to repartition the drive using DOS Fdisk. I have included some generic instructions below:

You can run Killdisk to delete everything including any infections. This is a free program and can be downloaded HERE. Put the program on a floppy disk or a CD. Boot the computer from the disk and run the program at least once.

Then run a DOS disk, such as a Windows 98 start up disk, when the computer boots to DOS, type "C:" (without the quotes), push ENTER. Then type "fdisk" (without the quotes), push ENTER, then just push ENTER at each selection that you are prompted to make (in other words, just accept all defaults). You can download what you need HERE.

Then reboot with your XP CD in the cd drive and reinstall Windows, being sure to choose "Full Format" instead of quick format when prompted.

Be careful about reinstalling your data as it may contain a virus or other malware.

Edited by Albert Frankenstein, 06 November 2007 - 03:13 PM.

ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#4 7ser

7ser
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 06 November 2007 - 03:46 PM

Regarding the HP partition, isn't that the blue screen stuff, and DOS? I don't think that is formattable. This is a new system within 3 mo. and this partition was not set up by me, but by HP. Let's say I can get that part of the drive formatted, isn't that needed? What is that HP partition containing?

#5 CTH_Tom

CTH_Tom

  • Members
  • 295 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 06 November 2007 - 03:48 PM

I would just replace all 3 hard drives in each of the 3 computers.

#6 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:17 AM

Posted 06 November 2007 - 03:53 PM

Regarding the HP partition, isn't that the blue screen stuff, and DOS? I don't think that is formattable. This is a new system within 3 mo. and this partition was not set up by me, but by HP. Let's say I can get that part of the drive formatted, isn't that needed? What is that HP partition containing?

I would think that would be the HP recovery partition
http://www.pctechbytes.com/hp-recovery.htm
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#7 7ser

7ser
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 06 November 2007 - 03:56 PM

Can a virus/worm infect the recovery partition?

#8 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan, USA
  • Local time:03:17 AM

Posted 06 November 2007 - 04:23 PM

A recovery partition is certainly going to be larger than 8 MB.

Often computers manufactured by the major companies end up with extra partitions that are small, like you are describing. If you wish to delete the infection by overwriting the drive, then you have to delete the partition and overwrite the entire drive. It is that simple.

I do this multiple times every day.

But of course, the choice is yours. If you do not delete the partition, then it is not possible to delete the entire drive, and if you have a boot sector virus it will survive.

Of course, before doing any of this you need to have your 'ducks in a row'. You must prepare properly. If applicable, you must first burn your recovery CDs. Save your data. Make sure you have your programs and drivers ready to reinstall, etc. Then you will be ready to scrub the computer as I described.

Edited by Albert Frankenstein, 06 November 2007 - 04:25 PM.

ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!
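
Added example, not part of any post in this thread: a read-only check for the point made above, that formatting one partition leaves the boot sector and any small vendor partition untouched, while a whole-drive overwrite leaves nothing. It parses the MBR partition table of a raw disk stream and lists every sector that is not all zeros; the sample image, its partition type bytes and the names `audit_wipe` and `build_sample` are constructed for illustration.

```python
import io
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return the primary partition entries of an MBR, or [] if it is unsigned."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        # 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count
        _status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype and count:
            parts.append({"type": ptype, "start": start, "size_mb": count * SECTOR / 2**20})
    return parts

def audit_wipe(disk):
    """Read a raw disk stream; return (MBR partitions, LBAs that are not all zero)."""
    disk.seek(0)
    parts = parse_mbr(disk.read(SECTOR))
    disk.seek(0)
    dirty, lba = [], 0
    while buf := disk.read(SECTOR):
        if any(buf):
            dirty.append(lba)
        lba += 1
    return parts, dirty

def build_sample(total=32768):
    """Constructed 16 MiB image: main partition zeroed, MBR and small partition untouched."""
    img = bytearray(total * SECTOR)
    img[0:8] = b"BOOTCODE"  # stand-in for boot code in sector 0
    img[446:462] = struct.pack("<B3xB3xII", 0x00, 0x04, 63, 16384)  # constructed 8 MiB entry
    img[462:478] = struct.pack("<B3xB3xII", 0x80, 0x07, 16447, total - 16447)
    img[510:512] = b"\x55\xaa"
    img[63 * SECTOR:63 * SECTOR + 8] = b"LEFTOVER"  # data left in the small partition
    return img

def audit_image(img):
    return audit_wipe(io.BytesIO(bytes(img)))

if __name__ == "__main__":
    parts, dirty = audit_image(build_sample())
    for p in parts:
        print(f"type 0x{p['type']:02x} start LBA {p['start']} size {p['size_mb']:.1f} MiB")
    print("non-zero sectors after partition-only format:", dirty)
    print("after whole-disk overwrite:", audit_image(bytes(32768 * SECTOR)))
```

On a real machine `audit_wipe` would be given the raw device or an image of it opened read-only in binary mode, from a boot environment that is not the disk being checked.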


#9 7ser

7ser
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 06 November 2007 - 04:51 PM

Ok, that all makes sense.

Two questions:

The Killdisk you recommended only writes one pass of zeros across, I was told one pass of zeros still leaves you vulnerable for the virus resurrecting itself?

Do I need to flash the BIOS?

#10 acklan

acklan

    Bleepin' cat's meow


  • Members
  • 8,529 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Baton Rouge, La.
  • Local time:01:17 AM

Posted 06 November 2007 - 05:30 PM

The Killdisk you recommended only writes one pass of zeros across, I was told one pass of zeros still leaves you vulnerable for the virus resurrecting itself?

Hmm.. I do not think that would be possible. By overwriting the data you would change the coding of any viruses that were on the drive. It does not take but changing a few characters to render a program useless and overwriting the drive would change far more than just a few characters in the program(s).
One pass is more than enough to render any malware useless.

Do I need to flash the BIOS?

Unless you are having a hardware issue or have received instruction from tech support to do so it would be better to leave the BIOS alone. One mistake with the BIOS and you end up with a huge door stop.
"2007 & 2008 Windows Shell/User Award"

#11 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:17 AM

Posted 06 November 2007 - 05:32 PM

A recovery partition is certainly going to be larger than 8 MB.

Often computers manufactured by the major companies end up with extra partitions that are small, like you are describing. If you wish to delete the infection by overwriting the drive, then you have to delete the partition and overwrite the entire drive. It is that simple.

I do this multiple times every day.

But of course, the choice is yours. If you do not delete the partition, then it is not possible to delete the entire drive, and if you have a boot sector virus it will survive.

Of course, before doing any of this you need to have your 'ducks in a row'. You must prepare properly. If applicable, you must first burn your recovery CDs. Save your data. Make sure you have your programs and drivers ready to reinstall, etc. Then you will be ready to scrub the computer as I described.

Could this be why?
http://www.engadget.com/2005/08/03/hp-settles-hidden-partition-suit/
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#12 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan, USA
  • Local time:03:17 AM

Posted 06 November 2007 - 05:43 PM

Could this be why?

Don't know, but it is an interesting read. Lawsuits are nothing new to large computer manufacturers.

HP (and others) do not include recovery disks mainly to save money. It never ceases to amaze me how the customer can cry ignorance about this, and win in court. Read the manual. It is all in there, ya know? That being said, I think it would be best for the customer for the major manufacturers to include disks, I mean we are probably talking about a dollar or two at the most in terms of cost for them, not to mention that the customer would end up with a little larger usable space on their hard drives.

BTW, the free KILLDISK can only do one pass. You must purchase the program if you wish to run more passes, such as 7 for the 'military format'. What that will do for you is make all data unrecoverable. One pass will render all malware dead, but theoretically data can still be recovered if someone is motivated enough. Even after 7 passes the CIA can recover data at the atomic level. Amazing.
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#13 acklan

acklan

    Bleepin' cat's meow


  • Members
  • 8,529 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Baton Rouge, La.
  • Local time:01:17 AM

Posted 06 November 2007 - 06:49 PM

The ultimate Wipe is a Gutmann Wipe. That would be 38 passes. Only the "Black helicopter paranoid" bunch require such a wipe.
Look into Darik's Nuke and Boot if you feel you need more than a Quick Wipe (A single pass) to clean your drive.
I still believe a single pass will be more than enough. IMO
"2007 & 2008 Windows Shell/User Award"



