
Virus/Trojan; computer unbootable, no C:


53 replies to this topic

#1 RayN81


Posted 30 May 2011 - 02:36 AM

Hi

I appreciate this may not be the right forum to post this thread, but I have been referred here by JSntgRvr, one of your moderators in the Malware forums. He believes it may be more of a software issue.

Basically, I picked up a trojan somewhere. I cannot remember the name, but it started with 'A' and I'm tempted to believe it is Alureon. McAfee picked it up, tried to remove it but failed. Shortly after, icons started disappearing off my Win 7 desktop and I got an error message saying that there is a problem with my IDE/SATA drivers and that I had to reboot. I initially thought this was the symptoms of the Windows Recovery virus, but now I'm thinking it's the same trojan.

My pc froze, so I had no choice but to reboot, only to find that my PC is now not bootable. The PC seems to refuse to recognise my hard drive.

I have tried the following, but to no avail:
- I booted from the Windows 7 installation disk to try a repair, but there are no drives detected (ie - no C:), so I can neither repair nor start a fresh installation.
- While in the windows installation, I tried loading drivers from my Motherboard installation disk (nvstor32) and even updated win 7 drivers from the internet, but my HD still refuses to show up.
- I checked my BIOS and saw that my HD is detected but my Primary IDE master and slave are disabled.
- I plugged my HD into a USB adapter and connected it into my laptop and my brother's computer. It recognises that a USB HD has been plugged in but the drive does not show in My Computer. When I right clicked My Computer and selected 'Manage', the drive appears under Disk Management, but shows up as invalid.

I ran some diagnostic tests on my hard disks suggested by JSntgRvr, but the tests were clear - my hard disk was fine, so it's more of the drivers.

Most of the fixes I have read require you to be able to see your C:.

My preference is before nuking my drive or getting a new one is to salvage what I can as I have some documents I worked on the day before my computer died that I hadn't backed up yet.

I'm at a loss right now and would appreciate any help.

Thank you in advance.



#2 AustrAlien


Posted 30 May 2011 - 02:49 AM

Link to previous topic in MRL forum:
http://www.bleepingcomputer.com/forums/topic398948.html/page__view__findpost__p__2269317
AustrAlien
Google is my friend. Make Google your friend too.


#3 AustrAlien


Posted 30 May 2011 - 02:53 AM

My preference is before nuking my drive or getting a new one is to salvage what I can as I have some documents I worked the day before my computer died that hadn't backed up yet.

You have xPUD on a bootable CD: Use it to copy your data to USB flashdrive or external HDD in preparation to nuke the HDD.

Edit to add >>>

Wipe the hard drive clean: You should then be able to install Windows without a problem.

When you have retrieved all the data that you need and are ready to wipe the WHOLE hard drive clean ....

Boot with the xPUD CD. At the xPUD Desktop, click on Menu > Terminal Emulator (and mouse-click in the terminal window that opens, if necessary), and at the prompt, type in the following command exactly as shown (paying attention to the spaces) and then press the <ENTER> key:

dd if=/dev/zero of=/dev/sda bs=4k conv=notrunc

This command will overwrite the drive with zeroes, and return your hard drive to "as new" condition.

Apart from your hard drive light showing "busy", there will be no indication of anything happening until finished, when you will see output on the terminal screen as follows ...
dd: writing '/dev/sda': No space left on device
followed by some other information.

I have tested on a 2.1GB hard drive and found it to take 17.4 minutes to complete. So, be patient: The time it takes to complete will depend very much on the size of your hard drive. You may wish to leave it run over-night.
(My guess for a 2TB HDD on your system >>> 12 HOURS)

When finished, go to Home > Power Off, and shut down xPUD and the computer, removing the xPUD CD.

Boot to your Windows installation DVD, create a partition on which you wish to install the operating system, format it, and install Windows. Success?

Edited by AustrAlien, 30 May 2011 - 06:20 AM.

AustrAlien
Google is my friend. Make Google your friend too.
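
As an added example (not part of the original post), the zero-fill described above can be rehearsed and verified on an image file instead of a real disk. The function names and the sample image are constructed for illustration; `count=` is an assumption needed because a regular file, unlike /dev/sda, has no end for dd to run into.

```shell
#!/bin/sh
# Added example: rehearse the zero-fill on an image file and verify it.
# Function names and the sample image are constructed; no real disk is touched.

target_size() {            # size of the target in bytes
    wc -c < "$1" | tr -d ' '
}

# Overwrite the target with zeroes in 4 KiB blocks, as in the post.
# conv=notrunc keeps a file's length; count= stops dd at the end of the file,
# where a real device would end with "No space left on device".
zero_fill() {
    size=$(target_size "$1")
    full=$((size / 4096))
    rem=$((size % 4096))
    dd if=/dev/zero of="$1" bs=4k count="$full" conv=notrunc 2>/dev/null
    if [ "$rem" -gt 0 ]; then   # tail shorter than one block
        dd if=/dev/zero of="$1" bs=1 seek=$((full * 4096)) count="$rem" \
           conv=notrunc 2>/dev/null
    fi
}

# Succeeds only if every byte of the target reads back as zero.
is_zeroed() {
    size=$(target_size "$1")
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Constructed sample "disk": 1 MiB plus 100 bytes of non-zero filler.
make_sample_image() {
    img=$(mktemp)
    head -c 1048676 /dev/zero | tr '\0' 'X' > "$img"
    printf '%s\n' "$img"
}

demo() {
    img=$(make_sample_image)
    is_zeroed "$img" && echo "before: zeroed" || echo "before: data present"
    zero_fill "$img"
    is_zeroed "$img" && echo "after: zeroed" || echo "after: data present"
    rm -f "$img"
}
demo
```

The same read-back check gives a definite answer after a long wipe, which the dd output alone does not.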


#4 RayN81


Posted 30 May 2011 - 07:02 AM

Hi AustrAlien

There are 3-4 Partitions on my HDD. I'm not familiar with the file structure in x-PUD; but from what I gather so far, I can only see some files in what I assume was the partition where windows was installed in x-PUD.

Is there any way to access the data in the other partitions?

#5 AustrAlien


Posted 30 May 2011 - 07:10 AM

Boot to the xPUD CD > File and expand mnt (click on the little arrow beside mnt).
What do you see listed under mnt?
  • sda1 <<< probably your system partition?
  • sda2
  • sda3
  • sda4
If so, those are all your partitions, and you should be able to access the data in those partitions.
AustrAlien
Google is my friend. Make Google your friend too.


#6 RayN81


Posted 30 May 2011 - 07:20 AM

I see exactly that - sda1 to sda4.

Off the top of my head, I had C:, D:, E:, F: and G: (5 partitions) in my HDD.

In xPUD, sda1 is empty.
Sda2, when expanded, has the folders Boot and System Volume Information (I'm guessing this is the X:).
Sda3 has a windows folder and other familiar folders like "Documents & Settings", "Program Files", etc. I'm guessing this is C:
Sda4 has a folder 'Software', which I had in my E:.

Not everything in my C: or E: can be seen in xPUD. I don't see folders for the rest...

#7 AustrAlien


Posted 30 May 2011 - 07:27 AM

That's interesting!

Did you mention any of this in your previous topic? If so, I must have missed it.

Perhaps we should re-assess the situation. Do you have important data on that HDD that you need to retrieve, but can't find using xPUD? We might have to try to recover it using other tools???

Let me know. It's just about my bed time for tonight, so I will be leaving shortly and will have to continue this tomorrow.
AustrAlien
Google is my friend. Make Google your friend too.


#8 RayN81


Posted 30 May 2011 - 07:35 AM

No, I didn't mention it - the question never came up and I didn't think too much of it then (and now) as I'm not entirely sure what I'm supposed to see on xPUD to begin with.

And yes, I have some documents on my computer that are supposed to be in My Documents and other drives.

JSntgRvr got me to use a program that was able to read the partitions and the drive names while inspecting the HDD, so I'm sure the data can be accessed... I just don't know how.

#9 AustrAlien


Posted 30 May 2011 - 07:59 AM

I'm not entirely sure what I'm supposed to see on xPUD to begin with.

You should be able to browse your HDD/partitions and see all your folders and documents. If you can't, something is wrong.

JSntgRvr got me to use a program that was able to read the partitions and the drive names while inspecting the HDD

Yes, that was TestDisk (using xPUD again).

We are going to have to investigate further. If you have data that is important and you wish to retrieve it, then we need to re-assess the situation and see what can be done, and what can be retrieved.

That's a job for tomorrow for me. Until then ...

One last thought for tonight: It may be worth trying a more sophisticated version of linux to see whether that can read your HDD any better than xPUD. These boot and run from the CD, just like xPUD: DO NOT INSTALL to the hard drive.

A couple of suggestions:

Puppy Linux <<< download size 128MM

Ubuntu <<< download size nearly 700MB

If you download and install ImgBurn and choose "Write image file to disc" to burn the downloaded .ISO files to CD, you can't go wrong with creating a CD that will boot successfully. Again, you should be able to browse your partitions and see all your folders and files using those systems, and to copy your data to an external drive/flashdrive. They are much more user friendly than xPUD.
AustrAlien
Google is my friend. Make Google your friend too.


#10 RayN81


Posted 30 May 2011 - 08:37 AM

You should be able to browse your HDD/partitions and see all your folders and documents. If you can't, something is wrong.

Thanks AustrAlien for that! All this while, I was looking under the general "My Documents" folder which was empty. Didn't think much of it as I thought it was just system files that would show. Following your comment, I browsed further into Users/<Username>/My documents, and was able to retrieve some of my work documents there.

I've got all I need from my C:. There are still other data on other partitions that aren't showing.

EDIT:
I'll get both Ubuntu and Puppy Linux and give them a go when the downloads are done and see how that goes.

Thanks so much once again! So far, you (and of course JSntgRvr) have saved me from having to rewrite two 15-20 page reports.

Edited by RayN81, 30 May 2011 - 08:45 AM.


#11 AustrAlien


Posted 30 May 2011 - 04:04 PM

Please post a link to this topic in your thread with JS, so that he is aware of what is going on here.

Thanks.
AustrAlien
Google is my friend. Make Google your friend too.


#12 AustrAlien


Posted 30 May 2011 - 05:42 PM

Ray,

I'll post these thoughts now, to give you some time to get some new hardware organised if you choose to do so.

A big lesson to be learned here, is that it is not wise to have everything on one gigantic (2TB) HDD.

I will make the following suggestion to you, moving forward:
At the very least, have your Windows system on one HDD, and constantly backup your data to a second separate HDD.
To go one step further, as well as the above, image your entire system HDD to a remote (external) HDD on a regular basis.
Those steps are the very least you should do in an attempt to safeguard your data and your system, enabling you to recover from any unforeseen event in a relatively short time frame and without great inconvenience.
AustrAlien
Google is my friend. Make Google your friend too.


#13 RayN81


Posted 30 May 2011 - 05:48 PM

Please post a link to this topic in your thread with JS, so that he is aware of what is going on here.


Done.

I've run both Ubuntu and Puppy Linux, and like xPUD, they are only able to view 4 drives - sda1 to sda4. Ubuntu is the clearest - it gives the names of the drives:

sda1 = my floppy (my A:)
sda2 = system reserve (my X:, I presume)
sda3 = Carpathia (my C:)
sda4 = Andorra (my D:)

I initially thought sda4 was my E: because there was a 'Software' folder in it. My brother just told me he saved a bunch of drivers there a while ago when he was using my PC.

So, my E: to G: are missing.

#14 RayN81


Posted 30 May 2011 - 05:51 PM

Ray,

I'll post these thoughts now, to give you some time to get some new hardware organised if you choose to do so.

A big lesson to be learned here, is that it is not wise to have everything on one gigantic (2TB) HDD.

I will make the following suggestion to you, moving forward:
At the very least, have your Windows system on one HDD, and constantly backup your data to a second separate HDD.
To go one step further, as well as the above, image your entire system HDD to a remote (external) HDD on a regular basis.
Those steps are the very least you should do in an attempt to safeguard your data and your system, enabling you to recover from any unforeseen event in a relatively short time frame and without great inconvenience.

I've learnt my lesson, AustrAlien. I have a 160gb HDD with me which I intend to save Windows in going forward and everything else in my 2TB drive.

#15 AustrAlien


Posted 30 May 2011 - 06:38 PM

What you are reporting is strange and unusual .... and of course interesting.

In xPUD and Puppy, the naming of more than one hard drive or device goes like this:
  • sda <<< where sda is the first HDD
  • sdb
  • sdc ...
The floppy will be fd0 ...
The optical drive with the boot disk in it, sr0

For partitions on a hard drive (let's use sda in your case):
  • sda1 <<< where sda1 is the first partition on the sda HDD, and we should expect to see your WINDOWS system there! (unless there is a very good reason for it not being there)
  • sda2
  • sda3
  • sda4
  • sda5
You have said previously that you would expect to see 5 partitions on your one HDD: Does that remain the case?
AustrAlien
Google is my friend. Make Google your friend too.




