
Can I just wipe drive after suspected rootkit, then reinstall OS?



#1 TechnoMigraine

Posted 11 August 2012 - 02:01 PM

Trying to figure out what to do. I have a 64bit eMachine desktop, with Windows 7 home on it. I believe it was infected with some kind of rootkit last fall, when it was still practically new. I haven't used it much at all since then, and have kept it totally offline... because I could not find a way to stop remote computers from connecting to it at the time, changing my system settings, disabling my firewall, etc. I tried formatting the C: partition several times. (but not the recovery partition, which has no letter). Once I even used the boot utilities on my XP cd from my previous computer, and just formatted over it. That didn't make the problem go away either.

As it is now, if I try to restore it to the factory state from the recovery partition, the problem re-installs itself right along with the OS. The original recovery disks I created no longer work; if I try to use those, I get an error message, that it's looking for some network drive that's not available. (Sorry, I don't remember the exact error, but it was something like that.) Next, I ordered new disks from the manufacturer, and when I explained what was happening, they told me that I had to "securely wipe" the drive first; something about writing over it with 1's and 0's, and making sure that any malware was really gone, before I could install the new disks they sent. That is, reinstalling the disks alone would not fix the problem.

So, now I'm trying to figure out how to wipe out this drive, re-partition and format it... so I can try to install the new disks the manufacturer sent, so I can start using it again. (The computer I'm using now is ancient... and about to die.) There are so many tools available with this functionality, I'm feeling confused... and really just chicken to attempt anything, unless I'm sure I'm going about this the correct way.

A friend told me to try something called Ultimate Boot CD - it has a million tools on it. I'm having trouble figuring out which tool to use first, as well as finding instructions on how they all work, etc. Before I do anything, I just want to make sure I'm going about this the correct way. If it is a rootkit, will WIPING the drive, and reinstalling the new disks actually take care of the problem? I don't care about saving anything from that computer at this point, so that's not an issue. I'm mostly afraid that if I do something wrong, or if the rootkit won't allow itself to be erased for some reason... that the whole thing might be unbootable if I do something wrong.

Sorry to ask so many questions, but ... the more I try to figure this out myself, the more confused I seem to get. Any help at all would be greatly appreciated. Thanks!

#2 SleepyDude (Malware Response Team)

Posted 16 August 2012 - 12:43 PM

Hi,

You can use the tools from the Ultimate Boot CD to erase everything on the HDD and then start clean using the recovery disks you have.

Boot with the Ultimate Boot CD
  • HDD
  • Disk Wiping
  • Active@ Kill Disk Free (Let the computer run until Active Kill Disk opens)
  • Click OK on the information about the free version
  • use the up and down keys to select the HD (1:)
  • press F10 to start the wiping process

When the process ends you can restart the computer, first replacing the Ultimate Boot CD with the Recovery Disk 1 you have.

Edited by Rui Paz, 16 August 2012 - 12:43 PM.

• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 Explicit1

Posted 16 August 2012 - 01:33 PM

Wiping the hard drive is an option, but you may be able to save the system by creating a thread explaining the problems you are having etc. You say you had or have a rootkit? There are many talented people here who can assist you by running various programs that will tell you exactly what is wrong etc. GMER, tdsskiller & various programs will generate reports to point to the problem and then you can resolve it. I would recommend starting a new thread and asking for help, then follow the directions and guidance of a moderator etc.

Best of Luck! :thumbsup:

#4 TechnoMigraine (Topic Starter)

Posted 16 August 2012 - 05:03 PM

What would be the difference between 'Wiping' the computer and 'saving the system'? I mean, wouldn't the manufacturer CDs restore the system back to the way it's supposed to be? It's just that... it was so messed up before, I almost would rather just start over. (As long as wiping it will really get rid of the problem...)

Do you know about how long the wiping process takes? (So I don't panic and think it's stalled out, in case it takes a while... lol.)

Thank you!

P.S. After the Wiping process... do I need to recreate the recovery partition and the C: Drive? Or will the Recovery disks do that once I use them to boot it up? (Sorry... still not quite sure how this works.)

Edited by TechnoMigraine, 16 August 2012 - 05:08 PM.


#5 Explicit1

Posted 16 August 2012 - 06:41 PM

When you say restore, that is saying to keep all files (data) and repair the operating system. To wipe the hard drive (format) is to have a clean slate that you then need to reinstall the operating system onto. There are different types of formatting: quick format, low level - high level etc. If you do not have any data on the system now to keep then it is up to you to format and re-install. This site likes for the users to get advice from the moderators or advisors and not standard users like me. The time to format depends on the type and size of drive etc. It is a fairly fast process (minutes). The lengthy part is re-installing the operating system and making sure you have all the drivers from the manufacturer for the motherboard and devices etc. When you re-install you will have to boot from CD from the BIOS in order to load the operating system etc. It will create the primary partition C: etc. Remember when you format you will lose everything; that is why I recommended you start a new thread and fix the infection with a moderator, but it is up to you. :thumbup2:

#6 TechnoMigraine (Topic Starter)

Posted 16 August 2012 - 09:20 PM

Well, I don't really have anything left on there that I need to save... going to try following Rui's instructions. Please leave this thread here, I'll let you know how it goes. Thanks again!

#7 TechnoMigraine (Topic Starter)

Posted 16 August 2012 - 09:50 PM

I'm confused already... no specific reference to HD (1:).

I'm skipping the Floppy Disk 0 part, but this is what the rest looks like:

(80h)
--> Unallocated
--> PQSERVICE (1:)
--> Unallocated
--> eMachines (2:)
--> Unallocated

-------

Looking closer at the details of these (strange) partitions...

The first unallocated:
Is active: no
Is primary: yes
Partition table: 0
First Sector 63
Total sectors: 1985
Bytes Per Sector: 512
Total Size 992.5 KB

PQSERVICE (1:)
Is active: no
Drive Name: 1:
File System: NTFS
Volume Label: PQSERVICE
Serial number: 50D2-CAA66
Total sectors: 25165816
Bytes per cluster: 4096
Total size: 12 GB
(9.072 GB Used/ 2.928 GB free)

*I think this might be the 'recovery partition' but not exactly sure.

The second unallocated:
Is active: No
Is primary: Yes
Partition table: 0
First sector 25167872
Total sectors 5983
Bytes per sector: 512
Total Size 2.921 MB

eMachines (2:)
Is active: Yes
Drive name: 2:
File system: NTFS
Volume label: eMachines
serial number: 08A8-C39F
Total sectors: 1225087824
Bytes per cluster: 4096
Total size 584.2 GB
(23.59 GB Used/ 560.6 GB Free)

The last unallocated one:
Is active: no
Is Primary: Yes
Partition table: 0
First sector: 1250261680
Total sectors: 2048
Bytes per sector: 512
Total size 1.00 MB

----------

Not doing anything yet, but if I highlighted the (80h) in the beginning, and pressed F10... would that just write zeros over the entire contents of the drive? Is that what I want to do, or... are 'PQSERVICE (1:)' and 'eMachines (2:)' the actual partitions that I should be wiping separately?
Why is there unallocated space showing up between these partitions? Is that normal?

#8 Explicit1

Posted 17 August 2012 - 12:00 AM

The areas that say unallocated are wasted space that is not allocated. You have two hard drives installed. Drive 1 is the restore partition/drive 1 and is only 12 gigs. The eMachines (2:) drive is the 584 gig hard drive. Usually when doing a restore it is from this PQSERVICE (1:) partition. You should create a thread in a Windows 7 area and a moderator can assist in better detail. Windows 7 has the option to be installed with or without the restore option. You will need to tell it where to install the restore partition and where to install the operating system. Hope that makes sense for you. I am not sure what disks you have, if they are the full version Windows 7 disks or restore disks from eMachines. If restore disks, it may point to the PQSERVICE (1:) partition and if it is formatted it will not be there. It appears you haven't formatted anything yet.

#9 TechnoMigraine (Topic Starter)

Posted 17 August 2012 - 12:43 AM

Correct. I haven't formatted anything yet. The disks I have came from the eMachine manufacturer. They sent 4 disks: one System, Recovery 1 & 2, and a Language disk.

In device manager, there is only one physical disk drive listed...
"WDC WD64 00AAKS-22A7B SCSI Disk Device"

I'll take your advice and ask for help in the Windows 7 forum. Part of my trouble is, I've always dealt with 98 or XP - Windows 7 is really unfamiliar to me, which has not helped. lol. Thanks again... :)

#10 Explicit1

Posted 17 August 2012 - 09:37 AM

Go to view in the device manager and SHOW HIDDEN DEVICES, you should then see it. You have 2 serial numbers so that would be two pieces of hardware and they are both showing the sizes 12gig and 584 gig etc.

Good Luck! :thumbsup:

#11 SleepyDude (Malware Response Team)

Posted 17 August 2012 - 10:11 AM


Hi,

You have one HDD with several partitions; the PQSERVICE is the recovery partition, but like you said it's probably infected.
Because you don't need to save anything, the best option is to highlight the (80h) at the beginning and press F10. This will wipe everything and then you can start fresh using the Recovery Disks you have.

Don't worry, the Recovery Disks will put the computer at the same stage as when you started it for the first time; the recovery partition will be recreated again.

The wiping process should take some time because the disk is big, 640GB; the program will show you a progress indicator giving the information whether it's working or not.

Trying to clean the system is another option, but you can't be 100% sure it's really clean due to all the changes malware can do. Also, from your first post I couldn't understand if the computer is booting OK to Windows 7 or not.

Edited by Rui Paz, 17 August 2012 - 10:12 AM.


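As an added example that is not part of the thread: a small Python check, in the spirit of Rui's "one HDD with several partitions" answer, that takes the sector figures TechnoMigraine listed in post #7 and works out how much of the 640 GB drive they account for, so the small unallocated slivers can be seen for what they are. Two assumptions are made: the drive's total sector count (taken from the WD6400AAKS and compared against where the last listed region ends) and the first sectors of PQSERVICE and eMachines, which the listing omits and which are inferred as directly following the previous region.

```python
SECTOR_BYTES = 512

# (label, first sector or None when the tool did not list it, total sectors), copied from post #7
LISTING = [
    ("Unallocated #1", 63, 1985),
    ("PQSERVICE (1:)", None, 25165816),
    ("Unallocated #2", 25167872, 5983),
    ("eMachines (2:)", None, 1225087824),
    ("Unallocated #3", 1250261680, 2048),
]
DISK_SECTORS = 1250263728  # assumption: sector count of a 640 GB WD6400AAKS

def gib(sectors, decimals=1):
    """Sector count -> binary gibibytes, the unit the listing's sizes use."""
    return round(sectors * SECTOR_BYTES / 2**30, decimals)

def resolve_layout(listing):
    """Fill in unlisted first sectors by assuming each region follows the previous one."""
    regions, cursor = [], 0
    for label, first, total in listing:
        start = cursor if first is None else first
        regions.append((label, start, start + total))  # end is exclusive
        cursor = start + total
    return regions

def unaccounted_gaps(regions, disk_sectors):
    """Sectors no listed region covers: before the first, between regions, after the last."""
    gaps, cursor = [], 0
    for label, start, end in regions:
        if start > cursor:
            gaps.append(("before " + label, cursor, start - cursor))
        cursor = max(cursor, end)
    if disk_sectors > cursor:
        gaps.append(("after last region", cursor, disk_sectors - cursor))
    return gaps

def coverage_report(listing=LISTING, disk_sectors=DISK_SECTORS):
    """Summarise how much of the disk is listed as unallocated or not listed at all."""
    regions = resolve_layout(listing)
    gaps = unaccounted_gaps(regions, disk_sectors)
    return {
        "listed_unallocated_sectors": sum(e - s for l, s, e in regions if l.startswith("Unallocated")),
        "unaccounted_sectors": sum(g[2] for g in gaps),
        "largest_unaccounted_gap": max((g[2] for g in gaps), default=0),
        "gaps": gaps,
    }

if __name__ == "__main__":
    for label, start, end in resolve_layout(LISTING):
        print(f"{label:15s} {start:>11d}..{end:<11d} {gib(end - start, 3):>8} GiB")
    print(coverage_report())
```

On the posted figures the three unallocated regions total about 5 MB, the only sectors no region accounts for are the 63 before the first partition plus a few alignment sectors, and the last region ends exactly where the assumed disk size does.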

#12 Explicit1

Posted 17 August 2012 - 10:52 AM

Thanks for jumping in Rui Paz. You are correct. When it shows VOLUME SERIAL it is the partition (unique) serial number. There is only 1 drive.

#13 Explicit1

Posted 17 August 2012 - 10:54 AM

Best of luck... :thumbup2:

Edited by Explicit1, 17 August 2012 - 10:54 AM.


#14 TechnoMigraine (Topic Starter)

Posted 17 August 2012 - 11:41 AM

Morning... sorry I fell asleep. The 'Dinosaur' pc that I've been using to get online, is going to die soon. I can't shut it down now, because when I do... it makes me re-activate windows, over and over again. lol.

As for the PC I'm trying to fix:
Went to Device Manager, showed hidden devices... and still, only one drive listed. It's written on the side of the tower, there's one "640 GB" HDD. The "PQSERVICE" partition is what's messing me up, I've never worked with one that has a recovery partition like this.

The infected PC is booting up just fine... but it's seriously messed up and I've kept it offline since last fall. I still haven't used the Ultimate Boot disk to do anything, except to just look... but if I can highlight the (80h) and hit F10, that simplifies things a bit. Maybe I won't bother them at the Windows 7 forum just yet...

Thank you so much for helping me, I'll let you know how it goes....

#15 TechnoMigraine (Topic Starter)

Posted 17 August 2012 - 11:55 AM

Update, I'm trying it.... One pass zeros, it's still at 0% progress. Will let you know when it's done. Thanks so much for the help... I'm feeling much less confused than I was. lol.



