Is it safe to re-format an infested drive in a USB enclosure?

cardiac

Platinum Member
Oct 9, 1999
2,082
14
81
I have a problem that I came across that I'm not sure what to do about. Neighbor's computer became infected with a virus/malware similar to the "Cyber Security" one. Don't remember the name right now. He has AVG/Spybot/ZoneAlarm set up as security and all are current.

It will not let you open any executable without a window popping up that says "This file is infected" then says to go to their website and pay for a "fix". I tried doing a fresh install, but it even says the XP install disk is infected, which I know it isn't. So, I pulled the HD out and was going to format it in one of my external USB enclosures. Then got to thinking that it might infect my system.

I have the same set up on all of my home systems: AVG/Spybot/ZoneAlarm.

Can I format the drive (a Hitachi 120 GB) via my USB port without worry? Or how would you handle it?

Thanks a bunch, and Happy Thanksgiving!

Bob
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
If you are doing a fresh install of Windows, you will have the opportunity to re-partition and re-format when you do the installation from the Windows Install CD/DVD. You shouldn't be getting any "This file is infected" messages when booting from an Install CD/DVD.

Yes, it's possible to be infected from a disk in a USB housing. I wouldn't do that unless there are no alternatives. If you must, be sure your PC is well protected with current AV software and be sure that the Microsoft patches from last Fall that disable AutoRun on USB have been installed.
 

cardiac

Platinum Member
Oct 9, 1999
2,082
14
81
Thanks for the reply. I know that I can re-format/re-partition from the XP install disk, it just won't let me get there. First time this has happened in the 22 years I have been doing builds/maintenance for folks.

It is a Dell, and with the XP disk in the CD drive, upon turning the system on, it will not allow you to select F12 for the boot menu. I cannot access the CD drive with the XP disk in there no matter what. The drive spins up, but it just goes to the Windows boot-up screen. It will not allow a Safe Mode startup, either.

Strangest thing I have seen in years.....

Thanks,

Bob
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
I recently saw a badly-infected Dell that had the boot order changed so it wouldn't boot to the CD/DVD and the BIOS SYSTEM PASSWORD was locking down everything. Since I was the last person to open the BIOS, I suspect the BIOS was changed and locked by malware. If this is the problem, search Dell's site and you'll find the procedure for unlocking the BIOS so you can change the boot order. A jumper on the MB is involved.
 

cardiac

Platinum Member
Oct 9, 1999
2,082
14
81
Unbelievable how virulent some of the viruses out there are.

This one sucks. I have messed with PCs since 1987 and this is the worst virus I have witnessed myself. Since drives are so cheap, I might junk this 120 GB and pick him up a 320 or 500 GB. It just ain't worth it....I don't know what to do.

Bob
 

Fayd

Diamond Member
Jun 28, 2001
7,970
2
76
Thanks for the reply. I know that I can re-format/re-partition from the XP install disk, it just won't let me get there. First time this has happened in the 22 years I have been doing builds/maintenance for folks.

It is a Dell, and with the XP disk in the CD drive, upon turning the system on, it will not allow you to select F12 for the boot menu. I cannot access the CD drive with the XP disk in there no matter what. The drive spins up, but it just goes to the Windows boot-up screen. It will not allow a Safe Mode startup, either.

Strangest thing I have seen in years.....

Thanks,

Bob

Boot, enter BIOS, change boot order to CD.

F12 doesn't always go to the boot menu. Read the BIOS prompt.
 

PUN

Golden Member
Dec 5, 1999
1,590
16
81
Boot, enter BIOS, change boot order to CD.

F12 doesn't always go to the boot menu. Read the BIOS prompt.

This is easy stuff...wondering why you are sweating over this.

1. Insert the CD and reboot.
2. Press F1 for BIOS and change the boot sequence. If you are locked out of BIOS, manually reset the BIOS by resetting the pins.
3. Upon booting with the CD, format and reinstall.
 

COPOHawk

Senior member
Mar 3, 2008
282
1
81
I do small business computer consulting for a living...as well as about 20% residential work.

Cardiac: I run into this exact problem around once per week...the answer is simply to take your neighbor's drive, attach it to your computer and run a GOOD AV scan on it...as well as Malwarebytes (free version). If you have the time, also run Windows Defender to be sure.

After this is done...reinsert it back into the original computer...turn off System Restore and install/scan with Malwarebytes again, as well as Spybot. This *should* solve the problem.

I deal with a LOT of spyware infested computers and in about 85% of the cases...removing the spyware/virus allows Windows to function normally without having to reinstall.

It amazes me to see the volume of people that immediately jump to a reinstall of Windows..without understanding or wanting to fix the problem.

HTH...
 

jjmIII

Diamond Member
Mar 13, 2001
8,399
1
81
I do small business computer consulting for a living...as well as about 20% residential work.

Cardiac: I run into this exact problem around once per week...the answer is simply to take your neighbor's drive, attach it to your computer and run a GOOD AV scan on it...as well as Malwarebytes (free version). If you have the time, also run Windows Defender to be sure.

After this is done...reinsert it back into the original computer...turn off System Restore and install/scan with Malwarebytes again, as well as Spybot. This *should* solve the problem.

I deal with a LOT of spyware infested computers and in about 85% of the cases...removing the spyware/virus allows Windows to function normally without having to reinstall.

It amazes me to see the volume of people that immediately jump to a reinstall of Windows..without understanding or wanting to fix the problem.

HTH...

Yes, yes, and yes! Hang it off another system and scan it. Scanners work better when they are scanning a secondary drive and aren't scanning the boot drive. I agree....Malwarebytes.
 

cardiac

Platinum Member
Oct 9, 1999
2,082
14
81
That is just what I did. I have Avira on one of my network computers and hooked it up in an external enclosure, unhooked the system from the network (just in case) and ran a thorough scan on it, and it found a ton of crap. Next, went through it with Spybot, then Malwarebytes. Installed it back in his system and put Avira on it and did another scan with Avira and Malwarebytes. Everything seems to be working just fine.

Thanks to all for the answers/info. I really appreciate it!!

Bob
 

COPOHawk

Senior member
Mar 3, 2008
282
1
81
I am glad to hear that you were able to get it resolved. The vast majority of nasty stuff out there today is spyware, which is ever-evolving...kind of how viruses were 10 years ago. To clean an infected system, I typically run about 4 anti-spyware programs, plus HijackThis, msconfig, etc. to ensure all traces are gone.

Once you get your own process down though...the results are pretty good ;)
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
I use a linux rescue disc to handle heavily infested systems. Sometimes, they can be restored, other times you need to nuke the OS but you can salvage their data.
 

TomGriffinII

Junior Member
Aug 14, 2009
9
0
0
Couldn't you simply boot with a DOS disk and run debug, slap together a small assembly program to zero out the MBR and partition tables? I mean, BIOS understands one thing: int 19h boot. If I remember correctly from my engineering days, try this. Boot from an MS-DOS diskette that has debug.exe on it, then do the following (without the semicolons; those are comments).

Note: xxxx will denote whatever offset the system has delegated as the current code segment (CS register in x86 talk).

A\>debug (enter)
Code:
-f 200 L 200 0                  <-- zero-fill the 512-byte buffer at ES:0200 that INT 13h will write
-a100
xxxx:0100 MOV AX,301<ENTER>     <-- AH=03 (write sectors), AL=01 (one sector)
xxxx:0103 MOV BX,200<ENTER>     <-- ES:BX = buffer to write from
xxxx:0106 MOV CX,1<ENTER>       <-- cylinder 0, sector 1 (the MBR)
xxxx:0109 MOV DX,80<ENTER>      <-- DH=0 head 0; DL "80" for hd 0, "81" for hd 1
xxxx:010C INT 13<ENTER>         <-- BIOS disk service
xxxx:010E INT 20<ENTER>         <-- return to DOS
xxxx:0110 <ENTER>               <---BLANK LINE - IMPORTANT!
-G

Program Terminated Normally

This will wipe out the HDD for a fresh format/install. I had a flashback to my days at MicroFirmware working on breaking some silly 515 MB hard drive barrier in the Phoenix BIOS upgrade arena.
 
Last edited:
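A defender-side check for what that debug program leaves behind, added here as an example and not taken from the post or the thread: it decodes the four partition entries and the 0x55AA signature of a 512-byte MBR and reports whether the sector is truly blank. The sample sector is constructed in the code, not read from a real disk.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446      # 446 bytes of boot code precede the partition table
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode the four primary partition entries and the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _, ptype, _, lba_start, n_sectors = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0 and n_sectors == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": n_sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "boot_code_blank": not any(sector[:PART_TABLE_OFFSET]),
            "partitions": parts}


def is_wiped(sector: bytes) -> bool:
    """True only when boot code, partition table and signature are all gone."""
    info = parse_mbr(sector)
    return info["boot_code_blank"] and not info["partitions"] and not info["signature_ok"]


def build_sample_mbr() -> bytes:
    """Constructed sample (hypothetical values): one bootable NTFS partition at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"  # stand-in boot code so the sector is not blank
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 234436482)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# What the debug program writes once the ES:0200 buffer has been zero-filled.
ZEROED_MBR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sec in (("sample", build_sample_mbr()), ("zeroed", ZEROED_MBR)):
        print(name, parse_mbr(sec), "wiped:", is_wiped(sec))
```

To check a real drive hung off a Windows scanning box, read its first 512 bytes from the raw device (for example `\\.\PhysicalDrive1`, opened with administrator rights) and pass them to `is_wiped`; the device number is an assumption you must confirm before touching anything.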

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
I use a linux rescue disc to handle heavily infested systems. Sometimes, they can be restored, other times you need to nuke the OS but you can salvage their data.
Yeah, sometimes you can "fix" it, and sometimes not. I didn't want to re-install Windows on the last system I looked at because the accounting software would take hours to re-install. I wish I'd just rebuilt Windows. It's the only way to be sure and at least you know about how long it will take.

I spent two days scanning the hard disk, both attached to another system and in Windows. I ran three boot-level scanners and ran all the tools I had (things like Malwarebytes, HijackThis, ComboFix) and STILL ended up with a persistent malware infection. I probably ran twelve different scanning tools, and none of them found everything. The specific methods mentioned in recent anti-malware forums for this type of infection didn't work for this particular malware version, which was the most advanced I'd run into. Among other things, it'd locked the BIOS, had reset file and folder permissions, and had reset Registry permissions.
 
Last edited:

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
Yeah, sometimes you can "fix" it, and sometimes not. I didn't want to re-install Windows on the last system I looked at because the accounting software would take hours to re-install. I wish I'd just rebuilt Windows. It's the only way to be sure and at least you know about how long it will take.

I spent two days scanning the hard disk, both attached to another system and in Windows. I ran three boot-level scanners and ran all the tools I had (things like Malwarebytes, HijackThis, ComboFix) and STILL ended up with a persistent malware infection. I probably ran twelve different scanning tools, and none of them found everything. The specific methods mentioned in recent anti-malware forums for this type of infection didn't work for this particular malware version, which was the most advanced I'd run into.

I always ghost it before just to be safe anyway, but Linux is usually the best option.
 

cardiac

Platinum Member
Oct 9, 1999
2,082
14
81
I run Ubuntu 9.10 on one of my systems and hooking it in there and re-partitioning would have been an easy option also...

Thanks,

Bob
 

Golgatha

Lifer
Jul 18, 2003
12,392
1,057
126
I am glad to hear that you were able to get it resolved. The vast majority of nasty stuff out there today is spyware, which is ever-evolving...kind of how viruses were 10 years ago. To clean an infected system, I typically run about 4 anti-spyware programs, plus HijackThis, msconfig, etc. to ensure all traces are gone.

Once you get your own process down though...the results are pretty good ;)

I'd say 90% of the time you'll save time by just reinstalling the OS after making an image of the current HDD. By making the image first, you can ensure any forgotten files lost by doing the OS reinstall can be recovered, and it is typically quicker than running all those anti-crapware programs, which may or may not solve the problem in the first place.
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
I'd say 90% of the time you'll save time by just reinstalling the OS after making an image of the current HDD. By making the image first, you can ensure any forgotten files lost by doing the OS reinstall can be recovered, and it is typically quicker than running all those anti-crapware programs, which may or may not solve the problem in the first place.

99.9% of the time, this is what I do. It's easier and the most effective way.
 

citan x

Member
Oct 6, 2005
139
1
81
All I know is that running all those anti-virus and anti-spyware programs takes forever.

Also, if you disable auto-run, hooking up the drive via USB should be safe.
 

COPOHawk

Senior member
Mar 3, 2008
282
1
81
I'd say 90% of the time you'll save time by just reinstalling the OS after making an image of the current HDD. By making the image first, you can ensure any forgotten files lost by doing the OS reinstall can be recovered, and it is typically quicker than running all those anti-crapware programs, which may or may not solve the problem in the first place.

Obviously you have had some issues with fixing spyware/virus issues. Frankly, since not all AV or AS programs are created equal...it depends on which ones you have had issues with. Don't be disillusioned because there isn't a "silver bullet" piece of software yet...there may never be one due to the rate of innovation with spyware programmers.

Also, I use enterprise AV products like Symantec or McAfee to scan with as well. I have never had good luck personally with Avast, AVG, or even the consumer-level AV stuff from Trend Micro, Symantec or McAfee.

Plus...programs like HijackThis are invaluable for the tough fixes.

To be fair to your point...I don't sit there and watch the scans, I usually am doing other work. Maybe your approach is quicker for your own system, or another basic system. However, almost all of the computers I work on have a LOT of software programs, files, settings, etc that would need to be re-done. Shoot...just the Windows Updates takes a while these days :)
 
Last edited:

Cr0nJ0b

Golden Member
Apr 13, 2004
1,141
29
91
Couldn't you simply boot with a DOS disk and run debug, slap together a small assembly program to zero out the MBR and partition tables? I mean, BIOS understands one thing: int 19h boot. If I remember correctly from my engineering days, try this. Boot from an MS-DOS diskette that has debug.exe on it, then do the following (without the semicolons; those are comments).

Note: xxxx will denote whatever offset the system has delegated as the current code segment (CS register in x86 talk).

A\>debug (enter)
Code:
-f 200 L 200 0                  <-- zero-fill the 512-byte buffer at ES:0200 that INT 13h will write
-a100
xxxx:0100 MOV AX,301<ENTER>     <-- AH=03 (write sectors), AL=01 (one sector)
xxxx:0103 MOV BX,200<ENTER>     <-- ES:BX = buffer to write from
xxxx:0106 MOV CX,1<ENTER>       <-- cylinder 0, sector 1 (the MBR)
xxxx:0109 MOV DX,80<ENTER>      <-- DH=0 head 0; DL "80" for hd 0, "81" for hd 1
xxxx:010C INT 13<ENTER>         <-- BIOS disk service
xxxx:010E INT 20<ENTER>         <-- return to DOS
xxxx:0110 <ENTER>               <---BLANK LINE - IMPORTANT!
-G

Program Terminated Normally

This will wipe out the HDD for a fresh format/install. I had a flashback to my days at MicroFirmware working on breaking some silly 515 MB hard drive barrier in the Phoenix BIOS upgrade arena.

Hmm, that sounds much easier than using a format command.