Guest Joseph O'Brien
Posted July 31, 2007

Hello, everyone. I have a computer that has been infected with a virus/worm/trojan/whatever. I'm not completely sure which one, but my computer does the automatic shutdown thing (initiated by NT Authority\System).

I think I have the virus cleaned off, but the OS has been damaged. Can someone who knows advise me on the plan below?

1) Remove suspect drive from PC. Replace with a new, store-bought drive.
2) Install clean OS, updates programs, virus scan, etc.
3) Re-attach suspect drive as slave.
4) Copy necessary files over from suspect drive, leaving out Program Files and anything in ~\Local Settings.

I do have backups, but they are most likely infected as well. I was thinking that it might be easier to just pull the files directly off the suspect drive, rather than transfer them to an external drive. However, I want to be sure that whatever was on the suspect drive doesn't "jump ship" to the good drive. I assume that, as long as the MBR of the new drive is clean, and as long as I don't open an executable that contains the virus, then I should be OK.

Is this a correct assumption?

Thanks.
Joseph

Guest HeyBub
Posted July 31, 2007

Re: transferring files from infected drive.

Joseph O'Brien wrote:
> Hello, everyone. I have a computer that has been infected with a virus/worm/trojan/whatever. I'm not completely sure which one, but my computer does the automatic shutdown thing (initiated by NT Authority\System).
>
> I think I have the virus cleaned off, but the OS has been damaged. Can someone who knows advise me on the plan below?
>
> 1) Remove suspect drive from PC. Replace with a new, store-bought drive.
> 2) Install clean OS, updates programs, virus scan, etc.
> 3) Re-attach suspect drive as slave.
> 4) Copy necessary files over from suspect drive, leaving out Program Files and anything in ~\Local Settings.
>
> I do have backups, but they are most likely infected as well. I was thinking that it might be easier to just pull the files directly off the suspect drive, rather than transfer them to an external drive. However, I want to be sure that whatever was on the suspect drive doesn't "jump ship" to the good drive. I assume that, as long as the MBR of the new drive is clean, and as long as I don't open an executable that contains the virus, then I should be OK.
>
> Is this a correct assumption?

Possibly not. For example, I don't think virus detectors will catch the movement of a virus via a COPY command. Further, virus vectors include stuff other than EXE files. They're found in DOC files, JAVA applets, god-knows-what.

I'd hit the "infected" drive with every malware sanitizer I could find before I moved anything to the new drive.

Guest nass
Posted July 31, 2007

RE: transferring files from infected drive.

"Joseph O'Brien" wrote:
> Hello, everyone. I have a computer that has been infected with a virus/worm/trojan/whatever. I'm not completely sure which one, but my computer does the automatic shutdown thing (initiated by NT Authority\System).
>
> I think I have the virus cleaned off, but the OS has been damaged. Can someone who knows advise me on the plan below?
>
> 1) Remove suspect drive from PC. Replace with a new, store-bought drive.
> 2) Install clean OS, updates programs, virus scan, etc.
> 3) Re-attach suspect drive as slave.
> 4) Copy necessary files over from suspect drive, leaving out Program Files and anything in ~\Local Settings.
>
> I do have backups, but they are most likely infected as well. I was thinking that it might be easier to just pull the files directly off the suspect drive, rather than transfer them to an external drive. However, I want to be sure that whatever was on the suspect drive doesn't "jump ship" to the good drive. I assume that, as long as the MBR of the new drive is clean, and as long as I don't open an executable that contains the virus, then I should be OK.
>
> Is this a correct assumption?
>
> Thanks.
> Joseph

Hi Joseph,

I will scan this hard drive/system from more than one vendor for both viruses and malware. Then hook this hard drive in another machine as slave (you will find a diagram on the HDD on how to make this), copy the data into its own folder, say JoesData = the name of the folder, and copy it to the Desktop.

Take the damaged HDD back to its case and perform your clean installation. When you have performed a successful installation of the operating system, don't connect to the Internet yet: install the anti-virus you have and an anti-malware program, then try to establish a connection to the Internet (set up your network), update the AV, anti-malware and the system till the SP2 pack, then copy the folder on a removable CD/DVD and copy the data to the desired location (you can scan it first before you open or execute any file/folder).

You can find detailed instructions here: http://michaelstevenstech.com/cleanxpinstall.html

HTH.
nass

Guest Pegasus (MVP)
Posted July 31, 2007

Re: transferring files from infected drive.

"Joseph O'Brien" <obrien1984@hotmail.com> wrote in message news:1185894430.142692.256190@r34g2000hsd.googlegroups.com...
> Hello, everyone. I have a computer that has been infected with a virus/worm/trojan/whatever. I'm not completely sure which one, but my computer does the automatic shutdown thing (initiated by NT Authority\System).
>
> I think I have the virus cleaned off, but the OS has been damaged. Can someone who knows advise me on the plan below?
>
> 1) Remove suspect drive from PC. Replace with a new, store-bought drive.
> 2) Install clean OS, updates programs, virus scan, etc.
> 3) Re-attach suspect drive as slave.
> 4) Copy necessary files over from suspect drive, leaving out Program Files and anything in ~\Local Settings.
>
> I do have backups, but they are most likely infected as well. I was thinking that it might be easier to just pull the files directly off the suspect drive, rather than transfer them to an external drive. However, I want to be sure that whatever was on the suspect drive doesn't "jump ship" to the good drive. I assume that, as long as the MBR of the new drive is clean, and as long as I don't open an executable that contains the virus, then I should be OK.
>
> Is this a correct assumption?
>
> Thanks.
> Joseph

There is not much I can add to the replies you received from the other respondents but I wonder what's happened to the noble art of backing up important files at regular intervals, e.g. once a week? Next time you might not be so lucky - your disk might become unreadable.

Guest Joseph O'Brien
Posted July 31, 2007

Re: transferring files from infected drive.

On Jul 31, 12:40 pm, "Pegasus (MVP)" <I....@fly.com> wrote:
> "Joseph O'Brien" <obrien1...@hotmail.com> wrote in message news:1185894430.142692.256190@r34g2000hsd.googlegroups.com...
>
> > Hello, everyone. I have a computer that has been infected with a virus/worm/trojan/whatever. I'm not completely sure which one, but my computer does the automatic shutdown thing (initiated by NT Authority\System).
> >
> > I think I have the virus cleaned off, but the OS has been damaged. Can someone who knows advise me on the plan below?
> >
> > 1) Remove suspect drive from PC. Replace with a new, store-bought drive.
> > 2) Install clean OS, updates programs, virus scan, etc.
> > 3) Re-attach suspect drive as slave.
> > 4) Copy necessary files over from suspect drive, leaving out Program Files and anything in ~\Local Settings.
> >
> > I do have backups, but they are most likely infected as well. I was thinking that it might be easier to just pull the files directly off the suspect drive, rather than transfer them to an external drive. However, I want to be sure that whatever was on the suspect drive doesn't "jump ship" to the good drive. I assume that, as long as the MBR of the new drive is clean, and as long as I don't open an executable that contains the virus, then I should be OK.
> >
> > Is this a correct assumption?
> >
> > Thanks.
> > Joseph
>
> There is not much I can add to the replies you received from the other respondents but I wonder what's happened to the noble art of backing up important files at regular intervals, eg. once a week? Next time you might not be so lucky - your disk might become unreadable.

I actually have a few pretty good backups. Problem is, I don't trust them. This is a long story, so I won't go into it, but I suspect that this malware has been "hiding" latent on the drive for a while (maybe as a rootkit?). I could restore the files from the backup, but I just think it would be easier to go straight to the source and get the most recent files, rather than worrying about restoring incremental backups, etc. The data's there, and I could restore files from it if I had to.

You have a good point, though.

Thanks everyone.
Joseph

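Added example, not written by any poster in this thread: a Python sketch of step 4 of the plan that also accounts for the point that documents, not just EXE files, can carry malware. It reads the suspect drive without opening anything in an application, prunes Program Files and Local Settings, and records a SHA-256 for every file it keeps; the extension allowlist and the copy/review/skip verdict names are assumptions made for illustration.

```python
import hashlib
import os

# Directory names from step 4 of the plan that are never copied.
SKIP_DIRS = {"program files", "local settings"}
# Assumption: extensions treated as user data worth rescuing.
DATA_EXTS = {".doc", ".xls", ".txt", ".jpg", ".pdf", ".mp3"}
# Header of the legacy Office (OLE2) container used by .doc/.xls, which can hold macros.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def classify(path):
    """Return 'copy', 'review' or 'skip' for one file on the suspect drive."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in DATA_EXTS:
        return "skip"                 # executables, scripts, unknown types
    with open(path, "rb") as fh:      # raw read only, nothing is executed
        head = fh.read(8)
    if head[:2] == b"MZ":
        return "skip"                 # Windows executable behind a data extension
    if head == OLE2_MAGIC:
        return "review"               # scan with AV before opening in Office
    return "copy"


def build_manifest(root):
    """Walk the suspect drive and return sorted (relpath, verdict, sha256) rows."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict == "skip":
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rows.append((os.path.relpath(full, root), verdict, digest))
    return sorted(rows)


if __name__ == "__main__":
    import sys
    # Usage: pass the root of the suspect drive as attached to the clean system.
    for row in build_manifest(sys.argv[1]):
        print(*row, sep="\t")
```

The manifest is a triage list, not a verdict of cleanliness: files marked "review" and "copy" still need an up-to-date scanner run over them, and the hashes let the copies on the new drive be compared against what was read from the old one.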