Virus On External HD

Status
Not open for further replies.

Firegod

Distinguished
Feb 24, 2011
8
0
18,510
Hello, I have a virus on an external hard drive that I have been trying to get rid of for some time now.

The external hard drive is a Maxtor USB HD.

The virus seems to be a Trojan:DOS/Sinowal.N

The virus seems to be located at boot:\Device\Harddisk1\DR11


OK, so here is the full problem; I'll try to be as detailed as possible.

I got a virus on my main computer, and it seems that the virus has affected my external HD. I got rid of the virus on my computer; however, it seems that my external is still affected, because when I plug the HD into the USB, Microsoft Windows Security Essentials tells me there is a threat, and it's the Trojan:DOS/Sinowal.N trying to run. It says the location is at boot:\Device\Harddisk1\DR11, so that leads me to believe that the virus has taken over the boot sector/corrupted the boot sector of the HD, and isn't allowing it to run.

Now, I have spent many weeks trying to figure out how to get rid of the virus and I keep running into the same problem over and over again.

You see, since the virus has taken over the boot log, it seems that Windows isn't noticing the HD at all. So when I go to My Computer, the Maxtor doesn't show up at all.

What's funny is that when I go to Control Panel/System/Hardware/Device Manager/ and click the + sign next to disk drives, I can SEE the Maxtor HD....meaning that Windows KNOWS it's connected, I just can't access it because of the virus.


This is what I HAVE done.


I have tried to run boot antivirus software like Avast boot scan, failed
I have tried to uninstall/reinstall drivers, failed
I have looked and looked on the internet for a solution, but every solution seems to need me to be able to access My Computer, right click on the HD, and run an antivirus software from there....which if I COULD see the HD, I would have done ages ago.


On my travels of the internet, I have seen quite a few boot partition fixers and such, but they only seem to be for Windows itself, NOT for external hard drives.

If anyone has any help that would be great.
 

Firegod

Since I have not gotten a response I decided to do even more looking on my own.

I found this post, and decided to give it a shot.

Depending on your OS (assuming windows), click the start button, then right-click "computer" or "my computer" and select "manage". On the left side of the pane, look for "disk management", click it. You should see your new disk, most likely Disk 1 (disk 0 should be your OS drive). It should show as "raw". Right click on disk 1 and select "initialize". When finished initializing, right click on the partition you created and select "format".


Since it seems that initializing doesn't erase the data on the disk (at least from what I read in other posts), I did this. However, the HD is still not appearing in My Computer, but there is new data on the HD that wasn't there before.

It now shows up as Disk 5, says that the partition is MBR, but says all the space is unallocated.

I right clicked to create a new partition on the drive, since it says that it uses unused space to create the drive; again nothing seems to be talking about formatting or uninstalling or anything of that sort.

I chose not to format the partition.

It shows up as Disk I on my system.

What scares me now is that when I try to run a scan, it says that no virus is found, but I can't access the information on the drive...looks like I may have lost the info, but I haven't formatted the device at all...

Guess I'll do more digging.
 

Firegod

OK, so searching more I found this post:

I suggest you use Partition Table Doctor. It provides very useful
functions: Backup partition table, Restore partition table, Rebuild
partition table, undelete partition, Fixboot.
Please reference: How to Recover Lost or Deleted Partition by
Partition Table Doctor

http://www.ptdd.com/recoverylostpartition.htm

Upon using this product, I decided to use the Partition recovery. The partition recovery is now looking for partitions on the disk; however, it is also finding files and folders still on the disk itself. So that's pretty cool, it seems that I would be able to recover the information with this product, even if I can't repair the disk partition.

Still doing more research.
 
Do you have any data that needs saving on that HDD? The reason I'm asking is that you do not want a resilient virus on the HDD, regardless of what partition tool you use.
If there is data, I would do the following:
-download and burn a bootable ubuntu CD
-reboot from that CD; skip installation and choose to run Ubuntu from the CD.
-once booted, connect the HDD to the system, it should be able to see its content.
-transfer any files that need to be saved on a different media, like another HDD, CD, etc. Make sure the files transferred are not infected. The virus should not be able to infect the system, because it is running a different OS and it is running it from a CD, not from HDD.
-disconnect the external HDD, that now can be erased.
-reboot into Windows, download and install killdisk (the free version allows you to erase, or "kill" a HDD, restoring it to the factory clean state. It writes zeroes on the HDD surface). Choose to initialize the disk after erasing it, if you want, if not, you can do that from Windows' Disk Manager.
-Put the data back on the HDD.

This way, I would be sure I got rid of any trace of virus, instead of hiding it on some partition.

If no important data on the HDD, I would skip straight to the Killdisk part.
 
I think that once you recover as much of the data as you can, you might be able to rewrite the MBR and thus fix the disk so that the OS can see it. From Wiki:

Editing/replacing MBR contents

Though it is possible to manipulate the bytes in the MBR sector directly using various disk editors, there are tools to write fixed sets of functioning code to the MBR. Since MS-DOS 5.0, the DOS-mode program fdisk has included the (undocumented, but widely used) switch /mbr, which will rewrite the MBR code. Under Windows 2000 or later, the Recovery Console can be used to write new MBR code to a hard disk using its fixmbr command. Under Windows Vista and Windows 7, the Recovery Environment can be used to write new MBR code to a hard disk by clicking on Command Prompt and typing bootrec /FixMbr.

Some third-party utilities may also be used for directly editing the contents of partition tables (without requiring any knowledge of hexadecimal or disk/sector editors).

I would be extremely careful however to make sure you select the external drive and not your boot drive :)..
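
To make the MBR discussion in this thread concrete, here is an added example (not part of any post) that parses a 512-byte MBR sector read-only, lists its partition entries, and compares the bootstrap code against a saved known-good copy. The sample sectors are constructed in memory and their boot-code bytes are arbitrary placeholders; the helper names are hypothetical.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area of a classic MBR
TABLE_OFFSET = 446           # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR sector without modifying anything."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def boot_code_changed(current: bytes, baseline: bytes) -> bool:
    """True when the bootstrap code differs from a saved known-good copy."""
    return (parse_mbr(current)["boot_code_sha256"]
            != parse_mbr(baseline)["boot_code_sha256"])

def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Construct a sample sector in memory (constructed test data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for slot, (ptype, lba_start, count) in enumerate(entries):
        off = TABLE_OFFSET + 16 * slot
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

# Constructed samples: a known-good backup, the same disk with altered boot
# code, and the disk after "initialize" (fresh code, empty partition table).
baseline = build_sample_mbr(b"\xfa\x33\xc0", [(0x07, 63, 976768002)])
tampered = build_sample_mbr(b"\xeb\x5e\x90", [(0x07, 63, 976768002)])
initialized = build_sample_mbr(b"\xfa\x33\xc0", [])
```

On a real system the sector would come from reading the first 512 bytes of the external disk in read-only mode; the empty table in the `initialized` sample corresponds to the "unallocated" state described earlier in the thread, where the file data is still on the disk but no partition entry points to it.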
 


Ummm, initialising a disk will most likely destroy data on the drive, especially since you created new partitions on the drive.
 

Firegod

OK, so after using the partition recovery, it does seem that the information is still on the hard drive; however, the specific software that I installed only allows me to retrieve 1gb of the information for free.....there is WAY more information on this drive that I want to retrieve...

Is there any other way to access the information?
 

Firegod




I have heard of Ubuntu before, I guess I should try it; however, I don't know how I would be able to check to see if there is a virus on the system.

There is no way for me to scan the hard drive for the virus.

I was just going to download it all to my hard drive, then when one of my antivirus programs picked up the virus, it would delete it lol.
 
You already know what files are infected and where they are located. Save your personal files that you know already are clean, and skip the one(s) that you know are infected. Your personal photos, documents, music that you created/saved before are safe; files that you know you didn't add, or files that have unknown names are unsafe and, besides, they are useless, since you did not need them in the first place. The files that you need to double-check (ones that you are not sure about) you can open within Ubuntu; that OS will not get infected, since it is on a CD (hence write-protected) and it is a different OS, hence immune to the virus.
That's the beauty of using a "foreign" OS, the virus does not recognize it.
So, you just open your files one by one, like pictures or documents or music or whatever you know you saved in the past, make sure they're what you know they are, and save them. The rest... will be obliterated by killdisk.
 

Firegod



Well, like I said before, the problem that I ran into is that the program that I was using didn't allow me to get but 1gb of data and there was much more.

I found a program called TestDisk. I'm using that program to take the information off the disk; however, it doesn't allow me to choose, at least not at the moment.

When it's done finding all the data on the disk, I will find out if it will go down each one 1 by 1 or if it will just move them.

If it just moves them all.....well I guess I'll have to deal with the virus somehow lol.
 

johnnyq1233

Distinguished
Aug 15, 2007
1,233
0
19,460
Initializing a drive that was once working and now not working is the worst thing you could do, as it (Windows) will treat it like a new drive and create a new Master Boot Record (MBR), and to use the drive you will have to format the partition.
I have my anti-virus set up to delete any file that can't be cleaned, as it is easier to replace the file than risk it infecting the entire network.
Also, when downloading, my practice is to scan everything before accessing it for the first time.
I'm not sure, but you might try CCLEANER and see if it can scan the hard drive.....just a thought...
JQ
 
Solution

Firegod




Yeah, I found that out after I did it lol.

I used a program that allowed me to recover the items on the drive, then I reformatted the drive and now I'm looking over the material.

I did learn one thing though: initializing the drive did stop the virus from running, which allowed me to run a program on it, where if I didn't initialize the drive, I wouldn't have been able to see it.

Thanks everyone for the help.
 