hard drive problem

Guest

About 6 months ago I installed a new hard drive, a 160 GB Maxtor; it worked fine.
Then it was attacked by a virus of some description and it was wiped and
reformatted. In doing so it developed a pop-up from Messenger Service advising
me to get a regedit/program. These pop-ups were happening every minute or so. I
did a registry fix; however, it is not recognised on reboot. The strange thing
is it can be recognised as a slave when replaced with my old hard drive.
Any help would be appreciated.
Thank you

Brad

So the sequence was:
1. installed new disk drive
2. months later got a virus
3. was wiped? reformatted? wiping means exactly what? running the write
all 0's to all locations utility? takes many hours?
4. Windows was reinstalled?
4a. which anti-virus, anti-spyware were installed BEFORE ever going online?
5. message from Messenger Service saying get some program? did you go to
their website and download something? which website/product name? maybe
this was a trick to upload virus malware to your computer?
6. registry fix? what does this mean?
7. now when you reboot, the operating system is not found? what exact
message appears?
8. install old disk, the new disk as slave appears fine

That's good. What probably happened is your Windows install was zapped. Most
newer computers will look for a bootable resource and boot it up; since you
didn't say you changed BIOS settings, it sounds like Windows itself got
corrupted.

Steps now are: save anything on that new disk, send them to the old disk that
runs Windows.

Do a full wipe, all zeros, format, install Windows, install antivirus, etc.

Set your system not to allow Messenger Service. It helps to load as much as
possible from CD-ROM before connecting online; set Internet Explorer to high
security.

Guest

I would reinstall the HD as the master, then see if the installation can be
repaired with your Windows setup CD. If you select new install, you should get
the repair installation option after it searches your hard drives.

If this doesn't seem to work then you will have to use the recovery console
and copy some files. Let's see what your results are with the repair....

Ken Blake, MVP

Brad said:
> So the sequence was:
> 1. installed new disk drive
> 2. months later got a virus
> 3. was wiped? reformatted? wiping means exactly what? running the
> write all 0's to all locations utility? takes many hours?
> 4. Windows was reinstalled?
> 4a. which anti-virus, anti-spyware were installed BEFORE ever going
> online?
> 5. message from Messenger Service saying get some program? did you
> go to their website and download something? which website/product
> name? maybe this was a trick to upload virus malware to your
> computer?
> 6. registry fix? what does this mean?
> 7. now when you reboot, the operating system is not found? what exact
> message appears?
> 8. install old disk, the new disk as slave appears fine
>
> That's good. What probably happened is your Windows install was
> zapped. Most newer computers will look for a bootable resource and
> boot it up; since you didn't say you changed BIOS settings, it sounds
> like Windows itself got corrupted.
>
> Steps now are: save anything on that new disk, send them to the old
> disk that runs Windows.
>
> Do a full wipe, all zeros,

Although it doesn't hurt to do a "full wipe, all zeros," it's entirely
unnecessary and a waste of time. For all practical purposes, just formatting
will accomplish the same thing.

And I wouldn't be so quick to reformat and reinstall. It isn't at all clear
what his problem is, and there may well be a less draconian solution. You
ask good questions in 5, 6, and 7, above. Making recommendations as to how
to proceed before seeing the answers to those questions is premature.

> format, install Windows, install antivirus, etc.
> Set your system not to allow Messenger Service.

If he was getting Messenger Service popups, it was because he was running
without a firewall. There's no reason to turn off Messenger Service, and in
fact it has provided the warning that he was running without firewall
protection.

Brad

Thanks Ken

I'm always happy to learn the best known methods and always welcome
correction.

Formatting vs writing all zeros?

I thought, I assume, I'm guessing formatting only writes to some block on the
disk, something that's equal to the start of a sector or something saying the
data is "erased"? But formatting doesn't, I'm guessing, actually go to each
and every last bit to write something? Does it?

If format actually changed every bit on the disk, wouldn't it take much
longer to complete?

So what I'm worried about, total guess and speculation on my part, is that
small enough sized code snippets could be scattered on a disk, written all
over the place so even with losing the partition and format, that physical
data would remain?

It wouldn't be mapped on any file system but wouldn't it be at the same
physical address the disk itself uses in the IDE interface?

So isn't it that only data fragments could be left on a disk that's been
formatted?

And you're right, the questions should have had some test first: is it this?
If so then format it.

I thought Microsoft sought to turn Messenger Service off as part of some
security fix thing?

TIA

Ken Blake, MVP

Brad said:
> Thanks Ken

You're welcome. Glad to help.

> I'm always happy to learn the best known methods and always welcome
> correction.
>
> Formatting vs writing all zeros?
>
> I thought, I assume, I'm guessing formatting only writes to some block
> on the disk, something that's equal to the start of a sector or
> something saying the data is "erased"? But formatting doesn't, I'm
> guessing, actually go to each and every last bit to write something?
> Does it?

No. But doing that is entirely unnecessary. The only time you might want to
do that is when discarding or giving away a computer--to make it less likely
that someone can access your old data.

> If format actually changed every bit on the disk, wouldn't it take much
> longer to complete?

Yes.

> So what I'm worried about, total guess and speculation on my part, is
> that small enough sized code snippets could be scattered on a disk,
> written all over the place so even with losing the partition and
> format, that physical data would remain?

Yes, but it doesn't matter. The only data that matters is that which can be
accessed via the drive's directory structure. With that gone (which the
format does), everything on the drive is logically (even if not physically)
gone. Then when you reinstall Windows and start writing to the drive, it will
soon be physically gone also.

> It wouldn't be mapped on any file system but wouldn't it be at the same
> physical address the disk itself uses in the IDE interface?

Yes, but again, it doesn't matter.

> So isn't it that only data fragments could be left on a disk that's been
> formatted?

Yes.

> And you're right, the questions should have had some test first: is it
> this? If so then format it.

Sorry, I don't understand this.

> I thought Microsoft sought to turn Messenger Service off as part of
> some security fix thing?

Messenger Service can often be useful. For example you can use it to send
messages from one computer on the network to another; I use it for that all
the time. It's not a security risk in itself, although some malware can use
it to display popup messages. But as I said, the better solution to that
problem is installing a firewall which will prevent those popups, not
turning off Messenger Service.
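The format-versus-zero-fill point made in the exchange above (the directory is gone, but the data stays at its LBAs until something overwrites it) in a runnable toy model. This is an added example, not code from the thread; the sector layout, the ToyDisk class and the MALWARE-SIGNATURE marker are all constructed assumptions.

```python
# Constructed toy disk (assumption, not from the thread): LBA 0 holds the directory as
# "name:startLBA:length" lines; file data occupies later LBAs.
SECTOR, SECTORS = 512, 64
SIG = b"MALWARE-SIGNATURE-XYZ"  # constructed marker standing in for a malware file

class ToyDisk:
    def __init__(self):
        self.sectors = [bytearray(SECTOR) for _ in range(SECTORS)]
        self.next_free = 1  # LBA 0 is the directory
    def _directory(self):
        entries = {}
        for line in bytes(self.sectors[0]).rstrip(b"\0").decode().splitlines():
            name, start, length = line.split(":")
            entries[name] = (int(start), int(length))
        return entries
    def write_file(self, name, data):
        start, count = self.next_free, -(-len(data) // SECTOR)  # ceil division
        for i in range(count):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.sectors[start + i][:len(chunk)] = chunk
        self.next_free += count
        entries = self._directory()
        entries[name] = (start, len(data))
        text = "\n".join(f"{n}:{s}:{l}" for n, (s, l) in entries.items()).encode()
        self.sectors[0] = bytearray(SECTOR)
        self.sectors[0][:len(text)] = text
    def list_files(self):
        return sorted(self._directory())
    def quick_format(self):
        self.sectors[0] = bytearray(SECTOR)  # only the directory is cleared
        self.next_free = 1                   # data sectors are untouched but reusable
    def zero_fill(self):
        self.sectors = [bytearray(SECTOR) for _ in range(SECTORS)]  # every LBA overwritten
        self.next_free = 1
    def raw_carve(self, signature):
        # Read every LBA directly, ignoring the file system, as a forensic carver does.
        return [lba for lba, s in enumerate(self.sectors) if signature in bytes(s)]

def demo():
    d = ToyDisk()
    d.write_file("notes.txt", b"hello " * 200)     # 1200 bytes -> LBAs 1..3
    d.write_file("sample.bin", SIG + b"\x90" * 40)  # lands on LBA 4
    d.quick_format()
    after_format = (d.list_files(), d.raw_carve(SIG))  # ([], [4]): logically gone only
    d.write_file("reinstall.dat", b"\xaa" * 2000)     # a reinstall reuses LBAs 1..4
    after_reuse = d.raw_carve(SIG)                     # []: physically gone now
    e = ToyDisk()
    e.write_file("sample.bin", SIG)
    e.zero_fill()
    return after_format, after_reuse, e.raw_carve(SIG)  # zero-fill: [] without waiting
```

The carve result after the quick format is why a format alone is not a sanitisation step for a drive that leaves your hands, while the result after the reinstall write is why it is good enough for a drive you keep using.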

Brad

Ken Blake said:
> You're welcome. Glad to help.
>
> No. But doing that is entirely unnecessary. The only time you might want
> to do that is when discarding or giving away a computer--to make it less
> likely that someone can access your old data.

OK, but I meant could there be virus fragments in these zones of untouched
disk space? Open term, malware, spyware, whatever; I'm too concerned
about ABSOLUTE virus/malware eradication, it takes longer but no doubt must
remain. I think some offices will take such a disk and shred it because
there could be some change to disk internals or BIOS?

> Yes, but it doesn't matter. The only data that matters is that which can
> be accessed via the drive's directory structure. With that gone (which the
> format does), everything on the drive is logically (even if not physically)
> gone. Then when you reinstall Windows and start writing to the drive, it
> will soon be physically gone also.

But if the partition is destroyed, the disk formatted, then that absolutely
prevents a file system from seeing any files at all, period. So Windows or
DOS files couldn't "see" something out of the FS... but what is really still
there? Inquiring minds want to know. I want to know.

> Yes, but again, it doesn't matter.
>
> Sorry, I don't understand this.

My post was not well set as a formal test procedure, that costs extra. It
was generalized; I mean I should have asked them to check or test if a
condition was present, then take some action.

> Messenger Service can often be useful. For example you can use it to send
> messages from one computer on the network to another; I use it for that
> all the time. It's not a security risk in itself, although some malware
> can use it to display popup messages. But as I said, the better solution to
> that problem is installing a firewall which will prevent those popups, not
> turning off Messenger Service.

Right, totally agree. But home users? I've never used it like this and just
thought some security bulletin told the home user to turn it OFF unless they
knew they needed to use it. It's not a security threat, just annoying.

Ken Blake, MVP

Brad said:
> OK, but I meant could there be virus fragments in these zones of
> untouched disk space? Open term, malware, spyware, whatever; I'm
> too concerned about ABSOLUTE virus/malware eradication, it takes
> longer but no doubt must remain. I think some offices will take
> such a disk and shred it because there could be some change to disk
> internals or BIOS?

Yes, there could be malware (virus or other), not just fragments, but entire
malware files. But it doesn't matter at all. They can't run from there and
there can be *no* danger from *anything* in those spaces.

> Right, totally agree. But home users?

Sure, home users often have small networks, and use Messenger Service to
communicate between them. For example, I just returned home from an errand I
had to run. When I looked at my computer, I saw that my wife had sent me a
message about a call I needed to return. She sent it via Messenger Service.

> I've never used it like this
> and just thought some security bulletin told the home user to turn it
> OFF unless they knew they needed to use it. It's not a security
> threat, just annoying.

Yes, there are some people who advise turning it off. I disagree, as you
know. I don't think it's good advice at all, because it hides the threat
instead of fixing it. The fix is to run a firewall.

Brad

> Yes, there could be malware (virus or other), not just fragments, but
> entire malware files. But it doesn't matter at all. They can't run from
> there and there can be *no* danger from *anything* in those spaces.

But if a program had access to the IDE disk interface it could force reads
from specific addresses, which as I vaguely recall uses some logical block
addressing, independent of any file system.

So no file system could run any code in those spaces, but I can force a disk
to seek at any LBA address I can dream up and read what's there, so it seems
to me in a lightly sustainable paranoia that some program could generate
seeks in certain locations, if it was always every nth offset?

Malware loads some data, emails some and puts some in packets with LBA
offsets, user detects virus and formats, new virus comes along and reads
specific LBAs once again? Still there.

I've got no clue what stats are for virus infestation and what actions are
done and what re-infestation percent is; if you do, I'm interested to study
it.

IOW, 200 samples of some list of viruses, remedial action: none, delete
files, format, military wipe, shred disk
and what the results were.

I don't know how likely it is, just know format doesn't zap everything, and
low level IDE can read any location, so assume the worst.

> The fix is to run a firewall.

100 percent agree

Ken Blake, MVP

Brad said:
> But if a program had access to the IDE disk interface it could force
> reads from specific addresses, which as I vaguely recall uses some
> logical block addressing, independent of any file system.

A malware program would have no idea where to look for such fragments.
Besides, any such fragments would quickly be overwritten. And if you had a
malware program that could find such fragments, it wouldn't need to, since
it could far more easily incorporate that code within itself.

> So no file system could run any code in those spaces, but I can force
> a disk to seek at any LBA address I can dream up and read what's
> there, so it seems to me in a lightly sustainable paranoia that some
> program could generate seeks in certain locations, if it was always
> every nth offset?

In this case, I think "paranoia" is the right word. You are worrying about
something that just doesn't exist in the real world. But if you want to
zero-fill your drive, as I said earlier, go ahead--it won't hurt you. But it
*is* a waste of time and effort if you are reformatting and reinstalling
Windows.

Brad

> A malware program would have no idea where to look for such fragments.
> Besides, any such fragments would quickly be overwritten. And if you had a
> malware program that could find such fragments, it wouldn't need to, since
> it could far more easily incorporate that code within itself.

A sophisticated malware program could expect to search exact spots on the
disk mapped physically with low level IDE interface routines even without
any file system; a malware program could find data by scanning for a
keyword.

Is this what they do now? I don't know.

> In this case, I think "paranoia" is the right word. You are worrying about
> something that just doesn't exist in the real world. But if you want to
> zero-fill your drive, as I said earlier, go ahead--it won't hurt you. But
> it *is* a waste of time and effort if you are reformatting and
> reinstalling Windows.

Well, this is getting into fine detail of the possible versus the impossible.
Military applications don't like to mess around when there is a small chance
like this. So it's a choice of do you want to spend the extra time to write
zeros?

Any other advantage to this? Well, perhaps the disk health monitor can take
advantage of the all-zeros operation to flag any bad sectors.

If I offered this to customers I would strongly suggest the extra time (12
hours?) to zero it out. This might seem reflexively A.R. but let people
decide. I couldn't say it's an absolute waste of time, that's not accurate;
it might be not worth the extra effort, lots of work for a small return? It
might be 96% unnecessary, if it's n > 0 potentially beneficial? Then that's
what it is.

Painting racing stripes on the disk drive? That would be 0 percent
beneficial to the disk operation.

So writing all zeros may help the disk health system and extend the
usefulness of it. I'm glad to hear that you only recommend formatting; I've
done just the format to some disks and they are OK.

Ken Blake, MVP

Brad said:
> A sophisticated malware program could expect to search exact spots on
> the disk mapped physically with low level IDE interface routines even
> without any file system; a malware program could find data by
> scanning for a keyword.

As I said, nobody would write such a program. It would be a very foolish way
to do it. Why would a program want to look on the drive for fragments of
malware (which it probably wouldn't find, because it had already been
overwritten) when instead it could itself contain the very code it's
searching for? This makes absolutely no sense.

> Is this what they do now? I don't know.

No, they don't. Malware writers are much too clever to do something so
foolish. There are far more insidious things they can do.

At any rate, I'm done with this thread. I have no more to say without
repeating myself. Feel free to believe whatever you want.
