transferring files from infected drive.

Joseph O'Brien

Hello, everyone. I have a computer that has been infected with a virus/
worm/trojan/whatever. I'm not completely sure which one, but my
computer does the automatic shutdown thing (initiated by NT Authority
\System).

I think I have the virus cleaned off, but the OS has been damaged. Can
someone who knows advise me on the plan below?

1) Remove suspect drive from PC. Replace with a new, store-bought
drive.
2) Install clean OS, updates, programs, virus scan, etc.
3) Re-attach suspect drive as slave.
4) Copy necessary files over from suspect drive, leaving out Program
Files and anything in ~\Local Settings.

I do have backups, but they are most likely infected as well. I was
thinking that it might be easier to just pull the files directly off
the suspect drive, rather than transfer them to an external drive.
However, I want to be sure that whatever was on the suspect drive
doesn't "jump ship" to the good drive. I assume that, as long as the
MBR of the new drive is clean, and as long as I don't open an
executable that contains the virus, then I should be OK.

Is this a correct assumption?

Thanks.
Joseph
 
HeyBub

Joseph said:
Hello, everyone. I have a computer that has been infected with a
virus/ worm/trojan/whatever. I'm not completely sure which one, but my
computer does the automatic shutdown thing (initiated by NT Authority
\System).

I think I have the virus cleaned off, but the OS has been damaged. Can
someone who knows advise me on the plan below?

1) Remove suspect drive from PC. Replace with a new, store-bought
drive.
2) Install clean OS, updates, programs, virus scan, etc.
3) Re-attach suspect drive as slave.
4) Copy necessary files over from suspect drive, leaving out Program
Files and anything in ~\Local Settings.

I do have backups, but they are most likely infected as well. I was
thinking that it might be easier to just pull the files directly off
the suspect drive, rather than transfer them to an external drive.
However, I want to be sure that whatever was on the suspect drive
doesn't "jump ship" to the good drive. I assume that, as long as the
MBR of the new drive is clean, and as long as I don't open an
executable that contains the virus, then I should be OK.

Is this a correct assumption?

Possibly not. For example, I don't think virus detectors will catch the
movement of a virus via a COPY command. Further, virus vectors include stuff
other than EXE files. They're found in DOC files, JAVA applets,
god-knows-what.

I'd hit the "infected" drive with every malware sanitizer I could find
before I moved anything to the new drive.
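
The exclusions in step 4 of the plan, combined with the point above that carriers are not limited to EXE files, as an added example that is not part of the thread. The function names, the extension deny-list and the header checks (`MZ` for Windows executables, the OLE2 signature for legacy Office documents) are assumptions chosen for illustration; the suspect drive is assumed to be attached as a secondary, non-boot volume.

```python
import os
import shutil
import tempfile

SKIP_DIRS = {"program files", "local settings"}  # exclusions from step 4 of the plan
SCRIPT_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd",
               ".vbs", ".js", ".hta", ".lnk", ".jar", ".class"}  # assumed deny-list
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container header

def triage(path):  # returns 'skip', 'review' or 'copy'
    name = os.path.basename(path).lower()
    if name == "autorun.inf" or os.path.splitext(name)[1] in SCRIPT_EXTS:
        return "skip"
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return "skip"  # unreadable: leave it on the suspect drive
    if head[:2] == b"MZ":
        return "skip"  # Windows executable, whatever the extension says
    # OLE2 documents can carry macros: copy them, but scan before opening.
    return "review" if head == OLE2_MAGIC else "copy"

def salvage(src_root, dst_root):
    """Copy non-skipped files to dst_root; return verdict -> relative paths."""
    report = {"skip": [], "review": [], "copy": []}
    for dirpath, dirnames, filenames in os.walk(src_root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]  # prune
        for fn in filenames:
            src = os.path.join(dirpath, fn)
            rel = os.path.relpath(src, src_root)
            verdict = triage(src)
            report[verdict].append(rel)
            if verdict != "skip":
                dst = os.path.join(dst_root, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copyfile(src, dst)  # copies contents only, never executes
    return report

def demo():  # constructed sample tree, not data from the thread
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    samples = {"Docs/notes.txt": b"shopping list", "Docs/report.doc": OLE2_MAGIC,
               "Docs/holiday.jpg": b"MZ\x90\x00", "autorun.inf": b"[autorun]",
               "Program Files/App/app.exe": b"MZ"}
    for rel, data in samples.items():
        path = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return salvage(src, dst), dst
```

Files listed under `review` are copied but should be scanned on the clean system before anyone opens them; a header check like this is a filter, not a substitute for the scanners recommended in the thread.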
 
Guest

Joseph O'Brien said:
Hello, everyone. I have a computer that has been infected with a virus/
worm/trojan/whatever. I'm not completely sure which one, but my
computer does the automatic shutdown thing (initiated by NT Authority
\System).

I think I have the virus cleaned off, but the OS has been damaged. Can
someone who knows advise me on the plan below?

1) Remove suspect drive from PC. Replace with a new, store-bought
drive.
2) Install clean OS, updates, programs, virus scan, etc.
3) Re-attach suspect drive as slave.
4) Copy necessary files over from suspect drive, leaving out Program
Files and anything in ~\Local Settings.

I do have backups, but they are most likely infected as well. I was
thinking that it might be easier to just pull the files directly off
the suspect drive, rather than transfer them to an external drive.
However, I want to be sure that whatever was on the suspect drive
doesn't "jump ship" to the good drive. I assume that, as long as the
MBR of the new drive is clean, and as long as I don't open an
executable that contains the virus, then I should be OK.

Is this a correct assumption?

Thanks.
Joseph

Hi Joseph,
I would scan this hard drive/system with tools from more than one vendor for
both viruses and malware.
Then hook this hard drive up in another machine as slave (you will find a
diagram on the HDD on how to do this), copy the data into its own folder,
say JoesData = the name of the folder, and copy it to the Desktop.
Take the damaged HDD back to its case and perform your clean installation.
When you have performed a successful installation of the operating system,
don't connect to the Internet yet: install the anti-virus you have and an
anti-malware program, then try to establish a connection to the Internet (set
up your network), update the AV, the anti-malware and the system up to SP2,
then copy the folder onto a removable CD/DVD and copy the data to the desired
location (you can scan it first before opening it or executing any file/folder).
You can find detailed instructions here:
http://michaelstevenstech.com/cleanxpinstall.html
HTH.
nass
 
Pegasus (MVP)

Joseph O'Brien said:
Hello, everyone. I have a computer that has been infected with a virus/
worm/trojan/whatever. I'm not completely sure which one, but my
computer does the automatic shutdown thing (initiated by NT Authority
\System).

I think I have the virus cleaned off, but the OS has been damaged. Can
someone who knows advise me on the plan below?

1) Remove suspect drive from PC. Replace with a new, store-bought
drive.
2) Install clean OS, updates, programs, virus scan, etc.
3) Re-attach suspect drive as slave.
4) Copy necessary files over from suspect drive, leaving out Program
Files and anything in ~\Local Settings.

I do have backups, but they are most likely infected as well. I was
thinking that it might be easier to just pull the files directly off
the suspect drive, rather than transfer them to an external drive.
However, I want to be sure that whatever was on the suspect drive
doesn't "jump ship" to the good drive. I assume that, as long as the
MBR of the new drive is clean, and as long as I don't open an
executable that contains the virus, then I should be OK.

Is this a correct assumption?

Thanks.
Joseph

There is not much I can add to the replies you received
from the other respondents but I wonder what's happened
to the noble art of backing up important files at regular
intervals, eg. once a week? Next time you might not be
so lucky - your disk might become unreadable.
 
Joseph O'Brien

There is not much I can add to the replies you received
from the other respondents but I wonder what's happened
to the noble art of backing up important files at regular
intervals, eg. once a week? Next time you might not be
so lucky - your disk might become unreadable.

I actually have a few pretty good backups. Problem is, I don't trust
them. This is a long story, so I won't go into it, but I suspect that
this malware has been "hiding" latent on the drive for a while (maybe
as a rootkit?). I could restore the files from the backup, but I just
think it would be easier to go straight to the source and get the most
recent files, rather than worrying about restoring incremental
backups, etc. The data's there, and I could restore files from it if I
had to. You have a good point, though.

Thanks everyone.

Joseph
 
