Two Dead Hard Drives: Virus/Trojan?

J. Eric Durbin

Here's my situation:

I've had my XP x64 installation up-and-running since May. About a week
ago, I experienced a brief freeze and had to do a hard boot. The
machine ran fine for another day or so then froze again. Rebooted and
got a "Machine_Check" blue screen error indicating a hardware problem.
After that it would not boot. It would post, taking a longer time to
recognize the IDE drive but it did recognize it, but XP x64 would no
longer start up.

I figured I had a bad hard drive, so I ordered a new one (Western
Digital WD2000JB, same as before), removed the old drive, installed
the new, reinstalled XP x64 and all was well.

Perhaps foolishly, I thought I would try to save the few files off the
old drive, if possible, that I hadn't backed up, so I installed the
old drive as a slave and booted up. The old drive appeared as drive: E
and displayed all my old files and directories. Tried to copy a
directory over to the new drive, but it froze during the copy
requiring a hard boot.

Now the new drive is displaying the same behaviour as the old one. It
goes through post and dies as soon as XP x64 should start up.

I even tried running from the XP x64 installation disk, but that won't
run either. So no repair install possible.

That's what makes me think I may have had a virus or trojan on the old
drive and by installing it as a slave and trying to transfer files,
transferred the virus/trojan to the new drive.

Another factoid, the affected machine was and is on a local network
and none of the other machines has been affected (yet).

This is the setup

MSI K8N Neo2 Platinum
AMD Athlon XP 64 3000+
Western Digital WD2000JB 200Gb hard drive(s)
Corsair Value Select DDR 3200 2x512Mb
Sony DRU510a DVD/CD
Nvidia GeForce 6200
Samsung 930b LCD


All mobo, video, sound drivers were up to date as of yesterday from
the respective websites. PC is behind a router. XP Firewall was ON.
Nod32 antivirus installed and definitions up-to-date. Adaware and
Spybot installed, only Adaware scan run because I only got the machine
up again yesterday.

Now XP x64 is relatively new, but I suppose someone could have written
a virus trojan for it by now. But could it be something else? How
could hooking the bad drive up as a slave to the good new drive cause
the new drive to start acting the same way if it wasn't a virus?

Any ideas will really be appreciated.
 
Yousuf Khan

J. Eric Durbin said:
Perhaps foolishly, I thought I would try to save the few files off the
old drive, if possible, that I hadn't backed up, so I installed the
old drive as a slave and booted up. The old drive appeared as drive: E
and displayed all my old files and directories. Tried to copy a
directory over to the new drive, but it froze during the copy
requiring a hard boot.

Now the new drive is displaying the same behaviour as the old one. It
goes through post and dies as soon as XP x64 should start up.

I even tried running from the XP x64 installation disk, but that won't
run either. So no repair install possible.

That's what makes me think I may have had a virus or trojan on the old
drive and by installing it as a slave and trying to transfer files,
transferred the virus/trojan to the new drive.

It sounds to me like you're either having problems with the power supply
(i.e. it's just not producing enough power on one of its voltage rails),
or your motherboard's IDE interface has died.

BTW, do you have a hardware RAID controller in that motherboard? If so,
were its RAID features turned on and were you using it at the time?
George MacDonald was complaining the other day about how Nforce 4's with
the onboard RAID were flakey when using the RAID.

Yousuf Khan
 
J. Eric Durbin

It sounds to me like you're either having problems with the power supply
(i.e. it's just not producing enough power on one of its voltage rails),
or your motherboard's IDE interface has died.

BTW, do you have a hardware RAID controller in that motherboard? If so,
were its RAID features turned on and were you using it at the time?
George MacDonald was complaining the other day about how Nforce 4's with
the onboard RAID were flakey when using the RAID.

No RAID and the Neo2 Platinum is Nforce 3.

It's got an Antec Neo Power 480 and I'm admittedly novice enough not
to be confident about diagnosing PSU problems and don't have another
to swap in.

You are the 3rd person mentioning the possibility of IDE controller
problems. I wonder if I have enough evidence to RMA the board to MSI?
 
J. Eric Durbin

It sounds to me like you're either having problems with the power supply
(i.e. it's just not producing enough power on one of its voltage rails),
or your motherboard's IDE interface has died.

I just recalled a bit of data, after the first freeze on the original
hard drive, I fired up Everest which provides SMART data and as far as
I could tell, it indicated no problems with that drive.

Of course, I don't believe it indicated any problems with the IDE
controller either but the fact that SMART saw the drive as good
perhaps is more evidence pointing to the IDE controller.
 
Yousuf Khan

J. Eric Durbin said:
I just recalled a bit of data, after the first freeze on the original
hard drive, I fired up Everest which provides SMART data and as far as
I could tell, it indicated no problems with that drive.

Of course, I don't believe it indicated any problems with the IDE
controller either but the fact that SMART saw the drive as good
perhaps is more evidence pointing to the IDE controller.

The next thing you should try out is different IDE cables. If you have
two cables in the system already, possibly try to swap the two cables
with each other. This will eliminate all remaining points of failure as
the reason for the problem.

Yousuf Khan
 
Wes Newell

You are the 3rd person mentioning the possibility of IDE controller
problems. I wonder if I have enough evidence to RMA the board to MSI?

No. Download the diagnostic tools from the drive manufacturer and run
them. Might also try a live Linux cd like Knoppix and see how it runs.
Memtest CD, etc.
 
Unk

The next thing you should try out is different IDE cables. If you have
two cables in the system already, possibly try to swap the two cables
with each other. This will eliminate all remaining points of failure as
the reason for the problem.

Yousuf Khan

And go to your motherboard's web site to see if there is a
temperature/voltage program, or download Motherboard Monitor. Install and
run and make sure you're getting at least 4.75 volts or more out on the 5
+volt output constantly, especially when the hard drive is working. I
wasted money on a new hard drive that was locking up when it was actually
the new super dooper Antec power supply that was only putting out 4.60
volts instead of 5. Bought a PC Power and Cooling.
 
ElJerid

J. Eric Durbin said:
Here's my situation:

I've had my XP x64 installation up-and-running since May. About a week
ago, I experienced a brief freeze and had to do a hard boot. The
machine ran fine for another day or so then froze again. Rebooted and
got a "Machine_Check" blue screen error indicating a hardware problem.
After that it would not boot. It would post, taking a longer time to
recognize the IDE drive but it did recognize it, but XP x64 would no
longer start up.

I figured I had a bad hard drive, so I ordered a new one (Western
Digital WD2000JB, same as before), removed the old drive, installed
the new, reinstalled XP x64 and all was well.

Perhaps foolishly, I thought I would try to save the few files off the
old drive, if possible, that I hadn't backed up, so I installed the
old drive as a slave and booted up. The old drive appeared as drive: E
and displayed all my old files and directories. Tried to copy a
directory over to the new drive, but it froze during the copy
requiring a hard boot.

Now the new drive is displaying the same behaviour as the old one. It
goes through post and dies as soon as XP x64 should start up.

I even tried running from the XP x64 installation disk, but that won't
run either. So no repair install possible.

That's what makes me think I may have had a virus or trojan on the old
drive and by installing it as a slave and trying to transfer files,
transferred the virus/trojan to the new drive.

Another factoid, the affected machine was and is on a local network
and none of the other machines has been affected (yet).

This is the setup

MSI K8N Neo2 Platinum
AMD Athlon XP 64 3000+
Western Digital WD2000JB 200Gb hard drive(s)
Corsair Value Select DDR 3200 2x512Mb
Sony DRU510a DVD/CD
Nvidia GeForce 6200
Samsung 930b LCD


All mobo, video, sound drivers were up to date as of yesterday from
the respective websites. PC is behind a router. XP Firewall was ON.
Nod32 antivirus installed and definitions up-to-date. Adaware and
Spybot installed, only Adaware scan run because I only got the machine
up again yesterday.

Now XP x64 is relatively new, but I suppose someone could have written
a virus trojan for it by now. But could it be something else? How
could hooking the bad drive up as a slave to the good new drive cause
the new drive to start acting the same way if it wasn't a virus?

Any ideas will really be appreciated.

One of my customers had a similar problem, however with Win 98SE. He
followed the same repair process as you did, replacing the HD, and tried to
copy the old one to the new one, again with the same result of system crash.
In his case, the problem was a virus (don't remember which one) that
destroyed the MBR from both disks. To solve his problem, he had to boot from
an AV CD and remove the virus. After that he could perform a mbr repair and
restart his system normally. No reinstall of Windows or programs was
necessary.
 
kony

One of my customers had a similar problem, however with Win 98SE. He
followed the same repair process as you did, replacing the HD, and tried to
copy the old one to the new one, again with the same result of system crash.
In his case, the problem was a virus (don't remember which one) that
destroyed the MBR from both disks. To solve his problem, he had to boot from
an AV CD and remove the virus. After that he could perform a mbr repair and
restart his system normally. No reinstall of Windows or programs was
necessary.


Wouldn't booting from floppy (to avoid the virus loading)
then FDISK/mbr have done the trick?
 
Jared Richardson

I had this problem last month. One box kept telling me drives were dead.
They'd hang, spin down, spin back up... crazy stuff. I lost a decent amount
of data. After the fourth drive, I got suspicious of the box. :)

Since this type of problem can be caused by a bad power supply, I swapped
out the power supply. No change.

Then I swapped out the memory, etc, through every component in the system
except the motherboard. I even put the drives on a PCI based disk
controller.

In my case, swapping the video card seems to have restored my system to rock
solid status. I've never heard of that being a problem for anyone else, but
I pass it along to you because our problems sound so similar.

Jared
http://jaredrichardson.net
 
Spajky

One of my customers had a similar problem, however with Win 98SE. He
followed the same repair process as you did, replacing the HD, and tried to
copy the old one to the new one, again with the same result of system crash.
In his case, the problem was a virus (don't remember which one) that
destroyed the MBR from both disks. To solve his problem, he had to boot from
an AV CD and remove the virus. After that he could perform a mbr repair and
restart his system normally.

I had similar as last experience a year ago: NOD32 only found
not defined exactly "something" suspicious if run only in deep
heuristic mode & looked like false alarm, but could not disinfect the
drive. That happened to me after connecting as second drive some other
given for free one to be scanned against viruses. The MBR virus/trojan
had a delayed effect on my system (time bomb & few boots!) & was
moving itself around (thru INT routines & Bios calls!!!) as soon the
infected drive was not disabled in Bios (enabled & was recognized at
boot!) even before OS even tried to load!!!
I "tested" that virus how it works few times (since luckily i
usually keep updated full system back_ups on CDs), since first after
brief period totally screwed my system partition & then even stopped @
well known "Verifying DMI..." & PC could not be revived ...
The only thing helped (tried a bunch of well known procedures
that did NOT work-was damn well written one!) is that I "ZAP"-ed both
drives & then installed standard MBR code using "MBRwork", both
embedded with my MicroW9x bootable from CD & No-HD capable
rescue OS of 4,3MB DL at the end here:
http://users.volja.net/image/Files/ResQsys.htm :)

LOL, that first infected HD was taken out of disassembled
older "problematic" with all kind of strange problems PC (because no
one could fix it!), so parts of it were given of it around for free ..
:)) ... I believe that PC had only one problem (that one described!)
...
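
Several replies above describe viruses that damage the MBR and repairing the boot record afterwards. As an added example (not written by any poster in this thread), the Python below inspects a 512-byte first sector copied off a drive: it checks the 0x55AA boot signature, the partition table, and the boot code against a known-good hash. The sample sectors, the placeholder boot-code bytes and the baseline set are all constructed for illustration.

```python
import hashlib
import struct

CODE_LEN = 440   # bootstrap code; bytes 440-445 hold the NT disk signature
TABLE_OFF = 446  # four 16-byte partition entries
SIG_OFF = 510    # must hold 0x55 0xAA

def parse_mbr(sector):
    """Return boot-code hash, signature flag and used partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"status": status, "type": ptype, "start": start, "count": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "signature_ok": sector[SIG_OFF:] == b"\x55\xaa",
            "partitions": parts}

def check_mbr(sector, baseline_hashes):
    """List reasons this sector differs from a healthy, known boot record."""
    info, issues = parse_mbr(sector), []
    if not info["signature_ok"]:
        issues.append("boot signature 0x55AA missing")
    if info["code_sha256"] not in baseline_hashes:
        issues.append("boot code differs from baseline")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        issues.append("invalid partition status byte")
    if sum(p["status"] == 0x80 for p in info["partitions"]) > 1:
        issues.append("more than one active partition")
    spans = sorted((p["start"], p["start"] + p["count"]) for p in info["partitions"])
    if any(a_end > b_start for (_, a_end), (b_start, _) in zip(spans, spans[1:])):
        issues.append("partition entries overlap")
    return issues

def make_sector(code, entries, sig=b"\x55\xaa"):
    """Build a constructed 512-byte sample sector (not a real disk image)."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0" * 3, t, b"\0" * 3, lba, n)
                     for s, t, lba, n in entries).ljust(64, b"\0")
    return code.ljust(CODE_LEN, b"\0") + b"\0" * 6 + table + sig

# Constructed samples: placeholder bytes stand in for real boot code.
GOOD_CODE = b"\xfa\x33\xc0" + b"\x90" * 64
BASELINE = {hashlib.sha256(GOOD_CODE.ljust(CODE_LEN, b"\0")).hexdigest()}
clean = make_sector(GOOD_CODE, [(0x80, 0x07, 63, 390700737)])
altered = make_sector(b"\xeb\x3c" + b"\xcc" * 64, [(0x80, 0x07, 63, 1000), (0x80, 0x07, 500, 1000)])
wiped = bytes(512)
```

Hashing only the first 440 bytes keeps the per-disk signature and partition table out of the comparison, so two healthy drives written by the same tool produce the same boot-code hash.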
 
J. Eric Durbin

Here's my situation:

I've had my XP x64 installation up-and-running since May. About a week
ago, I experienced a brief freeze and had to do a hard boot. The
machine ran fine for another day or so then froze again. Rebooted and
got a "Machine_Check" blue screen error indicating a hardware problem.
After that it would not boot. It would post, taking a longer time to
recognize the IDE drive but it did recognize it, but XP x64 would no
longer start up.

For those who might be curious about how this turned out...

It appears that those who thought the motherboard (specifically a
faulty IDE controller) was the culprit appear to have been correct.

After testing and swapping in memory from other machines, swapping
CD/DVD drives, changing cables, swapping video cards, and buying a new
PC Power and Cooling PSU, the symptoms remained. So, I purchased an
ASRock 939DUAL-SATA2 as an inexpensive alternative to the MSI Neo2
Platinum, and installed it.

As it turned out, I had a second problem. When trying to re-install XP
x64, the installation would fail due to corrupt files. It turns out
the installation disk had been scratched at some point. A new OEM disk
arrived today and installation completed without problems.

So it appears that the MSI board will be RMA'ed and hopefully used for
a future machine.
 
kony

For those who might be curious about how this turned out...

It appears that those who thought the motherboard (specifically a
faulty IDE controller) was the culprit appear to have been correct.

After testing and swapping in memory from other machines, swapping
CD/DVD drives, changing cables, swapping video cards, and buying a new
PC Power and Cooling PSU, the symptoms remained. So, I purchased an
ASRock 939DUAL-SATA2 as an inexpensive alternative to the MSI Neo2
Platinum, and installed it.

As it turned out, I had a second problem. When trying to re-install XP
x64, the installation would fail due to corrupt files. It turns out
the installation disk had been scratched at some point. A new OEM disk
arrived today and installation completed without problems.

So it appears that the MSI board will be RMA'ed and hopefully used for
a future machine.

Glad you got it sorted out, but replacing an entire
motherboard doesn't exactly isolate the ATA controller.
 
