How-To Geek Forums / Windows Vista

external hard drive infected with Trojan.dropper and it can't be removed

(45 posts)
  • Started 8 years ago by SarahJames
  • Latest reply from SarahJames
  • Topic Viewed 14583 times

SarahJames
Posts: 6581

Today I visited a friend and helped her with her computer. She also had an external hard drive that was infected with a worm and the computer people who had restored her computer about a year ago had put a notice on it and said the worm couldn't be removed.

I took a look today and it is a USB external hard drive of 250 GB, but it shows up as a CD drive of 14 MB and it is read only. Norton indicated it was Trojan.dropper and that Norton needed manual aid to remove the virus, because the file was read only.

I could not access the drive, because it is seen as a CD drive and hence deleting files is not possible.
Is there a way to save this drive? It has only been used for about two months and has been lying around for about a year disconnected for fear of the virus. It's a real shame :(

Thanks!
Sarah.

Posted 8 years ago
 
wallaceb
Posts: 214

I wonder if you try booting into Ubuntu or Knoppix

since those are a fully different operating system, the virus might not function, and so you may regain access to the drive

Posted 8 years ago
 
raphoenix
Posts: 14920

SarahJames,

Send me the name of the HD and will try searching for you.

Any other details might be helpful.

Regards,
Rick P.

Posted 8 years ago
 
jonhill987
Posts: 161

I'm with wallaceb. Find someone who is running Linux and plug the drive in their computer. A .exe file will not run in Linux so their PC will be safe. You will just be able to delete the virus from the disk. I did this when my USB sticks all became infected.

Posted 8 years ago
 
wallaceb
Posts: 214

you should not need to find anyone who already has Linux, you can just get a LIVE CD and boot off that without the need to actually install linux.

Posted 8 years ago
 
whs
Posts: 17584

WuBi would be another alternative. http://www.download.com/Wubi/3.....01841.html

Posted 8 years ago
 
SarahJames
Posts: 6581

@ raphoenix - Let's see what I can find out about it. It's even in the original box ... LOL
Toshiba, 250 GB external USB hard drive, highspeed 7200 rpm, cache 8 MB, USB 2.0
There is software with it for easy backup, Regen for PushButton Backup.
And there is an option for password protection.
I don't know what (if any) software is installed.

@ wallaceb - Where can I find me the LIVE CD?
Or can I use the VistaPE BootCD I made? And in either case don't I risk infecting my own pc? Would be rather inconvenient ... LOL!

Posted 8 years ago
 
SarahJames
Posts: 6581

Found this : https://help.ubuntu.com/community/LiveCD
So I'm downloading the iso right now.

@ whs - LOL you posted while I was writing.

Posted 8 years ago
 
jack7h3r1pp3r
Posts: 2815

i would use a knoppix distro
and do a live boot from a cd

Posted 8 years ago
 
SarahJames
Posts: 6581

@ jack7h3r1pp3r - what is the difference with the ubuntu?
Or maybe I'd better say, what's knoppix distro?

(I'm glad I know what Linux and Ubuntu are, even though I haven't got a clue as to how to work with them ...)

Edit: forget I asked - found this:
http://www.knoppix.net/

Posted 8 years ago
 
SarahJames
Posts: 6581

But anyway - when I boot from a Linux type bootCD, where do I find the commands to get to the external drive and what do I need to do to format the thing?
And would it be possible to save any data from it? I'm told there were photos on it she'd like to get back.

Posted 8 years ago
 
SarahJames
Posts: 6581

@ whs - read what it said about WuBi, but I'm not all that interested in Linux. Or should I say, I'm not interested in Linux at all:) Just need it to get this external drive clean, so I think a bootcd is the better option. Just requires a restart. Nothing is added to my system and that's the way I like it, because I won't be using it for anything else.

Posted 8 years ago
 
raphoenix
Posts: 14920

SarahJames,

Ask your friend if she remembers "Signing" the drive ??

Edit: I think? the way that works is that it encrypts the drive table.
Edit: This is why Norton would see the HD as infected and also why the HD does not report correct size and media format.
Regards,
Rick P.

Posted 8 years ago
 
whs
Posts: 17584

Sarah, I am not really a Linux fan either. But in situations like that it comes in handy. That's why I am trying to at least acquire some very basic knowledge. But you are right. No need to bloat the system with it full time.
Just another thought: If you do anything with this thing on your own system, be careful - as you said, catching something would be rather inconvenient. In that case though you might want to consider running the thing in a Sandbox - like Sandboxie.

Posted 8 years ago
 
jack7h3r1pp3r
Posts: 2815

I think that you should be able to see the external drive when you boot into Knoppix, and that is why I suggested that one, because it is easy to see hard drives without having to install the OS or use commands. I'm not sure about external drives though, but I think that you should be able to see them. I will test it later if you haven't already by that time, because I have to go to school now, so see you later tonight maybe :)

i hope all goes well

Posted 8 years ago
 
ScottW
Posts: 6609

Sarah, this is an interesting discussion. It seems to me that it shouldn't be so difficult to resolve. When you say the external HD is "seen" as a CD drive, where is it seen this way? In Explorer, in Disk Management, in Device Manager?

I would think that if you boot in Safe Mode, the worm would not be able to launch. Then you could look at the drive and see what's up. Is there an autorun.inf file? Delete that and whatever it points to. You could use Disk Management to look at how it's partitioned and mount the partitions to restore data.

If that didn't work, then Vista PE (or Windows RE) should also let you see the partitions. You would have to use diskpart.exe, though.

Posted 8 years ago
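
ScottW's autorun.inf check can be done by reading the file as plain text, for instance from a live CD, so nothing on the drive is run. The following is an added example, not code from any poster in this thread: it lists the programs an autorun.inf would launch and finds them on the mounted drive regardless of filename case. The sample file contents and all function names are constructed for illustration.

```python
import ntpath
from pathlib import Path

LAUNCH_KEYS = {"open", "shellexecute"}  # autorun.inf keys that start a program

# Constructed sample; not the contents of the drive discussed in this thread.
SAMPLE_INF = r"""[AutoRun]
; comment line
open=Setup\Launcher.exe /quiet
icon=drive.ico
shell\scan\command="tools\my scan.exe" -a
stray text with no equals sign
label=Password
"""

def first_token(value):
    """Return the program part of a command line (quoted or space-delimited)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(None, 1)[0] if value else ""

def autorun_targets(inf_text):
    """List (key, program) pairs that the [autorun] section would launch."""
    targets, in_autorun = [], False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                if first_token(value):
                    targets.append((key, first_token(value)))
    return targets

def locate(root, win_path):
    """Find a Windows-style path under root, ignoring case; None if absent."""
    current = Path(root)
    for part in ntpath.splitdrive(win_path)[1].replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue
        if part == ".." or not current.is_dir():
            return None  # never step outside the mount point
        current = next((p for p in current.iterdir()
                        if p.name.lower() == part.lower()), None)
        if current is None:
            return None
    return current

if __name__ == "__main__":
    for key, program in autorun_targets(SAMPLE_INF):
        print(key, "->", program)
```

Unquoted program paths that contain spaces are cut at the first space, so compare the result against the raw line before deleting anything.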
 
SarahJames
Posts: 6581

Just a short reply - out househunting today:)

Scott - I plugged it in at my friend's PC and could see it in explorer. I ran Norton and selected the drive to be cleaned, but Norton can't remove anything, because the drive 'acts' like a cd.
So I tried to delete files manually, but wasn't able to either.
It's not partitioned - or well, just one partition.
Norton made sure the virus didn't spread, but I don't know how much I can do without it triggering to become active ....
Maybe whs' suggestion of sandboxie could help???

Gotta run!
Sarah.

Posted 8 years ago
 
SarahJames
Posts: 6581

Jack, I burned the iso to CD and ran Knoppix, but I can't find anything with it. I just see the contents of the bootCD, but can't find any drives outside it. That's probably just me - not used to Knoppix:)
But that is also why I already gave it a trial run. Just Knoppix, no virushunting yet. LOL

Edit: couldn't get into Vista anymore after running the bootCD. Had to press F10 (when I had my wits about me to think about that one ....) and then I could select where I wanted to boot from, so I set it back to my C drive. Oh, nice such a lovely black screen LOL!

Posted 8 years ago
 
SarahJames
Posts: 6581

LOL - just promoted to moderator, but I'm asking you guys how to fix things - not the other way round!

Because I still have trouble when my PC boots - have to press F10 (and if I'm not fast enough, ctrl+alt+ delete till I get it right) and then choose my C Drive to boot from. I don't see any options to choose this for default, so I have to do it every time and I can't get into my bootmenu either.
How do I get this put back to normal???

Sarah.

Posted 8 years ago
 
abhs94
Posts: 165

Just format the hdd and everything's gonna be ok

Posted 8 years ago
 
Lighthouse
Posts: 13598

What is it trying to boot to/from?

Us mods need help too you know :)

Posted 8 years ago
 
drifta
Posts: 446

I don't know anything about Linux systems, so the only suggestion I have is that you connect the HDD to a Mac; since the virus won't infect the Mac u should be fine.
After connecting the HDD to a Mac, format the HDD.
Where to get a Mac from? Try the local library, friend's comp, etc.

Don't know about anything else u can do to fix the HDD.

Posted 8 years ago
 
SarahJames
Posts: 6581

@ Lighthouse - it wants to boot from the CD drive

Posted 8 years ago
 
Lighthouse
Posts: 13598

Sarah. Can't you get into BIOS and change the boot device? Sorry if you've already mentioned this, but I had to nip out for a couple of hours, and am not up to speed yet. :)

Posted 8 years ago
 
SarahJames
Posts: 6581

That's just it - I can't get into the BIOS!

Posted 8 years ago
 
Lighthouse
Posts: 13598

Ah. So it won't let you in? Or you don't know how to get in on that particular machine?

Posted 8 years ago
 
SarahJames
Posts: 6581

the only thing that works is F10 and then I can choose my c drive, but it won't stick.

What other ways are there to get into the BIOS?

Posted 8 years ago
 
Lighthouse
Posts: 13598

Try "Esc" or maybe "Delete"

Posted 8 years ago
 
SarahJames
Posts: 6581

tried that, but didn't work

Posted 8 years ago
 
Lighthouse
Posts: 13598

You must have a mega quick boot up sequence to have tried them that quick?

Posted 8 years ago
 
SarahJames
Posts: 6581

The only thing I get is a black screen with a white cursorline (can't remember the name .... LOL) and then I have to press ctrl + alt + delete and it restarts and then I've got to be fast and press F10.
If I'm not fast enough I've got to do it again.
When I'm fast enough I get a blue dos screen that gives me the options which drive to choose to boot from and then I'm ok, but it won't stick so next time I restart or start I have to do it all over again.

Posted 8 years ago
 
SarahJames
Posts: 6581

LOL - no I tried the past 5 or 6 times I have booted this thing!

Posted 8 years ago
 
SarahJames
Posts: 6581

Tried everything I could think of and I'm clear out of ideas ...

Posted 8 years ago
 
Lighthouse
Posts: 13598

I'm with you. But um?

Posted 8 years ago
 
SarahJames
Posts: 6581

LOL - I'm already looking forward to my next boot ....
So much so I didn't turn off the computer at all when walking the dogs today ...

Posted 8 years ago
 
SarahJames
Posts: 6581

Is there someone here with knowledge of Knoppix?
I figure if I restart from the Knoppix BootCD maybe I might get into the BIOS.
I remember pressing enter when I started the **** thing which allowed the system to boot from the CD, so the reverse should be possible too.
But I couldn't find my way around Linux at all, so I'd like some advice of where to find what, before I get into rebooting again ...

Posted 8 years ago
 
SarahJames
Posts: 6581

jack7h3r1pp3r - do you know about knoppix??? Are you here?

Posted 8 years ago
 
Dobermann
Posts: 2

Hi Sarah,

I'm new here and was going to ask a question of my own, but then I saw this thread and since it sounded very interesting, I gave it a read.

I am going to ask the obvious..... have you removed the Unix CD from the CD drive?

Also, in Windows have you gone to Start | Right click on My Computer | Properties. Then select Advanced tab, within that Startup and Recovery Settings button. Click Edit to manually edit the start-up file options. From there, remove the references to the Unix OS system. For example, here is my startup file on XPP without dual boot:

[boot loader]
timeout=8
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Notice how under the OS section there is only one listed.

It's been years since I used a flavor of Unix, but as I remember, this is where it also logs the dual boot of your system.

Have a look - and good luck!

Now to post my own question.....

Dobermann

Posted 8 years ago
 
drifta
Posts: 446

@Sarah have u tried F2 to go into boot or F12

Posted 8 years ago
 
SarahJames
Posts: 6581

@ Dobermann - yes, I had removed the CD, LOL!
And it was never a dual boot kind of thing. Just a Live CD to boot from. Normally removing the CD is enough to get back to your system without a problem and no files / entries are written to your normal bootsystem (Vista in my case).

Offtopic - I used to have a Dobermann years ago. Lovely dogs and very photogenic (unlike my current black bunch ...)

@ drifta - that's how I got in this morning > read on :)

@ Lighthouse - F11 got me into the BIOS, but because of the wireless keyboard I have to be very, very, vééérrry fast otherwise it won't get acknowledged in time and I have to start all over again.
My default startup was USB, CD, HDD. Looked ok, so I set to optimized defaults, because I didn't know what to change.
That didn't help at all.
So I set it to safety defaults. Didn't help either.
Then I replaced the USB with my HDD and voila I got in in a breeze.
I'll go back there next boot, because I want to try if it works CD first and then HDD.
I had such trouble getting in this morning that I think it's the USB boot option that gives the problem.
No idea as to why, but when I put in my VistaPE CD it also didn't boot and neither would the Knoppix CD.
I guess it tries the USB device and when no boot item is found it stops there.
I didn't have a look at the BIOS before all this, but my guess is the USB wasn't set as boot device when I got the PC and it somehow got changed, causing my trouble.

But I shouldn't go all happy yet - can do that after my next boot and I know for sure things are back to normal again LOL.

A very cheerful Sarah on a very windy and rainy Sunday morning ;-D

Posted 8 years ago
 
SarahJames
Posts: 6581

Edit: now that my system is back to normal again I still have to take a look at that external HDD and remove the virus ...

Knoppix is not my first choice as a means to get there (now wonder why that should be ...),
so would it be safe to do it from the VistaPE bootCD?
And how do I get the antivirus program on the bootCD up to date? Strong antivirus protection seems a requirement here, don't you think? LOL

That's one thing I don't understand about Live CDs - where do they write their data to?
Not to the CD - that's impossible.
To my HDD? But when I remove the bootCD I don't see a single trace of it and I've read topics that it is a good idea to start from a bootCD if you had a system crash and you want to save your data to USB / external drive etc. before doing a restore, because when you use the bootCD no data gets overwritten on your original system.
So how does this work?
(Ok not a need to know part of getting the virus off the external drive, I'm just being curious)

Sarah.

Posted 8 years ago
 
whs
Posts: 17584

Sarah, maybe this helps. http://en.wikipedia.org/wiki/Live_CD

Posted 8 years ago
 
SarahJames
Posts: 6581

Hi Guys,

Today I finally got round to formatting the external drive.
So far it looks good.

It is divided into two parts (I'm working on the laptop btw, not on my own computer). Drive H, which I formatted and it looks good.
But there is also a drive G, which is called Password, about 15 MB in size and it acts like a CD.
I tried formatting it in cmd, since in Computer> Beheren (Management?) there was no option to format.

When in cmd I get this:

In general: I need to add the name Password or it won't work to start with.
And then it starts, but stops because 'the drive is writeprotected'.

But AVG clearly indicates the virus is on this drive, I think it is vital I clean this thing up.

Any suggestions?

Posted 8 years ago
 
SarahJames
Posts: 6581

LOL - I'm not really sure what I did and if it is a problem or that it actually solved my problem.
When I right-clicked G and selected Properties, at first I checked if there were new drivers.
There were no new drivers.
I also had the option to select to remove the drive, which I did and now the whole drive G is gone, but H works all right (not sure what will happen after a reboot ...).

When on H I can select to get G back, but I thought maybe this will enable me to leave H on and not having to worry the laptop gets infected. True?

I'll leave the external drive disconnected, till I've heard from you:)

Cheers,
Sarah.

Posted 8 years ago
 