Two Dead Hard Drives: Virus/Trojan?

On Wed, 7 Dec 2005 14:48:41 -0800, "JAD"
wrote:

[combining both posts]

can you try the drive in a different machine?

At the moment I have the visceral fear of putting either of these
drives in any other machine until I'm sure they are not the culprit.
I've got one PC left I could test on but if that goes, I'm down to the
laptop.

I have had optical drives misbehave when the PSU was marginal, although I
have never ran across this same thing (that I know of) when its come to hard
drives but I figure its possible.

The PSU is a 6 month-old Antec Neo Power 480, not to say something
couldn't go wrong with it but it's should be pretty reliable.
Consensus seems to be forming for a bad IDE controller and someone
else brought up the damage power outages can cause even when you're
behind a UPS. I live up in the mountains served by Pakistani Gas and
Electric (PG&E) and power outages are a way of life up here in the
Appalachia of the Pacific.

oh and what ANTI virus are you running?

NOD32 for x64, all definitions up-to-date as of yesterday.

J. Eric Durbin wrote:

On Wed, 07 Dec 2005 16:14:07 -0500, Jim wrote:

J. Eric Durbin wrote:
Here's my situation:

Now XP x64 is relatively new, but I suppose someone could have
written a virus trojan for it by now. But could it be something
else? How could hooking the bad drive up as a slave to the good
new drive cause the new drive to start acting the same way if it
wasn't a virus?

Any ideas will really be appreciated.

Borrow a KNOPPIX disc, boot to it and report back the results.

I forgot to mention that I actually tried that with the first
drive. Both Knoppix and Damn Small Linux started the boot process
showing the Penguin logo but failed immediately.

Did you mention Linux in your original post?

The only time I've ever had to reformat my whole disk since learning
how to use disk managers was when trying to dual-boot with Linux.

Take other drives out of a testbed system. Put only this
drive in that system. Run manufacturer's diagnostic
(available for free on his web site) for that disk drive. IOW
separate the problem into a software or hardware domain.
Diagnostic tests execute without any OS or other software
problems to influence the test.

Your symptoms do indeed sound like malware. But that is
only speculation. First establish what is and is not working
- eliminate speculation. Will the hard drive (especially when
heated with a hairdryer on high) work for all manufacturer
diagnostics? If so, then move on to other potential reasons
for failure.

BTW, you need not read those files using Windows. There are
even programs that may read NTFS filesystem data files using
DOS.

Obviously you want to learn why the problem exists because
it may also exist now on other drives. But that means first
establishing what is working properly - to reduce a list of
suspects - by breaking the problem down into parts and then
analyzing but one part at a time.

BTW, is power supply a reason for failure? A 3.5 digit
multimeter could have answered that question in but minutes.
Again, an example of conclusively eliminating potential
suspects so to move on to the real problem.

"J. Eric Durbin" wrote:
At the moment I have the visceral fear of putting either of these
drives in any other machine until I'm sure they are not the culprit.
I've got one PC left I could test on but if that goes, I'm down to the
laptop.

I have had optical drives misbehave when the PSU was marginal, although I
have never ran across this same thing (that I know of) when its come to hard
drives but I figure its possible.

The PSU is a 6 month-old Antec Neo Power 480, not to say something
couldn't go wrong with it but it's should be pretty reliable.
Consensus seems to be forming for a bad IDE controller and someone
else brought up the damage power outages can cause even when you're
behind a UPS. I live up in the mountains served by Pakistani Gas and
Electric (PG&E) and power outages are a way of life up here in the
Appalachia of the Pacific.

oh and what ANTI virus are you running?

NOD32 for x64, all definitions up-to-date as of yesterday.

On Wed, 07 Dec 2005 18:37:00 -0500, w_tom wrote:

Take other drives out of a testbed system. Put only this
drive in that system. Run manufacturer's diagnostic
(available for free on his web site) for that disk drive. IOW
separate the problem into a software or hardware domain.
Diagnostic tests execute without any OS or other software
problems to influence the test.

Your symptoms do indeed sound like malware. But that is
only speculation. First establish what is and is not working
- eliminate speculation. Will the hard drive (especially when
heated with a hairdryer on high) work for all manufacturer
diagnostics? If so, then move on to other potential reasons
for failure.

BTW, you need not read those files using Windows. There are
even programs that may read NTFS filesystem data files using
DOS.

Obviously you want to learn why the problem exists because
it may also exist now on other drives. But that means first
establishing what is working properly - to reduce a list of
suspects - by breaking the problem down into parts and then
analyzing but one part at a time.

BTW, is power supply a reason for failure? A 3.5 digit
multimeter could have answered that question in but minutes.
Again, an example of conclusively eliminating potential
suspects so to move on to the real problem.

Some good tips, of course, a good learning experience I should go
ahead and take advantage of. Testing the electrical aspects of systems
is one area I have been gingerly and slowly learning more about having
avoided getting educated about it fot too long.

One thought, the Antec Neo Power 480 is one the modular cabling units
with multiple Molex connectors. Would be worth testing various cable
and connector combinations or is the problem more likely in the unit
itself?

J. Eric Durbin wrote:

Here's my situation:

I've had my XP x64 installation up-and-running since May. About a week
ago, I experienced a brief freeze and had to do a hard boot. The
machine ran fine for another day or so then froze again. Rebooted and
got a "Machine_Check" blue screen error indicating a hardware problem.
After that it would not boot. It would post, taking a longer time to
recogize the IDE drive but it did recognize it, but XP x64 would no
longer start up.

I'd say it's either a hardware problem or a corrupted hard drive but the
'slow to recognize' comment, by which I presume you mean the BIOS is slow
to see it, does suggest it's hardware and most likely the hard drive.


I figured I had a bad hard drive, so I ordered a new one (Western
Digital WD2000JB, same as before), removed the old drive, installed
the new, reinstalled XP x64 and all was well.

Would tend to support the bad hard drive theory.

Perhaps foolishly, I thought I would try to save the few files off the
old drive, if possible, that I hadn't backed up, so I installed the
old drive as a slave and booted up.

Did you also change the Western Digital Master jumper, on the new drive, to
be Master WITH slave when you added the second drive back in?

Western Digital drives have *two* settings for 'master'; one without slave
(single drive) and master with slave.

Or do you have them set for cable select?

The old drive appeared as drive: E
ans displayed all my old files and directories.

So far, so good.

Tried to copy a
directory over to the new drive, but it froze during the copy
requiring a hard boot.

The problem here is, *why* did it freeze up? Master drive not jumpered
correctly (see above)? Bad data on the slave drive? Defective slave drive
hanging the IDE channel just like it did when it was the only one?


Now the new drive is displaying the same behaviour as the old one. It
goes through post and dies as soon as XP x64 should start up.

While it might be 'the same behavior' but your description is not exactly
the same. For one, you don't mention the BIOS being 'slow to see it'.

Is the original 'bad' drive still in the system when this happens? Because,
if it's causing things to hang then it'll still be causing things to hang
whether it's 'master' or not.


I even tried running from the XP x64 installation disk, but that won't
run either. So no repair install possible.

Old drive still in the machine?

I can't think of any way that an infection on the hard drives, regardless,
could prevent an install CD from loading/running, depending on what you
mean by "won't run." Doesn't boot? Gets X% through the install and then
does, what?


That's what makes me think I may have had a virus or trojan on the old
drive and by installing it as a slave and trying to transfer files,
transfered the virus/trojan to the new drive.

I think it's more likely that the second drive being defective caused
problems rather than an infection, even if there is an infection, because
simply copying infected files should not 'run' the virus, or whatever, and
without being 'run' a virus can't infect anything.

You don't say what you copied, nor how, and that could be a problem as
well. For example, if you decided to do something like a global copy of
your user folder from the old machine to the new one, as in \documents and
settings\user to the same folder on the new one, then you would have over
written application data and user configurations on the new one with data
that doesn't necessarily match any more, which could create all kinds of
problems.


Another factoid, the affected machine was and is on a local network
and none of the other machines has been affected (yet).

Well, if it was a virus/trojan, or some other network transmitted
infection, then it would, most likely, have spread to the other machines
almost instantly from the original infection unless you have protective
blocking measures on those machines that you didn't on that one.


THis is the set up

MSI K8N Neo2 Platinum
AMD Athlon XP 64 3000+
Western Digital WD2000JB 200Gb hard drive(s)
Cosair Value Select DDR 3200 2x512Mb
Sony DRU510a DVD/CD
Nvidia GeForce 6200
Samsung 930b LCD


All mobo, video, sound drivers were up to date as of yesterday from
the respective websites. PC is behind a router. XP Firewall was ON.
Nod32 antivirus installed and definitions up-to-date. Adaware and
Spybot installed, only Adaware scan run because I only got the machine
up again yesterday.

Now XP x64 is relatively new, but I suppose someone could have written
a virus trojan for it by now. But could it be something else? How
could hooking the bad drive up as a slave to the good new drive cause
the new drive to start acting the same way if it wasn't a virus?

By corrupting the data on it or by being in the machine and hanging the IDE
channel just like it did when it was 'master'.

Btw, I've seen loose power connectors cause problems like that. They seem
to be good, and may even 'feel' good when inserted, but if one of the power
pins isn't making tight enough contact it can cause the drive to glitch and
hang. And I've seen that as either the PSU molex pins being wallowed out
for some reason, bad crimp of the wire into the molex pin (I've seen some
even eventually just fall out of the pin), and cracked trace/solder joint
on the hard drive PCB going to the power connector.


Any ideas will really be appreciated.

On Wed, 07 Dec 2005 20:24:21 -0600, David Maynard
wrote:

J. Eric Durbin wrote:

Here's my situation:

I've had my XP x64 installation up-and-running since May. About a week
ago, I experienced a brief freeze and had to do a hard boot. The
machine ran fine for another day or so then froze again. Rebooted and
got a "Machine_Check" blue screen error indicating a hardware problem.
After that it would not boot. It would post, taking a longer time to
recogize the IDE drive but it did recognize it, but XP x64 would no
longer start up.

I'd say it's either a hardware problem or a corrupted hard drive but the
'slow to recognize' comment, by which I presume you mean the BIOS is slow
to see it, does suggest it's hardware and most likely the hard drive.

Yes, during post the pause occurred while the message "Detecting IDE
Master" was displayed.

I figured I had a bad hard drive, so I ordered a new one (Western
Digital WD2000JB, same as before), removed the old drive, installed
the new, reinstalled XP x64 and all was well.

Would tend to support the bad hard drive theory.

Perhaps foolishly, I thought I would try to save the few files off the
old drive, if possible, that I hadn't backed up, so I installed the
old drive as a slave and booted up.

Did you also change the Western Digital Master jumper, on the new drive, to
be Master WITH slave when you added the second drive back in?

Western Digital drives have *two* settings for 'master'; one without slave
(single drive) and master with slave.

Or do you have them set for cable select?

Both were set to cable select.

The old drive appeared as drive: E
ans displayed all my old files and directories.

So far, so good.

Tried to copy a
directory over to the new drive, but it froze during the copy
requiring a hard boot.

The problem here is, *why* did it freeze up? Master drive not jumpered
correctly (see above)? Bad data on the slave drive? Defective slave drive
hanging the IDE channel just like it did when it was the only one?

The behavior was exactly like that when the defective drive was the
Master Drive, and the only drive installed.

Now the new drive is displaying the same behaviour as the old one. It
goes through post and dies as soon as XP x64 should start up.

While it might be 'the same behavior' but your description is not exactly
the same. For one, you don't mention the BIOS being 'slow to see it'.

Correct, the pause at "Detecting IDE Master" was not as long when the
new drive was the only drive, nor when the old "defective drive" was
installed as slave.

Is the original 'bad' drive still in the system when this happens? Because,
if it's causing things to hang then it'll still be causing things to hang
whether it's 'master' or not.

After the first bad bood with both drives installed, I removed the
defective drive", shut down, and booted with only the new, previously
working drive as master. The PC would no longer boot. The post
messages proceeded sucessfully through RAM check, IDE Master check,
and on to "Boot from CD" "Press any key to Boot from CD". After that,
whether pressing a key to boot from CD or allowing the process to
continue to boot from the hard drive, the result was a blank screen
and no boot.

I even tried running from the XP x64 installation disk, but that won't
run either. So no repair install possible.

Old drive still in the machine?

No. Removed.

I can't think of any way that an infection on the hard drives, regardless,
could prevent an install CD from loading/running, depending on what you
mean by "won't run." Doesn't boot? Gets X% through the install and then
does, what?

After the normal post messages, I get the "Press any key to post from
CD" message. Pressage a key with the Windows XP x64 cd in the drive I
get the "Inspecting your hardware...:" message then it freezes. No
apparent activity from the CD drive.

You don't say what you copied, nor how, and that could be a problem as
well. For example, if you decided to do something like a global copy of
your user folder from the old machine to the new one, as in \documents and
settings\user to the same folder on the new one, then you would have over
written application data and user configurations on the new one with data
that doesn't necessarily match any more, which could create all kinds of
problems.

When I installed the "defective drive" as the slave drive and
rebooted, all was normal and the "defective drive" appeared as drive:E
in File Explorer. I clicked on E: and got a list of the directories on
the "defective drive". Feeling confident, I tried copying a directory
from the "defective drive" to the new drive. It was not a Documents
and Settings directory. Rather it contained some downloaded files,
zips and executables. A dialog box appeared "copying e:directory to
c:directory with estimated time fluctuating between 136 minutes and
200 minutes.

The process froze, and the PC was frozen, no CTRL-DEL, no Task Mgr,
hard boot was the only option.


Now XP x64 is relatively new, but I suppose someone could have written
a virus trojan for it by now. But could it be something else? How
could hooking the bad drive up as a slave to the good new drive cause
the new drive to start acting the same way if it wasn't a virus?

By corrupting the data on it or by being in the machine and hanging the IDE
channel just like it did when it was 'master'.

The data I was copying was simply zip files, PDFs, and some
installation .exes downloaded from reputable sites.

Btw, I've seen loose power connectors cause problems like that. They seem
to be good, and may even 'feel' good when inserted, but if one of the power
pins isn't making tight enough contact it can cause the drive to glitch and
hang. And I've seen that as either the PSU molex pins being wallowed out
for some reason, bad crimp of the wire into the molex pin (I've seen some
even eventually just fall out of the pin), and cracked trace/solder joint
on the hard drive PCB going to the power connector.

I have the Antec Neo Power 480. It's one of the modular cable PSUs so
I'm going to try swapping cables and using different Molex connectors
to see if that makes a difference.

Thanks for the advice.

Also try replacing the ide cables as i have had a few brand new that are
duds.

In article ,
lid says...
On Wed, 07 Dec 2005 20:24:21 -0600, David Maynard
wrote:

J. Eric Durbin wrote:


When I installed the "defective drive" as the slave drive and
rebooted, all was normal and the "defective drive" appeared as drive:E
in File Explorer. I clicked on E: and got a list of the directories on
the "defective drive". Feeling confident, I tried copying a directory
from the "defective drive" to the new drive. It was not a Documents
and Settings directory. Rather it contained some downloaded files,
zips and executables. A dialog box appeared "copying e:directory to
c:directory with estimated time fluctuating between 136 minutes and
200 minutes.

The process froze, and the PC was frozen, no CTRL-DEL, no Task Mgr,
hard boot was the only option.


Now XP x64 is relatively new, but I suppose someone could have written
a virus trojan for it by now. But could it be something else? How
could hooking the bad drive up as a slave to the good new drive cause
the new drive to start acting the same way if it wasn't a virus?

By corrupting the data on it or by being in the machine and hanging the IDE
channel just like it did when it was 'master'.

The data I was copying was simply zip files, PDFs, and some
installation .exes downloaded from reputable sites.

Btw, I've seen loose power connectors cause problems like that. They seem
to be good, and may even 'feel' good when inserted, but if one of the power
pins isn't making tight enough contact it can cause the drive to glitch and
hang. And I've seen that as either the PSU molex pins being wallowed out
for some reason, bad crimp of the wire into the molex pin (I've seen some
even eventually just fall out of the pin), and cracked trace/solder joint
on the hard drive PCB going to the power connector.

I have the Antec Neo Power 480. It's one of the modular cable PSUs so
I'm going to try swapping cables and using different Molex connectors
to see if that makes a difference.


I've seen a failing psu completely hose an XP install when another HD
was plugged in, in order to copy files, requiring a complete re-install
of XP. Also this particular machine would sometimes fail to see the HD,
fail to run the cd or dvd drive. Sometimes the machine would work fine,
sometimes it wouldn't start. Sometimes it would lock up the HD once in
windows. After replacing the PSU the computer worked fine and still is.


--
Pete Ives
Remove All_stRESS before sending me an email

Learn from failures that so many suffered in GM products.
GM designs by cutting costs instead of engineering specs
(which is why GM products cost more to build than equivalent
Mercedes products). GM used cheap connectors. As a result,
owners suffered what appeared to be a computer failure. When
the cheap connector was broken, then remade - to replace the
$400 computer - then cheap connector contacts were cleaned;
worked proplery again. Computer replacement (cleaning cheap
connector contacts) making it only appear as if the original
and fully functional computer had failed.

If using cheap extender cables, well, even Molex specs for
those connectors don't permit two wires inside one crimp. IOW
some extender cables are built by violating what the connector
manufacturer (ie Molex) intended.

Antec tends to adhere to engineering concepts. They don't
save a few pennies (like GM did) by compromising engineering
standards. Each connector wire from an Antec supply meets
other wires at a large solder connection on PC board inside
power supply. IOW properly engineered.

Provided above are reasons and examples why Antec connectors
should not be problematic and why you might verify other
extender cables.

But having said this, and since testing electrical always
requires (at minimum) a 3.5 digit multimeter, then a best way
to test a cable would be where disk drive connector is
soldered to disk drive computer board. Any problematic
connector (or wire) may appear as a lower voltage number on
meter.

"J. Eric Durbin" wrote:
Some good tips, of course, a good learning experience I should go
ahead and take advantage of. Testing the electrical aspects of systems
is one area I have been gingerly and slowly learning more about having
avoided getting educated about it fot too long.

One thought, the Antec Neo Power 480 is one the modular cabling units
with multiple Molex connectors. Would be worth testing various cable
and connector combinations or is the problem more likely in the unit
itself?

Proper use of a 3.5 digit multimeter would have identified
this 'power supply created' failure before it occurred.
Requires only minutes and no hardware changes. Meter verifies
the 'foundation' upon which a computer system is constructed.

Meanwhile, incorrect jumper settings would be obvious up
front. A disk drive with misconfigured jumpers would simply
be rejected - probably not even be seen - by the computer.
Either jumpers are correct and disk is located the first time,
OR jumpers are incorrect and nothing will make disk drive
access possible. Misconfigured jumpers will not cause
intermittent operation.

Peter wrote:
I've seen a failing psu completely hose an XP install when another HD
was plugged in, in order to copy files, requiring a complete re-install
of XP. Also this particular machine would sometimes fail to see the
HD, fail to run the cd or dvd drive. Sometimes the machine would work
fine, sometimes it wouldn't start. Sometimes it would lock up the HD
once in windows. After replacing the PSU the computer worked fine and
still is.