Can't seem to completely clean HDD

Discussion in 'Hardware' started by Bryan G, Nov 20, 2010.

  1. Bryan G

    Bryan G Private E-2

    I have a hard drive I can't seem to wipe clean.

    I have a 320gig HDD from a laptop I'm going to put in a case and make it into a portable drive.

    To start I used Acronis to delete the 3 partitions. Then I created 1 partition and used the whole 320gigs. Then I formatted the drive. Then I rebooted and was going to run Easy Recovery Pro's Disk Diagnostics to make sure the hard drive was in good condition but when I opened ERP (easy recovery pro) I got a pop up from Microsoft Security Essentials that tells me I'm infected:
    Trojan:DOS/Alureon.A
    boot:\device\harddisk3\DR3\(MR)
    I have 4 HDD's on this PC and according to Microsoft's Disk Management the one I'm working on is Disk 3

    Every time I let MSSE clean it, then it says it needs to reboot so I do that. Then after rebooting if I run either Acronis or ERP I get the pop up from MSSE all over again and the info is the same:
    Trojan:DOS/Alureon.A
    boot:\device\harddisk3\DR3\(MR)

    I've scanned the drive with Malwarebytes, SUPERAntiSpyware and a few others but they all come up clean and say 0 files and folders scanned, so I'm at a loss. Somehow this is very hidden.

    If I disconnect the hard drive I can run Acronis and Easy Recovery Pro and no pop up from MSSE but as soon as I put the drive back in, Microsoft Security Essentials tells me I'm infected. But the drive is clean, empty, formatted, no files, no folders, how can this be?

    I heard there is a hidden partition on all hard drives where information for the BIOS is stored. It tells the BIOS the drive info (size, sectors and so on) and bad sector info and where the S.M.A.R.T. info is kept. Could the virus be there?

    Anyone ever hear of anything like this?
     
  2. sach2

    sach2 Major Geek Extraordinaire

    Maybe, go back to basics and use the HD manufacturer's utility to write zeros to the drive. Just pick the manufacturer, download the utility and select the option to Write Zeros to the drive. Couldn't hurt.

    http://www.tacktech.com/display.cfm?ttid=287
     
  3. Bryan G

    Bryan G Private E-2

    Thanks, I like that idea, but when I looked at the page you linked me to I got this:
    Toshiba does not provide diagnostic tools for hard drives, currently.

    Of course, my drive is a Toshiba.

    This is a perfectly good 320gb drive, well, except for the malware.

    I just tested it again in my work PC, booted it up and MSSE popped up and said I'm infected. Also, I lost my internet, and not the usual proxy redirect, just no network at all. Again, Microsoft Security Essentials said I must reboot to finish cleaning it, so I shut the PC off, removed the drive and started it up and everything is fine, network and internet all there, no pop-ups from MSSE. This happens every time. If I don't remove the drive, leave it in and reboot, MSSE says it cleaned it, but a few minutes later the pop-up telling me I'm infected comes back and my network is down again. Take the drive out and everything's OK again. So I know there is something hidden somewhere on the drive.

    Somehow, I need to clean that thing, I don't want to trash it if I don't have to.
     
  4. iain.t

    iain.t MajorGeek

    CCleaner comes with a drive-wiping solution now; I would give that a go. It takes quite a while to run depending on how many passes you want it to take.

    http://www.piriform.com/ you will find the cleaner here.
     
  5. mcsmc

    mcsmc MajorGeek

    Hi

    The only drive wipe utilities (other than the manufacturer's low level format utility) that I've heard works to remove EVERYTHING are DBAN (free) or Active@ KillDisk (free or paid versions available). I suggest you try one of them... just be SURE to select the correct drive to erase!
     
  6. tgell

    tgell Major Geek Extraordinaire

  7. tgell

    tgell Major Geek Extraordinaire

    Here is some additional information on this rootkit infector. If you do decide to use TDSSKiller, make sure you are deleting it from the external drive and not from your system drive. If it is located on the system drive (unlikely), back up your data first before cleaning. Zeroing out the external drive as posted by @sach2 should also clean it.

    http://deletemalware.blogspot.com/2010/03/tdss-alureon-tidserv-tdl3-removal.html
     
  8. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Try using diskpart to remove your partition table and MBR then recreate this partition and format,

    But try this (just for reference, what's your Windows version and Service Pack?). It's from the command line, aka CMD, so follow the below:

    Click Start > Run and type CMD and hit enter (if Vista or Win7 then click Start and type CMD into the Start Search box and then right click CMD and choose Run as Administrator) then type in the order and hit enter after each one


    diskpart
    list disk (at this point don't have the HDD in the PC; type list disk, it will list the disks on the PC, make a note of them, then hook up the HDD and type list disk again, then look for the new addition to the list and this will be your HDD. NOTE: if you choose the wrong disk below you may accidentally delete your main HDD)
    select disk X (where X is the number of the disk that's associated with your HDD)
    clean
    create partition primary
    select partition 1
    active
    format fs=NTFS
    assign
    exit


    Is your Acronis app a retail version or a downloaded one?
    Have you tried this HDD in another PC with a different antivirus application installed to scan the drive with?

    Have you followed our malware guide fully and attach the logs in our malware forum for the malware folk here to review?
     
    Last edited: Nov 20, 2010
  9. tgell

    tgell Major Geek Extraordinaire

  10. Bryan G

    Bryan G Private E-2

    I just tried something.
    I started the PC and after it booted I got the pop up from MSSE telling me I'm infected. I used Microsoft's disk management and deleted the partition. Then I clicked the button on MSSE to clean the infection but it errored out, couldn't find the path or something like that. So I thought great, it's gone.
    I rebooted and a few minutes after it booted there was the MSSE pop-up again. This time I unplugged the drive (it's on eSATA so I can plug it in and out while Windows is running) and the infection was gone, MSSE went from red to green. So it is definitely on that drive.

    I have the retail but I downloaded it and didn't order the disc, I figured I didn't need it, I'm sure the download is the exact same as the disc.

    As far as malware, as I mentioned before, if I take the disc out my PC There is no infection. This only happens when the hard drive in question is connected to the computer. And as I mentioned I ran the scans on this disc. The results are all the same, no infection found and it'll say 0 files scanned 0 folders scanned, cause there are no files or folders on that drive.

    The only program that shows this infection is Microsoft Security Essentials and that is only when this disc is in the PC. Disc out, no infections, disc in, pop ups from MSSE.

    The disc is a 320gig laptop HDD that I got from a customer. He came in with a heavily infected laptop and wanted a larger drive, so I got him a 750 gig WD HDD and kept the 320. I was going to try and clean his PC but he said he wanted to start over, so I got off easy and just backed up his data then installed Windows and drivers.

    I do this for a living, I own a computer repair shop (yes, I paid for Acronis as well as other software/tools, I'm licensed and insured and pay taxes, gotta keep it all legal). I do not come to the forums when I'm working on a customers PC, or I at least don't ask for help, I just research. I've been doing computer repair and networking for 11 years now but the last 3 or 4 years it's all turned to removing malware. I usually can figure out things like this, if I can't get it, Google usually does. Google is a heck of a tool but this one is beyond me and I found nothing like it on Google.

    The reason I'm here now is because this is my drive, not a customers (any more) and I don't want to trash it. It would make a nice portable drive with a $10 case from Newegg

    I'm going to try the steps you said tonight. I'm building a PC for a customer right now, as soon as I have windows on it I'll try what you said and if I wipe the wrong drive it'll be no big deal, I'll just reinstall it.

    Thank you for the help so far, I'll be back tomorrow with my results (maybe tonight).

    BUT, if anyone has any other ideas between now and then, please post them. I appreciate all help/advice.

    Yea, but I wasn't getting any help there.... I think this is more of a hardware issue as I don't care about data, I just want the drive wiped clean, completely clean.
     
  11. tgell

    tgell Major Geek Extraordinaire

  12. Bryan G

    Bryan G Private E-2

    That I can do right now. I thought about that earlier, then started reading about it. What I read is that you can't do a low-level format on modern drives. You can only do a low-level zero-fill and you need a program designed specifically for the drive you have. I got that info here

    I guess that was bad info because the page you sent me to says it'll work on my drive (sata and toshiba). I'll try it. If I have to trash the disc I'm not out anything but if it works I'll have a place to back up all my music (.flac) files.
     
  13. sach2

    sach2 Major Geek Extraordinaire

    You're just doing a low-level format so tgell's utility should be fine. I'm fairly sure Seagate's utility works on any brand. And, this page says Hitachi's tool should be fine for Toshiba.

    I think most of the brand specific warnings are about trying to diagnose and fix problems with the drive not particularly about doing the low level format.
     
  14. 94dgrif

    94dgrif Corporal

    I think tgell's suggestion of an MBR infection is very plausible and definitely the most likely cause. But just to be sure we cover all the possibilities, there's one other thing to consider.

    After you've reformatted and reinstalled Windows it's normal to go about installing all your personal software: your antivirus of choice, the drivers for your karaoke machine, Barbie's Adventures etc. You have to rule out the possibility that one of those is the source of the malware and that you're simply reinfecting yourself each time you reinstall.

    Of course it doesn't need to be from installing software. I'm specifically remembering a situation where someone actually had an infection in the Autorun file of their flash drive (the first and only time I've ever encountered it). Each time they put it in their PC they'd reinfect themselves. Also, since you're computer-friendly, perhaps you're routinely giving write access to this PC's root folder so you can change files from your laptop, and so on.


    As far as the Toshiba HDD problem goes, I've used one of the generic HDD tools on the UBCD for a Toshiba drive before. I don't remember the name of it, but it was one that didn't have a HDD manufacturer in parentheses.
     
  15. Bryan G

    Bryan G Private E-2

    I agree.
    I'm doing it now. It was hard to hit the OK button when it was warning me that there is no way to recover the data once you start. I must have checked the disk 20 times, I have customers PC backups, about 1.5tb of customers files on 5 drives and one of those is a 320gig but I only have one toshiba drive so finally I did it.
    I hope it works. I'll post the results later, it's about 1/4 of the way done now.
     
  16. Bryan G

    Bryan G Private E-2

    The low level format worked! I would have done that a while ago but I read that stupid web page that said not to do it unless you had the software that was meant for the drive.

    Thanks to mcsmc for mentioning it again and thank you tgell for the link. I used that app and it worked.

    I've removed a lot of malware from a lot of computers, but I've never seen anything like this. How could the MBR still be there and infected when I wiped out all the partitions with Acronis, then made a new partition, formatted it, then wiped out that partition with MS's Disk Management? Then, with no partitions at all, no drive showing up in Explorer or MS's Disk Management, MSSE still found the infection.

    Thank you to everyone for helping. Now I can go to Newegg and order a SATA to USB 2.0 Ext. Enclosure.

    If you read back you'll see that this wasn't my hard drive. I already deleted all partitions and formatted a new one and the infection was still there.

    I also posted that I'm turning this drive into a portable drive, not putting windows (or any OS) on here. Also, the drive was a customers, I don't want the data that was on here, not mine.
     
  17. tgell

    tgell Major Geek Extraordinaire

    Glad to hear you finally got it fixed. MBR rootkits hide themselves by encryption and kernel drivers. If you tried to format from within Windows Disk Management, it is possible that the rootkit would protect itself from deletion by format. Maybe somebody on the forum can offer some other insight.
     
  18. Bryan G

    Bryan G Private E-2

    That would be nice.

    If I have a customer bring in a PC with this, I would like to know how to remove it without formatting. Although, I wonder if a good rootkit scanner like GMER or Prevx would have worked if this was a normal boot drive. I think my trouble came from the fact that I removed the OS and was trying to clean it as an external/add-on drive.
     
  19. Caliban

    Caliban I don't need no steenkin' title!

    The Malware guys use RootRepeal - might be a handy addition to your toolbox.
     
  20. Bryan G

    Bryan G Private E-2

    Thank you, the more tools the better.
     
  21. sach2

    sach2 Major Geek Extraordinaire

    I don't have a firm understanding of the MBR and the new GUID/GPT HD partitioning schemes. But just a little information to help understand why deleting all partitions didn't fix the problem.

    My vague understanding is that the MBR contains the partition table and basic boot information about where to find the physical location of the active partition. So you could empty the partition table with Acronis but the MBR itself is not cleared and remains with the boot instructions and (any potential virus).

    On Vista/Win7 disks it gets even more complicated with an apparent fake MBR that is meant to keep utilities like fdisk from messing with the real boot sector information. http://emdadblog.blogspot.com/2010/07/deferences-between-master-boot-record.html

    So, in both types of partitioned HDs simply deleting the partitions does not completely clear the MBR/GPT area it only removes the partition table information. I know this is not a great explanation but it gives you a sense that partition table is included in the MBR but not the entire MBR.
     
  22. 94dgrif

    94dgrif Corporal

    Here's a good visualization of the layout of the hard drive:
    http://en.wikipedia.org/wiki/File:GUID_Partition_Table_Scheme.svg

    Files are in the Partition section and when you delete one it still exists on the hard drive, but it's just no longer referenced, just like if a phone owner goes ex-directory their name and number is removed from the phone book, but you could still call them if you knew their number. Likewise when you delete a partition everything on it stays the same; only the partition table is changed. In both cases deleting goes very quickly.

    Zeroing out is different. If you have a program that allows you to 'shred' your files, 'permanently delete' etc., then the contents of the file are rewritten as a string of zero bits as well as the reference to the file being deleted. The same thing is true of the partition if you zero out the hard drive: it'll write zeros to each block. In both cases zeroing out is far slower than deleting.

    One of the things the MBR does is it states what point of the hard drive the operating system begins. This is what allows a normal booting hard drive to load an O/S after passing the BIOS. This is also how an MBR virus operates. The MBR virus puts the malicious code in the section that the MBR points to.

    Now, your antivirus works by scanning for any telltale signs of viruses and then exploring any red flags in closer detail. In normal situations this means checking for a particular filename in a particular folder, checking the file size of a particular file and so on. It also thoroughly scans the critical sections - the active processes, the start up list, and the HDD boot code.

    Combine all this together and you can see how your situation played out. Having deleted the files and the partition, much of the hard drive was no longer referenced but still sat there. The only thing that was still referenced was the MBR virus, which was referenced by the MBR (something left untouched). When your antivirus ran it, among other things, scanned the HDD boot code for each hard drive, and determined this one was infected. After you ultimately did a low-level format by zeroing out the partitions, the MBR now pointed to a string of zeros just as it would on a brand new hard drive.

    Here's a couple of interesting facts relating to all this.
    1. Even if you had a million viruses on that hard drive, then deleted the partition, the antivirus would have only found the MBR virus. That's because without anything pointing to the rest of the hard drive, anything else there would just be floating on a sea of gibberish. It's also why an antivirus won't detect a virus after you've removed an infected program from the Recycle Bin, and yet the virus would still exist on disk.
    2. If your hard drive develops faults then the diagnostics utility from the manufacturer (although not Toshiba!) is able to bypass the bad blocks by having each section that references that bad block reference a different space instead. You can think of that like the index of a book in which some of the pages have been torn out - the utility updates the index and changes the page numbers of the book such that the missing page is excluded from the index. So what happens if the fault is in the MBR itself? That's one place that can't sustain bad blocks and it's time to RMA.
     
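The two explanations above (sach2's on the MBR holding more than the partition table, and 94dgrif's on deleting versus zeroing) can be made concrete with a small model. The following is an added example, not code from this thread or from Acronis, Disk Management, MSSE or any other tool named in it: it builds a constructed 512-byte MBR plus a few sectors in memory, "deletes the partitions" the way a partition manager does (blanking only the 64-byte table), and then zero-fills the whole thing. The boot-code bytes, partition entry and "payload" sector are all made up for the demonstration; the `\\.\PhysicalDrive3` path in `check_image` is an assumed device name you would replace with your own.

```python
"""Added example, not from the MajorGeeks thread or any tool it names.
Models a 512-byte MBR plus a few sectors as a bytearray to show what sach2
and 94dgrif describe: deleting partitions blanks only the 64-byte partition
table, while a zero-fill clears the boot code (and everything else) too.
All bytes are constructed; the 'boot code' is a harmless filler pattern."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445: code the BIOS jumps to
PART_TABLE_OFF = 446          # bytes 446..509: 4 entries x 16 bytes
PART_ENTRY_LEN = 16
SIG_OFF = 510                 # bytes 510..511: 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def make_disk(n_sectors=8):
    """Constructed stand-in for the laptop drive: filler boot code, one NTFS
    partition entry, the 55AA signature, and a few bytes in a sector that no
    partition references (the 'unreferenced' space 94dgrif describes)."""
    disk = bytearray(n_sectors * SECTOR)
    disk[0:BOOT_CODE_LEN] = b"\xEB\x3C\x90CONSTRUCTED-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\x90")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 4096)
    disk[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    disk[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    disk[5 * SECTOR:5 * SECTOR + 20] = b"CONSTRUCTED-PAYLOAD!"   # outside every partition
    return disk


def parse_mbr(sector0):
    """Split sector 0 into its three regions and report what each contains."""
    mbr = bytes(sector0[:SECTOR])
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype != 0:                                   # type 0 marks an empty slot
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "boot_code_nonzero": any(mbr[:BOOT_CODE_LEN]),
        "partitions": parts,
        "signature_ok": mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
    }


def delete_partitions(disk):
    """Model of 'delete partition' in a partition manager: only the table
    entries are blanked; boot code, signature and data sectors stay as they were."""
    disk[PART_TABLE_OFF:SIG_OFF] = bytes(SIG_OFF - PART_TABLE_OFF)


def zero_fill(disk):
    """Model of a manufacturer 'write zeros' pass: every byte of every sector."""
    disk[:] = bytes(len(disk))


def sector_nonzero(disk, n):
    """True if sector n holds anything other than zeros."""
    return any(disk[n * SECTOR:(n + 1) * SECTOR])


def check_image(path):
    # Read sector 0 from an image file, or from a raw device such as
    # \\.\PhysicalDrive3 on Windows (assumed name; needs an elevated prompt).
    # On a properly zero-filled drive all three fields come back False/empty.
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR))


if __name__ == "__main__":
    d = make_disk()
    before = parse_mbr(d)
    delete_partitions(d)
    after = parse_mbr(d)
    print("partitions after delete:", after["partitions"])                                   # []
    print("boot code unchanged:", before["boot_code_sha256"] == after["boot_code_sha256"])  # True
    print("payload sector still nonzero:", sector_nonzero(d, 5))                            # True
    zero_fill(d)
    print("after zero-fill:", parse_mbr(d)["boot_code_nonzero"], sector_nonzero(d, 5))      # False False
```

The point the model makes is the one the thread reached by trial and error: Acronis and Disk Management touched only the 64 bytes at offsets 446..509, so the 446 bytes of boot code in front of them, the signature behind them, and every unreferenced sector further out survived, which is why a boot-sector scan kept flagging the drive. A vendor zero-fill (or DBAN) writes every sector, so nothing is left for the scanner to find. If you want to confirm a wipe, `check_image` against the device (or an image taken with dd) should report no partitions, a zero boot-code region and no 55AA signature.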
  23. Bryan G

    Bryan G Private E-2

    Thanks sach2 and 94dgrif, that did help. I knew bits and pieces of what was said but never had a good picture of how it worked. Using Acronis True Image I would notice that there was the choice for backing up partitions and the MBR, like it was a seperate thing. Now I have a pretty good picture of what is happening on the disk. I really appreciate all the info.
     
