Old 04-17-2013, 01:20 AM   #1
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,838

Rep: Reputation: 649
Would like to wipe hdd due to MBR virus


The hdd is a Windows drive that recently contracted the Alureon virus; although I've effectively removed the virus, I'm still skeptical.
What I have done:
Ran AV from live-cd, to get rid of infection
I reinstalled wins to another drive. Copied important data to new install.
What I plan to do:
Wipe drive
Transfer new OS to clean drive, using clonezilla.
My question would be should I wipe the whole drive or just MBR?
I have found this tutorial
http://how-to.wikia.com/wiki/How_to_...clean_in_Linux
The drive that I have is 750 Gigs; do any of the commands from the tutorial have to be altered?
I mean other than the device names.
And believe me, I know it's not a Windows forum, but I want to do this with tools from my Debian USB drive instead of downloading & burning a CD that will only be used today.
 
Old 04-17-2013, 01:34 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,475

Rep: Reputation: 2424
If you plan to reinstall/clone the OS you only need to destroy the MBR. The dd command should work.
Moving files from the infected OS can still be dangerous.
 
1 members found this post helpful.
Old 04-17-2013, 01:36 AM   #3
guyonearth
Member
 
Registered: Jun 2012
Location: USA
Distribution: Ubuntu
Posts: 414

Rep: Reputation: 82
Simply overwriting the MBR would prevent the rootkit from running and allow removal. Bootrec can do that. Alureon may create copies of the MBR that are infected as well. If you wanted to be doubly sure you'd have to do a low-level format of the drive.
 
1 members found this post helpful.
Old 04-17-2013, 01:41 AM   #4
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,838

Original Poster
Rep: Reputation: 649
Quote:
If you plan to reinstall/clone the OS you only need to destroy the MBR. The dd command should work.
Moving files from the infected OS can still be dangerous.
Yes it can be, but I really believe that the virus was removed from the old hdd & I have already copied the files to the new one & have not found any traces of the virus, not even on the old drive.
The thing is I was trying to be as thorough as possible without having the computer owner lose important docs or pics. Also I used my personal 1TB drive to accomplish this; now I need to transfer the new OS to the old drive.
 
Old 04-17-2013, 01:43 AM   #5
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,838

Original Poster
Rep: Reputation: 649
Quote:
Originally Posted by guyonearth View Post
Simply overwriting the MBR would prevent the rootkit from running and allow removal. Bootrec can do that. Alureon may create copies of the MBR that are infected as well. If you wanted to be doubly sure you'd have to do a low-level format of the drive.
So I should probably just wipe the whole drive, then?
 
Old 04-17-2013, 01:50 AM   #6
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,475

Rep: Reputation: 2424
Quote:
Originally Posted by EDDY1 View Post
So I should probably just wipe the whole drive, then?
No, I do not think so. Actually I do not think you can do a low-level format, and also any code stored on that drive will be dead and unusable if you destroy the MBR and reinstall a new OS. Probably you will not be able to infect with that code even if you wanted to use that virus again.
 
Old 04-17-2013, 01:52 AM   #7
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,248
Blog Entries: 8

Rep: Reputation: 235
I doubt that it was even necessary to reinstall a new OS, but since you already did that, for the old drive (partition) that you would like to wipe out and clone the new OS into, I think you could just continue the transfer or cloning. At least be sure that among the files you transferred nothing is infected, at least among the executable ones. And I don't think it would be necessary to wipe the target drive (that is, dd with zeros), as creating a new filesystem on it would be just the same. But to make sure, at least do some dd on the first parts (dd if=/dev/zero of=/dev/partition bs=1M count=1), then continue with the cloning or the creation of the new filesystem.

As for your MBR, are you using grub or a Windows loader? If grub, I think reinstalling grub to it would be enough. And probably the same for Windows with fixmbr. Sometimes the setup disk automatically repairs it if it sees it as invalid, e.g. if it sees that the boot loader instructions or signatures in the MBR are not Windows'.

Last edited by konsolebox; 04-17-2013 at 02:03 AM.
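Before deciding whether to zero a sector, a practitioner would usually want to look at what is actually in it. The following is an added example (not code from any poster in this thread): it parses a 512-byte MBR image of the kind `dd if=/dev/sdX bs=512 count=1` produces, verifies the 0x55AA signature, lists the partition entries, and compares the boot-code hash with a known-good baseline so a reinstalled loader can be confirmed. The sample image and the baseline hash are constructed in the block, so it runs offline.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439; bytes 440..443 hold the Windows disk signature
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into signature check, boot-code hash and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # layout: boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, LBA count
        boot_flag, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused slot
            entries.append({"index": i, "bootable": boot_flag == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": lba_count})
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "boot_code_empty": not any(sector[:BOOT_CODE_LEN]),
        "partitions": entries,
    }

def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the known-good loader."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature: not a valid MBR (or already zeroed)")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline: reinstall the loader or zero the sector")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition flagged")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image, not a dump of a real disk: one bootable NTFS (0x07) partition."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0" * 10)       # stand-in loader bytes
    baseline = parse_mbr(clean)["boot_code_sha256"]      # in practice: hash of a trusted dump
    tampered = bytearray(clean)
    tampered[0x10] ^= 0xFF                               # simulate a patched boot sector
    print(check_against_baseline(clean, baseline), check_against_baseline(bytes(tampered), baseline))
```

On a real system the baseline hash would come from a dump taken right after reinstalling the loader, and the sector under test from the drive in question.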
 
Old 04-17-2013, 02:03 AM   #8
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,838

Original Poster
Rep: Reputation: 649
I just checked the drive with smartmon; it shows 5 bad sectors. I don't know if it's virus related though.
 
Old 04-17-2013, 02:07 AM   #9
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,248
Blog Entries: 8

Rep: Reputation: 235
Quote:
Originally Posted by EDDY1 View Post
I just checked the drive with smartmon; it shows 5 bad sectors. I don't know if it's virus related though.
Those are not virus related and are probably hardware related, unless they were marked as bad in the filesystem. You could reset them, I think, if the result shown by smartmon was actually based on the flags and not on an actual test or error detection by the hardware.

Edit: If that is true then I don't think you could use dd to copy an image to a part of the disk where the bad sectors are found.

Last edited by konsolebox; 04-17-2013 at 02:09 AM.
 
Old 04-17-2013, 02:18 AM   #10
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,838

Original Poster
Rep: Reputation: 649
It was showing when I opened disk utility & after the test it was still there.
So zeroing the drive will not work?
 
Old 04-17-2013, 02:31 AM   #11
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,475

Rep: Reputation: 2424
Zeroing the whole drive will work, it is just unnecessary. It will not fix bad sectors. Furthermore, you had better not use that drive any more.
 
Old 04-17-2013, 02:34 AM   #12
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,838

Original Poster
Rep: Reputation: 649
Looks like they need a new drive; it only lasted 2 1/2 years. I wonder if the warranty is still on it.
 
Old 04-17-2013, 02:35 AM   #13
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,248
Blog Entries: 8

Rep: Reputation: 235
Quote:
Originally Posted by EDDY1 View Post
It was showing when I opened disk utility & after the test it was still there.
So zeroing the drive will not work?
I'm not sure how zeroing the drive would help, but if you're going to create a new filesystem, make sure that the tool checks it so that it can mark which sectors are unusable.
 
Old 04-17-2013, 02:37 AM   #14
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,248
Blog Entries: 8

Rep: Reputation: 235
Quote:
Originally Posted by EDDY1 View Post
Looks like they need a new drive; it only lasted 2 1/2 years. I wonder if the warranty is still on it.
If it's just 5 bad sectors then I think the drive is still usable. Just back up your important files at reasonable intervals.
 
Old 04-17-2013, 04:30 AM   #15
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,300

Rep: Reputation: 816
Given the current low cost of HDs, if there's any doubt about a drive, toss it. From previous (painful) experience, any bad sectors are just warnings of more to come.
 