Reformatting a hard drive...



pkm613
2011-01-21, 19:34
Hello,

I've been thinking about this as a last resort, and I am leaning towards it. But before I do so, I was thinking the following:

I'm thinking about getting a second hard drive in the system. What I want to do is, remove the infected hard drive from the computer, put in the new one as a primary, update it to the latest and greatest in software. Once that is done, I'm thinking about putting in the infected hard drive as a secondary, transfer what I hope are the clean files I need, then reformat said infected drive.

Is that a feasible idea?

Thanks for all help and guidance!

Paul

shelf life
2011-01-21, 23:56
I would clean up the current drive first by running your updated AV, antimalware and an online scan or two before you remove it. This way it will hopefully be clean when you attach it back as the secondary drive. Why? Because some viruses, should they be on the infected drive, can infect the new one. You want to make sure the infected one is cleaned up first before attaching it and transferring files to a new install.
I have no idea what kind of malware you're talking about either when you say it's infected, which could change the way I would suggest somebody proceed with doing this.

pkm613
2011-01-22, 10:32
Thanks shelf life for your reply.

I have no idea what it is, well, I shouldn't say that. Spybot detects it as "Win32.Iroffer.af" and seems to remove it, but the file that it removes is a 0 kbyte file. All the major commercial products -- whether AV, or Spyware, or Malware removers -- don't seem to remove or detect it. I've tried just about everything under the sun: Norton's, Eset, BitDefender, Kaspersky, Malwarebytes, Trojan Hunter, HijackThis, Super Spyware Killer -- all to no avail.

There are a few antirootkit removers (UnHackMe, Gmer, Sophos, etc.) that detect something, but being the novice that I am, I have no clue if I should remove what is found or if it's a false positive.

I did originally reformat the hard drive, but during the process, it asked if I wanted to include a couple of sectors. I thought those sectors might have been important, and didn't include them in the reformatting process. Looking back on things now, I wish I had, as the hard drive is still infected...at least I'm pretty sure it is.

So my thought process is to remove the infected hard drive, install the new one and load it with XP, have it completely updated with the current security updates, etc., and also install an AV (probably Eset) and antispyware program. I figure once I get that done, the system "should" be protected, and in which case I would reinstall the said infected drive as a slave, transfer all the important files over to the new drive, then reformat the slave drive.

That's what I am thinking. Is that a safe route? Thanks again for your reply! :thanks:

shelf life
2011-01-22, 22:50
It could be a false positive. The fact that you ran several other tools and they came up empty is certainly a good thing; hard to believe it would escape all the others. Maybe it's a corrupt file.
You think the drive is infected because you reformatted and Spybot still finds Win32.Iroffer.af?
I assume the drive is connected now? Why don't you run chkdsk (http://www.hard-drive-help.com/chkdsk.html) on it, then rerun Spybot.

pkm613
2011-01-24, 09:54
Well, just did a chkdsk, and nothing "bad" came up.

Am currently running Spybot, and it found Win32.Iroffer.af at: C:\\Windows\Client (SBI $E19E27B1) Data. :mad: :banghead:

It also found FakeBill.CourtCologne at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\explorer.exe :slap:

I'm not surprised by Win32.Iroffer.af, but am with the new trojan, or whatever it is.

Like I said, Spybot detects it, whatever it may be, but this rootkit seems to evade deletion.

That's why I was wondering if my "plan" to reformat this hard drive after I get a new one, and after I transfer "important" files will work...

Thanks again shelf life!

shelf life
2011-01-24, 23:41
Can you locate the file (C:\\Windows\Client (SBI $E19E27B1) Data) in question using Explorer? (If it's a folder, open it up and pick out a few files to upload.) If so, we can upload it so it can get checked out by a dozen or so scanners. If this is a 0 KB folder with nothing in it, I wouldn't worry about it.
You may have to do this first to show all files:

For XP: on the desktop, double-click My Computer; at the top click Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types"; click "Apply to All Folders", then Apply, then OK.

If you find it you can try uploading it here (http://www.virustotal.com/)

pkm613
2011-01-25, 20:36
shelf life,

Well, I configured the hidden files on XP SP3 just like you posted, but that "client" file doesn't come up unless Spybot detects it.

Of course, now I get the "FakeBill.Cologne" malware all the time...even after Spybot detects it and "eliminates" it. :slap:

And to make matters interesting, PREVX 3.0, detects that I have a "mcf45.dll" malware at c:\windows\system32\. :slap:

So...back to the original premise...would it be advisable to 1) remove this current hard drive, 2) buy a new one, install XP, and have the system completely updated with new security software, and 3) put this infected hard drive in and make it a slave to transfer all "relevant" files and then 4) format the infected drive?

Once again, thanks for your help shelf life. :bigthumb:

shelf life
2011-01-26, 00:12
Can you find the mcf45.dll in the system32 dir? You can upload it to VirusTotal.
Based on the tools you have run, it just looks like some stray false positives are showing up.

pkm613
2011-01-27, 01:13
Once again, thanks shelf life. Here are the results from VirusTotal:

Antivirus             Version         Last Update Result
AhnLab-V3             2011.01.18.00   2011.01.17  -
AntiVir               7.11.2.0        2011.01.26  -
Antiy-AVL             2.0.3.7         2011.01.26  -
Avast                 4.8.1351.0      2011.01.27  -
Avast5                5.0.677.0       2011.01.27  -
AVG                   10.0.0.1190     2011.01.26  -
BitDefender           7.2             2011.01.26  -
CAT-QuickHeal         11.00           2011.01.25  -
ClamAV                0.96.4.0        2011.01.26  -
Commtouch             5.2.11.5        2011.01.26  W32/Damaged_File.gen!Eldorado
Comodo                7513            2011.01.26  Heur.Corrupt.PE
DrWeb                 5.0.2.03300     2011.01.26  -
Emsisoft              5.1.0.1         2011.01.26  -
eSafe                 7.0.17.0        2011.01.24  -
eTrust-Vet            36.1.8121       2011.01.26  -
F-Prot                4.6.2.117       2011.01.26  W32/Damaged_File.gen!Eldorado
F-Secure              9.0.16160.0     2011.01.27  -
Fortinet              4.2.254.0       2011.01.26  -
GData                 21              2011.01.27  -
Ikarus                T3.1.1.97.0     2011.01.26  -
Jiangmin              13.0.900        2011.01.26  -
K7AntiVirus           9.78.3650       2011.01.26  -
Kaspersky             7.0.0.125       2011.01.26  -
McAfee                5.400.0.1158    2011.01.27  Corrupt-AG!3D5B6B061EE2
McAfee-GW-Edition     2010.1C         2011.01.26  -
Microsoft             1.6502          2011.01.26  -
NOD32                 5822            2011.01.26  -
Norman                6.06.12         2011.01.26  -
nProtect              2011-01-18.01   2011.01.18  -
Panda                 10.0.3.5        2011.01.26  -
PCTools               7.0.3.5         2011.01.26  -
Prevx                 3.0             2011.01.27  -
Rising                23.42.02.03     2011.01.26  [Suspicious]
Sophos                4.61.0          2011.01.26  -
SUPERAntiSpyware      4.40.0.1006     2011.01.26  -
Symantec              20101.3.0.103   2011.01.27  -
TheHacker             6.7.0.1.120     2011.01.26  W32/Behav-Heuristic-CorruptFile-EP
TrendMicro            9.120.0.1004    2011.01.26  -
TrendMicro-HouseCall  9.120.0.1004    2011.01.26  -
VBA32                 3.12.14.3       2011.01.26  -
VIPRE                 8209            2011.01.27  -
ViRobot               2011.1.26.4276  2011.01.26  -
VirusBuster           13.6.166.0      2011.01.26  -

Additional information
MD5 : 3d5b6b061ee2e34a0cd0714d5964cf41
SHA1 : f87bacf389cea160ce4cb2164ea06df173cb8ca0
SHA256: 390b350fb8a17c8bcbf25c975cd891133f3115989745b4cb5bb9c8bfefa34b77
ssdeep: 1536:K0Jw8MeC7iLoqCjX0bZmHU23DuYqYsU+4:K03MeMiekbnCaZU+4
File size : 74703 bytes
First seen: 2011-01-27 00:09:34
Last seen : 2011-01-27 00:09:34
TrID:
Win16/32 Executable Delphi generic (34.0%)
Generic Win/DOS Executable (32.9%)
DOS Executable Generic (32.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1EF001
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)

[[ 10 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
CODE, 0x1000, 0x17C000, 0x8B000, 7.83, 6134bd675d3ecbd8ef769750c1c929e6
DATA, 0x17D000, 0xF000, 0x7200, 0.00, d41d8cd98f00b204e9800998ecf8427e
BSS, 0x18C000, 0x5000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.idata, 0x191000, 0x4000, 0x1600, 0.00, d41d8cd98f00b204e9800998ecf8427e
.tls, 0x195000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.rdata, 0x196000, 0x1000, 0x200, 0.00, d41d8cd98f00b204e9800998ecf8427e
.reloc, 0x197000, 0x19000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.rsrc, 0x1B0000, 0x3F000, 0x11600, 0.00, d41d8cd98f00b204e9800998ecf8427e
.aspack, 0x1EF000, 0xA000, 0xA000, 0.00, d41d8cd98f00b204e9800998ecf8427e
.adata, 0x1F9000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

ExifTool:
file metadata
CodeSize: 1554432
EntryPoint: 0x1ef001
FileSize: 73 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 432128
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 0
Warning: Error processing PE data dictionary

If you can translate this into English, that would be awesome. :bigthumb:
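The report above carries enough structure to be read by a script. What follows is an added example, not code from this thread, from Spybot or from VirusTotal: it parses the per-engine table and the PE section list in exactly the format pasted above and extracts the facts a responder checks when deciding whether a sample is malicious or merely damaged. Function and constant names are my own; the embedded rows are copied from the report in the post (a subset of the engine table, and four of the ten sections).

```python
"""Triage of a pasted VirusTotal-style report (added example, not from the thread)."""
import hashlib
import re

# Rows copied verbatim from the report pasted in the thread (a subset).
ENGINE_ROWS = """\
AntiVir 7.11.2.0 2011.01.26 -
Commtouch 5.2.11.5 2011.01.26 W32/Damaged_File.gen!Eldorado
Comodo 7513 2011.01.26 Heur.Corrupt.PE
Kaspersky 7.0.0.125 2011.01.26 -
McAfee 5.400.0.1158 2011.01.27 Corrupt-AG!3D5B6B061EE2
Microsoft 1.6502 2011.01.26 -
Rising 23.42.02.03 2011.01.26 [Suspicious]
TheHacker 6.7.0.1.120 2011.01.26 W32/Behav-Heuristic-CorruptFile-EP
"""

# Section rows from the "[[ 10 section(s) ]]" block, same column order:
# name, virtual address, virtual size, raw size, entropy, md5 of raw bytes.
SECTION_ROWS = """\
CODE, 0x1000, 0x17C000, 0x8B000, 7.83, 6134bd675d3ecbd8ef769750c1c929e6
DATA, 0x17D000, 0xF000, 0x7200, 0.00, d41d8cd98f00b204e9800998ecf8427e
.idata, 0x191000, 0x4000, 0x1600, 0.00, d41d8cd98f00b204e9800998ecf8427e
.aspack, 0x1EF000, 0xA000, 0xA000, 0.00, d41d8cd98f00b204e9800998ecf8427e
"""
FILE_SIZE = 74703        # "File size : 74703 bytes" in the report
ENTRY_POINT = 0x1EF001   # "entrypointaddress: 0x1EF001" in the report

EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # hash of zero bytes
CORRUPT_HINT = re.compile(r"corrupt|damaged", re.IGNORECASE)


def parse_engines(text):
    """Return (engine, result) pairs; a result of '-' means no detection."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append((parts[0], " ".join(parts[3:])))
    return rows


def summarize_engines(rows):
    """Split detections into 'file is damaged' verdicts and everything else."""
    hits = [(e, r) for e, r in rows if r != "-"]
    corrupt = [e for e, r in hits if CORRUPT_HINT.search(r)]
    other = [e for e, r in hits if e not in corrupt]
    return {"engines": len(rows), "detections": len(hits),
            "corrupt_verdicts": corrupt, "other_verdicts": other}


def parse_sections(text):
    """Parse the comma-separated section table into dicts with integer fields."""
    secs = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            continue
        name, vaddr, vsize, rawsize, entropy, md5 = fields
        secs.append({"name": name, "vaddr": int(vaddr, 16), "vsize": int(vsize, 16),
                     "rawsize": int(rawsize, 16), "entropy": float(entropy), "md5": md5})
    return secs


def flag_sections(secs, file_size):
    """Consistency checks between what the headers claim and what is on disk."""
    flags = {}
    for s in secs:
        notes = []
        if s["rawsize"] > 0 and s["md5"] == EMPTY_MD5:
            notes.append("declared raw size but hashed as zero bytes")
        if s["rawsize"] > file_size:
            notes.append("raw size larger than the whole file")
        if s["entropy"] >= 7.0:
            notes.append("high entropy (packed or encrypted data)")
        if notes:
            flags[s["name"]] = notes
    return flags


def entry_section(secs, entry_point):
    """Name of the section whose virtual range contains the entry point."""
    for s in secs:
        if s["vaddr"] <= entry_point < s["vaddr"] + s["vsize"]:
            return s["name"]
    return None


if __name__ == "__main__":
    sections = parse_sections(SECTION_ROWS)
    print(summarize_engines(parse_engines(ENGINE_ROWS)))
    for name, notes in flag_sections(sections, FILE_SIZE).items():
        print(f"{name}: {'; '.join(notes)}")
    print("entry point lies in", entry_section(sections, ENTRY_POINT))
```

Run against the rows above it reports that every named verdict except Rising's generic "[Suspicious]" is a corrupt-file classification, that the DATA, .idata and .aspack sections declare a raw size but hash to the md5 of zero bytes, that the CODE section claims 0x8B000 (569344) raw bytes in a 74703-byte file, and that the entry point sits inside a section named .aspack, the name the ASPack runtime packer gives its stub. A packed executable whose section data is largely missing is consistent with a truncated file rather than a working program; for a responder the practical takeaway is to record the hashes, remove the file, and spend the effort on the reinstall plan rather than on this sample.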

shelf life
2011-01-28, 01:14
Looks more corrupted than anything else. I wouldn't worry about it. Don't forget to visit Windows Update after the new install. Like you said: have it all updated with AV and a few antimalware apps before attaching the secondary drive.


transfer all "relevant" files
This would only have to be content you created like pictures, videos, documents etc. Things that would be lost once you reformat the secondary drive.
If you have any software that requires license keys, etc., you may have to get them off the drive in case you need them for a reinstall on the new drive.

Windows supports a lot of hardware 'out of the box', but you may have to reinstall a driver or two yourself. You have a copy of Windows and not a reinstall disk? If it's a reinstall disk you got with the machine, then I would check the computer vendor's website and make sure it can be used to install XP to a new HD. Most vendors have good guides, FAQs, etc.
I don't know if you have done this before or not, so I may be telling you what you already know.

pkm613
2011-01-28, 01:23
shelf life,

Once again, thank you for taking the time to decipher my computer problems. You are a godsend! :angel::bigthumb: