Windows 7 Forums
Windows 7: Malware installed a hidden virtual HD/OS on C: partition

12 Oct 2015   #1
UberGoober
Windows 7 Pro 64 bit

I know this because I did a DBAN wipe that left about 12 GB of the HDD unaccounted for. I forget which utility allowed me to see X: with a 12 GB VM... I have never installed a VM or used the feature to mount a DVD, etc. My local tech said he got it off, but it was still there when I booted up with no internet cable.

-I was able to view all the folders in the bad OS, but not to open them all. Those that did open had numerous PowerShell scripts, and some folder names appeared to be programs for redirection, rewriting BIOS, copying any CD/DVD you insert, taking over control of all USB functions, changing SATA HDDs to SCSI, keeping an extensive Roaming profile even though I disabled sync years ago, and tons more I can't remember.

-Although the malware shows me screens that look like I am changing settings, they revert immediately upon closing the dialogue box.

-There can be hundreds of users connected to dialup (even though I removed my phone modem card and uninstalled its drivers). Can't remember all the steps through Hades it took to get my broadband set up. I had to enter my TWC master e-mail account password, but the baddies already had it anyway.

-Regardless of the device with which, or location from which, I log onto TWC webmail, it immediately becomes infected. I bought a new laptop, and it got infected the second TWC activated my cable modem; the Remote System has rewritten its firmware. Of course, TWC no-customer-service can't help; it's not their fault for allowing a backdoor into their redirect to start with, right?

Is there any way to clean up this PC, guys?


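Before concluding that space missing after a wipe is a hidden OS, the check a practitioner would run is to account for every byte of each physical disk. The script below is an added example and is not from the thread; it uses only the WMI classes present on Windows 7 (Win32_DiskDrive, Win32_DiskPartition and the Win32_LogicalDiskToPartition association), so it works on the stock PowerShell 2.0 there. For each disk it lists every partition, the drive letter it maps to (if any), and how much of the disk is not covered by any partition. A System Reserved partition or a multi-GB OEM recovery partition normally has no drive letter and is the usual explanation for space that never appears in Explorer.

```powershell
# Added example, not part of the original thread.
# Accounts for every physical disk's space using WMI classes that exist on Windows 7,
# so no Storage-module cmdlets (Get-Disk / Get-Partition, Windows 8+) are needed.
# Run from an elevated PowerShell prompt.

$drives = Get-WmiObject -Class Win32_DiskDrive | Sort-Object Index
foreach ($d in $drives) {
    # All partitions that live on this physical disk, in on-disk order.
    $parts = Get-WmiObject -Class Win32_DiskPartition |
             Where-Object { $_.DiskIndex -eq $d.Index } |
             Sort-Object StartingOffset

    $used = ($parts | Measure-Object -Property Size -Sum).Sum
    if (-not $used) { $used = 0 }

    "{0}  model='{1}'  size={2:N2} GB" -f $d.DeviceID, $d.Model, ($d.Size / 1GB)

    foreach ($p in $parts) {
        # Follow the partition -> logical disk association to find a drive letter.
        # Partitions with no letter (System Reserved, OEM recovery) are invisible in Explorer
        # but still show up here with their size and type.
        $q  = "ASSOCIATORS OF {{Win32_DiskPartition.DeviceID='{0}'}} WHERE AssocClass=Win32_LogicalDiskToPartition" -f $p.DeviceID
        $ld = Get-WmiObject -Query $q
        $letter = if ($ld) { $ld.DeviceID } else { '(no letter)' }

        "   {0,-22} offset={1,14}  size={2,8:N2} GB  type={3}  letter={4}" -f `
            $p.Name, $p.StartingOffset, ($p.Size / 1GB), $p.Type, $letter
    }

    # Space on the disk that no partition claims. Small differences (a few MB) are normal;
    # gigabytes of unallocated space is what is worth explaining.
    "   partitions total={0:N2} GB  unallocated={1:N2} GB" -f ($used / 1GB), (($d.Size - $used) / 1GB)
}
```

Two caveats on reading the output. Win32_DiskDrive.Size is derived from the reported geometry and can come out slightly smaller than the label capacity, so a discrepancy of a few megabytes is noise, not a hidden volume. More importantly, a Host Protected Area or DCO-limited region is hidden by the drive itself and is invisible at this layer (and to DBAN), so a zero unallocated figure here does not rule that out; that has to be checked from a Linux boot disk with hdparm, or with the vendor's tools. On Windows 7, diskpart's "list disk" shows the same unallocated total in its Free column if you prefer the interactive route.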
16 Oct 2015   #2
Laith
Windows 10 Professional x64

Your best bet is to contact your ISP and let your modem firmware be re-installed.

17 Oct 2015   #3
UberGoober
Windows 7 Pro 64 bit

Thanks, Laith.

I did call them, but it's my modem, not TWC's, and they can't (or won't) attempt a firmware fix. The password has been changed by the malware, and several attempts at factory reset have cleared nothing. I downloaded a firmware update on a clean PC, but the malware simply substitutes a PowerShell / XML copy of what it had installed before.

I realize there may be no way to fix this besides adding the expense of monthly modem rent to my bill and buying ANOTHER new PC, but it has been very educational to attempt repairs, and it might help others to continue trying.

Thanks again, Laith.

I'm open to any other suggestions!

17 Oct 2015   #4
Laith
Windows 10 Professional x64

That malware seems very scary. I would just recommend buying a new router if your ISP can't or doesn't want to fix your firmware.

18 Oct 2015   #5
UberGoober
Windows 7 Pro 64 bit

I have to admire these accursed guys for their skill, but I hate their offal!!

A new cable modem would solve one problem, for sure, but I think the hidden XP VM on partition C: would simply reinstall everything and my $ would go down the rat hole.

Any ideas for cleaning off the VM that is "SYSTEM" for the PC? Any way to take control of it?

I've tried Darik's Boot & Nuke, Partition Wizard, PartedMagic, Paragon Adaptive Restore, Macrium Reflect Free, AVG Rescue Disk (blocked from running), tried to install Ubuntu (blocked), and the recovery environment on the OEM Windows 7 disk (options needed not shown or greyed out).

By the way, this bad boy included the Help corruption mentioned here - it was done from the VM's remote server.

18 Oct 2015   #6
Laith
Windows 10 Professional x64

I'm afraid you might have to buy a new disk, if it doesn't work then the motherboard is next.

Have you tried Kaspersky Rescue Disk?

19 Oct 2015   #7
UberGoober
Windows 7 Pro 64 bit

Yep, sounds like a money hole, huh? Just a few pieces of info in case someone else might recognize a symptom and immediately stop doing anything important on his machine...

I did use Kaspersky Rescue on the brand new laptop when it got infected. Kaspersky Internet Security came with the bundle. I tried to install it before hooking to the cable modem, but it refused because it wanted to look up the registration I filled out at the store first. Therefore, it got installed the way the malware wanted it - no real operation, just substitute screens to make me think there was (except the scans are way too short to be real).

The Rescue disk was recognized, a copy made, new instructions written into the copy, and a hidden shortcut to the bogus copy added. Then an error box came up and I was forced to reboot, which made only the bogus copy accessible.

Through the printer service, the MW copies and sends "home" every document, e-mail, spreadsheet, etc. on all drives. That includes flash drives, optical drives, USB backup drives, and multiple hard drives and every web page you visit.

I was running a hardened Windows 7, but this MW broke my long, complicated passwords once a backdoor at TWC was exploited.

Here's an example of a bogus program, just for the curious:
[Attachment: badfolders.png]

Thanks so very much for your time and advice, Laith.



19 Oct 2015   #8
RolandJS
Windows 7 Professional 64-bit

...and restoring an OS-partition full image onto the present OS partition did not help?

19 Oct 2015   #9
UsernameIssues
W7 Pro SP1 64bit

There is nothing abnormal about these folders:


21 Oct 2015   #10
UberGoober
Windows 7 Pro 64 bit

Quote: Originally Posted by RolandJS
> ...and restoring an OS-partition full image onto the present OS partition did not help?

Thanks for your response, Roland. Great idea! I'll see what happens and let you know.