Mystery 3MB Partition still showing after full disk wipe


  1. Posts: 6,292
    Windows 7 64 Bit Home Premium SP1
       #11

    Have you tried DISKPART "Clean All" yet?


  2. Posts: 5
    Windows 7 Ultimate x64
    Thread Starter
       #12

    Hi TVeblen, I'm sorry I didn't respond to your original post. I've run Clean All in Diskpart a few times now, but it didn't have any effect on the partition, I'm afraid.

    The more trouble I have removing this partition, the more convinced I become it's part of a rootkit.


  3. Posts: 7,055
    Windows 7 Home Premium 32 bit
       #13

    I am surprised to learn that HDAT2 did not find anything.

    The only thing left for you to try is to use Atola's HDD Capacity Restore Tool - my post #9 - hooking up the HDD onto a 32bit system.

    (If you have no means to do it, you may seek help from a neighbourhood computer shop to do it for you.)


  4. Posts: 6,292
    Windows 7 64 Bit Home Premium SP1
       #14

    I looked back at your first post and noticed that this mystery drive is a Virtual Hard Disk.

    Does this 3MB partition show up in any other program or utility? If not, it may be a virtual drive created for the use of Active Partition Manager.

    Just a guess. But seeing it is a virtual drive just makes me think it does not really exist at all on the physical hard drive.
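    One way to check post #14's suggestion for yourself: list every disk Windows can see, mark the ones whose model string looks like a mounted virtual disk, and print each partition's offset and size so a 3MB partition can be matched to the disk it actually lives on. This is an added example, not code posted in this thread; it uses WMI because those classes exist on Windows 7 / PowerShell 2.0, and assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Reports every disk with its partitions,
# flags disks that look virtual (mounted VHDs report a model containing
# "Virtual"; this is a heuristic), and calls out any partition smaller than
# $TinyLimit so a stray 3 MB partition is easy to spot and to place.
# Uses Win32_DiskDrive / Win32_DiskPartition so it runs on Windows 7 (PS 2.0).
# Run from an elevated PowerShell prompt.

$TinyLimit = 16MB   # assumption: partitions below this size get a second look

function Get-DiskPartitionReport {
    foreach ($disk in Get-WmiObject -Class Win32_DiskDrive | Sort-Object Index) {
        $virtual = $disk.Model -match 'Virtual'
        $diskGB  = [math]::Round($disk.Size / 1GB, 2)
        $tag     = ''
        if ($virtual) { $tag = '  <-- VIRTUAL DISK (not on a physical drive)' }
        "Disk {0}: {1} ({2} GB, {3}){4}" -f $disk.Index, $disk.Model, $diskGB, $disk.InterfaceType, $tag

        # DeviceID looks like \\.\PHYSICALDRIVE0; WQL needs the backslashes doubled
        $id    = $disk.DeviceID.Replace('\', '\\')
        $query = "ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$id'} " +
                 "WHERE AssocClass = Win32_DiskDriveToDiskPartition"

        foreach ($part in Get-WmiObject -Query $query | Sort-Object StartingOffset) {
            $flag = ''
            if ($part.Size -lt $TinyLimit) { $flag = '  <-- tiny partition' }
            # Offset + size lets you confirm the partition sits inside the disk's reported capacity
            "  {0}: offset {1,14:N0}  size {2,14:N0} bytes  type '{3}'{4}" -f `
                $part.DeviceID, $part.StartingOffset, $part.Size, $part.Type, $flag
        }
    }
}

Get-DiskPartitionReport
```

    Compare the output with what DISKPART's "list disk" and "list partition" show: a 3MB partition that only appears under a disk flagged VIRTUAL is on a mounted VHD file, not on the physical drive you wiped.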


  5. Posts: 2
    Ultimate 64 in this context.
       #15

    I've got current and ample knowledge on what you are trying to get rid of. It's the almost impossible to actually impossible to get rid of bootkit originally made by the NSA that's written outside of the writable area of the disk; that's why you can't delete it. I'm a little rusty, but if memory serves correctly it's built by the hard drive firmware rootkit that is the real "kit" involved here. Basically you erase it when you format that drive, but as soon as the write heads are done cleaning or binary writing the disks, depending on which format version you go with, the firmware malware hijacks the drive and rebuilds it. That folder called unattend is the innocent name for the house that holds the malicious base level payload. Once an OS is booted, that partition hooks the OS in one of a few ways depending on Windows version (in your case it's for sure from XP) and eventually gets itself kernel level access at least, and has instructions to get the rest of whichever exploit was intended from a remote server... meet EQUATIONDRUG and GRAYFISH... they can be modified, but on a base level Drug writes into the firmware of the drive and Grayfish is the 3MB little bastard it creates with those steel hooks it likes to stab into your digital realm, maintaining persistence on its own, i.e. unattended by any human presence.


  6. Posts: 2
    Ultimate 64 in this context.
       #16

    Actually, I think depending on the drive brand and setup, in some cases it's actually written on the disk outside of the user level write head operating distance. Most would call it the service area or manufacturer only area, and essentially the write heads are overextended to write the payload using parameters normally only accessible by the factory. My guess is the jumper setting labeled "factory use" is what enables that function and true low level formatting, and that jumper can be selected via electricity, no physical object needed.. when . P.S. doesn't mean the NSA put it on your drive. Hackers got their hands on the code when Kaspersky went public with it, and there is an associated worm that lives to find other systems to infect autonomously.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.