Virus remains after formatting

karlsnooks · 28 Jul 2012

windude,
Certainly another approach.
DiskPart writes zeros, one pass to all bytes.
Sufficient for everyone except for the FBI and CIA.

bigcitycat · 29 Jul 2012

Maybe the router is compromised. If the win7 disk is clean or maybe a usb or external hard drive. Also could be something in an email or online storage account. Possibly another infected computer on your network. I would log into the router and change the password. Then see if you can update the router. Could also be a false positive too.

zapp22 · 30 Jul 2012

all good suggestions. however I haven't seen that the victim here has actually secure-wiped yet. if not, then it is entirely possible that a scan would pickup an obfuscated infection ... not that hard to do. whether it is 'live' or not is a different question.
secondly - this is stating the obvious I realize - every cleanup I can imagine involves saving off one's valuables, then restoring those valuables. Obviously you would want to save the valuables, SCAN the valuables, and exterminate any that are compromised before restoring.

karlsnooks · 30 Jul 2012

zapp,
a secure wipe is not needed, but what is needed is a wipe, that is, overwriting each and every byte.

icy00 · 30 Jul 2012

Hi Guys
I have also get such a kind of a virus
To wipe it out i filled the bootpartition up to the fat with zeros, there are 62 sectors to overwrite,
i used a utility of Acronis disk partion, thyat boots up the computer with a local windows stored
in this utility.
i
then i put a clean windows without any programs or drivers , installed my virusscanner
deleted the infected files and gone was the virus.

I hope this will help

icy00

karlsnooks · 30 Jul 2012

Icy,
the DISKPART Clean command does this for you and also catches the duplicate copy at the end of the disk.

Win 7 requires NTFS and DiskPart works with NTFS perfectly.

Your virus would have been gone.

F5ing · 31 Jul 2012

karlsnooks said:

Icy,
the DISKPART Clean command does this for you and also catches the duplicate copy at the end of the disk.

Win 7 requires NTFS and DiskPart works with NTFS perfectly.

Your virus would have been gone.

I don't think the DISKPART Clean command cares whether the disk contains NTFS, FAT, FAT32 or any other type of partition that may exist on the disk. For an MBR disk it simply zeroes out the partitioning information and hidden sector information that follows (when using 'Clean', rather than 'Clean All').

The data for each partition remains, including boot records, MFTs, etc. Including any of their mirrors/backups. The data is simply not recognized by the MBR any longer.

icy00 · 01 Aug 2012

Hi Guys

DISKPART is an internal command of the opera

karlsnooks · 01 Aug 2012

icy,
Are you having problems of some kind?
You're posts are not making the greatest amount of sense.

icy00 · 01 Aug 2012

Hi Guys

DISKPART is an internal command of the operating system , this is not working with bootviruses.
Bootvirusses boot before the opperating system boots and they will intercept all calls &
interupts to the disks.
the only method to clean is to boot before the virus boots, then only will these 61 sectors
be overwritten.

icy