Can I get rid of a mystery partition?

papilio

New member
Local time
3:17 AM
Messages
30
Location
Minnesota
I'd been struggling for months to get rid of a malware infection on my Dell XPS 410, I went through the removal drill on 3 different security forums, each time being pronounced clean at the end, and all scans coming up clear -- as they generally had all along. As one forum helper commented, "The symptoms which you describe indicate a significant infection, but I'm not seeing much indication of that in the logs". But the identical problems would always return soon after, even during my several days of total computer "quarantine", the time during which I'd reconnect neither my ethernet cable nor external USB drives, or reinstall any programs.

I ended up buying a new Dell XPS Studio and have at last been again free of these troubles in the month or so since. But wanting still to beat the bugs on the XPS 410 I've kept tinkering with it. I finally noticed something on the 410 when I was running Killdisk on it a couple of days ago. The program shows (besides UBCD showing up as Floppy Drive A) the local partition 80h, which is easily deleted and zero-filled, but unlike any other partition utilities which I've run it also indicates the presence of an 800meg 81h partition (or device) which I've been unable to delete or zero-fill -- trying just gets me locked into a continuous echo of read/write errors. Killdisk always shows the 80h partition with only zero bits all through after it's been run, but the little 81h partition retains its data (whatever it is), formatted in FAT32 (I always format my partitions in NTFS). Even exploring the drive from my Ubuntu installation shows nothing unusual.

A similar partition is not on the new machine, and its presence on the 410 may be just some sort of remnant from the Dell OEM XP Home OS I suppose, from before I tried unsuccessfully to get rid of the problem by installing Windows 7 Premium with a clean install, but it does make me wonder whether this may be where the incredibly persistent bugs may have been residing all this time.

Might this be possible, and any advice on how I could get this partition off the drive?

Thanks,
papilio
.
 
Last edited:

My Computer My Computer

At a glance

Windows 7 x64AMD Phenom II X6 1055T8 GBATI Radeon HD 5870
Computer Manufacturer/Model Number
Dell XPS Studio
OS
Windows 7 x64
CPU
AMD Phenom II X6 1055T
Memory
8 GB
Graphics Card(s)
ATI Radeon HD 5870
Monitor(s) Displays
Dell 2407 WFPUHC
Screen Resolution
1920x1200

My Computer My Computer

At a glance

Systems 1 and 2: Windows 7 Enterprise x64, Wi...System 1: i7 [email protected], System 2: AMD FX-41...System 1: 8GB System 2: 8GBSystem 1: ATI FirePro V4800 System 2: Radeon ...
Computer Manufacturer/Model Number
Dell and Custom
OS
Systems 1 and 2: Windows 7 Enterprise x64, Win 8 Developer
CPU
System 1: i7 [email protected], System 2: AMD FX-4100 Zambezi 3.6G
Motherboard
System 1:Dell 06NWYK System 2: ASUS M5A97 AM3+
Memory
System 1: 8GB System 2: 8GB
Graphics Card(s)
System 1: ATI FirePro V4800 System 2: Radeon HD 6850
Sound Card
System 1: onboard System 2: onboard
Monitor(s) Displays
System1: Viewsonic HDMI 24"
Screen Resolution
System 1: 1920x1080 System 2: 1920x1080
Hard Drives
System 1: Mirrored .5B drives System 2: Seagate Barracuda ST1000DM003 1TB 7200 RPM 64MB Cache SATA 6.0Gb/s
Case
System 1: Dell System 2: Cooler Master
Internet Speed
10 MBPS
Thanks Lemur! I'll check that out right away and post results.
 

My Computer My Computer

At a glance

Windows 7 x64AMD Phenom II X6 1055T8 GBATI Radeon HD 5870
Computer Manufacturer/Model Number
Dell XPS Studio
OS
Windows 7 x64
CPU
AMD Phenom II X6 1055T
Memory
8 GB
Graphics Card(s)
ATI Radeon HD 5870
Monitor(s) Displays
Dell 2407 WFPUHC
Screen Resolution
1920x1200
Sounds like you have an enabled security chip in your system that is setting up the HDD for a lojack install. If rcpnet.exe is running in task manager and the option to disable the security chip isn't present in the security section of BIOS, that would confirm my suspicions. The only way to get rid of it is to flash a new BIOS, zero the entire HDD and reinstall windows.
 
Sounds like you have an enabled security chip in your system that is setting up the HDD for a lojack install. If rcpnet.exe is running in task manager and the option to disable the security chip isn't present in the security section of BIOS, that would confirm my suspicions. The only way to get rid of it is to flash a new BIOS, zero the entire HDD and reinstall windows.

Hi MadTown. That was one of the options suggested for 81h (the bios part). At first I thought it might be a rootkit.
 

My Computer My Computer

At a glance

Systems 1 and 2: Windows 7 Enterprise x64, Wi...System 1: i7 [email protected], System 2: AMD FX-41...System 1: 8GB System 2: 8GBSystem 1: ATI FirePro V4800 System 2: Radeon ...
Computer Manufacturer/Model Number
Dell and Custom
OS
Systems 1 and 2: Windows 7 Enterprise x64, Win 8 Developer
CPU
System 1: i7 [email protected], System 2: AMD FX-4100 Zambezi 3.6G
Motherboard
System 1:Dell 06NWYK System 2: ASUS M5A97 AM3+
Memory
System 1: 8GB System 2: 8GB
Graphics Card(s)
System 1: ATI FirePro V4800 System 2: Radeon HD 6850
Sound Card
System 1: onboard System 2: onboard
Monitor(s) Displays
System1: Viewsonic HDMI 24"
Screen Resolution
System 1: 1920x1080 System 2: 1920x1080
Hard Drives
System 1: Mirrored .5B drives System 2: Seagate Barracuda ST1000DM003 1TB 7200 RPM 64MB Cache SATA 6.0Gb/s
Case
System 1: Dell System 2: Cooler Master
Internet Speed
10 MBPS
The good news is, if my suspicions are correct, it's not malicious, even though there's no way to get rid of it short of reflashing the bios and wiping the HDD
 
Thanks again everyone! I first wanted to make a custom Ubuntu live CD with Remastersys (more useful I think and a bit quicker than ghosting with Clonezilla). I had installed Win7 on Ubuntu with Virtualbox last week, but have so far had trouble getting it to work correctly, so right now I'm zeroing out the 500gig HDD and will then do another clean install of Win7, then try the options so far suggested.

There's probably a quicker way, but I'm still a noob with Ubuntu.

Also, I know that I could get instructions for flashing the BIOS by googling, but to be quicker could anyone describe the procedure for me? Thanks.
 
Last edited:

My Computer My Computer

At a glance

Windows 7 x64AMD Phenom II X6 1055T8 GBATI Radeon HD 5870
Computer Manufacturer/Model Number
Dell XPS Studio
OS
Windows 7 x64
CPU
AMD Phenom II X6 1055T
Memory
8 GB
Graphics Card(s)
ATI Radeon HD 5870
Monitor(s) Displays
Dell 2407 WFPUHC
Screen Resolution
1920x1200
It may not be possible to reflash the bios yourself. Dell is particularly anal about locking down otherwise adjustable BIOS settings, and the application to flash the bios that is available from dell support will only work if it hasn't been updated. The currently available updated bios version is 2.5.3, so if a different BIOS version appears at POST you should be able to update it...

Flashing the bios on an XPS 410, (and most other older Dells), is a matter of downloading the update, setting it to run in compatibility mode for windows vista, and running it as an administrator. I've done it dozens of times without a hitch. The main thing to remember is run the bios flash on a freshly installed OS with no antivirus or other security software installed, and make sure there are no other running applications before you start.

However, don't do it unless the problem reappears after zeroing the HDD and reinstalling windows andyou've checked that one or both of the other symptoms are present (rcpnet.exe in task manager and/or an unchangable or missing setting for the security chip) Otherwise you're wasting your time on something that won't solve the problem.
 
How about hooking the hard drive up to another system and deleting the partition/formatting from there?

Would that work?
 

My Computer My Computer

At a glance

7
OS
7
How about hooking the hard drive up to another system and deleting the partition/formatting from there?

Would that work?

Not if it's a hard drive bios. Nor would you want to.
 

My Computer My Computer

At a glance

Systems 1 and 2: Windows 7 Enterprise x64, Wi...System 1: i7 [email protected], System 2: AMD FX-41...System 1: 8GB System 2: 8GBSystem 1: ATI FirePro V4800 System 2: Radeon ...
Computer Manufacturer/Model Number
Dell and Custom
OS
Systems 1 and 2: Windows 7 Enterprise x64, Win 8 Developer
CPU
System 1: i7 [email protected], System 2: AMD FX-4100 Zambezi 3.6G
Motherboard
System 1:Dell 06NWYK System 2: ASUS M5A97 AM3+
Memory
System 1: 8GB System 2: 8GB
Graphics Card(s)
System 1: ATI FirePro V4800 System 2: Radeon HD 6850
Sound Card
System 1: onboard System 2: onboard
Monitor(s) Displays
System1: Viewsonic HDMI 24"
Screen Resolution
System 1: 1920x1080 System 2: 1920x1080
Hard Drives
System 1: Mirrored .5B drives System 2: Seagate Barracuda ST1000DM003 1TB 7200 RPM 64MB Cache SATA 6.0Gb/s
Case
System 1: Dell System 2: Cooler Master
Internet Speed
10 MBPS
There's a utility that can clear hidden sectors in a HDD and reset the entire drive to factory default, but as far as I know, it's not possible to reallocate hidden sectors to a mounted HDD in the first place, which eliminates any known malware as the cause, however if the problem is what I think it is, not even throwing away the "infected" HDD and replacing it with a new one will solve the problem
 

My Computer My Computer

At a glance

MS Windows 7 Ultimate SP1 64-bitAMD A10-4600M6.00 GB Dual-Channel DDR3 @ 798MHz (11-11-12-28)AMD Radeon HD 7660G
Computer Manufacturer/Model Number
Toshiba Satellite S875D-S7239 laptop
OS
MS Windows 7 Ultimate SP1 64-bit
CPU
AMD A10-4600M
Motherboard
AMD Pumori (Socket FT1)
Memory
6.00 GB Dual-Channel DDR3 @ 798MHz (11-11-12-28)
Graphics Card(s)
AMD Radeon HD 7660G
Sound Card
High Definition Audio Device
Monitor(s) Displays
Generic PnP Monitor (1600x900@60Hz)
Screen Resolution
1600x900@60Hz
Hard Drives
SSD 119GB Corsair CSSD-V128GB2 ATA Device
Keyboard
Standard PS/2 Keyboard
Mouse
HP Wireless Optical Mobile Mouse Model FHA-3410
Internet Speed
What the local pub, local coffee shop offers.
Other Info
Optical Drive:MATSHITA BD-CMB UJ160B ATA Device


Also have an Asus ha1002xp netbook with Win 7 Ultimate installed.
Thanks madtownidiot, I'd heard the same about Dell and their BIOS fixations -- I suppose the reason I'd never even taken the time to learn how, though for the most part I'm very comfortable working with a PC's hardware and software infrastructures. And thanks also for taking the time to look up the current Dell version, yes mine is current.

Nothing appears suspicious in BIOS Security, though there may be some customary settings not even shown which I wouldn't know to be missing.

Admin Password -- Not set
System Password -- Not set
Password changes -- Unlocked
Execute disable -- On

All factory defaults.

But an option to actually disable the security -- no, not if I'm understanding you correctly.

I do know that these settings are as they've been since the machine was new, and not the least trouble for years. Process rcpnet.exe is not listed on Task Manager nor any of Sysinternals apps, and I'm not (yet at least) finding it in any computer searches, all files set to shown.

I must say, I feel at last vindicated by your saying that, at least going by your best suspicions, replacing the HDD would likely not fix the problem. Not that I know terribly much about it, but all of my efforts at fixing the thing had pretty much led me to the same conclusion -- despite having been told by the security experts on those forums that "of course it would, otherwise you're just chasing ghosts". It seems that it's only scans and logs which concern them ... though to be fair they're only looking for malware, when evidently this may turn out to be at least partly hardware-related.

One comment though I have on your last post (may be relevant or not), there are more than enough persistent symptoms of malicious activity to pretty well convince me that it's not solely in the hardware, after a few days anyway as the problems inevitably become more pronounced. Not meaning to imply that I've accepted that as a fact, just wanted to run it by you. Anyway, at last I'm getting some good info, from all of you. Thank you.

So the old 410 is all reset with a clean Windows 7 install and ready for running the gauntlet of all of your suggestions in the morning. Too early to tell of course whether or not it will begin clearly showing signs of being up to its old tricks, though I can say already that it's not running like a clean install on a zeroed-out HDD. This will be very interesting.
 
Last edited:

My Computer My Computer

At a glance

Windows 7 x64AMD Phenom II X6 1055T8 GBATI Radeon HD 5870
Computer Manufacturer/Model Number
Dell XPS Studio
OS
Windows 7 x64
CPU
AMD Phenom II X6 1055T
Memory
8 GB
Graphics Card(s)
ATI Radeon HD 5870
Monitor(s) Displays
Dell 2407 WFPUHC
Screen Resolution
1920x1200
however if the problem is what I think it is, not even throwing away the "infected" HDD and replacing it with a new one will solve the problem
Thanks for the info on this subject madtownidiot as I've never come across it before. :)
 

My Computer My Computer

At a glance

7
OS
7
What would be missing is a computrace setting.. if it's no longer visible, that means the computrace chip has been permanently activated and can't be disabled. It's not malicious, and can be isolated with a good firewall. however, if reflashing the BIOS doesn't clear it and deactivate the module, there is no known way to get rid of it. In dealing with primarily laptops, I've only seen this one other time and it turned out the laptop was stolen... not saying that's the case with your computer by any means, because accidentally activating the security chip while playing with bios settings is a non-reversable mistake...
 
karlsnooks, thank you for the link, I did give it a shot, but just as madtownidiot has been saying it didn't bring back the missing setting.


Lemur, thanks, that's a great freeware utility! Unfortunately, just as with all of the other HDD utils which I've used except for Killdisk 81h did not show up.

Though this appears to be a lost cause, out of curiosity I'd be very interested in a link to where you found such info as "All sorts of information on 81h, and all conflicting." Or if it was through googling, what did you enter as your search query? Merely 81h didn't bring up anything which I'd call illuminating.


And thanks Jaxryley, I have used GParted previously to search the disk, no indication of 81h there either.


madtownidiot, thank you so much for all of your help.
Just to be certain that I've followed you correctly ...

> I have the current BIOS, so it cannot be flashed (at least until a new one comes out, if one does -- as I'm sure you know this one is quite old).
> No malware is capable of infecting the 81h hidden sector.

Could you describe for me the symptoms of having this problem with the machine?
Also, as it's not malicious, what the advantage would be of dealing with it via my firewall, and if you think that doing so would help could you point me to a link with instructions for doing this?


I'm currently using Webroot as my primary realtime and on-demand scanner, in my experience it detects far more malware than anything else which I've tried and so far none of them have appeared to be false positives. (When every other scan had shown the system as clean, TEMS did repeatedly report finding evidence of high-risk malicious activity in the memory heap which was quite possibly that of my culprit(s), but of course that's not much help in actually finding the malware -- though I am aware that TEMS can in some cases be prone to false positives.)

But as Webroot's firewall was less than impressive that's been disabled and I'm using ZA for my firewall instead, which I very much like. It has so far proven to be the most effective of those I've tried, together with my Belkin wired router, at keeping things out. My problem, malware-wise, primarily seems to have been difficulty keeping things in, not calling home and perhaps holding ports open for their cracker parents. This though would be malware which has yet to be detected by any scan (except possibly TEMS), so I'd pretty much assumed it to be a very good rootkit (as Lemur initially suspected) -- one somehow capable even of surviving zeroed HDDs and clean installs. My assumption of its being the same malware always returning is due, first of all, to the fact that malicious activity inevitably shows up again after each clean install during the period which, as I've mentioned, my machine has been quarantined from outside influence, and secondly, the symptoms of malicious activity strongly appear to be identical each time.

And madtownidiot, love your signature -- I whole-heartedly agree, with great annoyance.
 
Last edited:

My Computer My Computer

At a glance

Windows 7 x64AMD Phenom II X6 1055T8 GBATI Radeon HD 5870
Computer Manufacturer/Model Number
Dell XPS Studio
OS
Windows 7 x64
CPU
AMD Phenom II X6 1055T
Memory
8 GB
Graphics Card(s)
ATI Radeon HD 5870
Monitor(s) Displays
Dell 2407 WFPUHC
Screen Resolution
1920x1200
Still not absolutely positive you have the problem I think you do, but if you have an activated security chip in your computer.. it will do pretty much as you described.. create a hidden partition in your system for the purpose of downloading and reinstalling Lojack.. even if it has never been installed ..
In addition:
In task manager there will usually be a process called rpcnet.exe and in services will be a "persistence module" which can't be stopped or disabled, which serves to reinstall the antitheft software in the case of hdd formatting, or replacement.

On further reading, Reflashing the bios would not have even worked. Your computer model# wasn't listed in the computrace website but that really doesn't mean much because Dell sometimes installs whatever parts will fit, including motherboards when the specified component isn't available.. and the xps 410 has an identical motherboard to several other models that were listed

There's really no way to get rid of it.

What I would recommend
Replace Zonealarm with comodo,
If you don't have the rpcnet process, look for a persistence module in the services tab. Right click on it, select go to process(es) and locate any files that are highlighted except for servicehost. then set the firewall to block all connections from those processes, and mark them as untrusted. That will at least keep it isolated. There isn't anything more you can do.
 
I like Zonealarm but I like Comodo too, so I'll happily make the switch you recommend, on both computers.

Considering the absence of the computrace setting in the BIOS (even if not inherent on the XPS 410), plus other factors which you say seem to fit, yours is definitely the best diagnosis which anyone has yet suggested in all this time. I may also have found something similar to what you read ...

On the Computrace site:

"BIOS persistence is the most comprehensive option, defeating virtually every action that could remove the Application Agent from a device including if the BIOS is flashed, if the device is reimaged, or if the hard drive is replaced."

You'd hardly believe how relevant this sounds.


It's been nearly six months that I've been putting so much energy into attempting to clean this PC, time to call it quits! I really love the 410, it's served me extremely well. The new computer is not so good in fit and finish but hopefully that's just cosmetic. In any case, as long as the 410 is not my primary PC, I can live with its problems.


I can't believe how difficult and long it's taken to finally get truly sound and very knowledgeable advice and information, so thank you all very much!

papilio
.
 
Last edited:

My Computer My Computer

At a glance

Windows 7 x64AMD Phenom II X6 1055T8 GBATI Radeon HD 5870
Computer Manufacturer/Model Number
Dell XPS Studio
OS
Windows 7 x64
CPU
AMD Phenom II X6 1055T
Memory
8 GB
Graphics Card(s)
ATI Radeon HD 5870
Monitor(s) Displays
Dell 2407 WFPUHC
Screen Resolution
1920x1200
I found this, which may be a more effective way of dealing with it. The more research I do on this, the more annoyed it makes me that Dell and other computer companies foist this on unsuspecting customers.. some computers models don't have the option to not include lojack in at least a trial form.
 
Back
Top