Unofficial empeg BBS

#372737 - 23/04/2020 21:10 Hard Drive Partitions
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5539
Loc: Ajijic, Mexico
I have an old 300GB hard drive that I am using as a clone destination for my SSD system drive. I am not satisfied with the partitioning on this drive, and am not smart enough to figure out how to change it. At one time I had the idea that I would have two partitions for the clone, to be alternated each time I ran the cloning program. That turned out to be somewhat overkill and more complicated than I wanted.

Below is a screenshot of Windows 10 Disk Management, showing all the partitions in the computer. Disk 4 is the clone destination, with the two partitions and the Recovery partition.


1) What is the 470 MB Recovery Partition on the system drive (Disk 0)? I notice the same thing on Disk 4.

2) What is the System Reserved partition on the system drive?

3) If I decide to get rid of the "Y" partition and extend the "X" partition to use the former "Y" space... how would I do that?

To the best of my knowledge, I have no partition management tools other than what is provided in Windows 10.

tanstaafl.

Attachments: Partitions.png

_________________________
"There Ain't No Such Thing As A Free Lunch"

#372738 - 24/04/2020 03:02 Re: Hard Drive Partitions [Re: tanstaafl.]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
The recovery partition would have been created by a windows installer.

Possibly you installed Windows onto the 111.33GB X: partition once. Usually it puts the recovery partition after the install partition, like on Disk 0, which has your boot partition.

If Disk 4 was just (re)added then that recovery partition is fair game to delete.

To consolidate X:, Y: and the Disk 4 recovery, just right click on each one and select "Delete Volume". That would be the easiest way. You technically could delete Y: and Recovery and then extend X: (with extra tools), but the easiest way if it's empty is to just delete them all and create one new big one. If X: or Y: has files on it you need to keep, just move them off to one of your other devices temporarily. Once they're all deleted, just right click on the empty space to create a new volume.

The system reserved partition is something to do with Windows and/or may be a factory install partition on a name brand computer like a Dell or similar.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#372740 - 24/04/2020 19:08 Re: Hard Drive Partitions [Re: Shonky]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5539
Loc: Ajijic, Mexico
Christian, I had already tried that. When I delete either of those partitions, they turn into "Unallocated Space", and if I then right-click that, there is no option to delete. If I try to extend the X partition, it won't let me extend past the original 111 GB and the other two partitions just sit there.

But I've changed my mind, I want to keep both X and Y partitions as they are. Because...

I did something stupid and helped my wife. She had an email from a trusted friend, one of many emails over the years. It had an attachment that wouldn't open on her iPad. I said forward the email to me, and I'll get the attachment for you.

The attachment was a .zip file, I unzipped it, and it pretty much wrecked my computer. I didn't realize this until after I had made a clone backup of my system drive. So the clone is wrecked too.

My Gmail is hardest hit, to the point of being unusable. It might take up to a minute to load, there can be a 5-10 second delay from when keys are pressed until they appear on the screen, if I try and attach a file it crashes Firefox.

MalwareBytes finds and quarantines four items each time I run it -- and they immediately reappear and get quarantined again even if I run the MalwareBytes program back to back. (see the picture below, the results of three scans run today)

It has been suggested that the malware is using my computer to mine for bitcoins. This would fit the symptoms. Gmail and YouTube are hardest hit. I can stream a video, but it might take 30-40 seconds to load and begin playing. Gmail is virtually unusable. Even the empeg bbs is difficult, sometimes the screen will freeze but continue to store keystrokes in some buffer and then catch up with the typing 10 seconds later. Similar things happen with MS-Word and Excel.

One other thing is different. Every once in a while I get a dark blue box that flashes on the screen for about a tenth of a second; it says (I think) "Windows PowerShell".

Do you have any recommendations or advice on how I can pursue this matter? With the lockdown, my resources are limited. My go-to guy at the computer store is not available, the store is closed, his cell phone is shut off, I hope he is OK.

tanstaafl.

PS: That VBA script you wrote for me years ago to reformat the comments in Excel is still working flawlessly. I wrote a macro for my programmable keyboard that allows me to copy a synopsis from Calibre and post it in the Excel index file as a comment and reformat it all with a single keystroke. Thank you!

db

Attachments: Malware.png


_________________________
"There Ain't No Such Thing As A Free Lunch"

#372741 - 24/04/2020 22:33 Re: Hard Drive Partitions [Re: tanstaafl.]
Attack
addict

Registered: 01/03/2002
Posts: 598
Loc: Florida
Eset and Kaspersky both have bootable images that can be used to clean a system. I would run both since one might find something the other missed. You could also remove the drive and scan it with MalwareBytes from another machine.

On a clean computer I would follow these instructions

https://support.eset.com/en/kb3509-how-do-i-use-eset-sysrescue-live-to-clean-my-computer

https://www.howtogeek.com/howto/36403/ho...ur-infected-pc/


This might be a newer version of the bootable image than is linked in Kaspersky article. https://usa.kaspersky.com/downloads/thank-you/free-rescue-disk
_________________________
Chad

#372742 - 25/04/2020 02:33 Re: Hard Drive Partitions [Re: tanstaafl.]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Bugger. I had a bunch of stuff written and closed the window trying something.

The Unallocated space is what you want. You delete all 3 partitions and they will join into one big contiguous space. Then right click and create new volume.

Most "decent" malware will resurrect itself and have multiple copies hence the 4 copies of the same file you found. If you delete one, it just gets restored from one of the others.

I do think it would be possible to get rid of it from Windows, but it's been a while since I had to remove this sort of stuff from a PC.

My steps in rough order would be
1) Try and remove it manually but that will require some experimentation finding which bits to kill or remove first. Your scans don't show it killing applications. You really need to get the running applications stopped or they'll just fix any other deletions/changes you make.

2) Try and identify it exactly and then look for a specific guide to remove it.

3) Try Windows 10 safe mode. That might be enough to prevent it running after booting. You really need it to not run when starting. Then do a scan and clean.

4) Boot with an offline scan like those linked above. That should be able to clean enough.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#372748 - 25/04/2020 22:46 Re: Hard Drive Partitions [Re: tanstaafl.]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
Also I just stumbled across an option in Windows 10 that's new to me.

Open "Virus and threat detection". Not sure how to click to it these days (?!?!) but type "Virus" after pressing the windows start button/icon.

Then select Scan Options followed by "Windows Defender Offline scan".

That might help with the problems above and I'd probably try that first of all.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)
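The same procedure from an elevated PowerShell prompt, as an added example that is not from the thread or from Microsoft's documentation: it checks the state Windows Defender is actually in before you trust its results (Shonky's later point that the malware may have set policy entries to disable the offline scan is exactly what the policy-key check looks for), lists recent detections, and only then triggers the offline scan. The cmdlets, properties and registry paths are the real Defender ones; the `$runOfflineScan` switch and the output layout are this example's choices.

```powershell
#Requires -RunAsAdministrator
# Added example: inspect Defender's health, then (optionally) launch the offline scan.
# Set $runOfflineScan to $true only when you have saved your work: the call reboots
# the machine into the offline scanning environment.
$runOfflineScan = $false

# Current protection state. A stale signature age or disabled real-time protection
# on a machine you did not change yourself is itself a finding.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    TamperProtection   = $status.IsTamperProtected
    SignatureAgeDays   = $status.AntivirusSignatureAge
    LastFullScanEnded  = $status.FullScanEndTime
} | Format-List

# Policy values that switch Defender off. A value of 1 set by a Group Policy you
# never configured is a common way malware keeps the scanner quiet.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($c.Name) -eq 1) {
        Write-Warning "Policy value $($c.Path)\$($c.Name) = 1 : Defender is being disabled by policy"
    }
}

# Exclusions are a quieter way to blind the scanner; list any that exist.
$pref = Get-MpPreference
if ($pref.ExclusionPath -or $pref.ExclusionProcess -or $pref.ExclusionExtension) {
    Write-Warning 'Defender exclusions are configured:'
    $pref.ExclusionPath
    $pref.ExclusionProcess
    $pref.ExclusionExtension
}

# Detection history. The same item being quarantined scan after scan (the thread's
# four recurring hits) shows up here as repeated entries with fresh timestamps.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 20 InitialDetectionTime, ThreatID, ProcessName,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# Windows Defender Offline: reboots into a minimal environment and scans the disk
# before the normal Windows, and anything persisting in it, has started.
if ($runOfflineScan) {
    Start-MpWDOScan
} else {
    Write-Host 'Set $runOfflineScan = $true to reboot into the Windows Defender Offline scan.'
}
```

If the policy check warns, the offline scan is worth running anyway: it does not depend on the running Windows installation's Defender settings, which is the whole point of Shonky's suggestion.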

#372749 - 26/04/2020 02:09 Re: Hard Drive Partitions [Re: Shonky]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5539
Loc: Ajijic, Mexico
Originally Posted By: Shonky
Then select Scan Options followed by "Windows Defender Offline scan".
That worked... up to a point.

Whatever this is, it is absolutely hard-wired to prevent my Gmail from uploading an attachment. I was a little bit surprised that it let me attach this:

tanstaafl.

Attachments: Wiindows Threat Protection.png


_________________________
"There Ain't No Such Thing As A Free Lunch"

#372758 - 27/04/2020 03:20 Re: Hard Drive Partitions [Re: tanstaafl.]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
It's somewhat unlikely it's directly/intentionally preventing you sending an attachment via Gmail (i.e. uploading a file through a web browser).

It's quite possible it's set some registry entries/group policies to prevent you running the offline scan.

Try safe mode if you can.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#372772 - 28/04/2020 20:48 Re: Hard Drive Partitions [Re: Shonky]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5539
Loc: Ajijic, Mexico
Well, this is weird.

The first picture is a screenshot at 9:30 this morning, showing the results of the two previous scans. The same four files and registry keys as usual, one from the scheduled 2:20am scan, and the other from the 9:30am manual scan.

The second picture is for a scan I just made because I was suspicious, the computer suddenly seemed to be running better than it had been. I had done nothing but look at my favorite porn uhh, information sites on YouTube and I was impressed at how much worse the situation had become than even my Henny Penny the Sky Is Falling rants had predicted.

What could account for this turnaround? Will it be permanent? Do I need to do anything other than give myself a dope slap for being so careless in the first place?

First thing I am doing is cloning my (hopefully clean) system drive!

Curiouser and curiouser. And my name isn't even Alice.

tanstaafl.

Attachments: Malware Files 2.png, Malware Files 3.png


_________________________
"There Ain't No Such Thing As A Free Lunch"

#372773 - 29/04/2020 02:08 Re: Hard Drive Partitions [Re: tanstaafl.]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
I'd do a full scan in Windows Defender again. Maybe something you've done has killed it enough and prevented it from reinstalling itself. If you're still getting the registry keys in particular then it's still installing itself again and therefore not completely gone.

Have you looked at the actual file it's installed in "C:\windows\system32...". It appears it's creating new folders with a new GUID each time (GUID is the globally unique identifier - basically a big random hex number) with the file in them. The file name probably changes each time too.

I'd also try a few other online scanners (i.e. download and run a scanner directly) and preferably also at least one that you run offline from a bootdisk.

Unfortunately I'd be somewhat untrusting of that Windows installation unless I really knew what the malware did to install and where it installed itself.

In your case I would believe the positive hits before I believed the negative hits like your second screenshot.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)
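A read-only triage pass over the places this post and the earlier replies point at, as an added example (not the thread's or any vendor's code): it lists recently created GUID-named folders under System32 with hashes and signature status of their contents, the Run/RunOnce autostart entries that recurring "registry key" detections usually are, scheduled tasks whose action launches PowerShell or another script host (a brief "Windows PowerShell" window flashing on screen is what such a task looks like from the desk), and services whose binary lives in a GUID-named folder. It deletes nothing; the point is Shonky's step 2, identifying what is there and whether it is still re-creating itself. The 3-day window, the GUID regex and the output fields are this example's choices; the cmdlets and registry paths are standard Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example: gather evidence about persistence, without changing anything.
$since    = (Get-Date).AddDays(-3)   # look-back window (example's choice)
$guidName = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'

# 1. Recently created GUID-named folders under System32 and the files inside them.
#    The SHA256 lets you compare across runs: a new hash each time means the payload
#    is being regenerated, not just restored from a copy.
Get-ChildItem "$env:SystemRoot\System32" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidName -and $_.CreationTime -gt $since } |
    ForEach-Object {
        $dir = $_
        Get-ChildItem $dir.FullName -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Folder  = $dir.Name
                File    = $_.Name
                Created = $_.CreationTime
                SizeKB  = [math]::Round($_.Length / 1KB, 1)
                SHA256  = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
                Signed  = (Get-AuthenticodeSignature $_.FullName).Status
            }
        }
    } | Format-Table -AutoSize

# 2. Run/RunOnce autostart entries for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # skip PowerShell's own metadata properties
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}
$autoruns | Format-Table -Wrap

# 3. Scheduled tasks whose action runs a script host rather than a normal program.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell|pwsh|cmd|wscript|cscript|mshta') {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
} | Format-Table -Wrap

# 4. Services whose binary path contains a GUID-named folder.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match '\\\{?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -Wrap
```

Run it once, run the scanner, and run it again: entries that come back with a new folder name or hash confirm Shonky's reading that something still running is reinstalling the pieces, and the task or service that lists alongside them is the thing to stop first.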
