1 (edited by gedakc 2016-05-04 22:06:02)

Topic: [closed] Malicious split-off from system-partition, BlackSOD

Recently I had, after booting Win7 and giving my log-in password, a fully black screen. This seemed to me to be the currently discussed "Black Screen Of Death" (with Windows).

Previously I had been using uTorrent in the newest version. During and after torrenting I found my system very sluggish and my firewall (Comodo) was "stalled" (I now have a suspicion about the safety of the new uTorrent).

I decided to run eScan (a CD-Win-bootable virus scanner); it started with a checkdisk which ran very quickly, so it was unreadable, however I thought I saw more info than normally with a chkdsk. It did not find any problem.
I think that after this the BlackSOD was present (I am not sure about that).
After that I ran BitDefender (a CD-Linux-bootable virus scanner). It did find 2 (minor) items, however it did not solve my problem.

Then I started my USB-bootable GParted (the previous version).

It started and found that my original system partition was now split into a first very small bootable partition (~1-2 MB); the remains of my system partition now had the name "name2" (not bootable); the data partition seemed as before (so not changed).
I am absolutely sure that I did not create this split-off small partition myself.
Probably the Win7 booting up to the log-in screen was in the small partition, and the rest of the booting (after giving the login password) was probably in the 2nd partition. So this is probably why the booting halted after giving the login, with a black screen.

Probably if I could have joined the split-off partition with the rest of the system partition, the booting would have run normally again??!!

However there is some extra info against this solution.
Initially I deleted the small bootable partition and flagged the remaining original system partition as bootable (at that time I did not realize that this small partition held a part of the original system files). Booting then failed totally.

Then I tried to boot again from my USB-bootable GParted.
To my horror and disbelief it failed to boot; later I found that the USB stick was "not formatted", so the bootable GParted had been destroyed, probably when it was connected during the first session when I deleted the small split-off partition.

I then took an older rescue CD (so no USB with write access), with an older version of GParted. It booted ok and started GParted ok.
I also deleted the remaining system partition, recreated a new partition (for re-installing Win7) and formatted it in a row with every file system possible (ext2, ext3, xfs, .....), then ntfs last. This in the hope of destroying any possible malware in the MFT area.

I then started my USB-bootable Win7 install.
To my disbelief it reported errors in the install files on the USB stick.
I then messed around, rebooted a few times, restored the BIOS to original, and finally, surprisingly, the install seemed to run as it should.

I think a very nasty malware was present, which was aware that I was attacking it with tools (GParted and reinstalling the OS) to remove the malware structure.

So my question is whether you can incorporate a way to join 2 partitions without data loss,
so that a maliciously split (system) partition can be restored to the previous original.

And can you make the partition check detect and repair the above malicious situation?
I must however admit that if the above is really the result of very sneaky malware, this situation is probably too much for GParted.

Best Regards
Jan O


Re: [closed] Malicious split-off from system-partition, BlackSOD

joopie wrote:

So my question is whether you can incorporate a way to join 2 partitions without data loss,
so that a maliciously split (system) partition can be restored to the previous original.

GParted does not support merging partitions.  It is possible that your system originally had two partitions and that the first partition was hidden.  To split a partition requires a significant amount of work, especially when the contents are preserved.

Before re-installing the operating system, you might want to visit the disk drive manufacturer's web site and download hard drive testing software so that you can test your hard drive for errors.
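A check worth running before deleting anything in a situation like the one described above, as an added example (Python; not code from this thread or from GParted): parse the MBR partition table and flag the layout the poster saw, a small bootable partition contiguous with a larger non-bootable NTFS-type partition. The MBR bytes below are constructed inline; reading the real first 512 bytes of a disk from a rescue environment is assumed to happen separately.

```python
import struct

# Standard MBR partition type ids relevant to the thread.
PART_TYPES = {0x07: "NTFS/exFAT", 0x17: "Hidden NTFS", 0x83: "Linux"}

def parse_mbr(mbr: bytes) -> list:
    """Parse the four primary entries of a 512-byte MBR into dicts with the
    fields a GParted user looks at: boot flag, type, start LBA and size."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or signature)")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sectors
        boot, ptype, start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00:          # unused slot
            continue
        parts.append({"index": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, hex(ptype)),
                      "start_lba": start, "sectors": sectors,
                      "size_mib": sectors * 512 / 2**20})
    return parts

def suspicious_split(parts: list, small_mib: float = 16) -> bool:
    """True when a small bootable partition is directly followed, contiguously,
    by a larger non-bootable NTFS-type partition (the layout the post describes).
    Heuristic only: Windows itself creates a small boot partition (normally about
    100 MiB on Windows 7), so a hit calls for inspection, not deletion."""
    for a, b in zip(parts, parts[1:]):
        if (a["bootable"] and a["size_mib"] <= small_mib
                and not b["bootable"] and b["type"] in (0x07, 0x17)
                and b["start_lba"] == a["start_lba"] + a["sectors"]
                and b["sectors"] > a["sectors"]):
            return True
    return False

def _entry(boot: bool, ptype: int, start: int, sectors: int) -> bytes:
    # helper for the constructed samples; CHS fields are left zeroed
    return struct.pack("<B3xB3xII", 0x80 if boot else 0x00, ptype, start, sectors)

# Constructed sample (not from a real disk): a 2 MiB bootable NTFS partition at
# LBA 2048 followed by a 40 GiB non-bootable NTFS partition.
SPLIT_MBR = (b"\x00" * 446 + _entry(True, 0x07, 2048, 4096)
             + _entry(False, 0x07, 6144, 40 * 2**21) + b"\x00" * 32 + b"\x55\xaa")
# Constructed sample for comparison: a single bootable NTFS partition.
PLAIN_MBR = (b"\x00" * 446 + _entry(True, 0x07, 2048, 40 * 2**21)
             + b"\x00" * 48 + b"\x55\xaa")
```

Run it against a real disk by passing the first 512 bytes of the device to `parse_mbr`; on a GPT disk the MBR is only protective and this check does not apply.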