Malware Hunting With Free Dos/SPFdisk: Questionable Files and Partition












0















I am trying to track down the location of persistent malware and have found a small partition I am unable to remove along with some files that I can only see when I use SPFdisk (Free Dos). I have included a URL pointing to my Google Drive account where i have stored two photos for visual reference to my questions.



Questions




  1. Can someone please explain the values listed under the columns "Type, Size, Date and Time" of the files autoexec.bat, MENU.bat and choice.exe (all labeled green/blue). Those three files are only appearing when I use this program and the rest can be seen in the root directory at the command line. I would very much like to remove them from my computer along with the fourth file (sigma)ENU.BAT which is also visible in this location only. I do understand that the last mentioned file is/has been deleted (not by me) and I assume the malware is recalling it using the function "undelete" or some similar variation.


  2. The second photo is showing the attributes for 2/2 boot records on a 31Mb partition I can't seem to remove for the life of me. I don't understand the values shown, such as how many FAT copies there are, what the media descriptor is or it's role in the partition scheme, how many sectors per FAT and per Track, the sides per cylinder value, what the extended boot record signature is and what it is used for, the significance of the volume label and physical drive number values (these values seem abnormal) and most importantly, how can the hidden sectors listed be accessed for complete removal?



Due to the size limitation for uploading images, I have provided a URL to my google drive account where they are stored.



Root Dir Photo:
https://drive.google.com/file/d/1s4wcw7v-IH70ZX--jfDd5tiQN4BvlqG3/view?usp=sharingusp=sharing



Boot Record Photo:
https://drive.google.com/file/d/1vdVA_KsSv8iDrr6x8u_Gjl8dR5L1kQ-R/view?usp=sharing






partitioning filesystems malware-removal







share|improve this question




















  • 1





    Aren't you actually looking at your own FreeDOS disk?

    – grawity
    Jan 17 at 5:26











  • I originally thought that is what I was looking at but I don't think that is the case based on the files and the boot sector mentioned.

    – blackpine
    Jan 18 at 13:34
















0















I am trying to track down the location of persistent malware and have found a small partition I am unable to remove along with some files that I can only see when I use SPFdisk (Free Dos). I have included a URL pointing to my Google Drive account where i have stored two photos for visual reference to my questions.



Questions




  1. Can someone please explain the values listed under the columns "Type, Size, Date and Time" of the files autoexec.bat, MENU.bat and choice.exe (all labeled green/blue). Those three files are only appearing when I use this program and the rest can be seen in the root directory at the command line. I would very much like to remove them from my computer along with the fourth file (sigma)ENU.BAT which is also visible in this location only. I do understand that the last mentioned file is/has been deleted (not by me) and I assume the malware is recalling it using the function "undelete" or some similar variation.


  2. The second photo is showing the attributes for 2/2 boot records on a 31Mb partition I can't seem to remove for the life of me. I don't understand the values shown, such as how many FAT copies there are, what the media descriptor is or it's role in the partition scheme, how many sectors per FAT and per Track, the sides per cylinder value, what the extended boot record signature is and what it is used for, the significance of the volume label and physical drive number values (these values seem abnormal) and most importantly, how can the hidden sectors listed be accessed for complete removal?



Due to the size limitation for uploading images, I have provided a URL to my google drive account where they are stored.



Root Dir Photo:
https://drive.google.com/file/d/1s4wcw7v-IH70ZX--jfDd5tiQN4BvlqG3/view?usp=sharingusp=sharing



Boot Record Photo:
https://drive.google.com/file/d/1vdVA_KsSv8iDrr6x8u_Gjl8dR5L1kQ-R/view?usp=sharing






partitioning filesystems malware-removal







share|improve this question




















  • 1





    Aren't you actually looking at your own FreeDOS disk?

    – grawity
    Jan 17 at 5:26











  • I originally thought that is what I was looking at but I don't think that is the case based on the files and the boot sector mentioned.

    – blackpine
    Jan 18 at 13:34














0












0








0








I am trying to track down the location of persistent malware and have found a small partition I am unable to remove along with some files that I can only see when I use SPFdisk (Free Dos). I have included a URL pointing to my Google Drive account where i have stored two photos for visual reference to my questions.



Questions




  1. Can someone please explain the values listed under the columns "Type, Size, Date and Time" of the files autoexec.bat, MENU.bat and choice.exe (all labeled green/blue). Those three files are only appearing when I use this program and the rest can be seen in the root directory at the command line. I would very much like to remove them from my computer along with the fourth file (sigma)ENU.BAT which is also visible in this location only. I do understand that the last mentioned file is/has been deleted (not by me) and I assume the malware is recalling it using the function "undelete" or some similar variation.


  2. The second photo is showing the attributes for 2/2 boot records on a 31Mb partition I can't seem to remove for the life of me. I don't understand the values shown, such as how many FAT copies there are, what the media descriptor is or it's role in the partition scheme, how many sectors per FAT and per Track, the sides per cylinder value, what the extended boot record signature is and what it is used for, the significance of the volume label and physical drive number values (these values seem abnormal) and most importantly, how can the hidden sectors listed be accessed for complete removal?



Due to the size limitation for uploading images, I have provided a URL to my google drive account where they are stored.



Root Dir Photo:
https://drive.google.com/file/d/1s4wcw7v-IH70ZX--jfDd5tiQN4BvlqG3/view?usp=sharingusp=sharing



Boot Record Photo:
https://drive.google.com/file/d/1vdVA_KsSv8iDrr6x8u_Gjl8dR5L1kQ-R/view?usp=sharing






partitioning filesystems malware-removal







share|improve this question
















I am trying to track down the location of persistent malware and have found a small partition I am unable to remove along with some files that I can only see when I use SPFdisk (Free Dos). I have included a URL pointing to my Google Drive account where i have stored two photos for visual reference to my questions.



Questions




  1. Can someone please explain the values listed under the columns "Type, Size, Date and Time" of the files autoexec.bat, MENU.bat and choice.exe (all labeled green/blue). Those three files are only appearing when I use this program and the rest can be seen in the root directory at the command line. I would very much like to remove them from my computer along with the fourth file (sigma)ENU.BAT which is also visible in this location only. I do understand that the last mentioned file is/has been deleted (not by me) and I assume the malware is recalling it using the function "undelete" or some similar variation.


  2. The second photo is showing the attributes for 2/2 boot records on a 31Mb partition I can't seem to remove for the life of me. I don't understand the values shown, such as how many FAT copies there are, what the media descriptor is or it's role in the partition scheme, how many sectors per FAT and per Track, the sides per cylinder value, what the extended boot record signature is and what it is used for, the significance of the volume label and physical drive number values (these values seem abnormal) and most importantly, how can the hidden sectors listed be accessed for complete removal?



Due to the size limitation for uploading images, I have provided a URL to my google drive account where they are stored.



Root Dir Photo:
https://drive.google.com/file/d/1s4wcw7v-IH70ZX--jfDd5tiQN4BvlqG3/view?usp=sharingusp=sharing



Boot Record Photo:
https://drive.google.com/file/d/1vdVA_KsSv8iDrr6x8u_Gjl8dR5L1kQ-R/view?usp=sharing






partitioning filesystems malware-removal




partitioning filesystems malware-removal






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 17 at 3:29







blackpine

















asked Jan 14 at 13:53









blackpineblackpine

144




144








  • 1





    Aren't you actually looking at your own FreeDOS disk?

    – grawity
    Jan 17 at 5:26











  • I originally thought that is what I was looking at but I don't think that is the case based on the files and the boot sector mentioned.

    – blackpine
    Jan 18 at 13:34














  • 1





    Aren't you actually looking at your own FreeDOS disk?

    – grawity
    Jan 17 at 5:26











  • I originally thought that is what I was looking at but I don't think that is the case based on the files and the boot sector mentioned.

    – blackpine
    Jan 18 at 13:34








1




1





Aren't you actually looking at your own FreeDOS disk?

– grawity
Jan 17 at 5:26





Aren't you actually looking at your own FreeDOS disk?

– grawity
Jan 17 at 5:26













I originally thought that is what I was looking at but I don't think that is the case based on the files and the boot sector mentioned.

– blackpine
Jan 18 at 13:34





I originally thought that is what I was looking at but I don't think that is the case based on the files and the boot sector mentioned.

– blackpine
Jan 18 at 13:34










0






active

oldest

votes











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1394135%2fmalware-hunting-with-free-dos-spfdisk-questionable-files-and-partition%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1394135%2fmalware-hunting-with-free-dos-spfdisk-questionable-files-and-partition%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Plaza Victoria

Image
Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l
Read more

In PowerPoint, is there a keyboard shortcut for bulleted / numbered list?

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 2 OneNote has two useful keyboard shortcuts for bulleted and numbered lists, namely Ctrl + . and Ctrl + - . Is there something similar for PowerPoint where the work with lists is also very common? Haven't found anything here: Use keyboard shortcuts in PowerPoint. keyboard-shortcuts microsoft-powerpoint share | improve this question edited Aug 14 '14 at 14:49 Linger 2,826 10 28 40
Read more

How to put 3 figures in Latex with 2 figures side by side and 1 below these side by side images but in...

Image
1 0 I want to put 3 images in LateX such as 2 figures are side by side horizotally and 3rd figure below these 2 side by side figures but in middle. I have following code: begin{figure}[H] centering begin{minipage}{.5textwidth} centering includegraphics[width=.50linewidth]{Text/Images/Genelec_8010_AP.jpg} captionof{figure}{Genelec 8010 AP} label{fig:Genelec 8010} end{minipage}% begin{minipage}{.5textwidth} centering includegraphics[width=.69linewidth]{Text/Images/Genelec_8020_CPM.jpg} captionof{figure}{Genelec 8020 CPM} label{fig:Genelec 8020} end{minipage}% end{figure} %%Here is my 3rd picture code begin{figure} centering includegraphics[width=5cm]{Text/Images/Genelec_8030_BPM.jpg} caption{Genelec 8030 BPM} label{fig:Genelec 8030} end{figure} I want to ask ho
Read more