Malware Hunting With Free Dos/SPFdisk: Questionable Files and Partition
I am trying to track down the location of persistent malware and have found a small partition I am unable to remove, along with some files that I can only see when I use SPFdisk (FreeDOS). I have included a URL pointing to my Google Drive account where I have stored two photos for visual reference to my questions.
Questions
Can someone please explain the values listed under the columns "Type, Size, Date and Time" of the files autoexec.bat, MENU.bat and choice.exe (all labeled green/blue)? Those three files only appear when I use this program; the rest can be seen in the root directory at the command line. I would very much like to remove them from my computer along with the fourth file, (sigma)ENU.BAT, which is also visible in this location only. I do understand that the last mentioned file is/has been deleted (not by me) and I assume the malware is recalling it using the function "undelete" or some similar variation.
The second photo shows the attributes for 2/2 boot records on a 31 MB partition I can't seem to remove for the life of me. I don't understand the values shown, such as: how many FAT copies there are; what the media descriptor is or its role in the partition scheme; how many sectors per FAT and per track; the sides per cylinder value; what the extended boot record signature is and what it is used for; the significance of the volume label and physical drive number values (these values seem abnormal); and, most importantly, how can the hidden sectors listed be accessed for complete removal?
Due to the size limitation for uploading images, I have provided a URL to my Google Drive account where they are stored.
Root Dir Photo:
https://drive.google.com/file/d/1s4wcw7v-IH70ZX--jfDd5tiQN4BvlqG3/view?usp=sharing
Boot Record Photo:
https://drive.google.com/file/d/1vdVA_KsSv8iDrr6x8u_Gjl8dR5L1kQ-R/view?usp=sharing
partitioning filesystems malware-removal
asked Jan 14 at 13:53 by blackpine, edited Jan 17 at 3:29
Aren't you actually looking at your own FreeDOS disk? – grawity, Jan 17 at 5:26
I originally thought that is what I was looking at but I don't think that is the case based on the files and the boot sector mentioned. – blackpine, Jan 18 at 13:34
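The boot-record values the question asks about (FAT copies, media descriptor, sectors per FAT and per track, sides/heads, hidden sectors, extended boot signature, physical drive number, volume label) are the BIOS Parameter Block that starts at byte 11 of a volume's first sector. The Python decoder below is an added example, not code from the question or from SPFdisk; the boot sector it parses is constructed here for a roughly 31 MB FAT16 volume and does not reproduce the asker's actual values.

```python
import struct

BPB_FMT, EBPB_FMT = "<HBHBHHBHHHII", "<BBBI11s8s"   # BPB at offset 11, extended BPB at 36
FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fat_copies",
          "root_entries", "total_sectors_16", "media_descriptor", "sectors_per_fat",
          "sectors_per_track", "heads", "hidden_sectors", "total_sectors_32")

def build_sample_boot_sector() -> bytes:
    """Constructed sample: ~31 MB FAT16 volume at LBA 63 (one CHS track of 'hidden' sectors before it)."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xEB\x3C\x90", b"MSDOS5.0"          # jump over the BPB, OEM name
    struct.pack_into(BPB_FMT, bs, 11, 512, 2, 1, 2, 512, 63441, 0xF8, 124, 63, 16, 63, 0)
    struct.pack_into(EBPB_FMT, bs, 36, 0x80, 0, 0x29, 0x1234ABCD, b"NO NAME    ", b"FAT16   ")
    bs[510:512] = b"\x55\xAA"                                  # boot sector signature
    return bytes(bs)

def parse_bpb(sector: bytes) -> dict:
    """Decode the fields SPFdisk shows for a FAT12/FAT16 boot record."""
    bpb = dict(zip(FIELDS, struct.unpack_from(BPB_FMT, sector, 11)))
    drive, _, ext_sig, vol_id, label, fstype = struct.unpack_from(EBPB_FMT, sector, 36)
    bpb.update(physical_drive=drive, ext_boot_signature=ext_sig, volume_id=vol_id,
               volume_label=label.decode("ascii", "replace").rstrip(),
               fs_type=fstype.decode("ascii", "replace").rstrip(),
               boot_signature=struct.unpack_from("<H", sector, 510)[0])
    return bpb

def layout(bpb: dict) -> dict:
    """Sector offsets of FATs, root directory and data area inside the volume, the
    cluster count that decides FAT12/16/32, and the volume's offset from the disk."""
    bps = bpb["bytes_per_sector"]
    total = bpb["total_sectors_16"] or bpb["total_sectors_32"]
    fat_start = bpb["reserved_sectors"]                        # FAT #1 follows the reserved area
    root_start = fat_start + bpb["fat_copies"] * bpb["sectors_per_fat"]
    data_start = root_start + (bpb["root_entries"] * 32 + bps - 1) // bps
    clusters = (total - data_start) // bpb["sectors_per_cluster"]
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return dict(fat_start=fat_start, root_start=root_start, data_start=data_start,
                clusters=clusters, fat_type=fat_type, volume_bytes=total * bps,
                volume_lba_on_disk=bpb["hidden_sectors"])   # primary partition: LBA of sector 0

def anomalies(bpb: dict) -> list:
    """Values a DOS-formatted hard-disk volume would not normally carry."""
    checks = [
        (bpb["boot_signature"] != 0xAA55, "no 55AA boot signature"),
        (bpb["ext_boot_signature"] not in (0x28, 0x29), "no extended boot signature (0x29 expected)"),
        (bpb["physical_drive"] != 0x80, "physical drive is not 0x80 (first hard disk)"),
        (bpb["media_descriptor"] != 0xF8, "media descriptor is not 0xF8 (fixed disk)"),
    ]
    return [msg for bad, msg in checks if bad]
```

For a primary partition the hidden-sectors count is simply how many sectors lie between the start of the disk and the volume's boot sector, so the "hidden" sectors are the MBR track in front of the volume and can be imaged with any raw sector reader at LBA 0 up to that count; for a logical drive inside an extended partition, older DOS versions count from the extended boot record instead of from the disk start.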