Question How can malware remain on PC after I format my HDD?

Strike

New Member
Thread author
Jun 12, 2022
6
How can a virus remain in the system after formatting the whole HDD?
What are the types and how to remove them?
I'm asking because my PC is infected with a fully undetectable remote access trojan,
which remains after re-installation of my operating system (with media created on a clean PC, of course).
Every opinion is WELCOME!
THANKS!
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
913
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

To answer your question read about it.

How can malware remain on PC after I format my HDD?

===

For now let's see what we can find on your computer.


Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
Save it to a folder on your computer's Desktop.
Ensure that you are using an Administrator account.
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file(s): a two-step process.
Reply to this topic.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persist.

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your anti-virus program, trust it if it was downloaded from the link I provided.
You should restore the program from the Quarantine folder.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
913
Hi,

I'm not a Linux user so cannot guide you.
However I have found this article on how you can run a .exe file such as the Farbar program.


If you are able to run the Farbar program and post the logs I may be able to help you further.

If you know someone who can show you how, get help from him.
 

struppigel

Moderator
Verified
Staff member
Well-known
Apr 9, 2020
561
Moderation notes: I moved the topic from "Windows Malware Removal Help" into the "General Security Discussions" forum so that others can reply to your question.
Reasons:
There is no trained helper for Linux-based malware removal in this forum. That means no one here can assist you, but people might still be able to answer your more general question.
Farbar is not suitable for Linux malware removal; even if it ran, e.g., with Wine, it would look for Windows-specific autostart locations which do not exist on Linux.

I will compose a more general answer later today, when I have some more time.
 

Brahman

Level 15
Verified
Top poster
Well-known
Aug 22, 2013
700
How can a virus remain in the system after formatting the whole HDD?
What are the types and how to remove them?
I'm asking because my PC is infected with a fully undetectable remote access trojan,
which remains after re-installation of my operating system (with media created on a clean PC, of course).
Every opinion is WELCOME!
THANKS!
What's your distro? How did you know that you have a remote access trojan on your Linux distro? Do you have iptables switched on? (Ubuntu, for example, has apps like ufw/gufw as a front end for iptables, which when switched on can block incoming connections not originated from your PC.) What router do you have? Most low-end routers supplied by internet service providers never get updated and can become part of botnets.

For the sake of safety: disconnect your LAN, switch off all IoT devices, switch off your router and, if possible, reset it and update its firmware; reset your BIOS; boot from a DVD (don't use a bootable USB) of your preferred Linux distro; remove all partitions, recreate all partitions, then install your distro and, if possible, encrypt your drive (I would prefer a distro with drive encryption capability; Pop!_OS provides an option to encrypt the entire drive); enable the iptables firewall after install. Use NextDNS system-wide and use DNS-over-TLS encryption (you can edit the "systemd-resolved" config file to add the IP address for NextDNS; the information is available on the NextDNS settings page, and you can use the "sudo gedit /etc/systemd/resolved.conf" command to edit the system file graphically). You can alternatively use Safing Portmaster to control apps on your Linux distro. Connect to the net only after doing these steps.

1. https://www.linux.com/topic/desktop/security-tools-check-viruses-and-malware-linux/
 

The_King

Level 12
Verified
Top poster
Well-known
Aug 2, 2020
534
It is possible that the device firmware is infected with the Malware/RAT.
This is more common if you have purchased a used device rather than new.

You can try dumping the BIOS/firmware and scanning it for malware.

Make sure you are running the latest BIOS/firmware and security updates for all your devices motherboard, router etc.
 

Strike

New Member
Thread author
Jun 12, 2022
6
Guys, sorry for my late reply.
But I had no internet until today (I think that the RAT has an option to stop my internet).
At the moment I use Gentoo.
I know that my PC is infected with a RAT, because my PC is doing strange things, for example:
- stops my internet
- stops apps
- 100% also has a keylogger, because some of my passwords were changed
- sometimes my mouse moves over my desktop
- my DVD writer just opens without me touching anything
- etc. etc.

I have tried to do a low-level format and then I flashed my BIOS.
But the virus still remains.
The problem is that all my devices are now hacked ... and even a firewall can't catch them.
What can you suggest me to do?
@The_King how to dump the BIOS/firmware and where to scan it? THANKS!
 

Kuttz

Level 13
Verified
Top poster
Well-known
May 9, 2015
610
Guys, sorry for my late reply.
But I had no internet until today (I think that the RAT has an option to stop my internet).
At the moment I use Gentoo.
I know that my PC is infected with a RAT, because my PC is doing strange things, for example:
- stops my internet
- stops apps
- 100% also has a keylogger, because some of my passwords were changed
- sometimes my mouse moves over my desktop
- my DVD writer just opens without me touching anything
- etc. etc.

I have tried to do a low-level format and then I flashed my BIOS.
But the virus still remains.
The problem is that all my devices are now hacked ... and even a firewall can't catch them.
What can you suggest me to do?
@The_King how to dump the BIOS/firmware and where to scan it? THANKS!

Do those symptoms occur when you are not connected to the internet?
 

jetman

Level 9
Verified
Well-known
Jun 6, 2017
441
If it were me, I would be inclined to physically remove the hard drive and attach it to another computer (perhaps a Windows machine ) as an external drive. I would then reformat the drive using the second computer and run a malware scan on it.

That's what I would try first personally, although if the firmware of the drive has been compromised, it may be that a more complex solution is needed. Others who are more knowledgeable than me have commented on that approach.

But if this computer is your main device, you might just want to buy a new hard drive. They are cheap enough these days. I'd seriously consider that option.

Before I did any of the above I would use a clean device (such as a phone) to update the passwords for my email accounts and anything else that might be important. And make sure two factor authentication is switched on. Perhaps ask for replacement payment cards if you have used any on the infected machine.
 

The_King

Level 12
Verified
Top poster
Well-known
Aug 2, 2020
534
@The_King how to dump the BIOS/Firmware and where to scan it? THANKS!
This tutorial should help. There are also some good videos on Youtube if you need more info.
 

Strike

New Member
Thread author
Jun 12, 2022
6
Do those symptoms occur when you are not connected to the internet?
No, they happen only when my PC is connected to the internet.
Btw, guys, with this command (dd if=/dev/sda of=mbr.bin bs=512 count=1) from the terminal I was able to save the MBR and scan it; here are the results:

I also checked that the firmware of the HDD is up to date.
I've done a BIOS flash on the machine and it still remains ....
Just don't know what else it can be :D
 
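The dd command in the post above only captures the first 512 bytes of the disk. The following script is an added example, not part of the thread and not something Strike or any forum member posted: it builds a constructed 512-byte MBR image (so it runs without touching a real disk), checks the 0x55AA boot signature, decodes the four partition entries, and hashes only the boot-code area (bytes 0-445) so that a dump taken after a clean install can serve as a baseline and later dumps can be compared against it. All function names (`poke`, `byte_at`, `u32_at`, `mbr_signature_ok`, `mbr_partition`, `bootcode_hash`, `mbr_bootcode_same`) are this example's own. Note that the MBR only covers legacy boot code; firmware, SPI flash and the drive's own controller firmware are outside what this dump can show.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a saved MBR image of the kind
# produced by `dd if=/dev/sda of=mbr.bin bs=512 count=1`.
# The sample image is constructed below so the script runs without reading any disk.
set -eu

# Write one byte (given as a three-digit octal value) at OFFSET in FILE.
poke() { printf "\\$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# Build a constructed 512-byte MBR: empty boot code, one bootable Linux partition
# (type 0x83, start LBA 2048, 1048576 sectors) and the 0x55AA boot signature.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    poke "$1" 446 200   # entry 1, status 0x80 = bootable
    poke "$1" 450 203   # entry 1, type 0x83 = Linux
    poke "$1" 455 010   # entry 1, LBA start 0x00000800 little-endian (byte 1 = 0x08)
    poke "$1" 460 020   # entry 1, sector count 0x00100000 little-endian (byte 2 = 0x10)
    poke "$1" 510 125   # signature byte 0x55
    poke "$1" 511 252   # signature byte 0xAA
}

# Read one unsigned byte at OFFSET as a decimal number.
byte_at() { od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' \n'; }

# Read a 4-byte little-endian unsigned integer at OFFSET (assembled byte by byte,
# so the result does not depend on the host's endianness).
u32_at() {
    b0=$(byte_at "$1" "$2");          b1=$(byte_at "$1" $(($2 + 1)))
    b2=$(byte_at "$1" $(($2 + 2)));   b3=$(byte_at "$1" $(($2 + 3)))
    echo $(( b0 | (b1 << 8) | (b2 << 16) | (b3 << 24) ))
}

# True when bytes 510-511 hold the 0x55 0xAA boot signature.
mbr_signature_ok() {
    [ "$(byte_at "$1" 510)" = 85 ] && [ "$(byte_at "$1" 511)" = 170 ]
}

# Decode partition entry N (1-4): "status type lba_start sector_count".
mbr_partition() {
    off=$((446 + ($2 - 1) * 16))
    printf '%s %s %s %s\n' "$(byte_at "$1" "$off")" "$(byte_at "$1" $((off + 4)))" \
        "$(u32_at "$1" $((off + 8)))" "$(u32_at "$1" $((off + 12)))"
}

# Hash of stdin: sha256 where available, POSIX cksum otherwise.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else cksum; fi | cut -d' ' -f1
}

# Hash only the boot-code area (bytes 0-445). The partition table is excluded
# because it legitimately changes when partitions are recreated; boot code should not.
bootcode_hash() { dd if="$1" bs=446 count=1 2>/dev/null | digest; }

# True when two dumps carry identical boot code (baseline vs. current dump).
mbr_bootcode_same() { [ "$(bootcode_hash "$1")" = "$(bootcode_hash "$2")" ]; }

# Demonstration on the constructed image; a real run would use the saved mbr.bin
# and a baseline dump kept from right after a clean install.
work=$(mktemp -d)
make_sample_mbr "$work/mbr.bin"
cp "$work/mbr.bin" "$work/mbr-baseline.bin"
if mbr_signature_ok "$work/mbr.bin"; then echo "boot signature 0x55AA present"; fi
for n in 1 2 3 4; do echo "partition $n: $(mbr_partition "$work/mbr.bin" "$n")"; done
echo "boot code digest: $(bootcode_hash "$work/mbr.bin")"
if mbr_bootcode_same "$work/mbr-baseline.bin" "$work/mbr.bin"; then
    echo "boot code unchanged since baseline"
fi
rm -rf "$work"
```

Against a real dump, a boot-code digest that differs from the baseline, or a signature that is missing, is worth a closer look; a matching digest shows only that the legacy boot sector is unchanged, not that the machine is clean.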

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,245
@Strike,

There can be several possibilities, for example:
  1. Infected router.
  2. Infected Bios/UEFI.
  3. Infected SPI Flash.
  4. Bad USB.
  5. Another infected computer in the local network.
  6. The infected neighborhood network (Emotet).
  7. Local Hacker.
Points 1, 4, 5, 6 and 7 can be temporarily prevented by disconnecting the machine from the network for some time and not using external devices. I would also disconnect all internal drives and try to install a new system from the DVD on a completely new hard drive. Next, you should observe the system for a couple of days and scan against malware via a Kaspersky Live CD created and updated on some clean machine.
The problems related to points 1, 4, 5, 6, and 7 are other stories.
 

Strike

New Member
Thread author
Jun 12, 2022
6
@Strike,

There can be several possibilities, for example:
  1. Infected router.
  2. Infected Bios/UEFI.
  3. Infected SPI Flash.
  4. Bad USB.
  5. Another infected computer in the local network.
  6. The infected neighborhood network (Emotet).
  7. Local Hacker.
Points 1, 4, 5, 6 and 7 can be temporarily prevented by disconnecting the machine from the network for some time and not using external devices. I would also disconnect all internal drives and try to install a new system from the DVD on a completely new hard drive. Next, you should observe the system for a couple of days and scan against malware via a Kaspersky Live CD created and updated on some clean machine.
The problems related to points 1, 4, 5, 6, and 7 are other stories.
1. I think that the router isn't infected, because I bought it new a month ago, and never entered the admin panel password anywhere.
2. My PC is old and doesn't have UEFI.
3. That means nothing to me.
4. I always use DVD disks made from a clean PC only.
5. BTW, all my devices are now hacked with this virus.
6. I never open mail attachments/files from untrusted people.
7. This is possible.

I will do a scan with Kaspersky Rescue Disk.
And btw I can't afford to buy a new hard disk right now.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,245
@Strike,

I posted here to show you that your problem can be very complex. I do not think that you can solve it by asking on the forums. There are many possibilities and it would be hard to help you without sitting in front of your computer.
Anyway if you are still motivated, you need to learn more about hacking, router infections/exploits, rootkits, and bootkits. (y)
 

brambedkar59

Level 24
Verified
Top poster
Well-known
Apr 16, 2017
1,354
But I had no internet until today (I think that the RAT has an option to stop my internet).
At the moment I use Gentoo.
I know that my PC is infected with a RAT, because my PC is doing strange things, for example:
- stops my internet
- stops apps
- 100% also has a keylogger, because some of my passwords were changed
- sometimes my mouse moves over my desktop
- my DVD writer just opens without me touching anything
- etc. etc.

I have tried to do a low-level format and then I flashed my BIOS.
But the virus still remains.
The problem is that all my devices are now hacked ... and even a firewall can't catch them.
What can you suggest me to do?
Most of these problems can be explained by old hardware, an unstable Linux distro (when you tweak it too much, it's not as stable anymore and makes the apps/OS crash), or a bad ISP (internet stops working suddenly and then after a few seconds it works again. This reminds me of my last ISP; it was hell).
Not saying your system is clean, but I have seen these things happen on my old desktop; turns out it had a faulty power supply, everything including mouse & keyboard would go wonky for a few secs every hour and then back to normal. I would take the system to a PC repair shop first just to eliminate the boring stuff.
Also, websites get hacked all the time, which might explain why some of your passwords were changed (check your hacked credentials here). This is why 2FA is important, and don't reuse the same password on other websites.
 