Virus persists through Format

Solved by GoodBytes


So my brother recently got his replacement SSD from Adata. I set up a fresh USB drive with Windows 8.1 so I could install Windows for him. After going through the format and installation, I went to IE to download Chrome... The browser is crammed full of crap, ads, stuff trying to download, and loading "astromedia". Immediately my assumption is Adata sent a refurb drive without properly validating it. No other drives were connected during this installation, and this only occurs when installing on the Adata replacement drive. I've tried using the long format option and even deleting the entire volume, and still it persists during a fresh Windows 8.1 installation.

 

Is there anything I can do or are we going to have to yell at Adata for failing their refurb validation process?

https://linustechtips.com/topic/231435-virus-persists-through-format/

It might not be the SSD but the BIOS. There is no way to know the PC is safe anymore, nor the SSD.

Flashing the SSD requires a clean PC to flash it from, but there's no telling if the SSD will infect the new machine. Nor can you flash the BIOS if the virus is in there and know for sure it hasn't jumped to other firmware on other devices.

 

Are you sure it's that PC, and not a virus on the network changing traffic around, adding ads?

 

Your best bet? Use a disposable machine to reflash the SSD's firmware, and reflash the MoBo off of a USB drive (with the BIOS firmware downloaded on a different PC, preferably on a different network).


Or could it be Windows 8.1 unattended and integrated with some piece of spyware or adware, a toolbar or something...

 

Is all the crap in Chrome? If so, it's probably set up to sync the crapware extensions when he signs into Chrome....

These two are good points. I know the Astromenda adware and it's not as advanced as getting into the BIOS / SSD firmware (unless something's helping it).

It might be some cloud sync thing getting the (crapware) extensions that Astromenda adds back onto the system, or indeed an unclean installation medium of Windows. Are you using an official ISO?


Is all the crap in Chrome? If so, it's probably set up to sync the crapware extensions when he signs into Chrome....

 

EDIT: Don't yell at Adata, that's a good way to not get a replacement. As someone who works retail at a computer store, I can tell you first hand that yelling at the person who is trying to help you will not help you if you piss them off.

 

I was saying that figuratively; I was referring to something more along the lines of "This happened, please fix".

 

No, none of this crap is in Chrome. Without doing anything else other than starting IE for the first time, you're flooded with crap.

 


The ISO I was using was direct from MS (benefits of being a CIS student). I have since tried installing it on other machines with different drives (coincidentally similar Adata drives) and have not been able to reproduce this.

 


Definitely not BIOS; using multiple dummy machines, the only way I've been able to reproduce this is with the Adata drive in question. The computer originally intended for the drive had a BIOS flash a day prior directly from ASRock (970 Extreme3), so it seems even more unlikely.

 

Try flashing the firmware on the SSD.

 

Never thought about flashing.


Well, it's clear in that case! Indeed, try to do a full wipe using a low-level (zero-filling) tool. Then, just to be sure, reflash its firmware. (Although I do think it's just the MBR that's infected, so any tool that can delete the MBR to bring the disk back to an uninitialized state should work.)

(bootrec /fixmbr can fix the MBR, but if the virus is active, it'll just reinstall itself.)

 

EDIT: There's a tool to check for infected MBRs here.


Could you post a screenshot of the IE window?

Unfortunately no, the computer hangs and goes to a crawl before crashing. Just imagine a typical browser full of crapware, whilst apps are suddenly being installed to your desktop; that is what's happening. Upon reboot it will complain a file in the sys32 folder is missing. This has happened multiple times, each after a fresh install. Funnily enough, even after formatting the drive and NOT installing Windows you're given this same screen.


That's a typical MBR issue right there. You may format the volume the MBR points to, but that doesn't mean there's no data on the disk. The partition table is still there.
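The point made in the two replies above (a volume format rewrites the volume, not sector 0 of the disk) is easy to verify directly. The following is an added example, not code from the thread or from any poster: a PowerShell script for Windows 8.1 or later that splits a raw 512-byte sector into boot code, partition table and signature, hashes the boot code so you can compare it with a disk you initialised yourself on a clean machine, and reads the live sector from \\.\PhysicalDriveN when run elevated. The sample sector is constructed inline, and the function names and the boot-code-hash comparison are my own choice, not something the posters described.

```powershell
# Added example, not from the thread. Reads sector 0 of a disk and breaks it
# into boot code, partition table and signature, so you can see what a volume
# format leaves behind. Run elevated on Windows 8.1 or later for the live part.

function ConvertFrom-Mbr {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw "Need a full 512-byte sector, got $($Sector.Length) bytes" }

    # Classic MBR layout: bytes 0-445 boot code, 446-509 four 16-byte
    # partition entries, 510-511 the 0x55 0xAA boot signature.
    [byte[]]$bootCode = $Sector[0..445]
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $codeHash = ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''

    $entries = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        if ($Sector[$o + 4] -eq 0) { continue }          # empty slot
        [pscustomobject]@{
            Slot     = $i
            Active   = ($Sector[$o] -eq 0x80)
            TypeId   = ('0x{0:X2}' -f $Sector[$o + 4])
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }

    [pscustomobject]@{
        SignatureOk    = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        BootCodeIsZero = (($bootCode | Where-Object { $_ -ne 0 } | Measure-Object).Count -eq 0)
        BootCodeSha256 = $codeHash
        Partitions     = @($entries)
    }
}

function Get-PhysicalDiskMbr {
    param([int]$DiskNumber = 0)
    # Raw device read; needs administrator rights.
    $fs = New-Object System.IO.FileStream("\\.\PhysicalDrive$DiskNumber", 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "Short read ($n bytes) from PhysicalDrive$DiskNumber" }
        return $buf
    } finally { $fs.Dispose() }
}

# Constructed sample sector (not a real dump): zeroed boot code, one NTFS-type
# partition starting at LBA 2048, valid signature.
$sample = New-Object byte[] 512
$sample[446] = 0x80                                   # active flag
$sample[450] = 0x07                                   # type 0x07 = NTFS/exFAT
[BitConverter]::GetBytes([uint32]2048).CopyTo($sample, 454)
[BitConverter]::GetBytes([uint32]204800).CopyTo($sample, 458)
$sample[510] = 0x55; $sample[511] = 0xAA
ConvertFrom-Mbr $sample | Format-List

# Live use (elevated), disk 1 being the suspect SSD:
#   $live = Get-PhysicalDiskMbr -DiskNumber 1
#   ConvertFrom-Mbr $live
# Compare BootCodeSha256 with the same field from a disk you initialised
# yourself on a clean machine. Format-Volume never touches this sector; to
# put the disk back to an uninitialised state use
#   Clear-Disk -Number 1 -RemoveData -RemoveOEM -Confirm:$false
# and add -ZeroOutEntireDisk to overwrite every sector, not just the metadata.
```

Two caveats. On a GPT disk booted through UEFI, sector 0 holds only a protective MBR and its boot code is never executed, so the EFI system partition is the place to look instead. And nothing read from the disk can tell you anything about firmware on the drive controller or the board, which is the case the earlier reply was worried about. Clear-Disk with -RemoveData -RemoveOEM drops the partition metadata; -ZeroOutEntireDisk overwrites every sector, which is the built-in equivalent of the low-level zero-fill suggested above.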


Even after leaving the drive in an uninitialized state? Weird, somehow I've never run into that before, and I've worked with lots of computers.


I assumed that

Upon reboot it will complain a file in the sys32 folder is missing. This has happened multiple times, each after a fresh install.

was what it's done since you got it, which would point to an incomplete wipe/MBR infection. But I read that wrong.


Update!

 

I redid the motherboard firmware, still the same result.

 

I tried updating the firmware (900 series) but the firmware version was not listed in any of the packages... (27712)

 

Tried a 3rd party formatting tool and all seems well so far. Will update if that changes.


So... I have never run into this before, but I'm suspecting "the crap" is actually tied to his Microsoft account. I suspect this because the one time it did work, I just threw together a dummy account/email while he was out of the room and everything ran fine, even after a few restarts. Logging him into his own account loads "the crap" and then results in the crash and missing sys32 file. This explains why it wouldn't recur in some situations, as I would get him to log into his own account.

 

How would I go about remedying this?


When you install Windows 8, it asks you if you want to port the backup/sync account from a system. Listed are the current system and any other Windows 8 system using the same account (say, a laptop or tablet running Windows 8).

It is important to select that you want to start fresh and not sync old settings.

 

Windows 8 by default syncs:

 -> OneDrive folder

 -> Windows end-user GUI level settings

 -> Themes

 -> IE (it's like Chrome or Firefox sync: it will sync add-ons, bookmarks, open tabs, and history)

 -> Wireless passwords used

 -> App installs and purchases, including in-app purchases

 -> Accessibility options

 -> System language settings

 

Under PC Settings > OneDrive > Sync Settings, you can customize what you want to sync or not, and whether you want to make a backup of settings online (for re-installs or transfer of systems).

 

Sorry for not catching your thread before. I was particularly busy with school.
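The account-side re-seeding GoodBytes describes can also be checked and locked down after the fact, not only at install time. The following is an added example, not code from the thread or from GoodBytes: a PowerShell script for Windows 8.1 and later that lists the sync groups recorded for the signed-in user and then sets the machine-wide SettingSync policy values that disable web browser, app and credential sync and lock the matching toggles in PC Settings. The policy value names (DisableWebBrowserSettingSync and the rest of that family) are the documented Group Policy registry values; the per-user state key under HKCU and its Enabled values are an assumption about the key layout and are read generically, so on a build that stores them differently the audit simply prints nothing for that part.

```powershell
# Added example, not from the thread. Shows what settings sync is doing for
# the current user and switches off, by machine policy, the groups that can
# re-seed a fresh install (browser add-ons, app installs, saved credentials).
# Policy value names are the SettingSync Group Policy values for Windows 8.1
# and later. ASSUMPTION: the per-user state lives under
# HKCU\...\SettingSync\Groups\<name> with an "Enabled" DWORD; it is read
# generically so a different layout just yields an empty list.

function Get-SettingSyncState {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\SettingSync'
    if (-not (Test-Path $base)) { return [pscustomobject]@{ Present = $false; Groups = @() } }
    $groups = Get-ChildItem "$base\Groups" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Group   = $_.PSChildName
            Enabled = $_.GetValue('Enabled')      # $null when this build stores it elsewhere
        }
    }
    [pscustomobject]@{ Present = $true; Groups = @($groups) }
}

function Disable-SettingSync {
    param(
        # Names as they appear in the policy values: WebBrowser, AppSync,
        # Credentials, Application, DesktopTheme, Personalization, StartLayout, Windows.
        [string[]]$Groups = @('WebBrowser', 'AppSync', 'Credentials'),
        [switch]$All
    )
    # Machine policy overrides the toggles in PC Settings; needs administrator rights.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'
    New-Item -Path $pol -Force | Out-Null
    # An empty group name produces DisableSettingSync, the switch for everything.
    $names = if ($All) { @('') } else { $Groups }
    foreach ($g in $names) {
        # 2 = disabled; UserOverride = 1 greys out the corresponding PC Settings toggle.
        New-ItemProperty -Path $pol -Name "Disable${g}SettingSync" -Value 2 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $pol -Name "Disable${g}SettingSyncUserOverride" -Value 1 -PropertyType DWord -Force | Out-Null
    }
    Get-ItemProperty -Path $pol | Select-Object -Property Disable*
}

# Audit first, then lock down the risky groups:
#   Get-SettingSyncState | Select-Object -ExpandProperty Groups
#   Disable-SettingSync            # browser, app and credential sync off
#   Disable-SettingSync -All       # everything off, toggles locked
```

Run the audit as the affected user, apply the policy from an elevated prompt, and only then sign in with the Microsoft account. This stops future pulls only: whatever IE add-ons and app lists are already stored against the account stay there until they are removed from a clean machine, and the OneDrive folder is a separate sync entirely.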


Astromedia is weird... When I built my brother-in-law's computer with all brand new hardware, it came on there with my Windows installation (which I had used before with no issue); I had to manually get rid of it. You might be able to simply uninstall it from Control Panel (it may show up as astromenda), and then change your IE settings. I also had to scrub it from my registry and temp folders. It's just crapware, not really too hard to get rid of. Something like PC Decrapifier might even get rid of it.

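For the manual clean-up the post above describes (Control Panel, IE settings, registry, temp folders), here is an added example that is not from the thread: a PowerShell triage function that searches the Run keys, the IE Main and SearchScopes keys, the Uninstall list, scheduled task actions and the user's temp folder for a pattern such as astromenda and reports every hit. The set of locations is my selection of common adware parking spots, not a complete list of Windows persistence points, and the function name and output shape are mine.

```powershell
# Added example, not from the thread. Hunts for a name (e.g. "astromenda")
# in the places this kind of adware usually parks itself. The list of
# locations is a triage choice, not a full enumeration of persistence
# points. Run elevated so the HKLM keys and all tasks are readable.

function Find-AdwareTraces {
    param([Parameter(Mandatory)][string]$Pattern)

    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Internet Explorer\Main',
        'HKLM:\Software\Microsoft\Internet Explorer\Main',
        'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        # The key itself plus one level of subkeys (Uninstall and SearchScopes use subkeys).
        $items = @(Get-Item -Path $k) + @(Get-ChildItem -Path $k -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                $data = [string]$item.GetValue($name)
                if ($item.PSChildName -match $Pattern -or $name -match $Pattern -or $data -match $Pattern) {
                    [pscustomobject]@{ Where = 'Registry'; Location = $item.Name; Name = $name; Data = $data }
                }
            }
        }
    }

    # Scheduled tasks whose name, executable or arguments mention the pattern.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Pattern -or $task.TaskName -match $Pattern) {
                [pscustomobject]@{ Where = 'Task'; Location = $task.TaskPath; Name = $task.TaskName; Data = $cmd }
            }
        }
    }

    # Dropped files in the user's temp folder.
    Get-ChildItem -Path $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'File'; Location = $_.DirectoryName; Name = $_.Name; Data = $_.Length }
        }
}

# Find-AdwareTraces -Pattern 'astromenda' | Format-Table -AutoSize
```

It only reports. Remove hits with Remove-ItemProperty, Unregister-ScheduledTask, or the Uninstall entry's own UninstallString once you have looked at each one. In the situation the OP describes, where the machine crashes shortly after login, run it from a local account that has never been signed into the Microsoft account, so the sync does not get a chance to put things back while you work.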


Hey! Use DBAN, it worked for me. DBAN will completely erase your SSD, making it just like when you bought it.

Check this tutorial :) https://www.youtube.com/watch?v=OfICZMMr0JM
