Question

Can malwares spread beyond partition and reduce partition sizes?

By Healer
I have a computer with 2 hard disks. One hard disk has only a Windows 7 partition. The other one has multiple partitions with multiple Windows operating systems, i.e. Windows 2003, Windows 7, Windows Vista and Windows 2008.

All of a sudden, all Windows operating systems except the Windows 2003, on this computer on both hard disks, reported the sizes of all partitions reduced from 20GB and 90GB to 500MB. So some partitions have run out of space. The Windows Explorers and top part of the Computer Management all make such mistakes. The bottom part of the Computer Management reports correctly. Booting from an install disk, the report of the disk sizes on the GUI is still wrong. However, checking with the diskpart command on its command prompt they are all correct. Chkdsk doesn't find any problem. However Windows 7 partition cannot disable any service or startup item while running normal mode. The sfc /scannow would not run. Nevertheless, running in safe mode all the operating systems report everything correctly. Windows 2003 operating system always reports correct partition sizes.

On the latest operating systems, it is not only a reporting problem. I can't do anything because there is allegedly no free space left. Some programmes would not run. Internet is okay.

I wonder if malware can wreak such havoc on multiple partitions on two different hard disks at the same time.


All Answers

Yep.

by seanferd In reply to Can malwares spread beyon ...

Partitions are of no consequence unless the partition isn't writable from the infected system. Windows malware would be unlikely to copy itself to, or modify, an ext2 filesystem partition. But partitions and drives aren't boundaries to malware, any more than they are boundaries to the operating systems. (Note that Vista and later do use a different NTFS than XP and earlier, so XP can't read a 7 partition, but 7 can read an XP partition.)

But sure, malware can hide itself and misrepresent the partition size, modify and hide in the boot loader, etc.

In fact, I've seen just this sort of thing reported, although the lost space was not that great, and only noticed in a partition editor.

Of course, this does not discount other causes for the problem.

Get yourself some bootable offline AV/malware removal CDs and a bootable offline partition editor (e.g., GParted) and have at it. It would be best to back up your data to another drive(s), again with the OS offline, then wipe with DBAN and repartition and install. Any utility Linux distro will have the ability to access your files as well as having GParted installed, e.g., Knoppix.

Response To Answer

by Healer In reply to Yep.

But how does the malware get across the partition boundary? While I boot up one operating system, I don't normally access partitions of other operating systems except the two partitions of data and images. I believe this is the usual behaviour of everybody.

Response To Answer

by Healer In reply to Yep.

I did try some bootable offline AV/malware CDs. I have tried Dr. Web CureIt! and Spybot. It took more than 15 hours to scan the two hard disks but the problems remain. Now I have posted the problem to http://www.bleepingcomputer.com/forums/topic430981.html/page__p__2498501__fromsearch__1#entry2498501 and patiently wait.

I shall re-install if need be. I am just curious what malware is that powerful, doing such things on the computer.

When I tried Ubuntu I could find the drive in question and the drive hadn't been mounted. I forgot how to access the underlying Windows systems and the peripheral drives. Please jog my memory if you remember. I am downloading the Knoppix and the process seems to be very slow.

I do have a copy of DBAN. I don't remember if I can limit it to certain partitions that DBAN works on. Does it have to work on the hard disk?

Can you not see or read/write to the other partitions?

by seanferd In reply to Can malwares spread beyon ...

I can't imagine why not, except if one of the older Windows can't read a newer Windows FS for some reason. It doesn't really matter if you would choose to look at the other partitions or not. It's just disk space. (In fact, I think I may be wrong about XP not being able to access Vista or 7 formatted partitions.)

But this is exactly the sort of thing that MBR rootkits and friends do - access stuff that maybe you can't even access, like System Volume Information or other stuff directly on the disk, disregarding the protected mode OS. It will infect system recovery, recovery partitions, anything. And an OS partition without that OS running is even more vulnerable.

If your problem is malware, it could be a confused TDL rootkit that is repeatedly creating new partitions for itself at the end of each of your partitions.

But it is rather pointless to discuss the possible cause when you could be testing by looking at this with a partition manager or scanning for malware - or even running the drive vendor's diagnostic. You will fix the problem or gain further information by doing these things.

Best of luck with this.
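The cross-check behind "looking at this with a partition manager", as an added example that is not part of any poster's reply: it reads the MBR partition table of a raw disk image and compares each entry's size with the volume size recorded in that partition's NTFS boot sector, and also reports space past the last partition. It assumes a classic MBR disk with primary partitions only (no GPT, no extended partitions); the `SLACK` threshold and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
SLACK = 2048  # assumption: tolerate up to 1 MiB of alignment slack

def parse_mbr(mbr):
    """Return (type, start_lba, sector_count) for each used primary entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts

def ntfs_total_sectors(vbr):
    """Volume size stored in an NTFS boot sector, or None if not NTFS."""
    if len(vbr) < SECTOR or vbr[3:11] != b"NTFS    ":
        return None
    return struct.unpack_from("<Q", vbr, 0x28)[0]

def audit(image):
    """Compare each partition-table size with the size its filesystem claims."""
    findings, end = [], 0
    for ptype, start, count in parse_mbr(image[:SECTOR]):
        end = max(end, start + count)
        fs = ntfs_total_sectors(image[start * SECTOR:(start + 1) * SECTOR])
        if fs is not None and (fs > count or count - fs > SLACK):
            findings.append(("size-mismatch", start, count, fs))
    tail = len(image) // SECTOR - end
    if tail > SLACK:
        findings.append(("unallocated-tail", end, tail, None))
    return findings

def build_sample():
    """Constructed 8 MiB image: one consistent and one inconsistent NTFS volume."""
    img = bytearray(16384 * SECTOR)
    for i, (start, count, fs) in enumerate([(2048, 4096, 4095), (6144, 8192, 1024)]):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0, 0x07, start, count)
        img[start * SECTOR + 3:start * SECTOR + 11] = b"NTFS    "
        struct.pack_into("<Q", img, start * SECTOR + 0x28, fs)
    img[510:512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for finding in audit(build_sample()):
        print(finding)
```

Run it against an image taken while booted from offline media, so the values come from the disk itself rather than from the installed system's view of it.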

Response To Answer

by Healer In reply to Can you not see or read/w ...

You reckon the drive vendor's diagnostic could fix the problem, don't you? I have been doing a lot of virus scans already. Now the most-used Windows system partition seems to get much worse. The screen turns black. The operating system has become de-activated.

All along the diskpart and PowerShell and part of Computer Management report correct partition sizes.

If you can see it,

by RaymondJM4 In reply to Can malwares spread beyon ...

If you can see the other partitions from the OS infected, then so can the infection. Malware is just running code, it has access to more than you, once it gets past your security. I've never seen anything like that myself but I would believe that it could exist. If it's infected on the partition/MBR level, then you will need to debug the drive or run secure erase.

Try what Seanferd says above FIRST

Response To Answer

by Healer In reply to If you can see it,

What do you mean by debugging the drive? I don't think the drive has hardware fault because the Windows 2003 server is still working all right.

Can malwares spread beyond partition and reduce partition sizes?

by atsmar In reply to Can malwares spread beyon ...

Absolutely. "Seanferd" is right. Malware can and will infect your partitions and the archive, rendering any chance of restoring nil. Always run your anti-virus and at least two or three different malware removers. My favorites are Avast Antivirus Free, MalwareBytes, Spybot Search & Destroy and SuperAntiSpyware. When I work on badly infected computers I will take out the big gun: ComboFix. Please use this one with caution.

Response To Answer

by Healer In reply to Can malwares spread beyon ...

Unfortunately ComboFix does not work on x64 systems.

Paging File

by databaseben In reply to Can malwares spread beyon ...

I'd bet that your virtual memory / page file is out of whack.

My suggestion is to dedicate 1 little partition for the page files and custom set the virtual memory for all the OSes to target that one partition.
