Virus surviving reinstall please help

Status
Not open for further replies.

sonicboom282

Estimable
Oct 9, 2014
9
0
4,510
Hello, I am in desperate need of assistance. Any help you can give me I would be so grateful for.

So it all started when Avast picked up a virus in my app data temporary burn folder, called the desktop.ini.
After a quick bit of research I found out that this can be an indication of ransomware.

I quickly acted, quarantining the files, then turning off my computer and unplugging my secondary and tertiary drives. I then immediately reinstalled Windows 10, updated it, and it appears the viruses are still there. They appear to be both in the .Old Windows installation, and the new Windows installation. This would seem to show that the virus is still active and capable of moving around the drive. I have no idea if the secondary and tertiary drives are uninfected or not, I can't plug them into anything to find out without risking whatever I plug them into. I just have to run on the assumption that the virus only infected the primary system drive for now.

I am unsure how to continue. If I reinstall Windows 10 it will simply remain in the .old installation.
How can I safely wipe this drive to use it as my new system drive, without having to plug it into something and potentially risk or endanger that system?

I'm really stressed and concerned. This is the worst infection I've ever suffered from. Any help is greatly appreciated.
 
atljsf

Estimable
Jun 17, 2015
256
1
5,210
reinstall keeps the old files, the virus is still there of course

what you need to do is take the important files from the hard disk you have installed windows and when you are sure you saved what you really need like desktop files, my documents, downloads, images and that sort of stuff, i would format that hard disk

then install windows, install updates, antivirus, malwarebytes and then copy back the backup of files you did

reinstall will keep all your old files, including temp files and viruses on the appdata that could exist, so a clean start is necessary here
 

USAFRet

Illustrious
Moderator
You need to do a full wipe of all existing partitions during this reinstall.
Doing this will result in no 'windows.old', or anything else from the original install.

Save anything that is known not infected, off to another drive.
Boot from your install media
When it asks 'where' to install, select Custom.
You'll be presented with a list of all existing partitions
Select each, and DELETE
Leaving one large blank space.
Let Windows install to that, creating what it needs
 

sonicboom282

I have read that this doesn't actually delete the files in said partitions however, it just destroys the file system. How can I wipe this drive entirely before I do the reinstall?
 

USAFRet

Deleting the partitions during the install will ensure that this virus is actually gone.
It will not survive this, if you do it correctly.

And doesn't matter that it is on an SSD.
 

sonicboom282

I am on the custom install screen right now, it appears that this is what I did last time and the virus still survived. I selected delete on all partitions.

PS: DBAN says it only works with hdds.
 

USAFRet

Oops... that's right. Not SSD.

A virus absolutely will NOT survive deleting all the partitions.
You've booted from the install media, rather than starting it from within the current windows instance?
 

sonicboom282

I have now discovered that it has also infected one of my family member's laptops, after running an Avast scan on it. I immediately shut down the computer. Does this mean it's infected our network? What do I do? I'm starting to become quite scared.
 

USAFRet

It did not infect 'the network'.
It simply infected other systems it could see in the same network.

This is where you isolate all the systems, and either recover each from an uninfected backup, or wipe and reinstall all of the systems.
Do not connect anything until it is fully restored.
 

sonicboom282

https://forum.avast.com/index.php?topic=205279.0

I saw this thread on the Avast forums just now. Is it possible that these are false positives? And if so, what should I do just to be safe?

Second question, after a Windows reinstall, upon restart it said that bitdefender had an error. I don't have bitdefender, and never have. This seemed too much of a coincidence, and is one of the things that worries me so much.

If it helps, I have Spybot Search & Destroy, and I've heard that that uses bitdefender technology and that could be causing the error. Any advice or help is greatly appreciated, I'm sorry for all the questions but I just want to be safe.
 

USAFRet

I did not pick up on that in your OP.
desktop.ini is common and to be expected. Every system, including mine...has those files.
If Avast is marking that, and only that, as a virus....Avast has serious issues.

Scan with some other tool. See what happens.
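
An added example, not part of the thread or any poster's reply: one way to look at what a flagged desktop.ini actually contains before deciding whether the alert is a false positive. The allow-list of section and key names and both sample files are constructed assumptions, and the result is a triage aid, not a malware verdict.

```python
import configparser

# Names Explorer commonly writes into desktop.ini (assumed allow-list, not exhaustive).
EXPECTED = {
    ".shellclassinfo": {"localizedresourcename", "iconresource", "iconfile", "iconindex",
                        "infotip", "clsid", "clsid2", "confirmfileop", "nosharing"},
    "viewstate": {"mode", "vid", "foldertype", "logo"},
    "localizedfilenames": None,  # keys here are arbitrary file names
}

def decode_ini(raw: bytes) -> str:
    """desktop.ini is usually UTF-16 with a BOM; otherwise treat it as UTF-8 or ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("cp1252", errors="replace")

def triage_desktop_ini(raw: bytes) -> list[str]:
    """Return a list of oddities; an empty list means it looks like a normal desktop.ini."""
    if raw[:2] == b"MZ":
        return ["starts with an executable (MZ) header, not INI text"]
    text = decode_ini(raw)
    if "\x00" in text or "\ufffd" in text:
        return ["contains undecodable or binary data"]
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"not parseable as INI: {type(exc).__name__}"]
    findings = []
    for section in parser.sections():
        if section.lower() not in EXPECTED:
            findings.append(f"unexpected section [{section}]")
            continue
        allowed = EXPECTED[section.lower()]
        for key in parser[section]:  # configparser lower-cases key names
            if allowed is not None and key not in allowed:
                findings.append(f"unexpected key '{key}' in [{section}]")
    return findings

# Constructed samples: a typical Explorer-written file and one with extra content.
SAMPLE_BENIGN = ("[.ShellClassInfo]\r\n"
                 "LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21769\r\n"
                 "IconResource=%SystemRoot%\\system32\\imageres.dll,-183\r\n").encode("utf-16")
SAMPLE_ODD = b"[.ShellClassInfo]\nIconIndex=0\nExtraKey=1\n[Settings]\nfoo=bar\n"

if __name__ == "__main__":
    for name, data in (("benign", SAMPLE_BENIGN), ("odd", SAMPLE_ODD)):
        print(name, triage_desktop_ini(data) or "looks like a normal desktop.ini")
```
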
 

atljsf

the virus could be an attachment or a file you copied on a usb drive you have there

use malwarebytes and a good antivirus, if you can install windows from clean, that is great too

if you can use a linux livecd and you know what the viruses are, just delete them, linux is not scared of any windows virus, for linux a virus is just a simple file
 

sonicboom282

I scanned with Malwarebytes and Spybot Search & Destroy before performing the nuke, both showed no detections. Does this mean I am safe and good to reinstall Windows, and that I can just ignore the Avast threat warnings as false positives? Or should I err on the side of caution and wait, or do something else?

PS: there are a lot of threads popping up on the Avast forums saying that it appears to be a false positive. I think I'm safe. But any advice or research anyone can do/point me towards to help put my mind at ease would be awesome. Thank you all for your help
 

atljsf

reinstall no, again, no, you need a clean install

remember that a virus is just a file that does something you don't want and also can put registry entries, that is why you need to get rid of the install and the users folder, only save personal files and add them after you install windows, updates and antivirus, that way if some surprise was in downloads folder or my documents folder will be found and nuked easily, after you install a clean version of windows

the other hard disks you mention, keep them unplugged, same applies for the backup we are telling you to do, add it when you know your system has all updates, a good antivirus and a malwarebytes install helping catch any surprise you got there

the key here is save files and then clean them after the install is capable of doing that, but you need a clean installation, no reinstalls

start backing up all what you find in desktop, my documents, downloads, pictures, music, videos, all you know you really need

the rest must be wiped because you can't be sure if appdata files and folders like bookmarks, configs for other things stored on c:\users can be reused

after this, remember, always keep backups of your personal files, outside the machine, not inside, to avoid these situations again
 
Solution