
Backstory: I got infected while installing some shady software, and at that time I kept Windows Defender off (I had very much faith in my shady website) by turning its features off. But when I started noticing some weird behavior, I enabled Windows Defender, got tons of alerts and went to neutralize the threat. But I could not turn on the cloud-based protection and sample submission, as they had been disabled.

Nevertheless, I ran a scan from Windows Defender and let it catch the trojan that got inside. In all this chaos, I had a Malwarebytes free edition exe in my Downloads folder, so I installed it and ran a scan that also caught viruses and some registry entries. By this point I was completely freaked out and ran multiple scans with Malwarebytes while Windows Defender was on a full scan. Malwarebytes was assuring me that the threat was neutralized.

Since cloud-based protection was still offline in Windows Defender, I ran some commands to edit the registry value and was able to turn it back on. But after a couple of minutes, Malwarebytes started sending messages about a script that was trying to connect to some mining site to download crypto miners, and it wouldn't stop. Every minute a pop-up appeared warning me, and Malwarebytes could not terminate the shell process that was causing it, only stop the download from that site. I manually tracked down and killed the process and then deleted all the temp files created by the virus.

After this I stopped the Windows Defender full scan; it showed a threat, which I neutralized, and I ran quick scans multiple times with both Windows Defender and Malwarebytes. I also verified all the registry entries with the program 'Autoruns', as Google told me to, and everything was clean (at least according to what the system was telling me). But because of Malwarebytes' failure to delete all registry values and stop the shell script,

I went extreme and triggered the "Reset PC" tool in Windows, choosing the "Remove Everything" option. The reset was completed but the data in my 2 other partitions (D and E) is still there.

Now my biggest fear is whether the virus can still be in any of those drives and can act behind the scenes in the system while keeping itself out of the radar of Windows Defender. Since resetting I have run 2 full scans and an offline scan.

Main Question:

So, should I completely believe that my computer is completely clean and there is no hidden virus or trojan remaining, or any other setting or its components, given that my files survived the reset even after selecting complete data removal?

schroeder
  • "I went extreme and reset all my PC without keeping any data in them." -- what does this mean? Can you rephrase this? If you just reformatted your C drive, then, no the other drives would be unaffected. Did your scans include the D and E drives? – schroeder Mar 09 '23 at 11:41
  • Can viruses reside in any drive on a system? Yes. Can viruses survive formatting? We have a few questions on that. The answer is a little complicated. – schroeder Mar 09 '23 at 11:44
  • @schroeder I performed the Windows 'Reset this PC' option that is available in Settings under the Recovery tab, and there were only two options: a) 'Keep my files' and b) 'Remove everything'. The latter option is supposed to delete everything including personal files, and I proceeded with 'Remove everything', but even after this my files are still in the D and E partitions. Why this happened I don't know, and there is no option to select specific partitions. – newperson Mar 09 '23 at 11:49
  • The Reset PC function only resets the portion that Windows is installed on. Other partitions are not touched, for obvious reasons. – schroeder Mar 09 '23 at 11:52
  • @schroeder My concern is that my files somehow did not get deleted even though they were supposed to be, so can the same be said for viruses, and should I worry about them? – newperson Mar 09 '23 at 11:53
  • Did your scans include the D and E drives? – schroeder Mar 09 '23 at 11:53
  • @schroeder So can the virus still be lurking in other drives to re-infect, or is it gone? – newperson Mar 09 '23 at 11:54
  • Reset PC would not delete the files in the D and E drive, as I said. I understand that you expected it to, but that's not what the tool is meant to do. So, your question is, can the virus still be on the D and E drives? Yes. Are those drives clean? Well, you have yet to answer my question about your scans of those drives. – schroeder Mar 09 '23 at 11:55
  • @schroeder Yes, I have done a full system scan using Windows Defender, and I thought it automatically also scans the D and E drives. – newperson Mar 09 '23 at 11:56
  • Well, you have an opportunity now to check what was scanned with Defender and Malwarebytes. – schroeder Mar 09 '23 at 11:56
  • @schroeder Is a scan from Windows Defender enough, or should I try something else? – newperson Mar 09 '23 at 11:57
  • If the tool you used was able to detect it before, then it is reasonable to assume it will detect it again. – schroeder Mar 09 '23 at 11:57
  • @schroeder How can I check it now? – newperson Mar 09 '23 at 11:58
  • Scanning tools will include some sort of log of what was scanned. – schroeder Mar 09 '23 at 11:59
  • @schroeder As I said, after resetting I have scanned 2 times and it shows nothing, but I am a little paranoid about it, so can you please suggest what I should do to be completely sure about it? – newperson Mar 09 '23 at 11:59
  • If your scans included the D and E drives, then you can be reasonably sure that the virus is not on those drives. That's why I'm asking about them. Aside from that, I can't help. – schroeder Mar 09 '23 at 12:04
  • @schroeder I checked the log of Windows Defender, but it does not show what files it has checked; googling it says a full scan scans 'all files, folders and running programs', so my best hope is that it also checked those drives. – newperson Mar 09 '23 at 12:07
  • To be sure, you can choose to scan those partitions specifically. – schroeder Mar 09 '23 at 12:12
  • @schroeder Thank you for your kind support. I have scanned both my drives and they are both clean, and now I am confident that there is no virus present on my system :). Thank you once again for helping me in need. – newperson Mar 09 '23 at 12:31
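The checks the comments keep circling back to (is cloud protection actually back on, were D: and E: really scanned, what does Defender's own log say, and the answer's Secure Boot point) can be done from an elevated PowerShell prompt with the built-in Defender cmdlets. This is an added example, not from anyone in the thread; it assumes D:\ and E:\ are the surviving data partitions and that the machine has the Defender PowerShell module (any supported Windows 10/11).

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell prompt.
# Assumption: D:\ and E:\ are the data partitions that survived "Reset this PC".

# 1. Confirm the features the poster found disabled are back on.
#    MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
#    SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    CloudProtection    = $pref.MAPSReporting
    SampleSubmission   = $pref.SubmitSamplesConsent
    SignatureAgeDays   = $status.AntivirusSignatureAge
} | Format-List

# Re-enable cloud protection and safe-sample submission if they are still off.
if ($pref.MAPSReporting -eq 0) {
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
}

# 2. Scan the data partitions explicitly instead of assuming a full scan covered them.
foreach ($drive in 'D:\', 'E:\') {
    if (Test-Path $drive) {
        Start-MpScan -ScanType CustomScan -ScanPath $drive
    }
}

# 3. Read Defender's own operational log rather than guessing what was scanned:
#    1001 = scan finished, 1116 = malware detected, 5007 = configuration changed
#    (5007 is the event to look at for the cloud-protection setting being flipped).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1001, 1116, 5007
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Detection history kept by Defender, including whether its remediation succeeded.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ActionSuccess, Resources | Format-Table -Wrap

# 4. The answer's point about UEFI Secure Boot; the cmdlet throws on legacy-BIOS machines.
try   { "SecureBoot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot state unavailable (legacy BIOS or unsupported firmware)" }
```

A full Reset removes the Defender event log along with the old installation, so the history shown in step 3 only covers scans run since the reset.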

1 Answer

So, should I completely believe that my computer is completely clean and there is no hidden virus or trojan remaining, or any other setting or its components, given that my files survived the reset even after selecting complete data removal?

Once your system has been infected all bets are off. The only way to be sure you're malware free is wiping your drive(s) clean (at the very least the EFI system partition and the Windows installation drive) and installing from known-to-be-clean media. Having Secure Boot enabled for a UEFI system is a plus.

If your system is compromised with malware it's highly recommended not to use it at all (power off immediately) - failure to do so may result in your files being encrypted or deleted, or malware propagating onto other devices on your network including your Wi-Fi router (which far too often contains vulnerabilities and can be accessed by easy-to-guess user/password combos, such as "admin/admin").

Personally I would not trust "resetting Windows". It uses files on the disk which could be compromised beyond repair.

And of course check this question: Help! My home PC has been infected by a virus! What do I do now?

Artem S. Tashkinov