How can a restore partition get corrupted?

philo 

I just worked on a Gateway laptop.
The machine was filled with trojans and almost completely
non-responsive, even after removing them by the use of a Kaspersky
rescue CD.


Backed up the data and attempted a factory restore which could not get
past the part of the post-installation "additional software" stage.

I had to boot to safe mode and remove the startup registry entries.

When all done the system was very sluggish and not acceptable.

After performing a RAM test and hard drive diagnostic and confirming the
H/W was OK I just did a fresh install from DVD and the system works fine.

I'm wondering if the entire hard drive had somehow gotten corrupted?
 
Paul

philo said:
I just worked on a Gateway laptop.
The machine was filled with trojans and almost completely
non-responsive, even after removing them by the use of a Kaspersky
rescue CD.


Backed up the data and attempted a factory restore which could not get
past the part of the post-installation "additional software" stage.

I had to boot to safe mode and remove the startup registry entries.

When all done the system was very sluggish and not acceptable.

After performing a RAM test and hard drive diagnostic and confirming the
H/W was OK I just did a fresh install from DVD and the system works fine.

I'm wondering if the entire hard drive had somehow gotten corrupted?

It's a sitting target. I guess boredom got the better
of the malware writers.

You'd think the files would be signed or protected
with checksums or something.

Paul
 
philo

Paul said:

It's a sitting target. I guess boredom got the better
of the malware writers.

You'd think the files would be signed or protected
with checksums or something.

Paul



So, it being a hidden diagnostic partition was an easy target then?


Glad I deleted it too.
 
Paul

philo said:
So, it being a hidden diagnostic partition was an easy target then?


Glad I deleted it too.

Nothing on a computer is really "hidden". Only a few
features on a computer use the "trap door" method, so
software can't override a setting made early
in the operation of the computer. A "hidden" partition
only stays hidden because nobody could be bothered
to attack it.

As an example, consider what the TestDisk program does.
Namely, scan the disk sequentially looking for partition
types. It can recognize a FAT32 when it finds one, an NTFS,
and so on. It's pretty hard to hide a hidden partition
from such a scan.

What's surprising to me is that the hidden partition isn't attacked
more often, considering how reliably and thoroughly
the restore points get attacked. Maybe some of those
partitions have better corruption detection than others.

Paul
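
The sequential signature scan described in the post above, as an added example (it is not from the thread and is not TestDisk's own code). It checks only the NTFS and FAT32 boot-sector signatures; the function names and the 32-sector image are constructed for illustration, and the scan finds both filesystems whatever type byte the partition table assigns them.

```python
import struct

SECTOR = 512

def classify_boot_sector(sec):
    """Return 'NTFS', 'FAT32' or None for one 512-byte sector."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return None                      # no boot-sector end marker
    if sec[3:11] == b"NTFS    ":         # OEM ID field
        return "NTFS"
    if sec[82:90] == b"FAT32   ":        # FAT32 filesystem-type field
        return "FAT32"
    return None

def scan_image(data):
    """Sequential scan: [(lba, fs_type, total_sectors)] for every hit."""
    hits = []
    for lba in range(len(data) // SECTOR):
        sec = data[lba * SECTOR:(lba + 1) * SECTOR]
        kind = classify_boot_sector(sec)
        if kind == "NTFS":
            hits.append((lba, kind, struct.unpack_from("<Q", sec, 0x28)[0]))
        elif kind == "FAT32":
            hits.append((lba, kind, struct.unpack_from("<I", sec, 0x20)[0]))
    return hits

def mbr_partitions(data):
    """Non-empty MBR entries as [(type_byte, start_lba, sector_count)]."""
    out = []
    for i in range(4):
        ptype, start, count = struct.unpack_from("<4xB3xII", data, 446 + 16 * i)
        if ptype:
            out.append((ptype, start, count))
    return out

def build_sample_image():
    """Constructed image: NTFS at LBA 8 (hidden type 0x27), FAT32 at LBA 16."""
    img = bytearray(SECTOR * 32)
    for i, (ptype, start, count) in enumerate([(0x27, 8, 8), (0x0B, 16, 16)]):
        struct.pack_into("<4xB3xII", img, 446 + 16 * i, ptype, start, count)
    img[510:512] = b"\x55\xaa"           # MBR signature
    img[8 * SECTOR + 3:8 * SECTOR + 11] = b"NTFS    "
    struct.pack_into("<Q", img, 8 * SECTOR + 0x28, 8)
    img[16 * SECTOR + 82:16 * SECTOR + 90] = b"FAT32   "
    struct.pack_into("<I", img, 16 * SECTOR + 0x20, 16)
    for lba in (8, 16):
        img[lba * SECTOR + 510:lba * SECTOR + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    print(mbr_partitions(image), scan_image(image))
```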
 
philo

Paul said:

Nothing on a computer is really "hidden". Only a few
features on a computer use the "trap door" method, so
software can't override a setting made early
in the operation of the computer. A "hidden" partition
only stays hidden because nobody could be bothered
to attack it.

As an example, consider what the TestDisk program does.
Namely, scan the disk sequentially looking for partition
types. It can recognize a FAT32 when it finds one, an NTFS,
and so on. It's pretty hard to hide a hidden partition
from such a scan.

What's surprising to me is that the hidden partition isn't attacked
more often, considering how reliably and thoroughly
the restore points get attacked. Maybe some of those
partitions have better corruption detection than others.

Paul



This is the first machine I've seen with a corrupted "restore" partition
but I guess I should not be surprised.
 
