
Freeing up free space on your hard drive: WIMBoot. Terminate Image from Chrome

Recently, one of my colleagues came to me and said that he picked up a virus on his flash drive that appeared in the form of a folder called images. When you try to delete this folder, the folder is deleted and immediately reappears. Formatting the flash drive does not help to get rid of this viral images folder either.

To begin with, the Windows 7 operating system is installed on the computer. A free antivirus is installed, which does not see this virus when scanning. The antivirus program USB Disk Security is also installed, and this virus bypasses it as well.

First of all, I went to the official website and downloaded the anti-virus program Dr.Web CureIt. I scanned my computer with this program and was glad that the virus was detected as Trojan.Siggen4.36517 and was successfully removed. But complete removal of the virus required a computer restart.

Before rebooting, I opened the flash drive and was surprised that the folder with the virus called images was still on the flash drive and could not be deleted, because this virus sits on the computer and automatically registers itself on any USB drive connected to the computer. After rebooting, I scanned the computer with Dr.Web CureIt again. The virus had indeed been removed. But after I inserted the flash drive into the USB socket, the virus entered the computer from the flash drive again.

Then I decided to check this flash drive using a Live CD with the Windows XP operating system. After inserting this flash drive into my computer, to my surprise, the images folder was successfully removed from the flash drive. After scanning this computer with the Dr.Web CureIt antivirus program, the images.scr, images.exe virus was not detected.

This moment alarmed me and at the same time puzzled me, and I went to the Internet for more detailed information. It turns out that this virus is relevant for Windows 7 and possibly for subsequent Windows versions... The images virus does not work on Windows XP and is therefore not dangerous.

After removing the virus from the Windows 7 computer again using Dr.Web CureIt, I inserted the flash drive and made sure that I had got rid of the images.scr, images.exe virus.


The MBR code, which starts immediately after the BIOS code is processed, loads the partition boot sector code (PBR) into memory at 0000:7C00 and transfers control to it. Continuing the series of articles on booting Windows, in this publication we look at the next stage of loading the OS and at the logic of the Windows 7 partition boot record (PBR).

PBR (Partition Boot Record) is the boot record of a partition. It is nominally the second stage of starting the Windows 7 operating system, and it performs the steps to locate and load the Boot Manager (BOOTMGR).

Some sources use an alternative name for the partition boot record, Volume Boot Record (VBR), and less commonly Partition Boot Sector (PBS).

Physically, the PBR (VBR) is located on the media starting from the first sector of the partition. Do not confuse it with the first sector of the physical disk (drive), where the MBR is located.

In the case of the Windows 7 operating system, the partition boot record occupies as many as 9 physical sectors (512 bytes each). There is an opinion that the Windows 7 PBR itself is limited to one sector, and that the following 8 sectors already belong to the BOOTMGR boot code. This distinction is not fundamental for us, so we will agree that sequential sectors are reserved for the PBR on the partition where it is located. In theory, in systems with multiple partitions there can be several PBRs, one for each primary partition, but this situation is quite rare.

Let's use the previously tested approach and save the Windows 7 PBR sector dump to a file using the specialized utility DMDE. Now let's see what it looks like:

Windows 7 PBR sector dump:

0000000000 EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
0000000010 00 00 00 00 00 F8 00 00 3F 00 FF 00 00 08 00 00
0000000020 00 00 00 00 80 00 80 00 FF 1F 03 00 00 00 00 00
0000000030 55 21 00 00 00 00 00 00 02 00 00 00 00 00 00 00
0000000040 F6 00 00 00 01 00 00 00 1A AA 3B C8 C2 3B C8 CC
0000000050 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07
0000000060 1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00 4E
0000000070 54 46 53 75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB
0000000080 55 AA 75 06 F7 C1 01 00 75 03 E9 DD 00 1E 83 EC
0000000090 18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13
00000000A0 9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3
00000000B0 0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8
00000000C0 66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8
00000000D0 4B 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D
00000000E0 66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16
00000000F0 68 07 BB 16 68 70 0E 16 68 09 00 66 53 66 53 66
0000000100 55 16 16 16 68 B8 01 66 61 0E 07 CD 1A 33 C0 BF
0000000110 28 10 B9 D8 0F FC F3 AA E9 5F 01 90 90 66 60 1E
0000000120 06 66 A1 11 00 66 03 06 1C 00 1E 66 68 00 00 00
0000000130 00 66 50 06 53 68 01 00 68 10 00 B4 42 8A 16 0E
0000000140 00 16 1F 8B F4 CD 13 66 59 5B 5A 66 59 66 59 1F
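The following is an added example, not part of the original article: it decodes the jump instruction, OEM ID and NTFS BIOS parameter block from the first 0x54 bytes of the dump above and runs a few integrity checks a defender might apply to a partition boot record. The field offsets follow the standard NTFS boot sector layout; the function names, field names and checks are illustrative assumptions.

```python
import struct

# First 0x54 bytes of the Windows 7 PBR dump shown on this page (jump, OEM ID, BPB).
PBR_HEAD = bytes.fromhex(
    "EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 "
    "00 00 00 00 00 F8 00 00 3F 00 FF 00 00 08 00 00 "
    "00 00 00 00 80 00 80 00 FF 1F 03 00 00 00 00 00 "
    "55 21 00 00 00 00 00 00 02 00 00 00 00 00 00 00 "
    "F6 00 00 00 01 00 00 00 1A AA 3B C8 C2 3B C8 CC "
    "00 00 00 00"
)

# Standard NTFS boot sector layout, little-endian, offsets 0x00-0x53.
_LAYOUT = struct.Struct("<3s8sHBH5xB2xHHI8xQQQb3xb3xQI")
_FIELDS = ("jump", "oem_id", "bytes_per_sector", "sectors_per_cluster",
           "reserved_sectors", "media", "sectors_per_track", "heads",
           "hidden_sectors", "total_sectors", "mft_lcn", "mftmirr_lcn",
           "rec_size_raw", "idx_size_raw", "serial", "checksum")

def _unit_bytes(raw, cluster_bytes):
    # Negative value n means 2**(-n) bytes; positive means n clusters.
    return 1 << -raw if raw < 0 else raw * cluster_bytes

def parse_ntfs_bpb(sector):
    bpb = dict(zip(_FIELDS, _LAYOUT.unpack_from(sector, 0)))
    cluster = bpb["bytes_per_sector"] * bpb["sectors_per_cluster"]
    bpb["cluster_bytes"] = cluster
    bpb["file_record_bytes"] = _unit_bytes(bpb["rec_size_raw"], cluster)
    bpb["index_buffer_bytes"] = _unit_bytes(bpb["idx_size_raw"], cluster)
    bpb["code_entry"] = 2 + bpb["jump"][1]  # target of the short jump (EB xx)
    return bpb

def pbr_anomalies(bpb, partition_start_lba=None):
    # Returns a list of findings; an empty list means the header looks sane.
    issues = []
    if bpb["jump"][0] != 0xEB or bpb["code_entry"] != _LAYOUT.size:
        issues.append("jump does not land right after the BPB (0x54)")
    if bpb["oem_id"] != b"NTFS    ":
        issues.append("OEM ID is not 'NTFS    '")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        issues.append("sectors per cluster is not a power of two")
    if partition_start_lba is not None and bpb["hidden_sectors"] != partition_start_lba:
        issues.append("hidden sectors != partition start LBA from the MBR")
    return issues

if __name__ == "__main__":
    for key, value in parse_ntfs_bpb(PBR_HEAD).items():
        print(f"{key:20} {value}")
```

The hidden-sectors field (2048 here) is the distance from the start of the physical disk to this partition's first sector, which is why the PBR is not the same sector as the MBR.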