Hi Mkis, and others,
First I'd like to say I found a way to get rid of that false positive Hupigon trj, found in images of archives...
Actually pretty easy and logical: simply defrag the disk; since the sectors will be rewritten (or changed), the "ghost" signature should eventually vanish!
I guess copying files filled with non-blank data, in multiples of 512 bytes (cluster size), filling your drive, defragging, then wiping can do the trick; also, with some defrag software you can reorder the files by name, date, etc.
Another try could be zipping and unzipping.
To be didactic, bear in mind that when you create a file the system will only write the "used data", but the OS will allocate a multiple of the cluster size (512 bytes in NTFS). So if your file is a small 50-byte text file, you actually have 512-50=462 bytes left; that's where those signatures probably lie.
What baffles me in this story is that a tool to make a drive image should actually be reading less of the hard drive to make an image, and place it contiguously in an archive. Seems logical, no?
Well, anyhow, this is the proof that it does not. The thing is, after you delete the archive you could get back that signature; I guess it's better to shred it with some software.
Second, concerning the Zimuse worm:
I checked
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dump" = "%programfiles%\Dump\Dump.exe"
and
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
"*NewlyCreated*" = 0
"ActiveService" = "MSTART"
----
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
I have none of those; thanks for the info though.
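An added illustration (not part of the post above) of the file-slack mechanism the post describes: a toy cluster-addressed store where deleting a file leaves its bytes in place, a 50-byte file reuses the cluster, and a cluster-level image still carries the old pattern in the 462 bytes of slack until the cluster is rewritten. The 512-byte cluster size is taken from the post, and the detection pattern and file names are constructed for the example.

```python
CLUSTER = 512  # cluster size as stated in the post (assumption for this toy model)


class ToyDisk:
    """Minimal cluster-addressed store modelling what the post describes:
    writing stores only the payload, deleting only frees the cluster."""

    def __init__(self, n_clusters):
        self.data = bytearray(CLUSTER * n_clusters)
        self.free = list(range(n_clusters))
        self.files = {}                      # name -> (cluster index, logical length)

    def write(self, name, payload):
        cluster = self.free.pop(0)           # first free cluster, possibly a reused one
        start = cluster * CLUSTER
        self.data[start:start + len(payload)] = payload   # bytes past payload untouched
        self.files[name] = (cluster, len(payload))
        return cluster

    def delete(self, name):
        cluster, _ = self.files.pop(name)
        self.free.insert(0, cluster)         # cluster reusable; contents not wiped

    def logical(self, name):                 # what a normal file read returns
        cluster, n = self.files[name]
        return bytes(self.data[cluster * CLUSTER:cluster * CLUSTER + n])

    def cluster_image(self, name):           # what a cluster-level imager copies
        cluster, _ = self.files[name]
        return bytes(self.data[cluster * CLUSTER:(cluster + 1) * CLUSTER])

    def wipe_slack(self, name):              # effect of the cluster being rewritten
        cluster, n = self.files[name]
        self.data[cluster * CLUSTER + n:(cluster + 1) * CLUSTER] = bytes(CLUSTER - n)


PATTERN = b"CONSTRUCTED-DETECTION-PATTERN"  # constructed stand-in for a scanner signature


def slack_demo():
    """Return (slack bytes, pattern in logical file, pattern in image, pattern after wipe)."""
    disk = ToyDisk(4)
    old = bytearray(CLUSTER)
    old[200:200 + len(PATTERN)] = PATTERN    # old full-cluster file, pattern at offset 200
    disk.write("old.bin", bytes(old))
    disk.delete("old.bin")                   # freed, but bytes stay on "disk"
    disk.write("note.txt", b"x" * 50)        # 50-byte file lands in the same cluster
    in_logical = PATTERN in disk.logical("note.txt")
    in_image = PATTERN in disk.cluster_image("note.txt")
    disk.wipe_slack("note.txt")
    after_wipe = PATTERN in disk.cluster_image("note.txt")
    return CLUSTER - 50, in_logical, in_image, after_wipe
```

Run `slack_demo()`: the logical read of note.txt never contains the pattern, the cluster image does, and once the slack is rewritten it no longer does.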