Running AntiVirus or Format and Reinstall Windows?

Discussion in 'Software' started by Professor-Falken, Oct 3, 2008.

  1. Teebor

    Teebor Nibble Poster

    What you just wrote there makes perfect sense and is great info, but it doesn't match what you originally wrote.

    Formatting a Windows PC is a perfectly acceptable way of removing a virus safely.

    And yes, as you very clearly and neatly put it, most of the time just cleaning the machine removes/repairs infected files but not the original virus itself, which can allow it to spread again in a few cases. Which formatting fixes :)

    I just don't agree with the content of your other post, I do agree with the content of this one though :)
     
    Certifications: A+, Network +, MCSA, CCNA, Coupla MCP's
    WIP: CCNP BCMSN, CVOICE, ITIL
  2. Mathematix

    Mathematix Megabyte Poster

    In what sense? I just clarified what I meant in my original post to someone who had a better idea of what I'm talking about.

    No it isn't. It isn't sensible to declare that overwriting part of a surface is just as secure as overwriting all of it.

    As I said, you can't claim that a partial job is as good as a complete job. There is no reasoning behind that. :biggrin
     
    Certifications: BSc(Hons) Comp Sci, BCS Award of Merit
    WIP: Not doing certs. Computer geek.
  3. Teebor

    Teebor Nibble Poster

    When you are formatting the drive you are erasing the only areas where the system should have files. So OK, a partition on a drive may not occupy the entire platter, but it defines the only usable data area for the OS, and you are wiping out all the data in this area.

    You are also rewriting the file allocation tables to be effectively blank. So where does the virus still exist? Even if the data area that contained the virus is still there, there is no record of it existing any more, so without some special software it cannot come back anyway (as you pointed out). There is also a very high chance that the data area that used to contain the virus would be written over during the install process anyway.

    Now, while it is possible that the virus somehow manages to create space in an area outside the partition on the HDD (which I have never seen a virus do), you would then have to go and find that virus in that area to allow it to reinfect the machine after you install the OS; the OS has no way of knowing the virus is out there. And how would the virus do this in the first place? It's still a program that is limited to the abilities of the host OS unless it injects itself into the boot sequence. But still, a format would wipe this out, as the MBR should be re-written anyway to stop any virus that may have tried to make its home there.

    So I fail to see how a virus can live anywhere on the HDD of the PC after a format, or make its way back into the new OS that is installed.
     
    Certifications: A+, Network +, MCSA, CCNA, Coupla MCP's
    WIP: CCNP BCMSN, CVOICE, ITIL
  4. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    What? That's absolute nonsense. You can format a drive many, many times without any loss of capacity.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    If I've got normal viruses, I'll just format... but if I'm *really* concerned about rootkits and such, I'll actually zero out the drive.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    I think you may be confusing HDD with tape :blink
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  7. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    But... you're not gonna use one of those to bring back malware from the dead... :rolleyes: We're not talking about trying to eradicate malware until there's no chance that someone using a quantum interference detector can resurrect it... we're talking about simply wiping out any malware so it can't harm your system anymore. It won't automagically resurrect itself...
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  8. Teebor

    Teebor Nibble Poster

    We've moved on since then mate :) that was just in reply to the comment

    Where it is possible to recover data well beyond that stage.


    We are now having a great discussion, which I hope Mathematix is happy to continue, about where a virus can possibly be living and why a format alone will not completely eradicate a virus, still allowing it to come back.

    We have already agreed that a straight clean of the system would not necessarily erase all traces of a virus, but why wouldn't a format?

    I don't care who is right in the discussion, but it would be nice if we can reach an agreed-upon conclusion, and I hope along the way we can learn something :)
     
    Certifications: A+, Network +, MCSA, CCNA, Coupla MCP's
    WIP: CCNP BCMSN, CVOICE, ITIL
  9. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    As has already been stated, unless there is some external mechanism to revive the malware (such as another piece of malware that is programmed to find the deleted malware and revive it - and in that case, why wouldn't the malware just recreate it from scratch?!?), then there is no way that the malware can be revived.

    Sure, with something external. But deleted malware can't recover itself after a zero-fill.

    Because a format (old-school format command) doesn't completely zero out a drive unless you perform a zero-fill format (old-school format /u command): link, link2
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  10. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    EH? On the wind up are we? :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  11. zebulebu

    zebulebu Terabyte Poster

    Good discussion chaps.

    First up, a simple one-pass method using a low-level formatting utility like the free version of killdisk will wipe the disk. From this point there is no way on Earth a virus would be able to reinfect a system - the data is, to all intents and purposes 'gone'. You could recover it using forensic utilities (I used them when I was in law enforcement) - indeed, there are utilities that can even recover data after five or six passes (though not in any easily recognisable state) - seven passes is the DoD recognised standard (available in the commercial versions of Killdisk) - at that point, anything recovered will be fragments or particles of scraps (i.e. not much use :biggrin)

    Secondly, I concur with Mike - once the drive has been zeroed there's no way any virus, malware or rootkitty-goodness will be sat lurking ready to spring back into life when Windoze is reinstalled. Anybody who thinks otherwise has been watching too much weak-arse Sci-Fi/Espionage crap on TV.

    Finally, Mike is once again spot on with his assessment of Obinna's post regarding degradation of drives after a format. I've got one 10GB disk in an SFF Compaq Deskpro that is so old it has 'designed for Windows 98' (not even SE - LOL) on the case sticker. At a rough guess I would say that I have formatted & reinstalled this box well over 100 times in ten years. Never had a problem with it. I think the poster is indeed confusing disks that are on the way out already prior to being formatted with disks that have been formatted because they've been riddled with malware.
     
    Certifications: A few
    WIP: None - f*** 'em
  12. Teebor

    Teebor Nibble Poster

    Yes, a complete zero-out of a drive would get rid of the virus, but we are not discussing that now. We are discussing why a regular format won't completely get rid of a virus, such that after the OS is reinstalled the virus reappears as if by magic.

    My point is that through a regular format a virus cannot survive to somehow reinfect a system once the OS has been reinstalled, which is what was suggested by Mathematix.

    I'm suggesting that completely zeroing out the drive is unnecessary in this situation, and even overkill.

    The point you guys seem to be confusing yourselves with was the statement about a zero fill making all data unrecoverable, which isn't true. It can be recovered if you want to. Nothing at all to do with malware or viruses surviving through this.


    So the discussion continues: a regular, run-of-the-mill format that replaces the MBR and essentially empties the file allocation tables / file headers is enough to stop a virus, yes or no? And why?
     
    Certifications: A+, Network +, MCSA, CCNA, Coupla MCP's
    WIP: CCNP BCMSN, CVOICE, ITIL
  13. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    With a regular format, the virus isn't overwritten with zeros. File table allocations that reference the virus are erased... but if you've got a particularly nasty rootkit, there's a chance that it won't go away (depending on what's infecting you).

    I have yet to personally see a rootkit survive a normal format, but that doesn't mean they don't exist, particularly when other people claim to have seen them. Just do a Google search for either virus or malware, format or reformat, and survive.

    With most viruses, and with the old-school way of dealing with them, yes, I would agree. A normal format does take care of most viruses. However, to be absolutely certain that everything is gone, I'd recommend zeroing out the drive (or performing a bit-by-bit reimaging using a known-clean image), particularly on systems that are heavily compromised or on systems that require increased security.

    I saw my first rootkits on an infected workstation on my network about 2 years ago. After wrestling with them and seeing them "hide" with my own eyes, my opinion is changed... because the "game" has changed.

    That's the thing... none of us are saying that the data isn't recoverable. We are saying that a zero fill will make sure malware isn't SELF-recoverable - such that the malware cannot restore ITSELF. You seem to keep missing that part of what we're saying. You can certainly restore the malware after a zero fill (with the right tools). But the malware would not be able to restore itself.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
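The distinction the last few posts turn on (a regular format rewrites the boot sector, the allocation tables and the root directory, while a zero fill overwrites the data area as well) is easy to see on a tiny disk image. The following is an added example, not code from anyone in the thread: it builds a 32 KiB FAT12 volume from scratch, and the file names and the `MZ-CONSTRUCTED-MALWARE-MARKER` byte string standing in for an AV signature are constructed for the demonstration. `list_root` shows what the filesystem (and therefore Windows) knows about, `carve` shows what is physically still on the platter.

```python
# Added example, not code from anyone in the thread. The FAT12 image, the
# file names and the "malware" marker are constructed for the demonstration.
import struct

SECTOR = 512
RESERVED, FATS, FAT_SECTORS, ROOT_SECTORS, TOTAL_SECTORS = 1, 2, 1, 1, 64
ROOT_ENTRIES = ROOT_SECTORS * SECTOR // 32                  # 16 directory slots
ROOT_OFF = (RESERVED + FATS * FAT_SECTORS) * SECTOR          # root directory offset
DATA_START = ROOT_OFF + ROOT_SECTORS * SECTOR                # cluster 2 starts here
MARKER = b"MZ-CONSTRUCTED-MALWARE-MARKER"                    # stand-in for an AV signature

def cluster_offset(cluster):
    """Byte offset of a data cluster (FAT numbers data clusters from 2)."""
    return DATA_START + (cluster - 2) * SECTOR

def boot_sector():
    """Minimal BPB describing the layout above, ending in the 0x55AA signature."""
    bpb = struct.pack("<3s8sHBHBHHBHHHII", b"\xEB\x3C\x90", b"EXAMPLE ", SECTOR, 1,
                      RESERVED, FATS, ROOT_ENTRIES, TOTAL_SECTORS, 0xF8,
                      FAT_SECTORS, 1, 1, 0, 0)
    return bpb.ljust(SECTOR - 2, b"\x00") + b"\x55\xAA"

def fat12_set(fat, n, val):
    """Store 12-bit entry n in a FAT12 table (entries are packed 1.5 bytes each)."""
    i = n + n // 2
    if n % 2 == 0:
        fat[i] = val & 0xFF
        fat[i + 1] = (fat[i + 1] & 0xF0) | ((val >> 8) & 0x0F)
    else:
        fat[i] = (fat[i] & 0x0F) | ((val & 0x0F) << 4)
        fat[i + 1] = (val >> 4) & 0xFF

def fresh_fat():
    """An empty FAT: only the media-descriptor and end-of-chain entries are set."""
    fat = bytearray(FAT_SECTORS * SECTOR)
    fat12_set(fat, 0, 0xFF8)
    fat12_set(fat, 1, 0xFFF)
    return fat

def dir_entry(name, cluster, size):
    """32-byte 8.3 root directory entry pointing at the file's first cluster."""
    base, ext = name.split(".")
    return struct.pack("<11sB10sHHHI", (base.ljust(8) + ext.ljust(3)).encode(),
                       0x20, b"\x00" * 10, 0, 0, cluster, size)

def build_image():
    """A freshly formatted volume holding a benign text file and a one-cluster dropper."""
    img = bytearray(TOTAL_SECTORS * SECTOR)
    img[0:SECTOR] = boot_sector()
    fat, root = fresh_fat(), bytearray()
    files = [("README.TXT", b"nothing to see here\n"), ("DROPPER.EXE", MARKER + b"\x90" * 40)]
    for cluster, (name, data) in enumerate(files, start=2):
        fat12_set(fat, cluster, 0xFFF)              # single-cluster chain, end-of-chain
        off = cluster_offset(cluster)
        img[off:off + len(data)] = data
        root += dir_entry(name, cluster, len(data))
    for k in range(FATS):
        start = (RESERVED + k * FAT_SECTORS) * SECTOR
        img[start:start + len(fat)] = fat
    img[ROOT_OFF:ROOT_OFF + len(root)] = root
    return img

def list_root(img):
    """File names the filesystem still knows about (what a directory listing shows)."""
    names = []
    for i in range(ROOT_ENTRIES):
        e = img[ROOT_OFF + i * 32:ROOT_OFF + (i + 1) * 32]
        if e[0] in (0x00, 0xE5):                    # never used, or deleted
            continue
        names.append(e[:8].decode().strip() + "." + e[8:11].decode().strip())
    return names

def quick_format(img):
    """Rewrite boot sector, FATs and root directory; the data area is not touched."""
    out = bytearray(img)
    out[0:SECTOR] = boot_sector()
    for k in range(FATS):
        start = (RESERVED + k * FAT_SECTORS) * SECTOR
        out[start:start + FAT_SECTORS * SECTOR] = fresh_fat()
    out[ROOT_OFF:ROOT_OFF + ROOT_SECTORS * SECTOR] = bytes(ROOT_SECTORS * SECTOR)
    return out

def zero_fill(img):
    """Overwrite every sector; nothing remains for a carver to find."""
    return bytearray(len(img))

def carve(img, signature):
    """Offsets where a byte signature is still present, directory entry or not."""
    hits, pos = [], img.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = img.find(signature, pos + 1)
    return hits
```

After `quick_format` the directory listing is empty but `carve` still finds the marker at the same offset (cluster 3, byte 2560), which is exactly the state a forensic tool or a second piece of malware could recover from; after `zero_fill` there is nothing left to recover. Neither state lets the dropper run on its own, since no directory entry or FAT chain points at it any more: that is the "not SELF-recoverable" point made above.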
  14. Teebor

    Teebor Nibble Poster

    You are talking about a virus or malware that writes to sector 0.

    I haven't seen one of those in the wild for nearly 6 years, so long that I had completely forgotten about their existence.

    But then those are easily repaired with a fixmbr command from XP, which will then repair sector 0 (or by zeroing the HD).


    Cool, so problem solved. Thread done? Everyone learned something? :)
     
    Certifications: A+, Network +, MCSA, CCNA, Coupla MCP's
    WIP: CCNP BCMSN, CVOICE, ITIL
  15. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    ...and then you fall into the trap. What about a rootkit which neutralizes the fixmbr command? Remember, many rootkits become the native "OS" on top of which Windows sits. That's how rootkits "hide" from Windows - they trick Windows into thinking the rootkits don't exist ("These are not the rootkits you are looking for").

    Have you? :rolleyes: If you must know, I haven't heard anything in this thread that I didn't already know. But thanks for the patronizing comment, anyway.

    Dude... this isn't a competition where you've got to "one up" me (or Zeb, or anyone else on this forum), and that's what it sounds like you're trying to do. I'm providing this information NOT to show you you're wrong or to try to act superior, but to provide you with useful information. So you can either use the info I provide, or you can disagree and ignore it... won't hurt my feelings either way.

    Cheers. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
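The two posts above disagree on whether `fixmbr` settles the sector 0 case, and the practical answer is that you should not take the tool's word for it from inside the possibly-compromised OS: read the first 512 bytes of the physical disk from a known-clean boot environment and compare them with a baseline. The following is an added example, not code from anyone in the thread. Everything in it is constructed: the boot code stub (it only sets up the stack and halts, it is not a real loader), the single NTFS partition, the "known-good" hash, and the tampered copy whose first instruction has been swapped for a jump, which is the general shape of a bootkit diverting the boot path. Reading `\\.\PhysicalDrive0` (or the equivalent raw device) is left out so the block runs offline.

```python
# Added example, not code from anyone in the thread. The MBR bytes, the boot
# code stub and the baseline are constructed here; on a real machine the 512
# bytes would be read from the raw device from a known-clean boot environment.
import hashlib
import struct

MBR_SIZE = 512
CODE_LEN = 440          # boot code ends where the 4-byte Windows disk signature begins
TABLE_OFF = 446         # four 16-byte partition entries
SIG_OFF = 510           # 0x55AA

def build_mbr(boot_code, partitions, disk_sig=0x12345678):
    """Assemble an MBR: boot code, disk signature, up to four partition entries, 0x55AA."""
    if len(boot_code) > CODE_LEN:
        raise ValueError("boot code does not fit")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, CODE_LEN, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, TABLE_OFF + 16 * i, 0x80 if bootable else 0,
                         b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba, count)  # CHS fields unused
    mbr[SIG_OFF:] = b"\x55\xAA"
    return bytes(mbr)

def parse_partitions(mbr):
    """Decode the partition table; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts

def boot_code_hash(mbr):
    """Hash of the boot code only; the disk signature is per-disk and must be excluded."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()

def check_mbr(mbr, baseline_hash, baseline_parts):
    """Findings that would make a post-fixmbr / post-reinstall MBR suspect."""
    findings = []
    if len(mbr) != MBR_SIZE or mbr[SIG_OFF:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from known-good baseline")
    parts = parse_partitions(mbr)
    if parts != baseline_parts:
        findings.append("partition table differs from baseline")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

# Constructed sample data: a stub that only sets up the stack and halts (not a
# real loader), one NTFS partition at LBA 2048, and a tampered copy whose first
# instruction was replaced with a near jump, as a bootkit would do to divert control.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\xF4" * 8   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h; hlt...
PARTS = [(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
TAMPERED_MBR = build_mbr(b"\xE9\x00\x01" + CLEAN_CODE[3:], PARTS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)          # captured from a known-clean install
BASELINE_PARTS = parse_partitions(CLEAN_MBR)
```

The baseline hash covers only bytes 0-439 so that two disks imaged from the same clean build compare equal despite their different disk signatures; the partition table is compared separately because a bootkit that keeps the original boot code but adds a hidden partition, or moves the start of the system partition, would otherwise pass. If the read comes from inside the suspect OS rather than from boot media, a rootkit that filters disk reads can hand back a clean-looking sector, which is the trap described in the post above.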
  16. UCHEEKYMONKEY
    Honorary Member

    UCHEEKYMONKEY R.I.P - gone but never forgotten. Gold Member

    Calm down BM! (next thing you know it will be handbags at 20 paces)
    :rolleyes:

    Actually, after re-reading this thread I don't believe Teebor was patronizing you, Teebor was just stating an opinion. If you believe otherwise then I suggest you bring this to the attention of the staff or PM Teebor and discuss it in private!

    You still have a lot to learn about people, my young Padawan 8)
     
    Certifications: Comptia A+
    WIP: Comptia N+
  17. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Young? Not. :) And I learned quite a bit about people when I trained as a spook, my friend.

    It was the sentence at the end that I was referring to. :) In any case, I've handled it as much as it needs to be handled, depending on the response... I don't need the staff to "save me".
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  18. UCHEEKYMONKEY
    Honorary Member

    UCHEEKYMONKEY R.I.P - gone but never forgotten. Gold Member

    Not enough it would seem, from reading the reply.

    I guess I will have to explain my point through PM!

    :hhhmmm
     
    Certifications: Comptia A+
    WIP: Comptia N+
  19. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Thanks for your concern, but we're just gonna have to disagree. I've seen this sort of thing far too often in my 25 years of being online.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  20. Teebor

    Teebor Nibble Poster

    But you just don't stop, do you? (see other posts below)

    I have to wonder if you actually read ANY of the posts at all in a thread, judging from the posts you make.

    You have not only repeated what I said about it being a discussion and it doesn't matter who is right or wrong, you missed the smiley I put on the end of the last sentence in my post to suggest that I was joking/messing/being light-hearted about the whole thing.

    Then you act as if you are not trying to one-up everyone (which you do to a lot of people, by the way), which can clearly be seen in the responses you continued to make. Why else would you even mention you trained as a spook? As that is completely irrelevant to the thread.

    It does however seem that Ucheekymonkey completely understood the post.

    The last thing I will say on the subject (and on this board, for that matter) is that on the very first day I signed up I noticed most of the threads I read on this forum ended up going the way this thread has, and I should never have made my first post back then. An error I am now correcting by not returning to this forum again after today.

    If Ucheekymonkey or another site moderator/admin sees this and would like to remove my account, feel free, I won't be needing it any more.
     
    Certifications: A+, Network +, MCSA, CCNA, Coupla MCP's
    WIP: CCNP BCMSN, CVOICE, ITIL
