can any infection survive a "format c:"?

nordloewelabs

Senior member
Mar 18, 2005
I heard a long time ago (maybe from a misinformed person) that there are viruses that won't be eliminated by a plain "format c:" and can only be wiped out with some special switch... "format c: /something" -- can't remember now, but maybe the guy mentioned the Master Boot Record...

Well, is there any truth to that? Can malware really survive "format c:" (assuming a system with a single partition)? Is there a "safest way" to start from scratch?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
One extra-safe way is to nuke the hard drive using something like DBAN.

I'm not up on what precisely happens with boot sectors when you format C: the ordinary way, but the next-best method I'd try (other than DBAN) would be to

1) start Windows Setup

2) get to the part of Setup where it shows the HDD partitions, and delete all of them

3) press the F3 key twice to exit from Windows Setup, without going any further

4) start Windows Setup a second time and install Windows with the system absolutely isolated from sources of infection (wired or wireless network devices, USB drives, other hard drives, and burned CDs/DVDs). Suggestion on how to install Windows XP (scroll down past the Vista v. XP stuff)
 

FallenHero

Diamond Member
Jan 2, 2006
Low-level formats usually will take care of ALL problems. If you are really paranoid, use a program to overwrite the entire thing as well.
 

ForumMaster

Diamond Member
Feb 24, 2005
As mechBgon said, DBAN should take care of anything. I believe the program does a low-level format (instead of simply deleting the data, it zeroes the drive), and that really should take care of anything that was residing on the drive. When reinstalling Windows, install Windows completely isolated from the world. Disconnect the network cable and take any USB keys out. Install all the patches and your firewall, and only then reconnect the box to the world.
 

RadiclDreamer

Diamond Member
Aug 8, 2004
If you kill all the partitions and recreate them, the virus is gone. I think what you are referring to is a boot sector virus, which would be taken out when you kill all the partitions.
 

wanderer27

Platinum Member
Aug 6, 2005
Well, there used to be BIOS viruses - get one of them and you're pretty much FUBAR.

Don't know if they're still around or still an issue these days, though . . . .


 

Bradtechonline

Senior member
Jul 20, 2006
fdisk /mbr
Will only rewrite on Disk-0

format C:

or just do a low level format if you are really worried about it.
 

ForumMaster

Diamond Member
Feb 24, 2005
Originally posted by: wanderer27
Well, there used to be BIOS viruses - get one of them and you're pretty much FUBAR.

Don't know if they're still around or still an issue these days, though . . . .

Keyword is "used to be". Today, a BIOS is mostly read-only. You can update it, but I don't think there are any modern BIOS viruses. Most viruses today focus on keylogging and things like that that earn the writer money. BIOS viruses would ruin the computer.

Although I have heard of some extreme cases of rootkits that act like Virtual PC, in which it loads the OS as a virtual OS and thus the OS can't see it.
 

Nothinman

Elite Member
Sep 14, 2001
can malware really survive "format c:"

Sure, if your backups are infected too.

I think what you are referring to is a boot sector virus which would be taken out when you kill all the partitions

No, it won't. The MBR boot code is separate from the partition layout section.

or just do a low level format if you are really worried about it.

Technically it's impossible to do a real low-level format these days; what most utilities call a low-level format is just writing all zeros to the drive, which will just waste your time.

Although I have heard of some extreme cases of rootkits that act like Virtual PC, in which it loads the OS as a virtual OS and thus the OS can't see it.

I don't think there are any hypervisor rootkits in the wild yet, but there was a recent article about how they are indeed detectable right now. If writing a good hypervisor were really that easy, don't you think Xen, VMware and MS would have their software perfected by now? =)
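To make the MBR point above concrete: the boot code, the partition table and the boot signature are separate regions of the same 512-byte sector, so "delete all partitions" and "fdisk /mbr" each touch a different one. This is an added illustration with a constructed sample MBR, not code from anyone in the thread; the region offsets are the classic MBR layout, and the sample partition values are made up.

```python
"""Regions of a classic 512-byte MBR and what each cleanup step touches.
Added illustration with a constructed sample MBR; not code from the thread."""
import hashlib
import struct

BOOT_CODE = slice(0, 446)     # boot loader code (and disk signature area)
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = slice(510, 512)   # 0x55 0xAA boot signature

# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable type-0x07 partition starting at LBA 63."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 63, 2_000_000)
    return boot_code.ljust(446, b"\x00") + entry + bytes(48) + b"\x55\xAA"


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition entries; an all-zero entry has type 0."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def delete_all_partitions(mbr: bytes) -> bytes:
    """What a partitioning tool's 'delete all' does: zero only the 64-byte table.
    The boot-code region is left exactly as it was."""
    return mbr[BOOT_CODE] + bytes(64) + mbr[SIGNATURE]


def rewrite_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
    """The reverse operation, as described for fdisk /mbr: replace the boot code,
    keep the partition table and signature."""
    if len(clean_code) > 446:
        raise ValueError("boot code must fit in 446 bytes")
    return clean_code.ljust(446, b"\x00") + mbr[PART_TABLE] + mbr[SIGNATURE]


def boot_code_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only, so a known-good value can be compared
    against a disk's MBR regardless of how the disk is partitioned."""
    return hashlib.sha256(mbr[BOOT_CODE]).hexdigest()
```

Run `delete_all_partitions` on the sample and the fingerprint of the boot code is unchanged while every partition entry reads as type 0; run `rewrite_boot_code` and the partition table survives while the fingerprint changes.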
 

stash

Diamond Member
Jun 22, 2000
There is a reason why hard drives containing classified information are usually first physically destroyed (drill through the platters, etc) and then incinerated.
 

Atheus

Diamond Member
Jun 7, 2005
Originally posted by: Nothinman
can malware really survive "format c:"

Sure, if your backups are infected too.

Or if any part of the computer other than the hard disk is infected - you could flash something to the video card BIOS, for example. Or if some other part of your network is infected. Don't have a network? You probably have a DSL or cable router though, and it should be possible to flash some evil firmware to it, maybe have it push you a virus the next time you download something over HTTP.

Don't worry though, this is just my ramblings, you're unlikely to encounter that sort of thing.
 

Atheus

Diamond Member
Jun 7, 2005
Originally posted by: stash
There is a reason why hard drives containing classified information are usually first physically destroyed (drill through the platters, etc) and then incinerated.

Yeah, it's so no one can recover the information, but that isn't necessary to get rid of a virus...

The point of a format in this case is that the FAT/inode/whatever tables are destroyed, and hence there will be no pointer to the virus anywhere on the disk, and hence it will never be executed.
 

stash

Diamond Member
Jun 22, 2000
Yeah, it's so no one can recover the information, but that isn't necessary to get rid of a virus...
Yeah you're right of course. I was thinking about it from the perspective of recovering "deleted" data from a drive, which really isn't relevant to the topic :p My bad...
 

Nothinman

Elite Member
Sep 14, 2001
Or if any part of the computer other than the hard disk is infected - you could flash something to the video card BIOS, for example. Or if some other part of your network is infected. Don't have a network? You probably have a DSL or cable router though, and it should be possible to flash some evil firmware to it, maybe have it push you a virus the next time you download something over HTTP.

Except that none of those things run on the host's CPU, so they'll be extremely limited in what they could do. And they'd still have to drive the hardware they're flashed on for you to not notice them.
 

Atheus

Diamond Member
Jun 7, 2005
Originally posted by: Nothinman
Except that none of those things run on the host's CPU, so they'll be extremely limited in what they could do.

Well, keep in mind I'm making this up as I go along, but say you flashed the router with malware - you could set it up so the first HTTP file download is replaced by malware padded out with dummy bytes. When the user runs the executable, which they think is legit, it installs something on the machine.

Not so sure on the details of video card operation, but if you can have it return whatever data you want when the host asks for the answer to some vector operation, you should be able to make it at least crash, if not execute arbitrary code.
 

Nothinman

Elite Member
Sep 14, 2001
Well, keep in mind I'm making this up as I go along, but say you flashed the router with malware - you could set it up so the first HTTP file download is replaced by malware padded out with dummy bytes. When the user runs the executable, which they think is legit, it installs something on the machine.

If the binary they're downloading is signed in some way, it won't check out. And your firmware would need to be device specific, so to get any amount of penetration you'd need dozens or hundreds of variants.

Not so sure on the details of video card operation, but if you can have it return whatever data you want when the host asks for the answer to some vector operation, you should be able to make it at least crash, if not execute arbitrary code.

Again, your firmware would have to be able to drive the video card with at least VGA and whatever 2D functions Windows/Xorg needs. If Linux people can't even reverse engineer the drivers to create decent OSS drivers, how do you expect someone will fare with the firmware?
 

Atheus

Diamond Member
Jun 7, 2005
If the binary they're downloading is signed in some way, it won't check out.

Users do not verify downloads. Only some tiny percentage of technical people do this.

And your firmware would need to be device specific, so to get any amount of penetration you'd need dozens or hundreds of variants.

So what, I'm only targeting a specific individual.

And why don't you think of something, smartarse? How would you allow software to survive a hard disk wipe? This is a home user, so no 'it survives with the nightly backup' stuff.
 

Nothinman

Elite Member
Sep 14, 2001
Users do not verify downloads. Only some tiny percentage of technical people do this.

But some things do automatically; apt, for example, verifies the MD5/SHA1, and I would bet that WU does too, so your proxy would have to be pretty smart to get the first manual download.

So what, I'm only targeting a specific individual.

That's extremely rare; most forms of malware want as much penetration as possible, because it's control of the machine that's important, not the person running it.

And why don't you think of something, smartarse? How would you allow software to survive a hard disk wipe? This is a home user, so no 'it survives with the nightly backup' stuff.

Because in general it doesn't survive a hard disk wipe. Some disks have a bit of protected space called the Host Protected Area that you might be able to store something in, but it won't be very useful, since it would be hard as hell to get it executed again after the format.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
At the practical level, I keep reading malware descriptions, and more and more of them seem to include "oh, and it writes itself to removable drives along with an Autorun.inf file so it gets executed when the drive is plugged in." USB flash drives are the new floppy diskette in more ways than one, eh :D

(CDs and DVDs as well, though)
 

nordloewelabs

Senior member
Mar 18, 2005
So the "consensus" is that a low-level format is usually enough...?

Are there viruses that infect the MBR? If yes, would the low-level formatting take care of those too?

 

Nothinman

Elite Member
Sep 14, 2001
So the "consensus" is that a low-level format is usually enough...?

There's no such thing as a low-level format these days, at least not one that you can do. You can wipe the drive with something like DBAN, but that's not a low-level format.
 

Red Squirrel

No Lifer
May 24, 2003
I think using a program like SPFdisk to manually delete the drive could work. It shows a hex dump of the drive so you could probably just do an edit and hold down the 0 key and clear sectors 0-63 or whatever. Or would this totally fubar the drive? I've never played much with low level hdd stuff.
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: nordloewelabs
Are there viruses that infect the MBR? If yes, would the low-level formatting take care of those too?
Viruses that affect either the MBR or the Boot Sector in general have been around for a LONG time. I've only had two viruses on my PCs in the past 25 years. One was in the Boot Sector. Both were in the early 90's.

One was "given" to me by an office PC technician via his floppy disk. The other got into the boot sector or MBR of a hard drive, and I didn't know about it until years later, when an attempt to install Windows resulted in complaints about a possible boot sector virus. Again, it probably came from a contaminated floppy disk.

BTW....
Does FDISK /MBR actually work in XP? I had occasion to try this a while back and it appears that the FixMBR.exe and FixBoot.exe programs had replaced it. Maybe I'm missing something.