Infected Hard Disk - Reformat
Hi all, not sure if this is the right section and so if it isn't, please do move this thread.
My friend's laptop has been infected with lots of spyware (a scan revealed she had over 20 trojans in there). Given the severity of the issue, I was planning to help her reformat the hard disk and reinstall everything again.
The questions are:
1. Does reformatting the hard disk remove all spyware? I presume it would, but I heard reformatting doesn't clean all the data and you need to go for a few passes, but I am not sure how I truly erase the hard disk if I am reformatting hard disks in totality.
2. As you may know, laptops don't have setup disks anymore and only a recovery partition on the hard disk. Presumably if I reinstall from that, there wouldn't be any trojans or spyware as it is a different partition?
Many thanks all for your help.
Re: Infected Hard Disk - Reformat
1. Format will remove all spyware.
2. There is no guarantee that the recovery partition is also spyfree. Make sure you do not format the recovery partition.
I would recommend that you boot into the laptop with a live CD and back up all documents and photos (or even image the whole drive) to external storage.
Then start playing around with the recovery.
Re: Infected Hard Disk - Reformat
The only situation I could see malware possibly returning from a formatted drive is if you were to run some file recovery software at a later date. I would just run a regular format and restore the image in this situation. The malware is more likely to corrupt or delete the restorable image to prevent recovery than it is to infect it.
Re: Infected Hard Disk - Reformat
Thank you for your help. Unfortunately, my friend never backed up an image of the disk while it was still free from spyware. The only source of Windows and associated drivers is the recovery partition.
Re: Infected Hard Disk - Reformat
I would also point your friend in the direction of the hexus freeware list. There are a number of programmes there that could help prevent the same thing happening in the future :)
Personally I'm a fan of the spybot and spyware blaster combination. Malwarebytes is also very useful.
Re: Infected Hard Disk - Reformat
Thanks Zadock. She actually had spybot and superantispyware and a good antivirus installed.
Unfortunately for her, I think she clicked and downloaded the wrong file or something like that.
Re: Infected Hard Disk - Reformat
Quote: Originally Posted by usxhe190
she actually had spybot and superantispyware and a good antivirus installed.
But has she kept them updated? No antivirus is any use if it's out of date ;)
As someone said earlier, there's no guarantee that the recovery partition is malware free, but I don't think you've got a lot of choice in terms of restoring the laptop - you're going to have to use the built-in restore tools. My guess is that there'll be a key to press during POST that will then boot from the recovery partition and effectively start the Windows install process: you should be able to choose to format the old system partition during setup and do a clean reinstall.
Once you've done that, find out how to make recovery DVDs (I'm sure there will be a way - I've not met a laptop in the last 5 years that didn't let you) and make some, so next time you can nuke the entire hard drive and restore from the recovery disks instead!
Re: Infected Hard Disk - Reformat
Thanks scaryjim. Definitely will do that! You are right, maybe she didn't keep those things up to date although her antivirus should auto update. Let's see how things go!
Re: Infected Hard Disk - Reformat
One other thing you might want to try, if you can get hold of a suitable adapter, is to mount the hard drive on another computer and do a virus sweep on the recovery partition. You'll need a USB - SATA adapter, or you could connect it to a spare SATA port on your motherboard...
Re: Infected Hard Disk - Reformat
Thanks, will try that too
Re: Infected Hard Disk - Reformat
The problem with getting spyware/malware on the operating system is that you can never trust that OS again.
Have you tried to contact the laptop manufacturer and ask for an OS/Recovery disk?
Re: Infected Hard Disk - Reformat
ChaosSystem, that's a good idea. Let me try that.
Re: Infected Hard Disk - Reformat
Assuming you have to work with what you've got on your recovery partition: first image the drive and copy the data off the drive (scan it using a clean computer); this way any mistake will not be critical. Either do this with a live disk or do this using another computer... if you use another computer, make sure you don't boot from it by mistake, otherwise you will infect that one too! When you have imaged it, use an external computer to antivirus scan the complete drive. Put it back in the old computer and do a restore, now take it out again and use your other computer to scan it again. If it's all good, burn the recovery CDs/DVDs, then do a restore from them, take the drive out one last time to do an external antivirus scan, put the data back and you're done.
If you're feeling lucky, use the infected computer to burn the recovery CDs/DVD, image the drive, take the data off it (scan the data using a clean computer), do a recovery from the media you created, do an external antivirus scan using another computer, put the data back, and you're done. This is what I normally do, never had an infected recovery media yet.
Always image the drive first; 2TB drives are cheap, losing someone's data is not. I bought a new drive just to do a recovery and managed to blow up the external drive, however as I had the image this was just embarrassing, not critical. I normally keep a copy of the person's data and the drive image on separate drives; also I unplug the drive with the image on it after I have taken it, to make sure it's nice and safe. Always have a customer's data in two different places at the same time. Preferably one of them offline.
As to reformatting the drive, as long as the files are not addressable any more it does not matter if they exist, as they will never be seen again. Multiple passes with random data are not necessary; these are to prevent someone using forensic tools to recover data. Even a quick format will mean your OS will never think the data was ever there; if you really worry, a single pass with zeros is fine.
Re: Infected Hard Disk - Reformat
As Oolon says. "Formatting" a disk is a misnomer. What you are doing is making a file system on the disk, that is creating a blank master file table. This effectively removes all the pointers to the existing files.
There is one thing to be careful about and that is boot sector files, because making a new file system does not overwrite the boot sector (or the remaining sectors in that track), so malware can reside there. So from that perspective, overwriting the first 63 sectors on the disk would be a sensible precaution. Easiest way is to boot from a Linux live CD and then
Code:
dd if=/dev/zero of=/dev/xxx bs=512 count=63
where xxx is the hard drive (probably hda or sda - but you need to check)
This will write zeros to the first 63 sectors.
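The script below is an added example, not part of the post above: it saves a copy of the first 63 sectors of a disk or image, then reports whether the boot signature is present and which sectors after the MBR hold data. On an MBR-partitioned disk sector 0 also holds the partition table (including the recovery partition entry), which is why the copy is taken before any zeroing; the function names, the backup file name and the sample image are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only inspection of the first 63 sectors (MBR plus the
# rest of the first track) of a disk or image before zeroing them.
SECTOR=512
TRACK=63   # sector count taken from the dd command in the post

# Save sectors 0..62 so the partition table can be written back later.
backup_track() {  # $1 = disk or image, $2 = backup file
    dd if="$1" of="$2" bs=$SECTOR count=$TRACK 2>/dev/null
}

# Print "yes" if sector 0 ends with the 55 AA boot signature, else "no".
has_boot_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$sig" = "55aa" ]; then echo yes; else echo no; fi
}

# Print the numbers of sectors 1..62 that contain any non-zero byte.
nonzero_gap_sectors() {
    n=1; out=""
    while [ "$n" -lt "$TRACK" ]; do
        # Delete NUL bytes; anything left means the sector is not blank.
        left=$(dd if="$1" bs=$SECTOR skip="$n" count=1 2>/dev/null \
               | tr -d '\000' | wc -c | tr -d ' ')
        if [ "$left" -gt 0 ]; then out="$out $n"; fi
        n=$((n + 1))
    done
    echo $out
}

# Constructed sample: 63 zeroed sectors, 55 AA at offset 510, one byte in sector 5.
make_sample_image() {  # $1 = output file
    dd if=/dev/zero of="$1" bs=$SECTOR count=$TRACK 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'X' | dd of="$1" bs=1 seek=$((5 * SECTOR)) conv=notrunc 2>/dev/null
}

# Usage: sh script.sh /dev/sdX   (hypothetical device name; check yours first)
if [ -n "${1:-}" ]; then
    backup_track "$1" first-track.bak
    echo "boot signature: $(has_boot_signature "$1")"
    echo "non-zero sectors after the MBR: $(nonzero_gap_sectors "$1")"
fi
```

Non-zero sectors in this gap are not proof of infection, since boot loaders such as GRUB legitimately store code there. Keep the backup file on separate storage so the partition table can be written back if the recovery partition is still needed.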
Re: Infected Hard Disk - Reformat
Thank you very much oolon and peterb!
Re: Infected Hard Disk - Reformat
Buying the recovery media from the manufacturer will normally cost about £30. If you've got a copy of the OS that laptop came installed with from the factory, I'd personally just use a vanilla OEM Windows disc of the same version that it was installed with and use the key from the bottom of the laptop.
Then get all the drivers on the net for whoever made the laptop.