BleepingComputer.com: Reformat and reinstall after virus - Any advice?

DaChew, on 16 October 2010 - 10:48 AM, said:

I've got all the drivers downloaded from the IBM website and burned onto a CD ready to install. And no, the Thinkpad T41 only has one internal hard drive bay - If you want a second hard drive, you need to use an adapter that replaces the optical drive (which is what I've done with the R32 I'm using now - It's that rarely that I need an optical drive, I usually have the adapter with a second hard drive in it in place of the DVD-ROM drive...). Of course, having the second hard drive in the machine means you don't have an optical drive available except via USB!

So I've now got the new hard drive in my hands and ready to install in the machine. I'm OK with the physical act of fitting it, and have partitioned and formatted drives before, so I should be OK with that. But I do have a question concerning the old drive. As it's still physically OK and it's just the data on the drive that's been corrupted, I'd like to re-use the drive again in some way such as external storage. Of course, before I do that, I need to reformat it to get rid of the infection. So my question is this - What's the best (i.e. safest) way to do this without risking infecting another machine? My initial thought is to use the Windows install disk, using it to reformat the drive while still in the laptop, then stopping the Windows installation, swapping the drives over in the machine, and then starting a new Windows installation process on the new drive. Is that the best way to do it, or is there another better way that will work on a machine that just has one drive bay?

If you have a Windows install CD...just use it to delete the existing partition.

No need to use it to format...

Then put your new drive back as the boot drive, attach the old drive as secondary/USB drive...and format it from Disk Manager in XP.

Louis

Another option to what Louis stated.

Since you plan on using the old drive as additional external storage you will most likely be purchasing either a hard drive docking station or enclosure. If this is the route you chose then after placing the hard drive into the device of your choice, connect it to your working PC and format it using Disk management or going into My Computer, right clicking it and selecting format.

No infections present on the external drive will transfer to the PC. Since this is seen as an external drive, non-boot drive, the OS as well as the malware will remain dormant and harmless.

Quote

I still wouldn't trust it that much, some infections can have a hard drive act like a usb thumb drive and reinfect other OS installs?

Good point. autorun.inf?

I forget many do`t disable auto-run & play on their machines. That and Flash Disinfector for some purposes have`t failed me......yet.
I can`t think of any other circumstances where this is`t a safe procedure. But malware is constantly evolving and an individuals mileage may vary.

It might be kind of hard to hold the shift button down and catch a bootup when windows first sees an infected drive if connected internally.

Of course I am overly paranoid about such things?



Connecting as an external the shift trick would be safest.

Having the computer accessing the infected drive fully protected would also be my reccomendation.

It took me about 10 seconds to pull my wireless adapter when I pulled a text log off an infected usb drive(my own), amazing what got installed in those few seconds.

This post has been edited by DaChew: 21 October 2010 - 11:00 AM

Placing any drive in an external enclosure and hot swapping it, plugging it into my all ready running bench machine as well as having auto-run\play disabled pretty much negates most threats.

I do`t use Flash Disinfector on anything other then Flash drives. If the hard drive in question is planned to be cleaned instead of salvaging data then nuked and repaved, I don`t need it hosing the OS install or legit programs.

Just cause your paranoid does`t mean someone is`t after you.

My infection was a real nasty, I always disable autorun/play when I first setup my box.
Just opening a plain text file on the flash drive executed the infection.

oowwwww. Plain text used to be one of the last safe formats. Have always right clicked and "opened with" if I wanted to view a txt, script etc.
Times, they are a changing.

Opening the text file or copying it to my desktop must have initiated the autorun somehow?

The actual txt file couldn't have carried the infection.

After removing the drive and cleaning the infection off my desktop I formatted the flash drive and didn't investigate further.

At this point I had only read about flash disinfector.

Was there a double extension on the text file?
Was never aware of such a possibility until my AV popped up once a while back and warned me of a file I was d\l`ing.

But I`m afraid we are getting way

hamluis, on 20 October 2010 - 02:33 PM, said:

That's kind of what I thought, and what I'll be doing. I've not actually done the work yet, as I've managed to locate a set of the recovery disks used by IBM engineers to restore the machine back to factory settings after a hard drive replacement. Not only does this set of disks install Windows and all of the drivers and utilities, it also creates the hidden recovery partition too, which should make any future O/S restoration much simpler! So I'm just waiting for those disks to arrive, and then I'll get working on doing the work.

Slightly off-topic, but does anyone have any tips for removing a zero-byte file from a boot drive - I've got one stuck on one of my machines after a failed download, and I can't delete or do anything with it...