Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

windows reinstall question


  • Please log in to reply
3 replies to this topic

#1 amara_racing

amara_racing

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 04 August 2009 - 12:50 PM

Hi,

Recently my pc has been infected with system security 2009 and trojan.tdss rootkit. I've searched on the forum and learned that I should format and reinstall my pc.

So my question is, will formatting get rid of the rootkit and its possible backdoors for sure? Because i also learned that formatting doesn't actually erase the files.

Additionally, I've formatted and reinstalled windows on a different pc before. I remember using recovery console to format and using the text-based windows to do the reinstall. But when i looked it up again this time, all i found was the directions for using the text-based windows to delete the partition and then format it. Is there any different between the two methods?

My pc was a emachine one with C drive being the ntfs system and D drive, the recovery partition, being fat system. Now i don't want to leave the D drive behind because I'm afriad that the rootkit or whatever else there may be might also infected the D drive. So in terms of partitioning my drives, i can just get rid of the C and D and make one ntfs C drive correct?

Thanks

Oh, also, i should use quick format because I'm reinstalling, not installing the first time, right? I read that full format checks for bad sectors, which then I reasoned shouldn't have anything to do with getting rid of virus.

Edited by amara_racing, 04 August 2009 - 12:54 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:58 AM

Posted 04 August 2009 - 01:30 PM

Yes and yes it will. I am assuming you have XP.

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 amara_racing

amara_racing
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 06 August 2009 - 09:30 PM

Hi,

Thanks for the reply. I didn't expect an answer so fast :thumbsup:

My question is, is a low level formatting a common practice to clean an rootkit infection or is it something that's "good practice"?
I heard that a zero fill would take a long time, compared to quick format/install, which only took about an hour.

In terms of backup, I just copied my important folders into my external harddrive. I didn't really have much options to back up the files that's not exe, although most of them are just data files.

I reformatted the computer because I read that even if I do all the stuff to remove the rootkit, it may still leave backdoors behind, which I assume cannot be detected by my antivirus and antimalware programs.

I don't know a lot about computers. So the purpose of the "backdoor," is it to reinstall the rootkit, or to access the target pc directly? Because if latter is the case and anti software can't detect the backdoor, can't the virus/rootkit just uninstall itself so that the owner of the computer would never know that something has happened? Basically, I want to ask if after formatting (not 0 filling), there still is a chance of having backdoors in my windows or pc and my anti software would fail me in detecting them.


I didn't really get the program to list all my drivers etc (guess I should have). Only got my important folders. However, I did locate a webpage that has all the drivers for my pc model. Since I have tons of files and they're mostly unorganized, Backuping up the files one by one wasn't an option.


Also, I noticed that in the first windows reinstall link you gave me, the instruction said to do a full format as opposed to a quick one. As I already did the quick format (haven't connected to the internet yet), should I redo it over with the "full" option? I just want to be sure. From what I've read, full formatting scans for physical damages to the harddrive, which should be unrelated to rootkit right?

Edited by amara_racing, 06 August 2009 - 09:50 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:58 AM

Posted 07 August 2009 - 08:45 AM

Hi, We believe it is a good ,safer practice..
Low-level formatting is the process of outlining the positions of the tracks and sectors on the hard disk, and writing the control structures that define where the tracks and sectors are. This is often called a "true" formatting operation, because it really creates the physical format that defines where the data is stored on the disk. The first time that a low-level format ("LLF") is performed on a hard disk, the disk's platters start out empty. That's the last time the platters will be empty for the life of the drive. If an LLF is done on a disk with data on it already, the data is permanently erased.

After the format and I feel the low level is even more secure nothing (malware survives). The backdoor if it survives/exists can call home, That is what it wants to do. Find what it's after and send that to it's host. So the Full format is needed over the quick. We don't want to leave behind a file of it that could later be triggered and reactivate this,

Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users