Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Can virus/program/ anything stay after a full reformat?

  • Please log in to reply
3 replies to this topic

#1 vox345


  • Members
  • 16 posts
  • Local time:04:39 PM

Posted 14 April 2012 - 05:29 PM

Suppose: I have a computer. I connect it to the internet to update windows, download some programs, etc, then disconnect it from the internet and never hook the internet back up until after I do a full reformat of windows. Could any sort of Trojan/virus/malware/hack programs etc be attached to the computer during the time it had internet and still be on it to relay info after it was fully reformatted and connected to the internet again?

BC AdBot (Login to Remove)


#2 Animal


    Bleepin' Animinion

  • Site Admin
  • 35,905 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:01:39 PM

Posted 14 April 2012 - 07:17 PM

As long as you reformat the hard drive prior to reinstalling the OS again, any malware will be obliterated by the format process. This is not to say that any programs or applications you might save and reintroduce after the nuke and repave will not reinfect you.

But as far as the reformat and OS re-install, no you'll be fine.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)

A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)

"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

Follow BleepingComputer on: Facebook | Twitter | Google+

#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,734 posts
  • Gender:Male
  • Local time:10:39 PM

Posted 15 April 2012 - 06:35 AM

It is possible, but very rare. There is malware in the wild that will modify your flash BIOS so that it can reinfected a new disk. But this only works on a very specific model of PC (Award BIOS).

In general, you don't have to worry about this, because it is very rare: there is extremely few malware in the wild that does this, and said malware can only do this on a very limited set of machines.

For more technical details:

Didier Stevens

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,907 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:39 PM

Posted 16 April 2012 - 01:23 PM

Bios virus's are very rare and those which are known have been found primarily in older Windows operating system versions like 9x/NT. These types of virus's erased the BIOS of flashable BIOS's resulting in a machine that would not boot properly and on certain chip sets, the virus was reported to flash the BIOS.

BIOS viruses that affected 9x/NT machines included:
  • Win95/CIH infected program executable files and caused damage to systems with a flash BIOS ROM by attempting to reprogram the flash BIOS ROM chip. There was no remedy, other than replacing the chip or having it “reflashed” by a hardware service agent. If the flash BIOS ROM was permanently attached to the mother board, the entire motherboard had to be replaced. It was hardware-specific, affecting some PCs and not others. Some motherboards can have their flash memory write-disabled, making them immune to the virus.
  • W32.Kriz infected program executable files, modified the kernel32.dll file and directly attacked the code stored in the flash ROM chip making the computer unbootable.
  • Troj/Flashkill was repoprted to destroy the first megabyte of data on a hard disk and wipe out the contents of the BIOS chip.
  • W32.Magistr.24876@mm erased CMOS and the Flash BIOS (Windows 9x/Me only).
  • W32.Mypics.Worm monitored the system clock and when it detected the year 2000, the worm would modify the system BIOS. On the next reboot attempt, the computer would usually display a message such as "CMOS Checksum Invalid" and prevent the computer from booting.

More recent articles indicate researchers have reported a new type of attack that could install a rootkit on the BIOS of some systems. In addition to the link provided by Didier Stevens, here are a few more articles.

Fortunately, as these articles note, its highly unlikely you will encounter a BIOS-level scenario as it is not practical for attackers to use such an exploit on a grand scale.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users