
Reformat vs FRestore


10 replies to this topic

#1 nCharge

Posted 14 March 2013 - 07:45 AM

Hey,

In particular cases of infection, we should consider reformatting in order to ensure no hidden malware remains.
That said, how about the option called "Factory Reset" from either a clean & safe hidden partition on the hard drive or a CD?

Can a factory reset (from a clean source) remove infections like a classic reformat?
(What a factory reset does is reformat the drive and then put back the "pre-installed" software like an AV trial, basic drivers...)


Edited by nCharge, 14 March 2013 - 07:45 AM.




#2 quietman7 (Global Moderator)

Posted 15 March 2013 - 09:25 AM

Reformatting refers to formatting a hard disk (or partition) that has already been formatted. It is the process of configuring the disk with a file system and enabling it to read and write data so the operating system can store information on the disk. Reformatting deletes all data previously stored on the hard drive, but some of it may be recoverable with special tools.

What Does Formatting a Hard Drive Do?
Formatting disks and drives



Most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore". Read Technology Advisory Recovery Media.

A Recovery Disk is a CD-ROM or DVD data disc that contains a complete copy/image of the entire contents of the hard drive that will restore the system to its factory default state at a certain time. Essentially, it will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft so you will need to download/install them again.

Some factory restore CDs give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer. Before using a factory recovery disk make sure you back up all your data, photos, etc to another source such as a CD or external hard drive. If you do a Google Search, you will find links to topics on how to obtain a replacement recovery disk from various vendors.

A Recovery Partition is used by some OEM manufacturers (Dell, HP, IBM, Gateway) instead of a recovery disk to store a complete copy of the hard disk's factory default contents for easy restoration. This consists of a hidden bootable partition containing various system recovery tools, including full recovery of the preinstalled Windows partition that will allow you to restore the computer to the state it was in when you first purchased it. The recovery software will then re-hide its own partition after creating a new partition and installing the software to it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft so you will need to download/install them again.

Recovery partitions may only work with a start-up floppy disk (on older computers), or the user may be prompted immediately after the "Out Of Box Experience" (OOBE) to create backup CD-R discs of the software on the hard drive image for future use. Once the CDs are made, the Operating System, Drivers, or Applications can be reinstalled using the files on the hard drive or the backup CDs. Before using a recovery partition make sure you back up all your data, photos, etc. to another source such as a CD or external hard drive.

If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support or charge a small fee.


BTW, if you have made a disk image with an imaging tool (e.g. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) before your system was infected, then using it is another option. Disk imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was in when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 nCharge (Topic Starter)

Posted 17 March 2013 - 07:57 AM

I understand what reformatting and factory reset are.

1) But technically, against malware, do they clean the drive as efficiently as each other?

2) When searching in forums, I can see "X resists formatting" posts: can a malware really resist formatting/factory reset? (If using a clean CD/hidden partition, etc.)



#4 quietman7 (Global Moderator)

Posted 17 March 2013 - 04:28 PM

There are no guarantees or shortcuts when it comes to malware removal. Infections and severity of damage will vary. While there are some types of malware which may resist reformatting (or a factory reset), in most cases such action will get rid of the infection.

For example, some TDSS rootkit variants and Bootkits can alter (overwrite) the Master Boot Record (MBR) of the system drive or create a hidden partition table to ensure persistent execution of malicious code.

Other security related articles report researchers have demonstrated in a test environment a new type of malware that could install a rootkit on the BIOS of common systems and survive hard disk wiping.
 
New BIOS Virus Withstands HDD Wipes
BIOS-level rootkit attack scary, but hard to pull off
Mebromi, a bios-flashing trojan

Fortunately, as these articles note, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for attackers to use such an exploit on a grand scale.

#5 nCharge (Topic Starter)

Posted 18 March 2013 - 08:38 AM

Thank you for this info.

Does "Bootkit" refer to "MBR Virus" or "Boot Sector Virus" or "Boot Sector attacking Rootkit"?

Then, for the examples you are referring to: TDSS variants can be detected via an AV Live CD such as Kaspersky's; how about bootkits? Can they be detected using a Live CD? What tools do we have to scan for them?



#6 quietman7 (Global Moderator)

Posted 18 March 2013 - 01:46 PM

Look at the Glossary of Malware Related Terms which includes details you are inquiring about.

There are specialized tools for this type of malware (e.g. aswMBR, TDSSKiller, ComboFix) but we recommend they be used under the guidance of a trained expert in case something goes wrong.


LiveCD/Rescue CD utilities may or may not work...depends on the security vendor and how their product detects/removes malware.

#7 nCharge (Topic Starter)

Posted 18 March 2013 - 04:06 PM

According to virusbtn: "A boot sector virus is a virus that infects the master boot record of a storage device"

According to Kaspersky: "A bootkit is a type of malware that infects the Master Boot Record (MBR)"

So, boot sector virus = bootkit = MBR virus, right?

You say these are specialized tools, but can a classic AV like Avira Free (in my case) detect these threats? Or are bootkits exclusively detected by aswMBR and such?


Edited by nCharge, 18 March 2013 - 05:02 PM.


#8 quietman7 (Global Moderator)

Posted 18 March 2013 - 05:10 PM

There is no guarantee an anti-virus will detect or remove all variants of a threat, especially newer variants. That's why even the anti-virus vendors offer specialized tools. You would need to check with the vendor.

BTW, you don't just run some of these specialized tools to see if they find anything...they don't work like typical scanning programs.

If you were infected with this type of malware you would be experiencing problems with your computer. These are some examples (not all will be present, as signs depend on the malware variant and extent of infection).

Signs of infection seen with Mebroot:
1. When attempting to log into ebay, Paypal, gmail, Yahoo! mail, user is redirected to a phishing screen asking for personal info (SS number, Credit card number, ATM pin). <- seen more with MBR infection
2. Random Audio/Radio/Voice ads & sounds such as "Congratulations You've Won" audio.
3. Commercials in foreign languages.
4. Pop ups when no browser is open.
5. Mouse clicking sounds.
6. BSOD and Stop 0x0000007B error message while booting the system.

Signs of infection seen with TDSS:
1. Google search results redirected as the malware modifies DNS query results.
2. Infected (patched) files like atapi.sys, iastor.sys and others in the Windows drivers folder.
3. Internet Explorer opens on its own.
4. BSODs, slow computer and poor performance.
5. Random Audio/Radio/Voice ads.
6. Repeated fake alerts indicating the computer is infected.
7. Frequent IExplore.exe instances.
8. Symantec Anti-virus reports: [SID: 23615] HTTPS Tidserv Request detected, HTTP Tidserv Request detected.

Signs of infection seen with TDL4, TDL4/MaxSS bootkit:
1. Redirections in all browsers.
2. Infected consrv.dll file which places various files in a random folder in the systemroot\INSTALLER folder.
3. Hidden malicious partition <- cannot be modified through Disk Management within Windows.
4. Presence of C:\WINDOWS\$NtUninstallKB3057$, %WinDir%\$NtUninstallKB32069$, etc folder
5. Booting issues.
6. Affects both x64 and x32 Windows
7. Infected/modified Master Boot Record (MBR)
8. Infected/modified Partition Table
9. Infected/modified VBR (volume boot record)

If you're experiencing any of these problems you can get expert help in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
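Added example, not from the thread or from any of the tools named in it: a small Python audit of a raw MBR that checks the things quietman7 describes in posts #4 and #8 (boot code overwritten, partition table modified, a hidden partition marked active, space at the end of the disk that Disk Management never shows). It compares the boot code and the partition table against baselines captured when the machine was known clean, then applies a few consistency heuristics. Everything below is constructed in the script: the 512-byte sectors, the disk size, the partition layout and the baselines; the allow-list of partition types that Windows normally boots from and the 1 MiB unallocated-tail threshold are my heuristics, not anything the post states.

```python
"""Audit a raw MBR (first 512 bytes of a disk) for bootkit-style tampering.
Constructed example: sample sectors are built in memory, no disk is read."""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55             # bytes 0x55 0xAA at offset 510, read little-endian
TABLE_OFFSET = 446                 # boot code occupies bytes 0..445, then 4 x 16-byte entries
ENTRY_FORMAT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
EXPECTED_ACTIVE_TYPES = {0x07, 0x0B, 0x0C}   # heuristic: NTFS / FAT32, what Windows boots from
TAIL_THRESHOLD = 2048              # heuristic: >1 MiB unallocated after the last partition


def parse_mbr(sector):
    """Split a 512-byte sector into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest(),
            "entries": entries,
            "signature": struct.unpack_from("<H", sector, 510)[0]}


def audit_mbr(sector, disk_sectors, known_bootcode_sha256, baseline_table=None):
    """Return a list of findings (strings); an empty list means nothing looked odd."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("bad boot signature 0x%04X" % mbr["signature"])
    if mbr["bootcode_sha256"] != known_bootcode_sha256:
        findings.append("boot code differs from known-good copy")
    if baseline_table is not None and sector[TABLE_OFFSET:TABLE_OFFSET + 64] != baseline_table:
        findings.append("partition table differs from baseline")
    # Only populated entries matter; sort by start LBA so overlap/tail checks are simple.
    used = sorted((e for e in mbr["entries"] if e["type"] != 0), key=lambda e: e["lba_start"])
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02X" % (e["index"], e["status"]))
        if e["status"] == 0x80 and e["type"] not in EXPECTED_ACTIVE_TYPES:
            findings.append("entry %d: active partition of unexpected type 0x%02X"
                            % (e["index"], e["type"]))
        if e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append("entry %d: extends past end of disk" % e["index"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    if used:
        tail = disk_sectors - (used[-1]["lba_start"] + used[-1]["sectors"])
        if tail > TAIL_THRESHOLD:
            findings.append("%d unallocated sectors after the last partition" % tail)
    return findings


def build_mbr(bootcode, entries, signature=MBR_SIGNATURE):
    """Assemble a 512-byte MBR from boot code and up to four
    (status, type, lba_start, sectors) tuples. Used here only to construct samples."""
    sector = bytearray(bootcode[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\x00"))
    for status, ptype, lba, count in entries:
        sector += struct.pack(ENTRY_FORMAT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector += b"\x00" * (16 * (4 - len(entries)))
    sector += struct.pack("<H", signature)
    return bytes(sector)


DISK_SECTORS = 2_000_000                               # constructed ~1 GB disk
CLEAN_BOOTCODE = b"\xEB\xFE" + b"\x90" * 444           # constructed placeholder boot code
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [
    (0x80, 0x07, 2048, 204800),                        # active NTFS system partition
    (0x00, 0x07, 206848, 1_792_000),                   # Windows partition, 1152 sectors short of disk end
])
# Baselines you would capture while the machine is known clean (here taken from the sample).
CLEAN_BOOTCODE_SHA256 = hashlib.sha256(CLEAN_MBR[:TABLE_OFFSET]).hexdigest()
CLEAN_TABLE = CLEAN_MBR[TABLE_OFFSET:TABLE_OFFSET + 64]

# Constructed "infected" MBR modelled on the thread's description: boot code replaced,
# the real system partition de-activated, and a hidden partition in the former tail
# marked active so the bootkit's code runs before Windows.
INFECTED_MBR = build_mbr(b"\xEB\xFE" + b"\xCC" * 444, [
    (0x00, 0x07, 2048, 204800),
    (0x00, 0x07, 206848, 1_792_000),
    (0x80, 0x17, 1_998_848, 1152),
])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, audit_mbr(mbr, DISK_SECTORS, CLEAN_BOOTCODE_SHA256, CLEAN_TABLE) or "no findings")
```

On a real machine you would read the first sector with administrative rights (for instance from \\.\PhysicalDrive0 on Windows or /dev/sda on Linux), and you would do it from a trusted boot medium rather than from the running OS, because a rootkit that hooks disk I/O can hand back a clean-looking sector. The comparison against baselines captured when the machine was known clean is the reliable part; the heuristics only point at entries worth examining, and a legitimate OEM recovery partition of an uncommon type will show up as a finding too.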

#9 nCharge (Topic Starter)

Posted 18 March 2013 - 05:39 PM

"There is no guarantee an anti-virus will detect or remove all variants of a threat, especially newer variants. That's why even the anti-virus vendors offer specialized tools. You would need to check with the vendor."

I mean, do AVs (such as my Avira Free) include the 'Bootkit' category in their database? (I know no AV can detect 100% of variants)



#10 quietman7 (Global Moderator)

Posted 18 March 2013 - 06:45 PM

I have never used Avira Free. Further, each security vendor uses their own naming conventions to identify various types of malware and scanning engine to detect and remove threats. You need to check the vendor's documentation and website for specifics on detection and specialized tools.

A quick look at the Avira User Manual indicates it checks for Boot sector viruses and Rootkits. It also says "If your Avira product is unable to perform the repair, you can download a special tool for detecting and removing boot sector viruses."

Kaspersky is similar and TDSSKiller is their specialized tool.

#11 nCharge (Topic Starter)

Posted 19 March 2013 - 09:36 AM

May I ask you the difference between AVs and "tools"? Are AVs meant to be used for general scanning and malware detection, and tools for when we really know we are infected by a particular malware?

Thus, tools are not made for regular scanning (that's the job of AVs and anti-malware programs)?
