Thanks for the thread, interesting reading. This is a topic that I've been reading about recently, i.e., sanitizing an infected HDD, recovering from malicious content without the use of malware-removal experts.
That's an amazing track record, since 1995. My batting average isn't even at "AAA" level compared to your major league stats.
On average, I've been affected by some kind of unwanted intrusion about once every 1.5 years or so since my home 'net use began in 2004, but the rate has declined. The last occurrence was in Nov 2012, an "FBI" malware variant.
One thing that I've seen in my own experiences with malicious intrusions is that sometimes things happen even when exercising the usual cautious practices, i.e., no e-mail attachment openings, no suspicious 'net site visits, etc.
The last time, with the FBI screen ransomware, I was at a reputable site which I've visited twice-daily for years. I'm guessing that the intrusion penetrated my AV defenses via a 3rd-party ad route but that's just a guess.
The point is, I was careful but still got hit by an intrusion. Fortunately, by that time, I had been cloning and imaging on a periodic basis. I removed my original "C" HDD and installed the cloned spare and was running normally in minutes. I later booted up on "Gparted" (HDD utility tool) and removed the partitions from the affected HDD and recloned back to it from the spare HDD. After testing the previously-infected HDD (booted up and ran on it a while), I returned it to service as a cloned spare HDD.
Since then, I've read more about a few instances where a rootkit or other difficult-to-remove malicious object can sometimes survive a standard format and, in less frequent instances, removing partitions on the HDD.
Due to that, I read more about the topic so as to have a couple of alternative plans in the event that future HDD sanitizing is required.
Fortunately, from what I've read here and elsewhere, BIOS/firmware/CMOS intrusions are rare. I've been curious about UEFI PCs, i.e., Windows 8[.1], GPT HDDs vs. MBRs, and how that's working for Win 8 members here and elsewhere. I haven't looked into that much yet since I'm running Win 7 on my PCs, but a friend has asked me to check it out, so I'm starting to do that.
I want to be clear; I think the malware-removal experts serve a very valuable avenue of recovery for many PC users. My approach is just a personal choice that I want to learn about, to be able to recover locally without seeking assistance.
My nephew, years ago, mentioned the same thing that quietman7 referenced in his post, the part about recommending a HDD clean and reinstall in the event of malicious infections, or to be more specific, a rootkit or one of the more difficult types of malicious intrusions into one's HDD.
Since I don't like to reinstall (who does?), reload all programs, etc., I chose to pursue and learn the cloning/imaging scene.
I've recovered twice over the years with this method so I guess it's "so far, so good" for now.
I realize that it may not be a cure-all, in the event that I have an unknown dormant infection that may have a delayed-trigger mechanism included in the code.
Since that's a possibility, although from what I've read, rare, I have several full-HDD images stored on a disconnected HDD with the images taken over several months' time.
To summarize my thoughts about this, it would seem that there are 2 main points that need to be known:
- Is the malicious intrusion confined to the HDD? In other words, are the BIOS/Video Card BIOS/CMOS EEPROM components of the PC affected? From everything I can find to read about this specific concern, those incidents seem to be very rare.
- If the HDD alone is affected, then one would need to formulate a plan for restoring the affected HDD to clean operational status as the cloned backup HDD.
That may be accomplished by several methods, i.e., secure-erase utilities. I've used the "Diskpart" utility within CMD to run the "clean" command, which marks all content for deletion, including any hidden partitions ("HPAs").
Diskpart also provides a one-pass secure erase command, "clean all". The CMD prompt can be accessed via a Windows System Repair CD.
If the PC user is maintaining a periodic full-HDD Imaging or Cloning schedule, it would seem to me that a HDD (OS) reinstall shouldn't be required to recover from malicious intrusions.
In the rare event of any firmware infections, there are also some things that can be tried to restore the PC's functionality.
Thanks to member TsVk! for providing some of the following ideas about this topic.
- Power off the PC. Desktops: remove AC power, press and hold the power switch to discharge residual capacitor voltages and to ensure that the RAM is fully reset/emptied of any stored content.
- Remove the CMOS battery for a few minutes. In the event that the BIOS IC has been compromised and a reflash doesn't restore it to operational status, all may not be lost.
I have my BIOS backed up on a .ROM file just in case I need to reflash but if that didn't fix an infected BIOS IC, there's another alternative to pursue.
If the PC is a Desktop model, inspect the motherboard to see if the BIOS IC is socketed (removable). With my Asus board, the BIOS IC is a "DIP 8" design and removable. I can order a BIOS IC online that comes flashed with the BIOS version of my choice, for about $14.00 U.S.
In the event of a more involved issue, such as the Video Card BIOS containing the malicious object, I have a .ROM BIOS file saved on a backup HDD. I've never flashed a Video Card's BIOS though, wouldn't want to try that except as a last resort.
I figure the odds of encountering an issue outside of the HDD are somewhat rare. I've only been able to read a few posts around the 'net where such cases seemed to have been verified.
Here's what I'd do in the event of future malicious intrusions into my HDD:
- Shut down PC. Remove AC power from tower. Leave PC powered down for a few minutes to allow power supply to discharge, push power button on, etc.
- Remove all HDDs from tower except for the infected "C" HDD.
- Boot up into the Windows System Repair CD.
- From CMD prompt, select the "C" HDD. Run the "clean" command.
* Optional: Run the "clean all" command. I'd probably not do that to see if the "clean" command was all that was needed to render all malicious content benign.
- Shut down PC. Install my cloned spare from the shelf into my PC in one of my SATA bays. Keep the original "C" HDD installed.
- Boot up on a cloning media, Acronis in my case. Clone back to the original "C" HDD.
- Shut down PC. Remove the cloned spare. Keep the original "C" HDD installed. Boot up and see if all's ok.
I've recovered twice over the years with some of these steps. Having read more information the past couple of years, I'd include all the above steps if I encounter another malicious intrusion.
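The "select the infected C disk, run clean, then verify" steps above, scripted as an added example (this is not code from the original post or from any tool mentioned in the thread). It uses diskpart's documented `/s` script-file mode and adds the two checks a careful operator wants before wiping: that exactly one disk is attached (the "remove all other HDDs" step) and that no partitions remain afterwards. It assumes PowerShell is available in the recovery environment (WinRE from Windows 8 onward, or a WinPE image with the PowerShell component added); `$TargetDisk` is a placeholder for the diskpart disk number of the infected drive.

```powershell
<#
  Added example, not code from the original post. Wipes the partition table
  of the infected system disk with diskpart and verifies the result.
  ASSUMPTION: $TargetDisk is the diskpart disk number of the infected "C" HDD
  (placeholder, confirm with "list disk" first).
#>
param(
    [int]    $TargetDisk = 0,   # ASSUMPTION: diskpart number of the infected "C" HDD
    [switch] $ZeroFill          # use "clean all" (one-pass zero fill) instead of "clean"
)

function Invoke-Diskpart {
    param([string[]] $Commands)
    # diskpart /s <file> runs commands from a script file; this avoids relying
    # on stdin piping and returns the console output for inspection.
    $tmp = Join-Path $env:TEMP ("dp_{0}.txt" -f [guid]::NewGuid())
    $Commands | Set-Content -Path $tmp -Encoding ASCII
    try     { & diskpart.exe /s $tmp 2>&1 }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

# 1. Enumerate disks. diskpart prints one "Disk N ..." row per attached drive.
#    Refuse to continue unless the infected drive is the only one present.
$listing  = Invoke-Diskpart @('list disk')
$diskRows = @($listing | Where-Object { $_ -match '^\s*Disk\s+\d+\s' })
if ($diskRows.Count -ne 1) {
    throw "Expected exactly one disk attached, found $($diskRows.Count). Remove the others first."
}
if ($diskRows[0] -notmatch "^\s*Disk\s+$TargetDisk\s") {
    throw "The only attached disk is not disk $TargetDisk. Aborting:`n$($diskRows[0])"
}

# 2. Show the operator what is about to be wiped and require explicit consent.
Invoke-Diskpart @("select disk $TargetDisk", 'detail disk') | Write-Host
$cleanCmd = if ($ZeroFill) { 'clean all' } else { 'clean' }
$answer   = Read-Host "Type WIPE to run '$cleanCmd' on disk $TargetDisk"
if ($answer -cne 'WIPE') { throw 'Cancelled by operator.' }

# 3. Wipe. "clean" discards the partition table; "clean all" also zero-fills
#    every sector, which takes hours on a large drive.
Invoke-Diskpart @("select disk $TargetDisk", $cleanCmd) | Write-Host

# 4. Verify: after a successful clean, "list partition" reports that there are
#    no partitions on the disk (string check against diskpart's English output).
$after = Invoke-Diskpart @("select disk $TargetDisk", 'list partition')
if (($after -join "`n") -notmatch 'no partitions') {
    throw "Disk $TargetDisk still shows partitions; do not clone onto it yet.`n$($after -join "`n")"
}
Write-Host "Disk $TargetDisk is clean; safe to clone the spare back onto it."
```

Run it from the recovery prompt as `.\Wipe-InfectedDisk.ps1 -TargetDisk 0`, adding `-ZeroFill` for the "clean all" variant. The single-disk check is deliberate: the most common way a wipe goes wrong is cleaning the spare or an image drive instead of the infected one, so the script fails closed rather than trusting the disk number alone.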