XP Formatting

Discussion in 'backup, imaging & disk mgmt' started by sired, Feb 16, 2010.

Thread Status:
Not open for further replies.
  1. sired (Registered Member; joined Feb 5, 2010; posts: 37; location: Bangkok)

    Took infected machine to the shop to fix, as at this point my disk management skills are a bit thin. Stayed with the tech to watch ...

    Infected 320Gb disk had 3 partitions. From what I can remember, the tech deleted partitions C, D & E, then created one 100Gb partition & began the installation, & to me it looked like only the first 100Gb of the drive was getting formatted.

    Question is, as the new OS installed in the new C partition, did the remaining 200 Gb get formatted & wiped? What's going on on the disk at this stage of the procedure? Would viruses get left behind? Isn't it best to format the entire disk before installing etc ... ?

    Do I need to format the disk first then reinstall?
     
    Last edited: Feb 16, 2010
  2. Raza0007 (Registered Member; joined Mar 30, 2009; posts: 1,425; location: USA)

    Deleting a partition and creating a new partition is the same thing as formatting a partition.

    Deleting a partition will permanently remove all viruses and malwares on that partition or drive. Since the tech deleted all your partitions on your drive, your drive will be clean of all viruses/malwares.

    The tech then created a new 100 GB partition and began installation of the OS. I am assuming after installing the OS he will recreate the remaining two partitions too. If this is true then you have nothing to worry about and yes, your infections are all gone from your hard disk.
     
  3. nikanthpromod (Registered Member; joined Oct 9, 2009; posts: 1,369; location: India)

    You cannot open the remaining partitions since those were deleted.
    You have to format the remaining partitions in order to use them.
    All malwares and files will be deleted from your hard disk.
     
  4. aigle (Registered Member; joined Dec 14, 2005; posts: 11,047; location: Saudi Arabia/ Pakistan)

    It's OK. The rest is raw disk and no malware is alive any more. Also, the rest of the raw disk needs to be formatted before you can use it.
     
  5. wtsinnc (Registered Member; joined Oct 3, 2008; posts: 943)

    Hello sired.

    Did you ask that tech the questions you are asking here?

    During the installation process, Windows will format the entire partition on which it is being installed.
    If one 100gb partition was created and XP was installed on it, then it is formatted.
    Having been formatted, it is doubtful that any malware would be left behind in the area that was formatted.

    I always wipe the entire drive, then format, then install an image whenever I choose or need to start over.

    When you enter properties, what is the stated total size of the hard drive?
    Perhaps the tech created a 100gb partition, installed XP (which would have formatted the 100gb partition), and left the remaining space untouched or unallocated.

    Go to Administrative Tools/Computer Management/Disk Management and look at the graphical representation of how your hard drive is currently partitioned.
    If you see one partition and the remainder is unallocated, you can easily create that area into another partition by right-clicking on the unallocated area and selecting "create new partition".

    Post a screenshot of the current state if you are still unclear.

    -And get in touch with that technician, find out what exactly was done, and what guarantee is provided to you that the malware which caused the problem necessitating a reinstall has been removed.
     
  6. aigle (Registered Member; joined Dec 14, 2005; posts: 11,047; location: Saudi Arabia/ Pakistan)

    Hmmm... why do you doubt that a format has not removed the malware?
     
  7. wtsinnc (Registered Member; joined Oct 3, 2008; posts: 943)

    Because some malware can survive a simple format.
    Stacked MBR and the Host Protected Area (HPA) have been known to remain infected following a format.

    Please don't confuse a format with a low-level zero-fill process, and even some methods of zero-fill can leave some areas untouched.

    http://forums.cnet.com/5208-6132_102-0.html?threadID=49909
     
  8. YeOldeStonecat (Registered Member; joined Apr 25, 2005; posts: 2,345; location: Along the Shorelines somewhere in New England)

    That would be expected....if you delete any/all partitions..and then during the XP install process you create a 100 gig partition and format it...once Windows is done installing and you look at My Computer, you will have a 100 gig C drive. To utilize the remaining 220 gigs...you'll have to go into disk management and create/format the remaining 220 gigs into however you want. Once that is done you'll see that/those additional drive letter(s) in My Computer.
     
  9. Raza0007 (Registered Member; joined Mar 30, 2009; posts: 1,425; location: USA)

    I do not believe this is true. A simple format will mark the old MBR, as well as the disk sectors, as empty and create a new MBR. After this the filing system does not have any info on the old MBR and those areas will not be accessed. A virus/malware needs either the OS or the filing system to access it in order for it to infect the computer; they cannot just decide themselves to take a walk and infect the computer.
     
  10. wtsinnc (Registered Member; joined Oct 3, 2008; posts: 943)

    I'm not going to get into a back-and-forth with you about this.
    I provided links from reputable sources and many more are available if you care to look for them.

    Believe what you will, but you are wrong!
     
  11. Raza0007 (Registered Member; joined Mar 30, 2009; posts: 1,425; location: USA)

    Your reputable sources are discussion forums. You may believe whatever you want to believe.
     
  12. blacknight (Registered Member; joined Sep 25, 2007; posts: 2,433; location: Europe)

    Quote. Some rootkits for example can prevent by formatting the MBR and other sectors. I apologize that I don't remember the links now.
     
  13. Raza0007 (Registered Member; joined Mar 30, 2009; posts: 1,425; location: USA)

    Viruses and all other malwares are just software. They need an OS or some source to execute them. They cannot execute themselves. When you format a hard disk, it removes all partition structures and previous data and it marks every sector on the disk as free space. A new MBR is also created that replaces the old MBR. Even if the new MBR is exactly on the same sectors, the old MBR sectors are now marked as free space and now cannot be read by the new OS or the filing system. The OS by default only accesses a sector for reading if it is marked as a data sector in the MBR. If the sector is not marked as data then, regardless of what is stored in the sector, it is treated as free space and that sector is then used only for writing new data. My point is that viruses/malwares need to be executed and once the disk is formatted, they cannot execute themselves.
     
  14. Raza0007 (Registered Member; joined Mar 30, 2009; posts: 1,425; location: USA)

    Right. But if the partition is formatted, then these rootkits are gone from the drive.
     
  15. Raza0007 (Registered Member; joined Mar 30, 2009; posts: 1,425; location: USA)

    This virus is in the BIOS, not on the hard disk. If you start looking at it this way then if your USB flash drive is infected, then even if you get your computer cleaned and then you reinsert the USB flash drive, the virus gets back on the computer again.

    What I was talking about was that a virus cannot survive a format if it is on the hard disk. Formatting destroys all malwares on the disk.

    Edit: Andyman35, what happened to your post!
     
  16. andyman35 (Registered Member; joined Nov 2, 2007; posts: 2,336)

    I deleted that post when I realised you meant malware on the HD not any possible malware.
     
  17. YeOldeStonecat (Registered Member; joined Apr 25, 2005; posts: 2,345; location: Along the Shorelines somewhere in New England)

    You might want to check more into boot sector viruses, not that they're common much anymore, but...well..rather than type myself, I'll quote from a reputable source.
    http://www.f-secure.com/v-descs/virus.shtml

    Of interest from the below quotes are facts such as "A virus traps one of BIOS functions (usually disk interrupt vector Int 13h) and stays resident in memory. "

    Loading into RAM from a BIOS function. Now what's interesting here....came in from the HDD, goes to BIOS..you can wipe/format that drive all you want, even replace the drive with a brand new one..but the drive will simply get reinfected.

    "A boot virus infects Master Boot Record (MBR) or DOS Boot Record (DBR) of a hard drive and Floppy Boot Record (FBR). A boot virus can be overwriting and relocating. An overwriting boot virus overwrites MBR, DBR or FBR sector with its code preserving partition table information or logical drive information respectively. Relocating boot viruses save the original MBR, DBR or FBR somewhere on a hard or floppy drive. Sometimes such action can destroy certain areas of a hard or floppy drive and make a disk unreadable. Boot viruses can also be non-encrypted, encrypted or polymorphic.

    When a computer is started, boot virus code is loaded in memory. A virus traps one of BIOS functions (usually disk interrupt vector Int 13h) and stays resident in memory. A virus then monitors disk access and writes its code to boot sectors of media that is used on an infected computer. For example a boot virus started from a diskette infects a hard drive. Then a virus will infect all diskettes that are inserted in to infected computer's floppy drive."
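
An added example, not part of any post in this thread: the MBR layout that the F-Secure quote above refers to, shown on a constructed 512-byte sector for a 320 GB disk. It models a partitioning tool that rewrites only the 64-byte partition table (an assumption; an installer may also rewrite the boot code), then hashes the boot code and lists the sector ranges that no partition, and therefore no format, covers. All function names are hypothetical.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440   # bytes 0-439 hold the bootstrap code
TABLE_OFF = 446       # four 16-byte partition entries follow; 0x55AA ends the sector

def make_entry(ptype, lba_start, sectors, active=False):
    # status, CHS start (zeroed), type, CHS end (zeroed), LBA start, sector count
    return struct.pack("<B3xB3xII", 0x80 if active else 0, ptype, lba_start, sectors)

def set_partitions(sector, entries):
    """Model a partitioning tool: rewrite only the 64-byte table in sector 0."""
    table = b"".join(entries).ljust(64, b"\x00")
    return sector[:TABLE_OFF] + table + sector[510:]

def parse_mbr(sector):
    """Return (SHA-256 of the boot code, sorted inclusive LBA ranges of partitions)."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR sector")
    parts = []
    for i in range(4):
        _, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFF + 16 * i)
        if ptype:  # type 0 means the slot is empty
            parts.append((start, start + count - 1))
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(), sorted(parts)

def unallocated(parts, total_sectors):
    """Sector ranges (inclusive) that no partition, and so no format, covers."""
    gaps, cursor = [], 0
    for start, end in parts:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

# Constructed sample: 320 GB disk (625,000,000 sectors), placeholder boot code.
TOTAL = 625_000_000
old = b"CONSTRUCTED-BOOT-CODE".ljust(TABLE_OFF, b"\x90") + bytes(64) + b"\x55\xaa"
old = set_partitions(old, [make_entry(0x07, 63, 200_000_000, True),
                           make_entry(0x07, 200_000_063, 200_000_000),
                           make_entry(0x07, 400_000_063, 224_999_937)])
# Delete C, D and E, then create one 100 GB partition, as described in the thread.
new = set_partitions(old, [make_entry(0x07, 63, 195_312_500, True)])

if __name__ == "__main__":
    old_hash, _ = parse_mbr(old)
    new_hash, parts = parse_mbr(new)
    print("boot code unchanged by repartitioning:", old_hash == new_hash)
    print("sectors outside the new partition:", unallocated(parts, TOTAL))
```

On a real disk the same comparison is made by reading sector 0 from an image and checking the boot-code hash against a known-good copy for that OS version.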
     
  18. Raza0007 (Registered Member; joined Mar 30, 2009; posts: 1,425; location: USA)

    YeOldeStonecat,

    You have missed my point, or in fact you have proved what I am saying. A virus has to run from the hard drive to save itself; it cannot survive a format. If a virus is on the hard disk and the hard disk is formatted, the virus is gone.

    However, your system can be reinfected again from the BIOS, removable drive, internet etc., but that is not what started this argument. I read a comment that a virus can still be present on a hard disk after a simple format, by hiding in a hidden sector or somewhere on the MBR, and even zero-filling can leave some areas on a hard disk untouched, which is not true.

    So let me summarize: a virus on a hard disk cannot survive a format. A simple format will cleanse your drive of all viruses and malwares.
     
  19. sired (Registered Member; joined Feb 5, 2010; posts: 37; location: Bangkok)

    Raza, the tech created one new C: partition & installed XP to that, leaving 200GB unused. After the machine had run for a few days I partitioned the 200GB space to D: & E: & Windows did a fast format taking 5 seconds at most. So there was some time interval when the machine was running before C & D were created.
     
  20. blacknight (Registered Member; joined Sep 25, 2007; posts: 2,433; location: Europe)

    The problem is, to give another example, that a rootkit can infect the system, transfer itself into the BIOS (see i.e. this old article: http://www.securityfocus.com/news/11372), and so survive any format.
     