Removing more than just a format would

Tylor Schuessele

Aug 4, 2015
I just formatted my hard drive because it may have had a virus. Now what? Is there a program to overwrite all the remaining data? Would just copying movies until it is full work as well?
 
If you performed a format of the drive, then that's it. Nothing remains after you format, at least, nothing that's potentially still "there". There is no need to do anything further. Just use the drive as you wish now. Might be a good idea to verify there is in fact a virus before wiping all your data though, in the future.
 
There is very little chance a virus survived a full-format. If you did a QUICK format, then filling the drive with movies (like you were wondering about) would work.

Be advised that even the above is not a guarantee. Even a full-format can technically leave a rootkit behind, though I haven't seen this personally. Kaspersky wrote a white paper on this.

To be certain, do a rootkit scan when you are done.
 


This is not correct. Google what a quick format actually does. It does not overwrite anything; it fiddles with the FAT.
 
You're right, sorry. My mistake. I knew that, but was responding to too many posts at once. It does however rewrite the file table.

The only way the files could be accessed again, and it couldn't happen unless you intentionally TRIED to do so, is if you rebuild the volume which isn't something that is going to be affected by a virus that was present prior to the FAT being rewritten.
 
That is why for virus removal a fast/quick format is not considered enough. Best practice calls for a full-format AND a couple of scans afterwards. Ideally two which can detect rootkits. There are 'stubs' which can attach to all sorts of things which, while not the full-virus, can invoke the remains of the virus. Sometimes the lead portion will be nothing but the installer of the virus and can call to the host to get the rest.

Virus-writers are typically not very good coders and not very imaginative. But a few of them are real poo-heads.

This is anecdotal.... meaning a guy told me, not something I saw. I was in charge of IT security and was presented with a virus which "could not be removed". He claimed to have formatted and re-installed, etc. My guess was that some data file was saved with enough of a "bad" macro embedded to invoke the remains of the virus. Because when I formatted and re-installed and scanned we found nothing. Option 2 is that he was not precise or accurate... but I tend to trust him (very smart, PhD in a tech-related job, etc).
 
Solution
As I said, it's generally best to do all of this BEFORE you start formatting stuff, so you can at least verify there is an infection to begin with. Otherwise, you're kind of just chasing ghosts and shadows. Worst case, you end up doing a full format, which is what he should probably do anyhow, now.
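
An added example, not part of any post in this thread: a sector scan that checks whether old data is still on a raw image after a format, run against a constructed toy image to show the quick-format versus full-overwrite difference discussed above. The sector size, table size, image layout and function names are assumptions made for the illustration.

```python
import os
import tempfile

SECTOR = 512         # assumed sector size of the constructed image
TABLE_SECTORS = 8    # assumed size of the toy "file table" region

def nonzero_sectors(path, sector=SECTOR):
    """Return (nonzero, total) sector counts for a raw image file."""
    nonzero = total = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(sector)
            if not block:
                break
            total += 1
            if block.count(0) != len(block):   # any non-zero byte left?
                nonzero += 1
    return nonzero, total

def build_image(path, sectors=64):
    """Constructed sample: a table region followed by old 'file' data."""
    with open(path, "wb") as f:
        f.write(b"\x01" * SECTOR * TABLE_SECTORS)
        f.write(b"OLD-FILE-DATA---" * (SECTOR // 16) * (sectors - TABLE_SECTORS))

def quick_format(path):
    """Model of a quick format: only the table region is rewritten.
    Simplification: a real one writes a fresh, non-zero file table."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR * TABLE_SECTORS))

def full_overwrite(path):
    """Model of a full overwrite: every sector is zeroed."""
    sectors = os.path.getsize(path) // SECTOR
    with open(path, "r+b") as f:
        for _ in range(sectors):
            f.write(bytes(SECTOR))

def demo():
    """Scan the toy image after each kind of wipe."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        quick_format(img)
        after_quick = nonzero_sectors(img)   # data region untouched
        full_overwrite(img)
        after_full = nonzero_sectors(img)    # nothing left
    return after_quick, after_full

if __name__ == "__main__":
    print(demo())
```

The same `nonzero_sectors` scan can be pointed at an image taken of a real drive to confirm an overwrite actually reached every sector.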