ENTIRE HDD Erased!

[gregrocker]

I've never had to zero a drive to remove a trojan or virus and I've been doing it for 15+ years. Your mileage may vary.

My understanding is zeroing isn't to remove infections but to reinstall cleanly when using a previously infected HD.

 

[pallesenw]

Zeroing was the full format offered (and used by most tech enthusiasts) in XP and before. It was removed in Vista.

Uhm, no. Zeroing was introduced with Vista

Change in the behavior of the format command in Windows Vista

"The format command behavior has changed in Windows Vista. By default in Windows Vista, the format command writes zeros to the whole disk when a full format is performed. In Windows XP and in earlier versions of the Windows operating system, the format command does not write zeros to the whole disk when a full format is performed."

 

[gregrocker]

Zeroing was the full format offered (and used by most tech enthusiasts) in XP and before. It was removed in Vista.

Uhm, no. Zeroing was introduced with Vista

Change in the behavior of the format command in Windows Vista

"The format command behavior has changed in Windows Vista. By default in Windows Vista, the format command writes zeros to the whole disk when a full format is performed. In Windows XP and in earlier versions of the Windows operating system, the format command does not write zeros to the whole disk when a full format is performed."

I may be wrong about Vista. I don't go there often, and thought the quick format began then.

But what was the full format in XP?

Heard a lot of complaining when it was dumped in Win7, that it had been zeroing.

 

[pallesenw]

A full format in xp was just quick format plus scanning for bad sectors. Nothing more.

 

[gregrocker]

Differences between a Quick format and a regular format during a "clean" installation of Windows XP

Damn. I always thought it was zeroing when it was chkdsk'ing.

Thanks for clarifying that.

In your opinion, is there any advantage to zeroing?

Some still advise doing it for infected HD's. Wonder why?

 

[CrashOverride]

Best you can do at this point since all the messed up, is do a complete reformat/reinstall. Get a decent firewall like comodo firewall (it's free and works great). And leave UAC turned on (default settings) just in case. Also a basic antivirus like Microsoft Security Essential (free and effective). And be careful of what you download. The Adobe CS4 master collection was that pirated? If so possibly there might have been a virus in there. Also that keylogger...might want to get rid of it! Also while browsing try to use firefox as much as possible with addons like "No script", "Adblock Plus", and "WOT" these addons come in as a very handy security measure while surfing the web. No script will block all unwanted scripts. Adblock will block all stupid adds which could lead to malware. And WOT (web of trust) will warn you of dangerous websites.

 

[IggyAZ]

I read most of the messages here. I really sorry to hear about your computer and HD.
One thing I would like to say is that it seems that your HD gets reinfected each time.
I would suggest you scan all the CD's or DVD's you have and used to install your Projects.
I think you have maybe copied the bad stuff when you made your backup copies.
Good luck and keep us posted on your progress.

 

[Tepid]

In your opinion, is there any advantage to zeroing?

There is and isn't.

Zeroing can eliminate any data that may be accessible by addressing (ie. head, sector, blocks).
If a virus is capable of preforming such a task, then it could reinfect that way.
I do not know if zeroing hits the MBR, etc.

To be honest,, I have never had to zero a drive to eliminate a virus.
If i did it, it was just to wipe out all accessible regions of the drive. Just to make sure there was no data accessible to the OS or anything else. But then I learned about int13 debugging. Basically debug the HDD to set back to factory settings, as I understand it. But, this is not a good idea with Sata drive (i have read) and really bad idea on SSD.

(note: accessible regions) which brings up another caveat to the HDD realm that a lot of people don't know. When a HDD discovers a bad block, it marks that block as unusable. Whatever data was there when marked may get copied to a good block (if possible). That data remains and is never over-written by any software or other means cause the inner workings of the drive say that block no long exists. So, when you wipe a drive, those bad blocks never get touched. Forensics however, can read those blocks, so whatever data is there can be accessed.

In the newest drives, there is a built in command that you can invoke to wipe the entire drive including bad blocks. This won't make them not bad, but it will eliminate the data located there, or attempt to.

This article explains it better than I can.

and more importantly,, this one

and this

Cool eh?

 

[stevieray]

(note: accessible regions) which brings up another caveat to the HDD realm that a lot of people don't know. When a HDD discovers a bad sector, it marks that sector as unusable. Whatever data was there when marked may get copied to a good sector (if possible). That data remains and is never over-written by any software or other means cause the inner workings of the drive say that sector no long exists. So, when you wipe a drive, those bad sectors never get touched.

I wonder if that could be used by a virus to hide in. Trick the HD into thinking that sector is "bad", until it wants to activate itself. Then it could trick the drive again, this time declaring the sector "good" and emerge from its safe cocoon.

 

[Tepid]

I wonder if that could be used by a virus to hide in. Trick the HD into thinking that block is "bad", until it wants to activate itself. Then it could trick the drive again, this time declaring the sector "good" and emerge from its safe cocoon.

To my knowledge you can not set a bad block as good once it is marked as bad by the drive.

Every HDD is alloted a certain number of bad blocks before the HDD will begin to fail or produce errors of eminate failure.

Every HDD already has bad blocks on the drive and there is no way (that I know of) to know how many Bad Blocks exist on new drives. But it is well under what is allotted. You would need to do more research if you want more info on this. I am going off of old memory here.

The only way to make a Block completely disappear (like bad block marking) is by the drive setting the block bad. Otherwise the sector is visible to any software. I could be wrong, or there is some secret black ops type thing, but if it were known,, I think it would common knowledge an we would see software designed to use such a trick for security reasons other than encryption.

You can hide sections of the drive by partitioning and hiding the partition, yes. But this is not the same thing.

Which is also why you need to use the Drives Built-in Secure Erase feature to wipe bad sectors also.

I keep saying Sectors,,, it should be Blocks.... I am going to fix it,, but if you see sector in my previous posts, then I probably actually mean Block

 

[karthurk]

Virtual Girl HD appeared two times since the last time I posted, I deleted it every time and rescaned, no malware found, I start to think that there is some sort of downloader inside my MBR(I deleted it and rebuilt it, hope nothing comes back). I am throughly scanning my projects, burn them again to DVD, and than full zeroing.

 

[gregrocker]

She likes you.

 

[Hakon]

Lol, very true!
I would recommend formatting and installing thing step by step, wait and see when VGirl HD comes back

 

[pparks1]

Virtual Girl HD appeared two times since the last time I posted, I deleted it every time and rescaned, no malware found, I start to think that there is some sort of downloader inside my MBR(I deleted it and rebuilt it, hope nothing comes back). I am throughly scanning my projects, burn them again to DVD, and than full zeroing.

Do you perhaps have another computer on your network that is infected? Or perhaps running an open access point and a neighbor or other unknown wireless user is infecting you?

 

[Etihtsarom]

what is the status of the problem?

 

[karthurk]

Zeroed everything, after a succesfull attempt of VHHD tonight of deleteing all the content on both of my computers .....

Honestly I am sick of this, I am two weeks late on 3-4 projects of mine, my clients are killing me, I am installing MacOSX and continue my work, and when I am done with everything I am going to kill it again and again, btw, how does sound a bios virus?

 

[pparks1]

karthurk,

I feel for you. I don't think it's a BIOS virus. I'm still convinced it's in your data files, or some shady cracked application that you think is fine.

While moving to OSX might help, you say it like it's Windows' fault that you are in this predicament. Poor choices as an end user can cause problems in both operating systems.

 

[karthurk]

Honestly the only apps that I need are Photoshop and Dreamweaver at the moment to finish everything I have to do ... Anyhow, no more Christmas for me ... WORK WORK WORK. Who said Santa Clause doesn't exist?

I'm gonna reinstall win7 after this is done with all of my drives zeroed, I am not gonna copy any of my projects and if VGHD returns .... oh well, I'll see then.

 

[Lordbob75]

Karthurk, do you use a router or a network storage drive?

~Lordbob

 

[karthurk]

writing with wirtual keyboard, gonna be brief, just poured juie. i have a d-link di524 router