
Will a recovery clean the hard drive



I am working on a friend's computer that is badly infected with everything. If I boot to the recovery program where I can restore the computer to its original factory state, will the hard drive be wiped clean of all viruses, trojans, root kits etc.? I do not have the Windows 7 discs, so I can't run a program to clean the hard drive because I am afraid it will also wipe out the recovery partition. Thanks, Mike



There are two types of recovery, destructive and non-destructive. Do the former and you'll be fine.

But that may depend on the actual way the recovery process has been designed by the manufacturer, or - if you prefer - on the exact contents of the recovery partition and the exact way those contents are deployed to the OS partition.

jaclaz


Thanks X and jaclaz for the replies. I am not convinced I need to restore the OS yet as everything is now working great after running several scans with Avast, MSSS, Malwarebytes, CCleaner etc. The only problem is that when I try to run a FULL scan of anything it takes days to complete. The QUICK scans go ok, maybe ten or fifteen minutes, but not the FULL scans. I might start another post and start from the beginning. Thanks, Mike



Maybe you could boot from a PE of some kind, and attempt the "full scan" on the "offline" filesystem/system (that could be able to remove the "bigger part").

Then boot "normally" and perform only a scan of Registry, RAM and "running files".

I would personally - next thing - have a run with Combofix:

http://www.combofix.org/

as it is usually one of the most effective tools for "bad things" that are "live".

jaclaz


jaclaz, I tried that Combofix you suggested. It only found 4 tracking cookies. I am just about ready to do a system recovery. I found out how to make the system recovery discs, so now I feel safe running that program I have called Wipe Drive Pro. That program should wipe the entire HD clean. I have the option to do 7 passes, but usually one pass is sufficient. As I said above, everything seems normal, but there has to still be a problem that Malwarebytes takes several hours to run, and when I tried to run MSE with a Full scan, it was only about 10% complete after 8 hours. So it is probably best I wipe the entire HD and reinstall everything for my friend. Thanks again, Mike


Not only does it make NO sense whatsoever to wipe a hard disk (if not in the single case where you are going to sell or dispose of the hard disk, for privacy reasons), it will take HOURS and it will needlessly stress a hard disk, and generate a lot of heat that, particularly in the case of a laptop, may be complex to dissipate/reduce properly.

In any case "Wipe Drive Pro" (not that product particularly, that one like any of the tens of senselessly complex software solutions) is, more than "fluff", "pure Bull§hit™" (and you actually pay money for it :w00t:).

There is NO NEED whatever for "military grade", "several passes", "passes with random data" and all the FUD that has been spread around since the (in)famous Peter Gutmann's paper (and its worldwide misinterpretation).

JFYI:

http://www.forensicfocus.com/Forums/viewtopic/t=10808/

If you really-really want to ( unneededly :() "wipe" that disk, apply a single pass of 00's to the actual volume or \\.\LogicalDrive (i.e. format the volume under Vista or later WITHOUT the /q switch) and be done with it.

jaclaz


jaclaz---Now I am confused. My original question was if I booted the computer to the recovery program that restores the computer to its original factory state, would all viruses, trojans, malware be wiped.

"X" replied in post #2 that there are two types of recovery, destructive and non-destructive, and if I did the former I would be "fine". You replied in post # three that "that may depend ... etc." So, that I completely understand. I ask again. If I boot to the recovery partition, or whatever it is called, where I have the option to restore the computer to its factory state (which I believe starts with a format), will the computer be cleaned of any viruses, trojans, malware etc.? I was unclear with the replies, so that is why I asked about running Wipe Drive Pro. Thanks, Mike


The confusion may be because nobody here is exactly sure what the structure of the drives is and how the factory re-setting interacts with them. Any malware located anywhere other than the System Disk may not be removed by a 'factory restore'.

I would say, however, that if I'd successfully run the scanners you've mentioned on a system, I'd need a much better reason to restore, wipe or re-install anything than you've given thus far.


FWIW, you could get a LiveOS (e.g. LiveLinux of some kind) ISO, burn it, boot to it, and have a look at your HDD to determine "what's what" (structure, alterations etc). The Recovery Disks you (apparently) made won't restore the Recovery Partition and you'll forever be beholden to them. (Generally) Vista/7 has the Recovery Images in the "Boot" (first) partition and is (generally) hidden from the running OS (second) partition. Bet that's what you'll "see".


@mike13

There are several "methods" through which a "recovery partition" can be implemented.

The most common one is a "disk image"->basically a "snapshot" is taken in factory on a "given machine", and when you initiate the recovery the whole disk is overwritten with the content of the image.

If this is the case, there is no need to partition, format or wipe, once the recovery image has been restored the whole disk is EXACTLY like it was at the time the PC was first switched on the first time.

In some cases the recovery partition may instead contain a sort of "unattended install", i.e. something that once run will re-install without user intervention the OS.

If this is the case every file that is part of the OS install will be overwritten by the "original", but files belonging to anything else may be left on the hard disk.

In some (few) cases the user can even choose to perform the first (what -X- defined "destructive") or the latter (what -X- defined as "non-destructive").

There may be even "intermediate" approaches, just as an example a "smart" sort of installer that only re-formats the system volume if the filesystem is found to be invalid (but leaves it "as is" if CHKDSK or the like does not find any error) or something that (say) leaves data in the "C:\Documents and settings\<username>" (or whatever "user" folder) untouched.

Without knowing the make/model of the actual PC or - better - the contents of the "recovery partition" it is hard to say which "type" of recovery the manufacturer has implemented and thus the effects it produces.

jaclaz
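
Added example (not part of any post in this thread): a small Python script of the kind you could run from a live Linux boot to see "what's what" on the disk, listing the primary partitions in an MBR and flagging the ones whose type byte marks a hidden OEM/recovery partition. It assumes an MBR-partitioned disk with 512-byte sectors; the sample sector and the type-name table are constructed for illustration.

```python
import struct
import sys

# Well-known MBR partition type bytes (subset); 512-byte sectors are assumed.
TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
         0x12: "OEM diagnostics/recovery", 0x27: "hidden NTFS / Windows RE",
         0xDE: "Dell utility", 0xEE: "GPT protective (table is in GPT, not here)"}
RECOVERY_TYPES = {0x12, 0x27, 0xDE}
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, start LBA, sectors

def parse_mbr(sector: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 55 AA signature missing")
    parts = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype == 0x00:          # unused slot
            continue
        parts.append({"slot": i + 1, "active": status == 0x80, "type": ptype,
                      "name": TYPES.get(ptype, "unknown"), "start_lba": lba,
                      "size_mib": count * 512 // 2**20,
                      "recovery": ptype in RECOVERY_TYPES})
    return parts

def build_sample_mbr() -> bytes:
    """Constructed sample: 15 GiB hidden recovery partition, then the OS volume."""
    rec = ENTRY.pack(0x00, 0x27, 2048, 15360 * 2048)
    osv = ENTRY.pack(0x80, 0x07, 2048 + 15360 * 2048, 460800 * 2048)
    return bytes(446) + rec + osv + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    # Pass a disk image or device path to read its first sector (read-only);
    # with no argument the constructed sample is parsed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(512)
    else:
        data = build_sample_mbr()
    for p in parse_mbr(data):
        flag = "  <-- likely recovery partition" if p["recovery"] else ""
        print(f"#{p['slot']} type=0x{p['type']:02X} {p['name']:<26} "
              f"start={p['start_lba']} size={p['size_mib']} MiB{flag}")
```

The type byte only tells you that a recovery partition exists and where it sits; whether it holds a full disk image or an unattended installer still has to be determined from its contents.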


jaclaz ---Thanks for the explanation. This is my plan. I have already copied my documents, music, pictures, favorites, videos, and email from the still infected (I think) computer to a flash drive. Last night I booted to that recovery program that restores the computer to its factory state. All went well so far. Tonight if I have time, I will get all the Windows updates, and install Microsoft Security Essentials, and Malwarebytes. Then I will do a FULL scan with MSE and MB to see if it still takes days to complete. If these scans only take 1-2 hours, which it should instead of days, then I can feel confident I have removed all problems from the computer. Then I will re-install the documents, music, pictures, email, etc. AFTER I have scanned them with Bitdefender and Malwarebytes on a clean computer. I will then post back with the NEW scan times. Thanks again to everyone who offered suggestions, Mike


OK, update. I got all the Windows updates. Downloaded Microsoft Security Essentials and ran it. It only took an hour and 15 minutes, compared to several hours before and I stopped it before it was even 25% complete. I then downloaded Malwarebytes and ran it. It ran and completed in under an hour, versus the days it took before to run. So, the Recovery which started with a Format, must have cleaned out whatever was causing the excessive scan times before. I have also scanned the flash drive where I copied the documents, music, pictures, videos etc. from the infected computer with MSE, Bitdefender, and Malwarebytes. Bitdefender did find an item but removed it. So all is good. Thanks again for all suggestions. Mike

