Guest Daniel
Posted July 31, 2023

Hello, I was wondering if malware can carry over from an old operating system if I haven’t formatted the partitions on the installation media tool. I didn’t format but only deleted them all and made new ones. Is this fine? Can malware still carry over?

ESET Moderators Aryeh Goretsky
Posted August 1, 2023

Hello,

Deleting the data in the partition table about the size and locations of the drives, and/or formatting those drives will remove anything that was stored in them.

However… the master boot record (also known as a disk boot record, partition boot record, etc.) contains a few hundred bytes of program code before the partition table begins. That may or may not be cleared or overwritten when you delete all of the partitions on a drive. As such, I always recommend wiping the first sectors at the beginning of a drive prior to installing an operating system in order to erase any code that might be present at the beginning of the drive.

Here are some instructions on how to do this from a Windows installation USB/DVD/CD:

How to wipe a drive using Windows installation media

Formatting and even repartitioning a drive under Windows does not erase its MBR (Master Boot Record), which can be infected and replaced by bootkits. Here are instructions to erase a drive, step-by-step, so that it can be re-used.

1. Create a new Windows Installation DVD/USB flash drive on a known-good system.
2. Go to the problematic computer, power it up, and configure it to boot first from its DVD or USB in its BIOS/UEFI firmware and then turn it off.
3. If the computer has multiple drives inside of it, and you only wish to erase one of them, open the computer up and disconnect the power or data cables from the other drives (you do not need to disconnect both, although you can if you want to).
4. Plug the USB flash drive into the computer and power up to have it boot directly from the USB flash drive (or insert the DVD and let the computer boot from it).
5. Once the computer finishes booting, it should be at a Windows installation screen. Do not agree to any prompts, copyright licenses, or click on any buttons.
6. Press the Shift + F10 keys together to open a Command Prompt.
7. Run DISKPART to start DiskPart, the command-line disk partitioning utility. The command line prompt will change from a drive letter to DISKPART>.
8. At the DISKPART> prompt, type LIST DISK to get the numbers of all drives in the system. Make a note of the number assigned to the infected drive.
9. At the DISKPART> prompt, type SEL DISK n where n is the number of the infected drive--it is usually 0 or 1 but it could be something else.
10. At the DISKPART> prompt, type CLEAN and this will erase the MBR code from the beginning of the drive.

*WARNING:* After performing the clean operation, the drive will now be blank/erased, and everything on it will be gone (all files, etc.). It may still be recoverable by specialist data recovery services, though. If you are planning on selling the drive and do not want the data to be recoverable, issue a CLEAN ALL command, instead. Note that you should ONLY DO THIS IF YOU DO NOT WANT TO BE ABLE TO RECOVER ANY DATA. If you are just reinstalling (regardless of whether you're dealing with malware) then just use CLEAN; if you are selling or donating the drive and do not want the data to be recoverable, use CLEAN ALL.

The drive is now clean. You can now exit the DiskPart program and continue with your Windows installation.

Source: instructions I wrote for the r/24hoursupport wiki on Reddit at https://old.reddit.com/r/24hoursupport/wiki/index#wiki_how_to_wipe_a_drive_using_windows_installation_media

Now admittedly, malware such as computer viruses and bootkits that infect an MBR are extraordinarily rare these days: Malware authors usually do not have to dig so deeply into a drive's internal structure to accomplish what they want. However, since this process takes less than a minute with practice, it is an easy step to add to any reinstallation of the operating system.

Regards,

Aryeh Goretsky
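
The answer above distinguishes the boot code at the start of the drive from the partition table that follows it. As an added example (not part of the original post), this Python sketch inspects a 512-byte copy of sector 0 and reports whether the code area is empty; it assumes the classic MBR layout (446-byte code area, four 16-byte partition entries, 0x55AA signature), and `inspect_mbr`, `build_sample_sector` and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446     # bootstrap code area at the start of a classic MBR
PART_TABLE_OFF = 446    # four 16-byte partition entries follow the code area
SIGNATURE_OFF = 510     # boot signature bytes 0x55 0xAA


def inspect_mbr(sector: bytes) -> dict:
    """Summarise sector 0: boot code area, partition entries, signature."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one full 512-byte sector")
    code = sector[:BOOT_CODE_LEN]
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        entry = sector[off:off + 16]
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0x00 marks an unused slot
            partitions.append({"slot": slot, "bootable": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": num_sectors})
    return {
        "boot_code_present": any(code),
        # Hash lets you compare the code area against a known-good install.
        "boot_code_sha256": hashlib.sha256(code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "fully_blank": not any(sector[:SECTOR_SIZE]),
    }


def build_sample_sector(with_code: bool) -> bytes:
    """Constructed sample: one partition entry, optional filler in the code area."""
    sector = bytearray(SECTOR_SIZE)
    if with_code:
        sector[:BOOT_CODE_LEN] = b"\x41" * BOOT_CODE_LEN  # filler bytes, not real code
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    samples = [("code area populated", build_sample_sector(True)),
               ("partition table only", build_sample_sector(False)),
               ("sector fully zeroed", bytes(SECTOR_SIZE))]
    for label, data in samples:
        print(label, inspect_mbr(data))
```

Feed `inspect_mbr` the first 512 bytes of a disk image or raw device read with administrator rights. On a GPT disk, sector 0 is a protective MBR with a single entry of type 0xEE.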