Author Topic: Reformat question  (Read 9205 times)

Offline DonnaB

  • Malware Experts
  • Hero Member
  • *****
  • Posts: 815
  • Ms. Congeniality
    • View Profile
Reformat question
« on: March 23, 2012, 11:28:15 AM »
Question concerning reformatting:

As per instructions here and as quoted below, would these same instructions, that include the process of pressing the Shift + F10 key apply to all computers/OS's or does this just pertain to the ASUS laptop that the instructions were posted for?

Also, would the same instructions apply if the user is restoring back to Factory Condition and not via disk/USB? I'm thinking it will nuke the whole drive, wiping the recovery partition as well.

Quote
To ensure all traces of the malware are removed, I recommend doing the following:

a. At the first screen that prompts for language preferences, hold SHIFT and then press F10.
b. You will now see a CMD window with the prompt X:\Sources.
c. Type DISKPART and hit enter.
d. Type list disk and hit enter. It looks like you only have 1 physical disk which should be numbered Disk 0
e. Type select disk 0 and hit enter.
f. Type clean all and hit enter - this will completely wipe every sector of the disk and is more thorough than a format. It may take a few hours.
g. When finished, type exit and hit enter.
h. Type exit and hit enter once more.

"To achieve the impossible, it is precisely the unthinkable that must be thought."
Tom Robbins

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20086
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Reformat question
« Reply #1 on: March 23, 2012, 12:58:23 PM »
Hi, Donna.

Although I found some information that might be helpful, I thought it best to get Golden's input.  It would help to know if your questions are general or for a specific operating system and/or OEM. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline DonnaB

Re: Reformat question
« Reply #2 on: March 23, 2012, 02:48:23 PM »
Quote
Hi, Donna.

Although I found some information that might be helpful, I thought it best to get Golden's input.  It would help to know if your questions are general or for a specific operating system and/or OEM.

Hi Corrine,

I was thinking of Golden when this thought crossed my mind and almost posted in my old thread where he helped to place a link to this thread so he would get an email notification. But I didn't, to avoid bumping the thread.

You know, I had to google OEM just to make sure I received the answer I was searching for and I found the following, which never even crossed my mind.

Quote
OEM means Original Equipment Manufacturer. The difference is that an OEM operating system is bought at a store and can be put to any computer. Non-OEM cannot be put on another PC, it is the operating system that comes with a pre-built pc like a dell.

So my question would be concerning a non-OEM that comes installed on a pre-built PC such as Dell, HP, ASUS etc. For an OEM that is purchased on a disk I wouldn't have to worry about if the hidden recovery partition would be lost or not because you have the disk available.

And, to be completely honest with you, I was helping a fella here who reformatted to factory condition because he had a strong suspicion that his computer was compromised so he did a Factory Recovery which sent my thoughts in the direction of should he have nuked the drive before he restored the laptop back to factory condition or even better could that be done without wiping the hidden recovery partition?

I didn't think it would but I surely wouldn't want to give the wrong information in the future if I ever come across this scenario again.

Offline Corrine

Re: Reformat question
« Reply #3 on: March 23, 2012, 05:25:25 PM »
When it comes to computer operating systems, OEM would be Dell, HP, ASUS, etc., using the Wikipedia definition of "Contradictory usage":

Quote
An even more confusing, contradictory definition is a company that sells the product of a second company under its own brand name.

or as described here, What is OEM? - A Word Definition From the Webopedia Computer Dictionary.



Offline DonnaB

Re: Reformat question
« Reply #4 on: March 23, 2012, 05:36:19 PM »
Quote
When it comes to computer operating systems, OEM would be Dell, HP, ASUS, etc.,

That's what I thought as well, then I remembered that the Win7 disk I bought for Joe was labeled as an OEM Retail version. Very contradictory. How confusing.   :huh:

Offline Corrine

Re: Reformat question
« Reply #5 on: March 23, 2012, 05:59:10 PM »
Maybe Golden will straighten us out on this issue.



Offline Aaron Hulett

  • Administrator
  • Hero Member
  • *****
  • Posts: 1445
  • Schrödinger's cat walks into a bar... and doesn't.
    • View Profile
    • My Site
Re: Reformat question
« Reply #6 on: March 23, 2012, 08:12:24 PM »
Quote
I'm thinking it will nuke the whole drive wiping the recovery partition as well.

Yes, it will.

From the instructions posted, it looks like we're bringing up a command prompt after booting into WinPE (Windows Preinstallation Environment) - such as from a Windows installation DVD. The commands you quoted wipe the entire disk - everything, including recovery partitions if they're present. I'll detail this one at a time:

a. At the first screen that prompts for language preferences, hold SHIFT and then press F10.

This tells WinPE to open a command prompt.

b. You will now see a CMD window with the prompt X:\Sources.
c. Type DISKPART and hit enter.

DISKPART allows for managing hard disks via the command line. Here's a KB article, from Windows XP, that helps explain it. http://support.microsoft.com/kb/300415

d. Type list disk and hit enter. It looks like you only have 1 physical disk which should be numbered Disk 0

'list disk' asks for a list of hard disks. Remember, in computer land we start counting at zero, so Disk 0, presuming the system only has one hard disk, would be that hard disk. If you have more than one, then you'd see Disk 0, Disk 1, Disk 2 and so on.

e. Type select disk 0 and hit enter.

'select disk 0' tells DISKPART that you want to do 'stuff' to Disk 0.

f. Type clean all and hit enter - this will completely wipe every sector of the disk and is more thorough than a format. It may take a few hours.

'clean all' writes zeros to every sector on the hard disk, effectively wiping it out. It's doing this to Disk 0 because we selected it earlier, and just as implied, everything will be wiped - OS partition, Data partitions, Recovery partitions... everything. If you have more than one hard disk, and you want to wipe those, too, then you'd first say 'select disk 1' to tell DISKPART to start working on that hard disk, and then 'clean all' again to clean that one, and so on.

g. When finished, type exit and hit enter.
h. Type exit and hit enter once more.

The first 'exit' exits DISKPART and returns you to the command prompt, the second closes the command console.

Don't have a Windows install DVD or some other form of WinPE handy for this? Get DBAN or some other wiping utility - it'll accomplish the same thing.

Hope this was helpful,

//A

(This information is provided "AS IS" without warranty, and confers no rights.)
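
Added example (not part of the original posts): Python that reads a disk image, lists the MBR partitions and flags type IDs commonly used for OEM recovery partitions, so you know what 'clean all' will destroy, then checks that every sector reads back as zero afterwards. The function names, the short type-ID table and the sample image are constructed for illustration; GPT-partitioned disks are not parsed.

```python
import io
import struct

SECTOR = 512
# Partition type IDs often used for OEM/recovery partitions (illustrative subset).
RECOVERY_TYPES = {
    0x12: "OEM diagnostics/recovery",
    0x27: "Windows RE (hidden NTFS)",
    0xDE: "Dell utility",
}


def parse_mbr(sector0):
    """Return the non-empty primary partition entries found in sector 0."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []  # no boot signature: blank (wiped) or non-MBR disk
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            parts.append({"type": ptype, "start_lba": start, "sectors": count,
                          "recovery": RECOVERY_TYPES.get(ptype)})
    return parts


def first_nonzero_sector(stream, chunk_sectors=2048):
    """Return the LBA of the first sector holding any non-zero byte, else None."""
    lba = 0
    while True:
        chunk = stream.read(SECTOR * chunk_sectors)
        if not chunk:
            return None  # reached the end: every sector was zero
        if chunk.count(0) != len(chunk):
            for off in range(0, len(chunk), SECTOR):
                if chunk[off:off + SECTOR].strip(b"\x00"):
                    return lba + off // SECTOR
        lba += len(chunk) // SECTOR


def build_sample_image():
    """Constructed 64-sector image: one OS partition plus a hidden recovery one."""
    def entry(boot, ptype, start, count):
        return struct.pack("<B3sB3sII", boot, b"\0" * 3, ptype, b"\0" * 3, start, count)
    img = bytearray(SECTOR * 64)
    img[446:462] = entry(0x80, 0x07, 1, 40)   # bootable NTFS
    img[462:478] = entry(0x00, 0x27, 41, 23)  # hidden recovery partition
    img[510:512] = b"\x55\xaa"
    img[41 * SECTOR:41 * SECTOR + 8] = b"RECOVERY"  # stand-in for recovery data
    return bytes(img)


if __name__ == "__main__":
    before = build_sample_image()
    for p in parse_mbr(before[:SECTOR]):
        note = p["recovery"] or "not a known recovery type"
        print(f"type 0x{p['type']:02X} start {p['start_lba']} size {p['sectors']}: {note}")
    after = bytes(len(before))  # what 'clean all' leaves behind: all zeros
    print("partitions after wipe:", parse_mbr(after[:SECTOR]))
    print("first non-zero sector:", first_nonzero_sector(io.BytesIO(after)))
```

To check a real drive, pass a file object opened read-only on the raw device or on an image taken of it instead of the in-memory sample.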

Offline MikeW

  • LzD Friends
  • Hero Member
  • *****
  • Posts: 560
    • View Profile
Re: Reformat question
« Reply #7 on: March 24, 2012, 08:03:45 AM »
Quote
When it comes to computer operating systems, OEM would be Dell, HP, ASUS, etc.,

That's what I thought as well, then I remembered that the Win7 disk I bought for Joe was labeled as an OEM Retail version. Very contradictory. How confusing.   :huh:

OEM in this case just means it is 'bare bones' usually just the disk and no fancy boxes or instruction manual.
Win 7 Home Premium  IE11 MSE  Mbam Pro

Offline DonnaB

Re: Reformat question
« Reply #8 on: March 24, 2012, 02:13:10 PM »
Quote
As posted by Aaron:
I'll detail this one at a time:

Oh my goodness. Thanks Aaron.  :D  If you don't teach, you really should. Excellent step by step in detail.

Quote
As posted by Donna:   
I'm thinking it will nuke the whole drive wiping the recovery partition as well.
Quote
As posted by Aaron:
Yes, it will.

I thought so but I really needed someone to verify this for me before I ever suggested this method to an OP.

In my son's situation I had created the recovery disks for him before heavy infection set in and noticed that when I did use that method then reinstalled using the Recovery disks the Recovery Partition was reinstalled as well because as soon as the process was complete the request to create said disks was presented and after double checking the recovery partition was there to create the disks from.

Another example, if I may, not long ago I also guided a fella who was given a Dell computer from a friend and he wanted to know how to erase all the other user's profiles, etc. and start from scratch. The computer did not come with a disk and I didn't think to ask if any recovery disks were created. I guided him as to how to reformat back to factory conditions though the Shift + F10 option was not initiated in the process so the recovery partition still exists. If the computer did have malware on it, it is always best to nuke the drive to ensure a "clean install". Can just restoring back to factory condition without nuking the disk still have residual malware left behind?? Or is it safe to say the computer is free and clear of all malware after restoring back to factory condition?

Another thought. If I did instruct the OP to press Shift + F10 that would have wiped the recovery partition in the process and he would not have been able to proceed with being able to restore to factory condition as planned. Right?

Gee, I don't mean to bombard you people with all these questions but my curiosity is really getting the best of me.

Quote
As posted by MikeW:
OEM in this case just means it is 'bare bones' usually just the disk and no fancy boxes or instruction manual.

Thanks Mike! :)

Bare bones is exactly what I got when I had used the Retail OEM disk. Not one program listed in Programs and Features come to think of it. Perfect if you don't have other paid for software installed or you have the disks for the software. If I remember correctly when Joe (zep516) installed the Win7 Retail OEM over Vista he lost his MS Word program and we didn't have the disk. :(

Offline zep516

  • Malware Experts
  • Sr. Member
  • *****
  • Posts: 274
    • View Profile
Re: Reformat question
« Reply #9 on: March 24, 2012, 03:45:56 PM »
Was my name mentioned? :)  DonnaB

I did a reformat when I installed WIN 7, because I already had 2 operating systems installed. Vista and the test RC Version of Windows 7 that I ran for a year and was about to expire. I wanted to start fresh so that's what I did. I knew I would lose Word in the process too.

Nice thread, the OEM'S and installing has always confused me too.
You're only as safe as your last update.

Offline DonnaB

Re: Reformat question
« Reply #10 on: March 24, 2012, 04:09:20 PM »
Quote
Was my name mentioned? :)  DonnaB

I did a reformat when I installed WIN 7, because I already had 2 operating systems installed. Vista and the test RC Version of Windows 7 that I ran for a year and was about to expire. I wanted to start fresh so that's what I did. I knew I would lose Word in the process too.

Nice thread, the OEM'S and installing has always confused me too.

Yes. I used you as an example.  :lol: And the thought of losing Word never crossed my mind till your experience revealed this to me.

And the OEM's! It never occurred to me there were different "types" of OEM's till the experience with yours and Bryans computer. You performed the reformat in my absence. I remember you telling me you had to reinstall all your programs. It never really occurred to me exactly what you meant till I used your OEM Retail disk on Bryan's computer.

Gosh I love learning first hand! Seems to "sink in" more.  :embarrassed:

Offline zep516

Re: Reformat question
« Reply #11 on: March 24, 2012, 04:15:12 PM »
I may have an XP Pro disk with product key. If I get it I'll send it. That will give a back up for your XP Machine you have.

Offline Aaron Hulett

Re: Reformat question
« Reply #12 on: March 28, 2012, 06:32:52 AM »
"Oh my goodness. Thanks Aaron.  :D  If you don't teach, you really should. Excellent step by step in detail."

You're welcome, and thank you for your kind words. I don't really teach beyond my occasional posts here, but when I see something that I can help clarify, I jump in.

"Can just restoring back to factory condition without nuking the disk still have residual malware left behind?? Or is it safe to say the computer is free and clear of all malware after restoring back to factory condition?"

This depends on the particulars of the malware, and how we get back to factory condition. If the way back to factory is via a recovery partition, then we have to wonder if malware infected the recovery partition. If it did, well, then the recovery partition is not so great, and cleaning it could be possible, or it could break the ability to recover if things are bad enough. The best way around this is to have clean restore media on something that's not editable, such as a DVD or set of CDs or such. Also, taking a backup is a good way, too. I wish more people would do that.

We also need to figure in if a hard disk wipe is necessary. If something nasty enough infects the system, then it could survive a format and a simple recovery might not fully eliminate it. This is the reason for wiping the disk - it obliterates everything.

One time, a family member's system was hit because Adobe Flash wasn't fully updated, and the antimalware program did stop it. But, being that I'm 2,000 miles away, and I had it taking automatic backups, I just said, "Wipe the drive and restore." When asked, "Well can't we just try to clean..." I just said it again. "Wipe the drive and restore." That's what we did. The system was back running in under two hours, and now, rather than going, "Did we get it all? Is it ok?" I can say, "It's ok." I don't have to second guess anything, which is totally worth the 'overkill' of wiping and restoring from backup.

"Another thought. If I did instruct the OP to press Shift + F10 that would have wiped the recovery partition in the process and he would not have been able to proceed with being able to restore to factory condition as planned. Right?"

Well, yes, that'd wipe absolutely everything, including recovery partitions. Once that's gone, there are a few options:
  • Use a backup taken before disaster (my preferred option)
  • Use a set of recovery CDs/DVDs made (just as you mentioned)
  • Use the CDs/DVDs the manufacturer maybe included
  • Contact the manufacturer for replacement recovery media ($)
  • Purchase a retail license ($$)
Probably some other options, but those stand out for me at the moment.

Ideally, plans would be in place before disaster strikes, just as people would have plans for, say, a tornado warning; they know where to go and what to do, and have important documents stored in a safe deposit box and such. But some people don't look at their computers like their homes and preparing for a tornado. They look at them like washing machines that, when they break, someone comes in and replaces the broken parts and off things go. And when your washing machine breaks, you don't lose all your clothes, so when computers break and there's potential for losing all the data (pictures, documents, all that)... well... they learn these aren't washing machines.

There are several good backup options out there. Some options are available within Windows (the specific features are dependent on what version of Windows is installed). One could burn important documents and files to a DVD, or copy them to the cloud somewhere. There are also removable hard drives, some even have software included to automatically back the system up as soon as they're plugged in. I personally have a network-based backup (Windows Home Server) and my computers automatically back up over the network to a central server every night. Lots of options - find one, use it, consistently.

Ok, done preaching about backups. ;)

One last thing about OEM installs. There are two types of OEM 'experiences' for lack of a better word. One is where the OEM creates a unique set of media/recovery partition that, when used, restores Windows, drivers, preinstalled software, and so forth. This is usually seen with the larger OEMs like Dell, Lenovo, HP and so on. This other one is extremely similar to using an install DVD that you'd buy in a store with only Windows and nothing else. In this case, if the computer came with additional software, their install discs would also be included with the computer and you'd need to install each thing one at a time. There may also be a driver disc included to get peripherals working properly.

And finally, one quick note:

"I may have an XP Pro disk with product key. If I get it I'll send it. That will give a back up for your XP Machine you have."

While there are good intentions, it's important to respect the licensing terms. If the license allows for a transfer (meaning you've completely uninstalled it from the computer and the license allows for its sale/transfer), then OK. If it's an OEM license (such as it came with your PC and your PC has an OEM sticker with the license key on it), those are tied to the hardware and don't transfer. I don't know the particulars here, but I ask that licensing terms be respected so that the forum's policy regarding pirated software doesn't need to come into play. Hope this is understandable?

//A


Offline DonnaB

Re: Reformat question
« Reply #13 on: April 05, 2012, 12:31:01 AM »
Hi Aaron,

I am so sorry for the late reply. I don't know why I am not getting email notifications from certain sites. I'm totally baffled!

Again you have provided a plethora of information though I fear it will take me some time to absorb it all. Please allow me some time to read through your charitable contribution for my learning needs. I may have more questions if you don't mind taking the time and sharing your knowledge with me. I would be very grateful indeed!

@ zep. I look forward to receiving that XP Pro disk so I can pull my XP Pro out of the closet and use as a lab rat to further my "hands on training" in the removal of malware. Anticipating the moment when I can download those attachments in those spam emails I have in my CDC folder.  :evil:

 :grin: Donna

Offline DonnaB

Re: Reformat question
« Reply #14 on: May 14, 2012, 02:12:04 AM »
Hi, I haven't forgotten about this thread at all and I have been reading, watching other threads, experiencing personal issues that deal with a lot of what's been discussed in this thread.

I have a question concerning this particular statement by Aaron concerning store bought OEM's that includes only Windows files no drivers:

Quote
This other one is extremely similar to using an install DVD that you'd buy in a store with only Windows and nothing else. In this case, if the computer came with additional software, their install discs would also be included with the computer and you'd need to install each thing one at a time.

Can you use this type of disk to perform a System File Check or does it have to be a Retail disk that is not the OEM version?

Example:

I have an XP Home Edition that has no recovery partition. The registry is corrupt. I was given an OEM XP Home Edition SP3 disk that was never removed from the package and intend to use it for a clean install but first I thought I'd try to use it for SFC to see if that would fix the corrupt registry just for educational purposes. When I am asked for the disk to be inserted, I insert and click try again yet WFP continues then asks for the disk again. Is it because it is an OEM version and not a Retail version?