
note: While the bulk of the answers to "How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?" involve removing malware from running systems, my question is different.

I will definitely be reformatting the drive and reinstalling a new OS. That's already a given. I will not look for ways to "de-infect" an existing installation.

Instead, I am asking here about other forms of nonvolatile memory in the computer (e.g. the GPU)

I am also asking about overwriting with random ones and zeros as part of the reformatting process in order to make sure no traces of malware can be found by new malicious code and reactivated.


We have a DELL Precision T-3600 series computer that the network folks told us was mining bitcoin due to some hacking. It's unknown how bad (i.e. how malicious, pernicious, tenacious, etc.) the hacking was, so we will assume the worst.

We want to reformat the NEO N510+ SSD, including overwriting it with ones and zeros first, then clean install a different flavor of Linux (I don't know which yet). I opened the box; there are no other hard drives (and no DVD in the drive), but there is an NVIDIA T600 GPU which we don't currently use, but may want to experiment with in the future.

For now I plan to pull the GPU out because I don't know if it has any firmware or nonvolatile memory that could have potentially been hacked and now carry something malicious, and we don't need it right now. But I wonder, could it now contain something malicious?

I also don't know how much nonvolatile memory the CPU board or anything else has or whether it has any potential to be hacked.

Besides the reformatting + overwriting and clean install, what else should we do?

uhoh

2 Answers


Besides the reformatting + overwriting and clean install, what else should we do?

Nothing.

GPUs do have a lot of firmware, but it is almost always volatile – it's distributed with the OS driver, and the driver needs to upload it to the GPU's RAM on every boot. They also increasingly often enforce digital signature checks (you can mostly thank MPAA for that).

But if it was mining Bitcoin, then it's a fairly safe assumption that the hacking was not a targeted attack, as such attackers would generally try to stay below the radar instead of mining Bitcoin, so I wouldn't really worry about GPU firmwares much.

Things like Ethernet interfaces do have non-volatile firmware, on the other hand, as does your computer's mainboard itself – both the system firmware and Intel ME or AMD PSP firmware, for example, though at least the latter is likewise digitally-signed.

Overwriting the SSD multiple times with 1s and 0s is fairly useless. What may be useful against physical data recovery is pointless for virus cleaning, as the OS and CPU will not "see through" overwritten data the way recovery labs might do (which is indeed why recovery labs exist in the first place). From the perspective of the CPU, as soon as a disk sector has been overwritten its data is gone, since it will no longer be returned by READ operations, so it cannot influence the host PC in any way. So just zero it out once, or use the SATA or NVMe "secure erase" command – and it should be fine.

grawity
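To make the "zero it out once" point concrete, here is an added shell example (not from the answer above or from any vendor tool) that performs a single overwrite pass on a disk image file standing in for the SSD and then verifies, by reading the image back, that a planted marker string is gone. The image path, the marker text and the 1 MiB size are constructed for the demonstration; the real-device commands appear only in comments and are not run.

```bash
#!/bin/sh
# Added example: a single zero-fill pass is enough from the host CPU's point of view.
# Everything below works on an ordinary file so it can run without root or a spare disk.
set -eu

IMG="${WIPE_DEMO_IMG:-/tmp/wipe-demo.img}"   # assumed path, stand-in for the SSD
MARKER="CONSTRUCTED-MALWARE-MARKER"          # constructed sample payload, not real malware

make_image() {
    # 1 MiB of random bytes with the marker planted at offset 512 KiB,
    # mimicking a leftover binary somewhere in the middle of the device.
    dd if=/dev/urandom of="$IMG" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

marker_present() {
    # Returns 0 if the marker bytes can still be read back from the image.
    # This is exactly what any later malware or loader would have to rely on.
    grep -q -a "$MARKER" "$IMG"
}

zero_image() {
    # One pass of zeros over the whole image. On a real block device the
    # equivalent would be one of (run as root, NOT executed here):
    #   dd if=/dev/zero of=/dev/nvme0n1 bs=4M status=progress
    #   blkdiscard /dev/nvme0n1                 # TRIM the whole SSD
    #   nvme format /dev/nvme0n1 --ses=1        # NVMe user-data secure erase
    #   hdparm --user-master u --security-set-pass p /dev/sdX && \
    #   hdparm --user-master u --security-erase p /dev/sdX    # ATA secure erase
    size=$(wc -c < "$IMG" | tr -d ' ')
    dd if=/dev/zero of="$IMG" bs=4096 count=$((size / 4096)) 2>/dev/null
}

count_nonzero_bytes() {
    # Independent check: after the wipe every READ must return 0x00.
    tr -d '\000' < "$IMG" | wc -c | tr -d ' '
}

wipe_demo() {
    # Full procedure; prints "wiped" on success, "marker survived" otherwise.
    make_image
    marker_present || { echo "setup failed: marker not written"; return 2; }
    zero_image
    if marker_present || [ "$(count_nonzero_bytes)" -ne 0 ]; then
        echo "marker survived"
        return 1
    fi
    echo "wiped"
}

# Run stand-alone: sh wipe-demo.sh
if [ "${0##*/}" = "wipe-demo.sh" ]; then
    wipe_demo
fi
```

The second pass the question asks about would only change what a lab with physical access to the flash cells might recover; the host never sees anything but the last value written, which is what `count_nonzero_bytes` confirms.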

Just wipe the machine and move on with life.

There are no risks of malware being somehow embedded in nonvolatile components. Just wipe the machine and move on with life.

“note: While the bulk of the answers to How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC? involve removing malware from running systems, my question is different.”

This is not at all substantially different. You are fabricating scenarios that just don’t exist:

“I also don't know how much nonvolatile memory the CPU board or anything else has or whether it has any potential to be hacked.”

There is no risk to the CPU or RAM. None at all. Just wipe the machine and move on with life.

“For now I plan to pull the GPU out because I don't know if it has any firmware or nonvolatile memory that could have potentially been hacked and now carry something malicious, and we don't need it right now.”

Utter paranoia. Just wipe the machine and move on with life.

Also, this…

“I am also asking about overwriting random ones and zeros as part of the reformatting process in order to make sure no traces of malware can be found by new malicious code and reactivated.”

If it is an SSD, that level of erasure is not needed. If it is a hard drive, maybe that would help. But mainly it will just give you a better level of confidence in the process. The risk of “zombie” malware springing to life from an erased storage device doesn’t exist. Even just wiping out the drive with a basic “zero-writing” erase is a bit of overkill.

Giacomo1968