A "factory restore" essentially reformats your hard drive, removes all data and restores the computer to the state it was in when you first purchased it. Most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore". Read Technology Advisory Recovery Media.
Some factory restore partitions/disks give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer. Either way, you will need to reinstall any programs that did not come preinstalled with your computer and run Windows Update to redownload all critical patches.
With that said, there are no guarantees when it comes to malware removal. Infections and severity of damage will vary. While there are some types of malware which may resist reformatting (or a factory reset), in most cases such action will get rid of the infection.
For example, there are some rootkits and bootkits which can alter (overwrite) the Master Boot Record (MBR) of the drive to ensure persistent execution of malicious code, in which case the MBR would need to be repaired. Other types of malware can infect recovery partitions and even render them unusable. If the recovery partition has become infected, you will need to contact the computer manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support or charge a small fee.
Note: Restoring a full hard drive image will replace the MBR, since hard drive imaging software also clones the MBR.
Other security-related articles report that researchers have demonstrated, in a test environment, proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of common systems so that it could survive hard disk wiping and reinfect a clean disk. This type of malware exists in the wild and is not generic...meaning it cannot modify all types of BIOS.
New BIOS Virus Withstands HDD Wipes
A pair of Argentinean researchers has demonstrated a BIOS-level exploit that allowed the duo to potentially run a great deal of invisible code—which could remain installed even if the hard drive was wiped...BIOS must be switched to write-allow mode before the attack can be executed. The aforementioned attack consists of dumping the new BIOS into flashrom (a BIOS read/write/modify utility), making the necessary changes, adjusting all of the checksums to ensure the hacked BIOS will verify as authentic (the two credit Pinczakko here), and flashing. Voila! One evil BIOS.
BIOS-level rootkit attack scary, but hard to pull off
Viruses that target the BIOS aren’t new, but often they are specific to a type of hardware. Researchers have now demonstrated a new type of attack that could install a rootkit on the BIOS of common systems, making it very lethal and effective.
(March 27, 2009)
Mebromi, a bios-flashing trojan
So how come the world is not riddled with BIOS infectors? The answer to this is probably that it’s not trivial to do. First of all, BIOS is low-level technology which is heavily dependent on manufacturer. Programming one BIOS requires a different approach from programming another. Second, you can’t reprogram BIOS chips without being in kernel mode, which means that you have to have administrator privileges. And thirdly, the interfaces for BIOS reprogramming are poorly documented, and if you do something wrong, you risk turning the computer into an expensive paperweight.
(September 8, 2011)
BIOS-MBR-Windows(BMW) or Mebromi, a new virus targeting the computer BIOS
(September 8, 2011)
Fortunately, as these articles note, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for attackers to use such an exploit on a grand scale.