
Will factory restore remove most malware and viruses?


5 replies to this topic

#1 Hermesx

  • Members
  • 63 posts
  • Gender:Male

Posted 27 December 2013 - 08:59 PM

Just curious about this. If I had already tried removing infected files with an antivirus or anti-malware tool and decided to do a factory restore (not with a disk) but by doing it at startup, will it remove all of the infected files on my computer? I understand that this will also delete anything I have on my computer and will make it look like when I first bought it. But, will it remove all infected files as well?

Apparently system restore is not effective at all because of the chance that the restore points will also become infected. I've asked a few friends about this and they all seem to mistake Factory Restore for System Restore, which is not at all what I'm talking about. :P

I know it is unnecessary in most cases, but is it an effective and foolproof way of permanently ridding your system of the infection?

Thanks, Hermes. :)


Edited by Hermesx, 27 December 2013 - 09:01 PM.

I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)



#2 Mako

  • Malware Response Team
  • 203 posts
  • Gender:Male
  • Location:Belgium

Posted 28 December 2013 - 04:28 AM

Hello Hermes,

Factory Restore will indeed, unlike System Restore, remove all your (infected) files and folders, clearing the majority of all infections. You should, however, take special care with rootkit infections as they might infect the recovery partition as well. Therefore it's wise to start a new topic in the appropriate section since most malware can be removed without the need for a factory reset :).

Although most rootkit infections leave the recovery partition alone, it's useful to bear in mind that this is not always the case.

Cheers,

Mako


Regards,

Mako

 

Member of UNITE Unified Network of Instructors and Trained Eliminators

Noticed any spelling or grammar errors in my reply? Please feel free to point them out to me, I'm always eager to learn. 


#3 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 34,070 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 December 2013 - 07:19 AM

A "factory restore" essentially reformats your hard drive, removes all data and restores the computer to the state it was in when you first purchased it. Most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore". Read Technology Advisory Recovery Media.

Some factory restore partitions/disks give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer. Either way, you will need to reinstall any programs that did not come preinstalled with your computer and run Windows Update to redownload all critical patches.

With that said, there are no guarantees when it comes to malware removal. Infections and severity of damage will vary. While there are some types of malware which may resist reformatting (or a factory reset), in most cases such action will get rid of the infection.

For example, there are some rootkits and bootkits which can alter (overwrite) the Master Boot Record (MBR) drive to ensure persistent execution of malicious code and the MBR would need to be repaired. Other types of malware can infect recovery partitions and even render them unusable. If the recovery partition has become infected, you will need to contact the computer manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support or charge a small fee.

Note: If restoring a full hard drive image it will replace the MBR since hard drive imaging software also clones the MBR.

Other security related articles report researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of common systems so that it could survive hard disk wiping and reinfect a clean disk. This type of malware exists in-the-wild and is not generic...meaning it cannot modify all types of BIOS.

A pair of Argentinean researchers has demonstrated a BIOS-level exploit that allowed the duo to potentially run a great deal of invisible code—which could remain installed even if the hard drive was wiped...BIOS must be switched to write-allow mode before the attack can be executed. The aforementioned attack consists of dumping the new BIOS into flashrom (a BIOS read/write/modify utility), making the necessary changes, adjusting all of the checksums to ensure the hacked BIOS will verify as authentic (the two credit Pinczakko here), and flashing. Voila! One evil BIOS.

New BIOS Virus Withstands HDD Wipes (March 2009)

Viruses that target the BIOS aren’t new, but often they are specific to a type of hardware. Researchers have now demonstrated a new type of attack that could install a rootkit on the BIOS of common systems, making it very lethal and effective.

BIOS-level rootkit attack scary, but hard to pull off (March 27, 2009)

So how come the world is not riddled with BIOS infectors? The answer to this is probably that it’s not trivial to do. First of all, BIOS is low-level technology which is heavily dependent on manufacturer. Programming one BIOS requires a different approach from programming another. Second, you can’t reprogram BIOS chips without being in kernel mode, which means that you have to have administrator privileges. And thirdly, the interfaces for BIOS reprogramming are poorly documented, and if you do something wrong, you risk turning the computer into an expensive paperweight.

Mebromi, a bios-flashing trojan (September 8, 2011)
BIOS-MBR-Windows(BMW) or Mebromi, a new virus targeting the computer BIOS (September 8, 2011)

Fortunately, as these articles note, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for attackers to use such an exploit on a grand scale.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
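The post above makes the point that a bootkit persists by overwriting the Master Boot Record, and that a full-disk image restore replaces the MBR while a file-level clean may not. The following is an added example written for this page by the editor; it is not code from the thread or from any of its posters. It parses the 512-byte MBR layout (440 bytes of bootstrap code, a 4-byte disk signature, four 16-byte partition entries, and the 0x55AA boot signature) and compares the bootstrap code against a known-good hash, which is the check a responder would run before and after a restore to confirm the boot code really was replaced. The MBR bytes, the partition entry and the baseline hash are all constructed here for demonstration, not taken from any real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # bytes 510-511 of a valid MBR
BOOTSTRAP_LEN = 440               # bytes 0-439 hold the boot code a bootkit overwrites
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the disk signature


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap hash, disk signature, partition table and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    bootstrap = sector[:BOOTSTRAP_LEN]
    disk_signature = struct.unpack("<I", sector[440:444])[0]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:  # partition type 0x00 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": count,
            })
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def read_mbr_from_device(device_path: str) -> bytes:
    """Read sector 0 of a raw device; on Windows the path is \\.\PhysicalDrive0 (administrator rights required)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a synthetic MBR for demonstration; these bytes are made up, not read from a real disk."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    disk_signature = struct.pack("<I", 0x12345678) + b"\x00\x00"   # 4-byte signature + 2 reserved bytes
    # one active NTFS-type (0x07) partition starting at LBA 2048, 1,048,576 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1048576)
    return code + disk_signature + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed sample data: a "known-good" MBR captured before any incident, and one whose
# bootstrap code was changed, which is what an MBR-overwriting bootkit leaves behind.
KNOWN_GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(KNOWN_GOOD_MBR)["bootstrap_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe\x90\x90")

if __name__ == "__main__":
    print("known-good:", check_mbr(KNOWN_GOOD_MBR, BASELINE_SHA256) or "no findings")
    print("tampered:  ", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

In practice the baseline hash is recorded from the freshly restored disk (or from the OEM recovery media's boot code) and the check is re-run later; a changed bootstrap hash with an intact partition table is the signature of the MBR-level persistence the post describes, and it is exactly what a file-level antivirus scan does not look at.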

#4 Scoop8

  • Members
  • 214 posts
  • Gender:Male
  • Location:Dallas TX

Posted 28 December 2013 - 08:30 AM

Quoting Hermesx's opening post above.

Here's another thread at this forum that's related to your question:

http://www.bleepingcomputer.com/forums/t/515165/factory-state-format-reliability/

I have recovered from a couple of malicious infections by deleting the partitions from the infected HDD and then cloning back to the previously-infected HDD and returning it to service.

As quietman7 mentioned, and that's been what I've seen as well, most malicious items will be removed by a partition-delete and then restoring using a full-disk method (cloning or image restore) to your affected HDD.

This topic has been a recent interest of mine and during my reading about it, I found that there are a couple of things that I hadn't known previously regarding some hidden areas of some HDDs that aren't cleaned/erased by the usual methods. More info is in the other thread link.



#5 Hermesx

  • Topic Starter
  • Members
  • 63 posts
  • Gender:Male

Posted 28 December 2013 - 05:39 PM

So what I've gotten out of all of your posts in a small summary is that a factory restore will get rid of most infections, but it is not a 100% guarantee for such things as rootkits, bootkits and BIOS. Please correct me if this summary is somewhat incorrect.

Thanks, Hermes




#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 34,070 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 December 2013 - 06:00 PM

Your summary is correct.



