
Will factory restore remove most malware and viruses?


5 replies to this topic

#1 Hermesx (Members, 75 posts)

Posted 27 December 2013 - 08:59 PM

Just curious about this. If I had already tried removing infected files with an antivirus or anti-malware tool and decided to do a factory restore (not with a disk) but by doing it at startup, will it remove all of the infected files on my computer? I understand that this will also delete anything I have on my computer and will make it look like when I first bought it. But, will it remove all infected files as well?

 

Apparently system restore is not effective at all because of the chance that the restore points will also become infected. I've asked a few friends about this and they all seem to mistake Factory Restore as System Restore which is not at all what I'm talking about. :P

 

I know it is unnecessary in most cases, but is it an effective and fool proof way of permanently ridding your system of the infection?

 

Thanks, Hermes. :)


Edited by Hermesx, 27 December 2013 - 09:01 PM.

I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)



#2 Mako (Malware Response Team, 238 posts, Location: Belgium)

Posted 28 December 2013 - 04:28 AM

Hello Hermes,

 

Factory Restore will indeed, unlike System Restore, remove all your (infected) files and folders, clearing the majority of all infections. You should, however, take special care with rootkit infections, as they might infect the recovery partition as well. Therefore it's wise to start a new topic in the appropriate section, since most malware can be removed without the need for a factory reset :).

Although most rootkit infections leave the recovery partition alone, it's useful to bear in mind that this is not always the case.

 

Cheers,

Mako 

Member of UNITE, Unified Network of Instructors and Trained Eliminators


#3 quietman7 (Bleepin' Janitor, Global Moderator, 48,072 posts, Location: Virginia, USA)

Posted 28 December 2013 - 07:19 AM


A "factory restore (reset)" essentially reformats your hard drive, removes all data and restores the computer to the state it was in when you first purchased it. Most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore". Some factory restore partitions/disks give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer. Either way, you will need to reinstall any programs that did not come preinstalled with your computer and run Windows Update to redownload all critical patches.

With that said, infections and severity of damage will vary, and there are some types of malware which may resist reformatting. For example, there are some infections (rootkits and bootkits) which can create a hidden partition table and alter (overwrite) the Master Boot Record (MBR) of the system drive to ensure persistent execution of malicious code, and the MBR would need to be repaired. In these cases, FDISK or a similar software utility is typically used to delete the boot partition where the MBR is located and repartition/format a given volume...a separate function. If restoring a full hard drive image, it will replace the MBR since hard drive imaging software also clones the MBR. Other types of malware can infect recovery partitions and even render them unusable. If the recovery partition has become infected, you will need to contact the computer manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support or charge a small fee.

Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive hard disk wiping and reinfect a clean disk. This type of malware is very rare, exists primarily in the wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS.

This is a quote from my Security Colleague, Elise who works with the Emsisoft Anti-Malware Research Team.

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent; different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible, as you'd have to write a lot of different versions for different hardware models.


These articles explain the complexity of the UEFI (Unified Extensible Firmware Interface), secure boot protocol and exploitation. Fortunately, it's highly unlikely you will encounter a BIOS-level scenario, as it is not practical for cyber-criminals to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering, where they can use sophisticated but less technical means than a BIOS virus.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
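To make the MBR point in quietman7's reply concrete from a defender's side, here is an added example (not from this thread or any tool mentioned in it): a small Python script that parses a 512-byte MBR, hashes the bootstrap-code region so it can be compared against a copy taken from a trusted image, and lists sector ranges that no partition entry accounts for, which is where a hidden partition would have to live. The sample sectors, the disk size and the "known good" hash are all constructed here for illustration.

```python
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, the partition table and a signature check."""
    assert len(sector) == SECTOR, "MBR must be exactly one 512-byte sector"
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "start": lba, "end": lba + count - 1})
    return {"valid_signature": struct.unpack_from("<H", sector, 510)[0] == 0xAA55,
            "bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts}

def unallocated_ranges(partitions, disk_sectors, first_usable=2048):
    """Sector ranges no table entry accounts for; a gap nobody can explain is where a hidden partition could sit."""
    gaps, cursor = [], first_usable
    for p in sorted(partitions, key=lambda e: e["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

def build_mbr(entries, bootcode=b"\xfa\x33\xc0"):
    """Constructed sample sector (not read from any real disk); entries are (status, type, start, count)."""
    sector = bytearray(SECTOR)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    struct.pack_into("<H", sector, 510, 0xAA55)
    return bytes(sector)

# Constructed 200,000-sector disk: one bootable NTFS partition (type 0x07) that ends well before the disk does.
CLEAN = build_mbr([(0x80, 0x07, 2048, 100000)])
TAMPERED = build_mbr([(0x80, 0x07, 2048, 100000)], bootcode=b"\xeb\xfe")  # same table, different boot code
KNOWN_GOOD = parse_mbr(CLEAN)["bootcode_sha256"]  # stands in for a hash taken from a trusted image

def check(sector, known_good_hash, disk_sectors):
    """Defender's view: signature intact, boot code matches the trusted copy, and which sector ranges need explaining."""
    info = parse_mbr(sector)
    return {"signature_ok": info["valid_signature"], "bootcode_matches": info["bootcode_sha256"] == known_good_hash,
            "gaps": unallocated_ranges(info["partitions"], disk_sectors)}
```

Trailing unpartitioned space is normal on many disks, so a reported gap is something to account for against the expected layout, not proof of a hidden partition on its own; the boot-code hash mismatch on TAMPERED is the signal a reimage or MBR repair is meant to clear.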

#4 Scoop8 (Members, 324 posts, Location: Dallas TX)

Posted 28 December 2013 - 08:30 AM


 

Here's another thread at this forum that's related to your question:

 

http://www.bleepingcomputer.com/forums/t/515165/factory-state-format-reliability/

 

I have recovered from a couple of malicious infections by deleting the partitions from the infected HDD and then cloning back to the previously-infected HDD and returning it to service.

 

As quietman7 mentioned and that's been what I've seen as well, most malicious items will be removed by a partition-delete and then restoring using a full-disk method (cloning or image restore) to your affected HDD.

 

This topic has been a recent interest of mine, and during my reading about it I found that there's a couple of things that I hadn't known previously regarding some hidden areas of some HDDs that aren't cleaned/erased by the usual methods. More info is in the other thread link.



#5 Hermesx (Topic Starter, Members, 75 posts)

Posted 28 December 2013 - 05:39 PM

So what I've gotten out of all of your posts in a small summary is that a factory restore will get rid of most infections, but it is not a 100% guarantee for such things as rootkits, bootkits and BIOS. Please correct me if this summary is somewhat incorrect.

 

Thanks, Hermes



#6 quietman7 (Bleepin' Janitor, Global Moderator, 48,072 posts, Location: Virginia, USA)

Posted 28 December 2013 - 06:00 PM

Your summary is correct.