A "factory restore (reset)" essentially reformats your hard drive, removes all data and restores the computer to the state it was in when you first purchased it. Most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore". Some factory restore partitions/disks give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer. Either way, you will need to reinstall any programs that did not come preinstalled with your computer and run Windows Update to redownload all critical patches.
With that said, infections and the severity of damage will vary, and there are some types of malware which may resist reformatting. For example, some infections (rootkits and bootkits) can create a hidden partition table and alter (overwrite) the Master Boot Record (MBR) of the system drive to ensure persistent execution of malicious code, in which case the MBR would need to be repaired. In these cases, FDISK or a similar software utility is typically used to delete the boot partition where the MBR is located and then to repartition/format the volume, which is a separate function. Restoring a full hard drive image will replace the MBR, since hard drive imaging software also clones the MBR. Other types of malware can infect recovery partitions and even render them unusable. If the recovery partition has become infected, you will need to contact the computer manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support or charge a small fee.
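Because a factory restore does not necessarily rewrite sector 0, a defender wants a way to confirm whether the MBR and partition table of a drive (or of a forensic image of it) still match a known-good state before trusting a rebuild. The following Python is an added example written for this page, not code from the original post or from any vendor's recovery tool; it parses a classic 512-byte MBR, hashes the bootstrap code area against a baseline hash, validates the 0x55AA boot signature, and flags large unallocated regions of the disk where a hidden partition or stashed payload could live. The sector contents, the baseline hash and the disk size are all constructed sample values; on a real system you would read sector 0 of the disk and use the hash recorded from a clean install. The repair itself (rewriting the MBR or restoring a full image) is what the post describes; this code only reports.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440          # classic MBR: bootstrap code occupies bytes 0..439
PART_TABLE_OFFSET = 446     # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (type, lba_start, sectors) tuples.
    Used here only to construct sample sectors; a real check reads sector 0 from the disk."""
    if len(boot_code) > BOOTCODE_LEN:
        raise ValueError("boot code too long for the bootstrap area")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status = 0x80 if i == 0 else 0x00          # first entry marked active
        # CHS fields are left zero; modern firmware and tools rely on the LBA fields
        sector[off:off + PART_ENTRY_LEN] = struct.pack(
            ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode boot signature, bootstrap-code hash and the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0 and count != 0:             # type 0 means an empty slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def unallocated_gaps(partitions, disk_sectors, min_gap=2048):
    """Return (start, length) runs of unallocated sectors at least min_gap long.
    The usual alignment gap before the first partition (sectors 1..2047) stays
    below the threshold; anything larger deserves a look."""
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    gaps = []
    cursor = 1                                    # sector 0 is the MBR itself
    for start, end in used:
        if start - cursor >= min_gap:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def check_mbr(sector: bytes, baseline_bootcode_sha256: str, disk_sectors: int):
    """Compare a sector-0 capture against a known-good baseline; return a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    for start, length in unallocated_gaps(info["partitions"], disk_sectors):
        findings.append(f"unallocated region of {length} sectors at LBA {start}")
    return findings


# Constructed sample data standing in for sector 0 as read from a drive or image.
CLEAN_BOOTCODE = b"CONSTRUCTED-SAMPLE-BOOTSTRAP".ljust(BOOTCODE_LEN, b"\0")
DISK_SECTORS = 206848                             # ~101 MiB toy disk
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [(0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]
# Tampered variant: bootstrap area modified and the partition shrunk to free hidden space.
TAMPERED_MBR = build_mbr(b"MODIFIED" + CLEAN_BOOTCODE[8:], [(0x07, 2048, 180224)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE, DISK_SECTORS) or ["no findings"])
```

Run against the clean sample the check returns no findings; against the tampered sample it reports both the changed bootstrap code and a 24576-sector unallocated region after the shrunken partition. The bootstrap-area hash is the key control: bootkits that rewrite the MBR change those 440 bytes, and a hash captured from a clean install (or from the vendor's recovery media) lets you tell a reinfected sector 0 from a merely repartitioned one.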
Researchers have demonstrated in a test environment proof-of-concept viruses that modify the flash BIOS or install a rootkit in the BIOS of some systems, so that the infection could survive hard disk wiping and reinfect a clean disk. This type of malware is very rare, exists primarily in-the-wild and is not generic, meaning it is vendor specific and cannot modify all types of BIOS.
This is a quote from my Security Colleague, Elise, who works with the Emsisoft Anti-Malware Research Team.
Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent; different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible, as you'd have to write a lot of different versions for different hardware models.
These articles explain the complexity of the UEFI (Unified Extensible Firmware Interface), secure boot protocol and exploitation.
Fortunately, it's highly unlikely you will encounter a BIOS-level scenario, as it is not practical for cyber-criminals to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering, where they can use sophisticated but less technical means than a BIOS virus.