Explained: If I Reset Windows 10 will it Remove Malware?

Dennis Faas's picture

Infopackets Reader Abdul M. writes:

" Dear Dennis,

A few weeks ago my computer gave me a warning message that I was infected with virus and that I needed to call 1 800 208 0798 to fix the problem. The man I spoke to had an Indian accent and said he was from Microsoft. He then connected to my computer and removed the virus, then demanded $199 payment which I paid. He then forwarded me to another security specialist, who examined my system and said that my firewall was broken and it would cost another $350 to fix it. If I didn't pay it, he said hackers would attack my computer. At this point I freaked out - I hung up the phone and shut off my computer. After reading your excellent article on Live PC Expert fake tech support, I now understand that I've been scammed. My greatest concern is that the scammers have implanted multiple remote access backdoors into my machine, meaning they can get back in whenever they want. My question is, if I reset Windows 10 will it remove viruses and malware, including the remote access backdoors? "

My response:

If you reset Windows 10, it may or may not remove viruses or malware - including any remote access backdoors. For brevity sake, I will refer to the malware, viruses and remote access backdoors simply as "malware" for the remainder of the article because each one is malicious software by definition (hence, the portmanteau "malware").

Explained: If I Reset Windows 10 will it Remove Malware?

As I mentioned, there is a 50-50 chance of removing malware if you reset Windows.

The reasoning here is that most malware these days embed themselves deep within the operating system, resulting in a reinfection. Oftentimes antivirus or antimalware will report the infection and attempt to clean it, and either find nothing wrong (meaning it couldn't find it at all), or clean it successfully (for the time being); when you reboot the machine, the antivirus or antimalware reports that you're infected again (or you continue to receive fake virus warnings, for example).

Malware authors (and the scammers that use malware) make infections like this incredibly difficult to clean up, because as long as you're infected and the machine is under their control, they have a higher chance of getting paid - whether it's cryptojacking your machine, stealing your identity, or scamming you with fake virus warnings.

Malware Infections: Via Rootkit, Reinfect Mechanism and Legitimate Software used Nefariously

When it comes to the question of whether or not resetting Windows will remove malware, there are three types of malware that are difficult to remove.

1. Malware via Rootkit

Rootkits are incredibly difficult to remove because they are stealthy by nature.

In this case, a rootkit will embed itself into the operating system before the operating system loads into memory. In doing so, antivirus and antimalware may report suspicious activity being "blocked," but won't be able to remove the infection because the rootkit files are locked down (which result in an "access denied" error if you or the antivirus / antimalware tries to delete the infected files). Oftentimes the only way to remove the rootkit is to format the hard drive completely by removing all partitions, then reinstall Windows.

Rootkits make their way into your system through malicious software which is inadvertently downloaded, or by hackers who make their way onto your system and plant the malware - similar to how most ransomware attacks happen.

2. Malware via a Reinfection Mechanism

Most rootkits require extreme sophistication to pull off, therefore many malware authors opt for a much simpler method using a simpler-to-deploy "malware reinfection mechansim".

In this case, reinfections are difficult to trace, though with some diligent detective work (by a specialized tech like myself), it can be undone. Some reinfections come through the web browser (even if you reset the browser, the infection comes back as with JS Coinminer); some are embedded into the Windows Temporary directory or the user %appdata% folder, which get triggered on a reboot through Task Scheduler or some other automatic startup service.

Some malware even embeds itself into the Windows Reset files, meaning that if you reset Windows, your computer becomes infected again. In the latter case, this would be considered a rootkit. Some malware comes directly through the Internet, bypassing your firewall and antivirus if the machine isn't properly patched using Windows Update (security updates, patches), or if the firewall is offline.

3. Legitimate Software used Nefariously

And, there is a third type of malware: one which isn't technically considered malware, but legitimate software that is used nefariously.

As an example, scammers may gain access to your machine using fake tech support, then install multiple remote access backdoors to the machine once connected. These remote access programs are technically not malicious by nature as the serve a legitimate need, however, scammers use them in nefarious ways.

In this case, antivirus and antimalware won't pick up the remote access backdoors as threats. On every system I've worked on (due to a tech support scam) these remote access backdoor programs are well hidden in the operating system - they don't register as a Windows Service, nor are they listed in the Programs and Features, installed programs via Control Panel. These programs are also locked down with special access permissions, resulting in "access denied" if you attempt to delete the files manually - and that's if you can find it.

Conclusion: If I reset Windows 10 will it Remove Malware?

Based on what I've said above, here is my answer to the question "If I reset Windows 10 will it Remove Malware?":

Malware authors (and scammers that use malware) will do anything and everything they can to get your money. In every fake tech support case I've examined, there have been at least 3 to 5 remote access backdoors on each system. Resetting Windows 10 may not be enough should you decide to go this route (I don't recommended it); your options are to either format the drive completely, or hire a professional like myself (contact link here) to manually go through the system and examine it in order to remove any threats.

If you wipe the drive by formatting it, you will have to reinstall all your programs and user data (assuming you made a backup first). This could take hours or days to complete. On the other hand, hiring a professional like myself to manage it for you will take much less time and you can keep your user data and programs.

For the record, I've helped over 50 people with fake tech support scams and know exactly where to look to remove the threats.

Additional 1-on-1 Support: From Dennis

If all of this is over your head, or if you need help resetting Windows 10 (by formatting the drive entirely) / removing malware / removing remote access backdoors from scammers, I can help. Simply contact me, briefly describing the issue and I will get back to you as soon as possible.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat online this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.

Rate this article: 
Average: 4.3 (19 votes)

Comments

Navy vet's picture

Wouldn't restoring your system from a backup image remove the malware? Assuming the image is malware free.

Dennis Faas's picture

Yes, but this can be tricky. Users can use backups to restore, providing that:

(a) it was a disk image backup and not a "file by file" backup program to restore user files and operating system

(b) the image backup will not erase user files on the restore (or the user must accept the risk). Many times a disk image backups the entire C drive, including user files. If an old disk image backup was used 6 months from the point of infection, the user would lose 6 months of user data. This would obviously not be desirable.

(c) there is a restore environment separate from the operating system (I.E. rescue media that is not tainted with a rootkit, with the potential to reinfect even after a restore).

When in doubt consult with a professional!

gkahne_11300's picture

Thanks for your clear and informative newsletter, I read it daily.
On occasion I have helped someone out by using the restore to factory partition on their computer, with the caveat that if the problem were to recur it could be fixed, essentially as you advise, (Format and reinstall Windows etc.)

To date (knock on wood) I have not had any of these computers come back to me. I should add that I live in a very small, isolated, community and offer my services for free to the elderly and those with limited means. But, as the community is so small I do see these people regularly and have ample opportunity for feedback.

Fortunately the average person I am helping has either very little or no data on their machines; they use their computers to email, make voice/video calls to far off children, and sometimes look things up on the web.

When there is data, I take it off on a new and clean thumb drive, and tell them to wait for a week to ten days before I reinstall it for them. Most often this is photos of children and grandchildren.

My question, have I just been extraordinarily lucky or is this a reasonable course of action/ Put another way how likely is malware to get into the 'restore to factory' partition?

Thank you for your reply,

Gary

Dennis Faas's picture

Malware embedding itself into the restore partition is possible - just search Google and you will find plenty of examples. Here's a page describing rootkits and how you can get infected (as I've already described).

Also something I did not mention which is also possible is to have your router infected with malware which then redirects your system to malware no matter which website you visit. I had a client's router infected with JS Coinminer and despite scanning his system with multiple antivirus / antimalware programs (and me scanning it manually), it could not be removed. The malware had to be removed from the router by his Internet provider using a firmware flash.

As for the question "Have I been lucky not to be infected" - it all depends on your risk exposure. For example: it depends on what websites you're visiting, whether they use malware embedded ads, the programs you're installing, whether your computer is properly patched (this is a big reason people get infected), whether your router is infected, whether your machine allows incoming connections (RDP, VNC, Teamviewer, etc), and whether you've allowed scammers into your machine that plant malware.

ronnieronski's picture

i have seen this and noticed that it is only a pop-up page that comes from a lot of websites. I must add that is a very well put together illustrated web page. I almost called but did not because when i clicked the Microsoft logo nothing happened. moving on, it does not install nothing on your system. it is just annoying to get it to stop once its on your screen. the quickest fix for me, is to open the task manager and kill the web browser process completely. I never had to re-set the OS for no one since I first experienced this annoying advertisement to call Microsoft. hope this helps anyone who has been thru the experience of encountering this annoying website. P.S since i have never called. I cannot attest to what they do once you give them access to your computer. but if so, restore from back-up or do an in-place upgrade aka as re-setting your computer on windows 10 just to be completely safe.