Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can Malware Survive If I Reset My PC?

Reset is the ultimate removal. Or is it?

Explosion

It's possible for malware to be difficult or nearly impossible to remove. It's also extremely rare.
Question: Can a virus survive Windows 10's "Reset this PC" and "Remove everything"?

Technically, yes -- certain types of malware can survive a reset.

Pragmatically, though, these types of malware are very rare, especially if you take a couple of additional steps as you "remove everything".

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

There are certain types of malware that can persist across a "Reset this PC" operation, including some types of rootkits, malware that installs into recovery or other partitions, or malware that installs into your computer's firmware. These types of malware are rare. "Reset this PC" also has different levels of "reset" that may preserve files including malware. Regardless, it's much more common to unwittingly re-install the malware as part of the steps taken or software downloaded as you rebuild the reset PC.

Persistent, resistant, malware

I'll say there are three places malware could, in theory, survive the default "Remove everything" option in Windows 10's "Reset this PC".

Rootkits. A rootkit is a form of malware that takes additional steps to hide its existence from the operating system. This means that when "Reset this PC" deletes the existing files on a hard disk (or moves them aside into Windows.old)  the rootkit could survive to re-infect the resulting clean installation of Windows.

Partitions. Malware could install itself, or a copy of itself, into one of the reserved partitions, including the recovery partition from which Widows will be reinstalled. The fresh copy of Windows could then come with malware.

Firmware. Some malware infects the firmware on your machine, such as your BIOS or UEFI. By definition, this is the software that runs on every boot up and manages access to certain hardware. It's not affected by "Reset this PC".

Everything isn't always everything

If you chose to "Reset this PC", one of the options you you select is how to remove your files.

"Just" remove your files
"Just" remove your files.

The default is to "just" remove your files. This is, presumably, the equivalent of a normal delete. The "less secure" comment acknowledges that some files could be recovered after the reinstall, using data recovery tools.

It also means that a rootkit could be overlooked and not deleted.

Click on "Change settings" to expose an additional option.

Data erasure -- clean the drive option
The data erasure, or "clean the drive" option.

The warning that "Data erasure" can take hours implies that this option formats the drive -- meaning any and all files (including rootkits) on the system partition will be removed prior to the installation.

But it's still not really "everything".

Start with an empty drive

The only way to really make sure that everything on the hard drive is truly removed is to boot from a Windows 10 Setup disk and reinstall Windows 10 from scratch. In other words, don't use "Reset this PC" at all,  because it relies on possibly compromised software in those hidden partitions.

Even then, there are additional steps to take.

You'll be asked what type of installation you want.

Which type of installation do you want?
Windows 10 Setup: Which type of installation do you want?

Choose Custom, which presents a list of partitions on the disk.

Windows Setup - Partition Management
Windows setup partition management.

My recommendation is that you carefully delete each listed partition (click on each in turn, and click Delete). Then click on New to create a new partition out of unallocated space. Windows Setup may create more than one partition. Click on each, and click on Format to format it into a drive for use by Windows Setup.

Then continue to install Windows normally.

But even that doesn't cover "everything".

The firmware dilemma

Malware entrenched in firmware is significantly more difficult to remove.

You can try the procedure outlined by your computer's manufacturer to update your UEFI or BIOS, even if you're "updating" it to the same version as already installed.

Other devices that could be compromised may or may not have similar procedures for updating or replacing their firmware. The problem here is knowing which are installed on your system, and whether this is an option for them.

There's no easy answer when it comes to firmware.

Don't panic!

You could easily become very concerned at this point.

I'll put it this way: you should never, ever jump to the conclusion that you have persistent malware that cannot be removed.

Never.

I hear from people all the time who are absolutely convinced they have malware that cannot be removed -- be it in their BIOS, UEFI, or somewhere else.

As long as I've been doing this, I have yet to encounter it. Not once. As I said, it's extremely rare. There's always been some other, fixable explanation.

If you really suspect this is the case on your machine, take it to a professional for more detailed analysis before throwing in the towel.

Just because something is possible doesn't mean it's likely.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

38 comments on “Can Malware Survive If I Reset My PC?”

  1. Leo –

    Hi. Let’s say my PC gets infected today with one of those nearly impossible to remove malware mentioned in this article. But because of your friendly nagging, I have a disk image (of all disks and partitions) that was created one month ago, which I use to restore my PC.

    By restoring to a disk image that was created definitely before my PC got infected:

    1. Will that definitely (100%) remove the malware from my PC?

    2. Or am I subject to the same malware survival possibilities (via rootkits, reserved partitions, firmware) as a user who performs a Reset This PC?

    3. Which is more likely to remove that persistent malware: Reset This PC or disk image restoration?

    Thanks.

    Reply
    • 1. 99.9999% yes. (There are no absolutes in this business. Smile)
      2. You could get infected again however you got infected before, but in restoring the image you are NOT(*) infected.
      3. Assuming you know that the image does not, itself, include the infection (i.e. it was created before you became infected) then either will do it. Otherwise, reformat/reinstall, aka Reset this PC, always(*) works.

      (*): 99.9999% — there are no absolutes. Smile

      Reply
  2. You probably did something which got you the malware in the first place. If the malware comes back, you probably did it again.

    Reply
  3. I confess, I haven’t read ALL of the article because I still use Windows 7 professional and am still reluctant to up-grade because of practical experiences by both my ex-wife and now, by my new partner with Windows 10. She stubbornly wants to stay with Apple-Mac, after her bad experience with Windows 10.

    This is not to say that I am not interested to know if that problem will persist within Windows 7 but I’m beginning to feel like the poor relation. I know that you have largely migrated to Windows 10 but, and I agree with you, Windows 7 and even Windows XP, are still viable operating systems but we, too, need a little help from time to time.

    Just saying…

    Reply
    • Yeah, I’m with you, Tom. I’ve heard so many bad things about Windows 10 and its continually, incessantly defective updates that supposedly “fix” one problem only to introduce another one, that I’m sticking with Win7 until Microsoft gets its s**t together. MS needs to stop futzing around with adding features and making unnecessary changes, and throw its resources behind fixing the myriad of defects in Windows 10 once and for all.

      Reply
    • “…but we, too, need a little help from time to time”. Perhaps. But, you are running a far more reliable OS than W10, so you’re not always running into a mess.

      Reply
  4. I use Refresh to lock the positions of the shortcut Icons on the desktop when I have them positioned the way I want them. It is frustrating to have them all move to the left of the screen after an update.

    Reply
  5. Question: Has anyone heard about a diminishing level of malware infections as a result of the pandemic? I ask this because I’ve noticed a significant drop in crank and solicitous phone calls and junk mail. The bright side.

    Reply
  6. When Reinstalling Windows “bare metal style” just press next after deleting all partitions. Windows knows what to do ;-)

    Reply
  7. Hello, Leo! The article is good to read, I don’t know if it is related to the malware that adds on my Chrome and controls as a locked administrator or I think a ransomware? But I hope it works when I custom reset my windows 10 ent. Thank you for your additional details. Have a nice day!

    Reply
  8. Hi Leo! I am not sure I fully understand the part about deleting and creating new partitions and formatting. Would it be possible to explain the steps further? I have 2 drives. They are not partitioned. I suppose there must be a system reserved one. If you don’t need any specific partitions, can you just delete all the partitions and leave it as is or do you need to create at least one partition per drive to format (assuming I will be seeing both drives) and Windows will create the other ones it needs. Thank you!

    Reply
    • When you install Windows from its own bootable media (DVD or USB), it includes options to reformat the hard disk and also includes a rudimentary partition manager. By default it will set up all the appropriate partitions if the disk is completely empty, which is why I say “reformat the hard disk” implying that the entire disk is erased. Removing all the partitions is indeed one way to accomplish that.

      Reply
    • First, perform a system image backup of your infected system in case there are any recoverable files.
      Next follow the instructions in this article starting with the section titled
      “Start with an empty drive”

      Reply
  9. What is the best way to do a clean install if you have more than one drive? Following the instructions in “start with an empty drive”, I guess you probably can format both drives but I always heard it’s best to have only one drive connected when installing Windows as sometimes it install some files on the wrong drive. If formatting the drive without Windows first by right-clicking on the disk and choosing format, I assume there’s a chance the drive with might reinfect before it gets disconnected. I guess my question is how to get two empty drives at the same time and not mess your Windows installation.

    Reply
    • To be clear, “not messing your windows installation” is exactly what a reformat means – it completely empties the drive, erasing Windows.

      My pragmatic answer (and the one I’d probably use myself) is to simply reformat and reinstall Windows on the primary drive, and then do a complete anti-malware scan on the other. Malware generally installs itself on the system drive, so erasing that is the goal. Anything left on the secondary drive would be malware installers, which as long as you don’t run them are benign. The malware scan of that secondary drive would hopefully catch and remove them. (Alternately you could reformat the secondary drive at that time as well.)

      Actually doing a two-empty drives scenario is difficult, as you’ve surmised. True “sterile technique”, as the medical folks would call it, is complex. The simplest would be to boot from something else like a Linux distribution live DVD/USB, or DBAN, or even a Windows setup disk, choosing the “repair” path and firing up a Command Prompt. In all those cases you should be able to format the two disks. If those aren’t an option, then physically disconnecting that second drive, reformatting and reinstalling Windows, then re-connecting and immediately reformatting the second drive would be the closest. It’s similar to what we did above, but just minimizes the amount of time the system is exposed to that secondary disk.

      But as I said, I don’t think that level of work is generally needed.

      Reply
      • Thanks for the quick reply! It’s a bit of basic follow-up question but I googled it and couldn’t find the answer. If I wanted go the double format route just to be extra safe and wanted to use the command prompt would Format C: H: work or would I need to do one drive and when it’s done, do the other? BitDefender and Windows Defender aren’t pick up anything on the secondary drive now so I assume it’s unlikely they would pick something up after doing a clean install of the OS.

        Reply
          • Thank you for all the information and for the heads up. I looked up how to find the drive letters. And one last question, doing it this way is just as good as the way you suggested in the Start with an empty drive section? The no chance of hidden partition being left behind?

          • This Format only reformats the visible partitions and leaves the others alone. If you want to blow away all the partitions you’d need to use the FDISK command as well. I don’t believe it’s needed, though.

          • Most information I find about using Fdisk are for Linux systems. To use in a Windows system, is the correct way to fully wipe the hidden partitions to select disk / clean / create primary partition / select partition / active / format fs=NTFS label= drive label and then assign a letter? Also, after formatting the two drives that way, is it safe to shut down the computer to disconnect one drive before the windows installation? Thank you.

          • My approach would be to use FDisk to remove all partitions. If you’re about to run Windows Setup, then let Windows Setup re-create them. Heck, if you’re about use Windows Setup you can use it to remove and then re-create the partitions. See above where it says “Choose Custom, which presents a list of partitions on the disk.” You can then manually delete the partitions in that interface before installing Windows.

            To be clear: I really don’t believe this is necessary in most cases.

          • I do understand it might be overkill but I’m about to install a password manager and I’m a bit anxious about making sure my computer is clean first. So basically, I could delete the partitions and format both drives using the custom method? That sounds a lot simpler than using Fdisk. I assume after I formatted both drives, I can stop the process and shut down the pc to unplug a drive. Then turn it back on and continue where I left off.

          • Well, like the entire process I suspect a full-format is overkill, but quick format will do. Honestly, I’m not sure if there’s a choice at setup time. (It probably defaults to quick.)

      • Oh from searching on your website I assume a complete anti-malware scan would mean a full Windows Defender scan and perhaps a Malwarebytes scan?

        Reply
    • If you have a copy of the malware file visible to your computer, it might be able to be activated again. Isolating them in an antimalware quarantine folder is usually safe. If you need to keep the malware for further research, it’s safest on a USB flash drive or encrypted. Be careful with that USB drive. If you plug it into your computer, it might auto-execute if your system defaults to running executable files from a USB drive. Unless you are a malware researcher, just delete it.

      Reply
  10. I run a political Facebook page for Convention of States. As we approach the election my computer has been hacked. I have tried everything and am starting to wonder if I need a new computer. I purchased Windows 11 Home Edition which doesn’t allow remote connection. However, I have found the files for remote connection, phone hook-up and more. Bitdefender told me to make a report to Cybercrimes. They hacked into my system and changed my firewall rules. They aren’t hiding either. When I blocked them momentarily with Bitdefender, the next day I was blocked from logging into my router Dashboard. We have discovered they mirrored my accounts and I believe they even have hacked into my printer to monitor what I am printing/scanning. I am so frustrated. I caught a large upload in the background and was able to copy their remote sign off and a few screen shots of commands before they deleted them. Do I need a new computer?

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.