This FAQ is organized into 4 parts:
A. The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
B. How the variety of malware influences the decision on whether to re-format and re-install, or just disinfect.
C. Tips on Re-installation.
D. Useful links.


A. The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.

When deciding whether a re-format and re-install is needed after an infection, the most important factor is generally what the computer is used for, and what information can be accessed via the computer.

The kind of malware and how it got on the computer are only the second and third most important factors.


One major intention of this FAQ is to urge techie friends, forum regulars, technicians, consultants, and service representatives to ask more questions of the computer's users (and administrators) about how the computer is used before making any kind of recommendation on re-formatting and re-installing.

If you are both the computer's owner and only user, and you are removing malware from it, you have two hats to wear. Remember to stop, and switch from technician to business person thought-mode before making the decision on whether or not to re-format and re-install.

Remember to consult the other users on what they use the computer for. (The computer you use for music may be the same one your parents use to manage your future inheritance.)



It is dangerous and incorrect to assume that simply because one backdoor trojan has been removed from a computer, the computer is now secure.

When posting questions on this topic, mention if the computer is used for more than games and music.

All of the cautions about backdoors also apply if the hacker or cracker was able to actually physically sit at the computer while it was logged on.




A re-format and re-install should always be considered.

The question is, "Should a re-format and re-install be strongly considered, or merely considered?" The decision is the computer user's and computer owner's, based on their knowledge of their computer's use, and their informed acceptance of the risk.

The experts at CERT and SANS don't think an on-site team of certified, trained and experienced professionals can reliably clean a system that has had a backdoor installed, up to the standards of everyday commercial and institutional use. So how can one expect to do that long distance?

We can't and shouldn't force people to do re-installs, but we should:

1. Ask what the computer is used for.

2. Ask if there is any confidential information about patients, customers or clients on the computer, or accessible through the computer (say through an employer's network that the computer connects to via dialup or VPN).

3. Ask if their own banking or personal information is on the computer.

4. Based on those answers, and the nature of all the malware found, and whether the hacker had direct access to the computer, either recommend or strongly recommend they consider a re-format and re-install.

Give them enough information about the risks to make their own informed decision.

5. Let them decide based on what they use their computers for, their assessment of the risks, and their financial and technical resources, whether the re-format and re-install is actually done.

6. Then assist them in securing their computer following the method they choose.



A lot of the people who need help with their computers are in other professions. Some people who come here use their computers for work, and the computers may contain the patient records of a physician, the financial records of an accountant's clients, or credit card and bank account information of their employer's customers.

1. There may be tremendous risks and legal liability for such users in not fully securing the computer. We won't know this unless we ask. We don't want to accidentally put those we help in vulnerable positions for lawsuits.

2. Here is an example of why business factors outweigh technical factors in making the re-format and re-install decision.

Sometimes techie friends give missing CDs or lack of expertise as a reason for not doing a re-format and re-install.

The cost of replacing missing Windows XP and MS Office CDs, and getting an MCSE to come in for 3 hours to do the re-install and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.

3. In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor and are in a particularly vulnerable situation, and sending them to seek local professional help from an MCSE, CISSP, GIAC CSE, CCP or ISP, than we would be by trying to fully resolve their problems long distance.


B. How the variety of malware influences the decision on whether to re-format and re-install, or just disinfect.

Look up the malware using the virus encyclopedia of the scanner that detected the virus. Click here for virus encyclopedias. If you can't find the virus in the correct encyclopedia, click here to scan with a different scanner and then try that scanner's encyclopedia.

The words to look for in the description of the virus, worm or trojan are "root kit", "backdoor", "allows arbitrary code to be executed", or "remote access trojan".

If the computer was connected to the Internet for a long time with the backdoor installed, or if the malware used ICQ to actively contact hackers, then it is more likely the backdoor was used. Therefore there is a high risk if re-formatting and re-installing is not done.

If the backdoor merely opens a port to listen, the risk is slightly lower.

If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor being used is greatly reduced. Therefore there is probably a much lower risk if re-formatting and re-installing is not done.

Most search hijackers and pop-up producing adware contain a capability for the maker to automatically update them and to add additional adware. In other words, most of them install backdoors of some sort.

In a case where only search hijackers and pop-up producing adware are found, we should not automatically recommend re-formatting, provided the malware can be removed another way and provided the computer requires only normal levels of security. Hijackers and adware are written for advertising money, and their authors are not normally interested in anything more malicious than getting click-through payments from advertisers. Seldom is a backdoor in adware used by the maker to install anything other than more hijackers and adware.

However, there is the potential for any backdoor to be used by others, not just the original author, so the situation with adware and search hijackers is generally one of much lower risk, not no risk. The use of the computer has to be considered, as well as the nature of the specific adware found.
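
The triage described in this part, written out as an added example that is not part of the original FAQ. The function names, the spelling variants matched, the treatment of a firewalled listening port as reduced risk even after long exposure, and the rule for when a recommendation becomes "strongly recommend" are assumptions of this example.

```python
import re

# Wording the FAQ says to look for in an encyclopedia entry. The spelling
# variants each pattern accepts are an assumption of this example.
BACKDOOR_TERMS = {
    "root kit": r"\broot[\s-]?kits?\b",
    "backdoor": r"\bback[\s-]?doors?\b",
    "arbitrary code": r"\barbitrary\s+code\b",
    "remote access trojan": r"\bremote[\s-]+access\s+trojans?\b",
}

# Constructed sample entry, not taken from any real virus encyclopedia.
SAMPLE = ("Worm.Example.A opens a back door on a TCP port and listens for "
          "connections, allowing a remote user to run arbitrary code.")


def backdoor_terms(description):
    """Return the FAQ's warning terms that appear in a malware description."""
    return [name for name, pattern in BACKDOOR_TERMS.items()
            if re.search(pattern, description, re.IGNORECASE)]


def likelihood_used(terms, adware_only, calls_out, long_exposure, firewalled):
    """Rank how likely it is that the backdoor was used, in the FAQ's wording."""
    if adware_only:
        return "much lower, not none"   # update channel of adware or a hijacker
    if not terms:
        return "no backdoor wording found"
    if calls_out or (long_exposure and not firewalled):
        return "high"                   # contacted its operator, or long open exposure
    if firewalled:
        return "greatly reduced"        # listening port behind a firewall or NAT router
    return "slightly lower"             # listening port, short exposure


def recommendation(likelihood, confidential_data, physical_access):
    """A re-install is always considered; decide how strongly to recommend it."""
    if physical_access or likelihood == "high":
        return "strongly recommend"
    if confidential_data and likelihood != "no backdoor wording found":
        return "strongly recommend"
    return "recommend"


if __name__ == "__main__":
    found = backdoor_terms(SAMPLE)
    risk = likelihood_used(found, adware_only=False, calls_out=False,
                           long_exposure=False, firewalled=True)
    print(found, risk, recommendation(risk, confidential_data=True,
                                      physical_access=False))
```

The output is a starting point for the conversation with the computer's users, who still make the final decision.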

The MBSA and Belarc steps in /faq/8428 (step 7) will spot-check whether certain common security settings have been changed.

From the May 5, 2004 Handler's Diary on SANS's ISC:
quote:
A reader asked why we recommend a complete rebuild of systems infected with 'sasser', given that 'sasser' is rather benign and easy to clean.

The problem with 'sasser' is that it is an indicator exploit. The fact that you are infected with 'sasser' indicated that you were vulnerable to the LSASS exploit. Before sasser, a large number of bot variants exploited this vulnerability. We find that many systems infected with 'sasser' are infected with one or more bots in addition to 'sasser'.

Each day, we receive several distinct 'bot' samples. Anti virus signatures are typically not able to keep up with all versions, and many 'bots' include specific code to plant backdoors, disable firewalls and anti virus products, or to add additional system accounts.

Antivirus software is not able to reliably detect and clean all these bots. As a result, it is impossible to tell if any of these bots is left on your system. Only a thorough (and costly) forensics analysis by a trained specialist will provide some comfort.

As a result: If you are infected by 'sasser', try to rebuild your system from scratch. For detailed instructions on setting up a new system safely, see »www.sans.org/rr/papers/i ··· ?id=1298 (Windows XP: Surviving the first day). If you are acquiring a new system, assume it is not yet patched and use extreme care the first time you connect it to the network.

And from CERT, the other main source of professional advice on handling viruses and trojans:
»www.cert.org/tech_tips/w ··· ise.html

quote:
Install a clean version of your operating system

Keep in mind that if a machine is compromised, anything on that system could have been modified, including the kernel, binaries, data-files, running processes, and memory.

In general, the only way to trust that a machine is free from backdoors and intruder modifications is to reinstall the operating system from the distribution media and install all of the security patches before connecting back to the network. Merely determining and fixing the vulnerability that was used to initially compromise this machine may not be enough.

We encourage you to restore your system using known clean binaries. In order to put the machine into a known state, you should re-install the operating system using the original distribution media.

And if this precaution applies to on-site professional security experts on UNIX, LINUX and Windows NT systems, you can bet it applies doubly to home systems with Windows being supported long distance.

The one mitigating factor is that many home users will accept more risk than will businesses, depending on the use of their computers and their own personal circumstances. And this is usually reasonable.

Anti-virus vendors, because they are in competition, and because they charge money for their products, are highly reluctant to recommend re-formatting and re-installing. Vendor A is afraid to recommend re-formatting if vendor B claims just running his tool will clean the system. We don't have that issue because we are not selling anything.

We may be leaving people open to serious financial and liability hazards if we don't make them aware of the potential hazards of not doing a clean reinstall after their system has been infected with a back door.

This is not to say that we shouldn't walk them through the process of identifying and reporting the malware. To prevent further infections, it is important that suspected new malware be copied and submitted to the anti-malware vendors before systems are cleaned.



Some Re-installation Notes:

* Be sure to back-up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete.

The re-format process will wipe the computer's hard drive clean, destroying all data and programs.

* PCs are made so they can be reformatted. But sometimes, especially with major brand-name computers, there are special procedures that require reading the manual, visiting the manufacturer's website, or, if the manufacturer has gone out of business, searching on www.google.com.

Some computers have the BIOS or re-installation software in small partitions on the hard drive.

- Do not re-partition the hard drive without carefully consulting the maker's manual and website.
- Check on the use of any partition, other than C:, before re-formatting it.

* Some computers require special drivers which are downloadable from the computer manufacturer's or vendor's website or device manufacturer's website. Use an uninfected computer to download these files to diskettes or a CD, and print out the installation instructions, in advance.

* Gather together the CDs, diskettes, and Internet addresses required to re-install the software.

* Since you should avoid searching the web until your computer is fully secured, it is a good idea to download any programs you will need to secure your computer prior to re-formatting. Use an uninfected computer to do this.

* Physically unplug the computer from the Internet before re-formatting.

* Leave the computer physically disconnected (unplugged) from the Internet until it is protected by a firewall (ICF, an NAT router, or other hardware or software firewall).

(If the computer has a wireless card, remove or shield the card so that the computer cannot connect to any access points.)

* An unpatched computer without proper firewall protection can be infected within seconds of being connected to the Internet.

The computer must be protected by a hardware firewall, NAT router, or a software firewall before plugging it back in to the internet or you can be infected in a few seconds.

* When installing from a Windows XP SP2 CD, the installation will default to having the Windows XP SP2 Firewall activated, so the hazard is greatly reduced. With earlier service packs of Windows XP and earlier versions of Windows, you must manually turn on a firewall.

* Assistance on re-installing operating systems is available from the FAQs on the "Links" pull-down menu here: BBR Microsoft Forum

* Be sure to run Windows Update to install all service packs and critical updates, and to update your anti-virus and other security products, before using your computer to do anything else.

Useful Links:
Terminating Spyware With Extreme Prejudice
»Security »What questions should I ask when doing a security assessment?
»Security »I think my computer is infected or hijacked. What should I do?
»Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?
»Security »When is an NAT router inadequate protection?
Microsoft Security at Home
Microsoft Security Guidance Center
Search Microsoft Knowledge Base
/faq/8463
BlackViper's Operating System Guides (including installation tips)

All BBR Security Forum FAQs

2008-07-21 by Keith2468: Fixed some broken links.


Feedback received on this FAQ entry:
  • Exceptional guide! Really a nice guide on weighing the pros and cons of reformatting the HDD. Keep it up.

    2014-06-27 08:38:47

  • What great info you have! And it is explained in great layman's terms; I really like that! I have never reformatted a pc (& don't particularly want to now) but root kits, trojans, dialers, and 2 IP's were found and I am nervous about >not< reformatting. So much is NOT working on this pc now, including my printer. I tried to make a list of things to do before I reformat and what to do afterwards. You don't have a simple 1,2,3 list to follow; thanks if you do or don't! Also, I must say I AM confused about reformatting. I have another partition (D) which I think is a recovery console; could that at all possibly be infected at all?? I do have the disks made when I first booted up this Vista pc (recovery disks?) Anyway, I am confused as to >which< to use or do; is there one "better" than the other? Are they exactly the same and it doesn't matter? (And could D drive possibly be infected also - it seems as if I saw that it was on one of the thousands of scans that I did =) I have tried to back up my files to DVD (but am also worried about infection there also because you said not to copy any .exe and something else that could replicate?) Am not proficient in that and just copied all my important stuff to DVD so would running scans on that CD turn up anything before I put it back on to the clean PC? I don't know if I could rummage thru it all and know what I would be looking for that might contain malicious code except for .exe =) Many thanks for your great help to us who are not as proficient and for getting out of the fast lane to help us who are struggling with all of this. Any info is greatly appreciated to be sure I end up with a clean pc. Joy to you! MassagePS@aol.com PS I have a Linksys 2.4 ghz router I'd like to hook up but don't know how to do that and read that this was a good thing to have.

    2010-04-07 01:11:40

  • Re: * Be sure to back-up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete. While a good idea in theory, not so good in practice. Some of the newer root kits can infect and hide code in any type of file, including documents, pictures, etc. Restoring backups after a reformat and reinstall, unless made at a point in time prior to when the computer was infected, would almost certainly reintroduce at least part of the infection or a hidden back door. That was my experience and the experience of many others.

    2009-08-26 07:45:23




by keith2468
last modified: 2008-07-21 01:57:19