A. The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
B. How the variety of malware influences the decision on whether to re-format and re-install, or just disinfect.
C. Tips on Re-installation.
D. Useful links.
When deciding whether a re-format and re-install is needed after an infection, the most important factor is generally what the computer is used for, and what information can be accessed via the computer.
The kind of malware and how it got on the computer are only the second and third most important factors.
One major intention of this FAQ is to urge techie friends, forum regulars, technicians, consultants, and service representatives to ask more questions of the computer's users (and administrators) about how the computer is used before making any kind of recommendation on re-formatting and re-installing.
If you are both the computer's owner and its only user, and you are removing malware from it, you have two hats to wear. Remember to stop, and switch from thinking as the technician to thinking as the business owner, before deciding whether or not to re-format and re-install.
Remember to consult the other users on what they use the computer for. (The computer you use for music may be the same one your parents use to manage your future inheritance.)
It is dangerous and incorrect to assume that simply because one backdoor trojan has been removed from a computer, the computer is now secure.
When posting questions on this topic, mention if the computer is used for more than games and music.
All of the cautions about backdoors also apply if the hacker or cracker was able to actually physically sit at the computer while it was logged on.
A re-format and re-install should always be considered.
The question is, "Should a re-format and re-install be strongly considered, or merely considered?" The decision is the computer user's and computer owner's, based on their knowledge of their computer's use, and their informed acceptance of the risk.
The experts at CERT and SANS don't think an on-site team of certified trained and experienced professionals can reliably clean a system that has had a backdoor installed, up to the standards of everyday commercial and institutional use. So how can one expect to do that long distance?
We can't and shouldn't force people to do re-installs, but we should:
1. Ask what the computer is used for.
2. Ask if there is any confidential information about patients, customers or clients on the computer, or accessible through the computer (say through an employer's network that the computer connects to via dialup or VPN).
3. Ask if their own banking or personal information is on the computer.
4. Based on those answers, and the nature of all the malware found, and whether the hacker had direct access to the computer, either recommend or strongly recommend they consider a re-format and re-install.
Give them enough information about the risks to make their own informed decision.
5. Let them decide based on what they use their computers for, their assessment of the risks, and their financial and technical resources, whether the re-format and re-install is actually done.
6. Then assist them in securing their computer following the method they choose.
A lot of the people who need help with their computers are in other professions. Some people who come here use their computers for work, and the computers may contain the patient records of a physician, the financial records of an accountant's clients, or credit card and bank account information of their employer's customers.
1. There may be tremendous risks and legal liability for such users in not fully securing the computer. We won't know this unless we ask. We don't want to be accidentally putting those we help in a vulnerable position for lawsuits.
2. Here is an example of why business factors outweigh technical factors in making the re-format and re-install decision.
Sometimes techie friends give missing CDs or lack of expertise as a reason for not doing a re-format and re-install.
The cost of replacing missing Windows XP and MS Office CDs, and getting an MCSE to come in for 3 hours to do the re-install and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
3. In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor and are in a particularly vulnerable situation, and sending them to seek local professional help from an MCSE, CISSP, GIAC CSE, CCP or ISP, than we would be by trying to fully resolve their problems long distance.
Look up the malware using the virus encyclopedia of the scanner that detected it. Click here for virus encyclopedias. If you can't find the malware in that scanner's encyclopedia, click here to scan with a different scanner and then try that scanner's encyclopedia.
The words to look for in the description of the virus, worm or trojan are "root kit", "backdoor", "allows arbitrary code to be executed", or "remote access trojan".
If the computer was connected to the Internet for a long time with the backdoor installed, or if the malware used ICQ to actively contact hackers, then it is more likely the backdoor was used. Therefore there is a high risk if re-formatting and re-installing is not done.
If the backdoor merely opens a port to listen, the risk is slightly lower.
If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor being used is greatly reduced. Therefore there is probably a much lower risk if re-formatting and re-installing is not done.
Most search hijackers and pop-up producing adware contain a capability for the maker to automatically update them and to add additional adware. In other words, most of them install backdoors of some sort.
In a case where only search hijackers and pop-up-producing adware are found, we should not automatically recommend re-formatting, provided the malware can be removed another way and the computer requires only normal levels of security. Hijackers and adware are written for advertising money, and their authors are not normally interested in anything more malicious than collecting click-through payments from advertisers. Seldom is a backdoor in adware used by its maker to install anything other than more hijackers and adware.
However, there is the potential for any backdoor to be used by others, not just the original author, so the situation with adware and search hijackers is generally one of much lower risk, not no risk. The use of the computer has to be considered, as well as the nature of the specific adware found.
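The decision factors from sections A and B above (what the computer is used for first, then the kind of malware found, then how exposed the backdoor was, with physical access by the attacker treated as a backdoor) can be written down as a small triage routine. This is an added illustration for this FAQ, not a tool from the forum or from any anti-virus vendor. The backdoor keywords are the ones the text says to look for in an encyclopedia entry; the adware keyword list, the field names and the one-week cut-off for "connected for a long time" are assumptions made for the example.

```python
"""Triage for the re-format-or-disinfect decision (added example, not a FAQ tool)."""
from dataclasses import dataclass

# Phrases the FAQ says to look for in a vendor encyclopedia description.
BACKDOOR_KEYWORDS = ("root kit", "rootkit", "backdoor",
                     "allows arbitrary code to be executed", "remote access trojan")
# Phrases typical of advertising-funded adware / search hijackers (assumed list).
ADWARE_KEYWORDS = ("adware", "search hijacker", "browser hijacker", "pop-up")

# "Connected to the Internet for a long time" is not quantified in the FAQ;
# one week is an assumed cut-off for this example.
LONG_EXPOSURE_HOURS = 24 * 7

STRONGLY_CONSIDER = "strongly consider re-format and re-install"
CONSIDER = "consider re-format and re-install"


@dataclass
class Situation:
    others_confidential_data: bool   # patient/client/customer data on, or reachable via, the PC
    own_financial_data: bool         # the owner's own banking or personal information
    descriptions: list               # encyclopedia text for each piece of malware found
    hours_online_infected: float     # time on the Internet while the malware was present
    active_callback: bool            # malware actively contacted its operator (e.g. via ICQ)
    behind_firewall_or_nat: bool     # a working firewall or NAT router shielded listening ports
    attacker_physical_access: bool   # someone sat at the logged-on computer


def classify(description: str) -> str:
    """Map an encyclopedia description to 'backdoor', 'adware' or 'other'."""
    text = description.lower()
    if any(k in text for k in BACKDOOR_KEYWORDS):
        return "backdoor"
    if any(k in text for k in ADWARE_KEYWORDS):
        return "adware"
    return "other"


def backdoor_exposure(s: Situation) -> str:
    """How likely it is that a backdoor was actually used: 'high', 'medium' or 'low'."""
    if s.attacker_physical_access:
        return "high"        # anything could have been installed from the keyboard
    if s.active_callback or s.hours_online_infected >= LONG_EXPOSURE_HOURS:
        return "high"        # long exposure, or an active call-out to the operator
    if s.behind_firewall_or_nat:
        return "low"         # merely listening, and the port was never reachable
    return "medium"          # merely listening, but reachable from the Internet


def recommend(s: Situation):
    """Return (recommendation, refer_to_local_professional, reasons)."""
    reasons = []
    classes = {classify(d) for d in s.descriptions}
    has_backdoor = "backdoor" in classes or s.attacker_physical_access
    if s.attacker_physical_access:
        reasons.append("attacker had physical access to the logged-on computer; treat as a backdoor")

    if has_backdoor:
        exposure = backdoor_exposure(s)
        reasons.append("backdoor present, exposure " + exposure)
        if s.others_confidential_data:
            reasons.append("confidential information about others is at risk; seek local professional help")
            return STRONGLY_CONSIDER, True, reasons
        if exposure == "high":
            return STRONGLY_CONSIDER, False, reasons
        if exposure == "medium" and s.own_financial_data:
            reasons.append("owner's own financial data reachable through an exposed listener")
            return STRONGLY_CONSIDER, False, reasons
        return CONSIDER, False, reasons

    if classes == {"adware"}:
        reasons.append("only adware/search hijackers found; their update channel is a backdoor "
                       "of sorts, so the risk is much lower, not zero")
        if s.others_confidential_data:
            reasons.append("but confidential information about others is on the computer")
            return STRONGLY_CONSIDER, False, reasons
        return CONSIDER, False, reasons

    reasons.append("no backdoor-class malware identified; a re-format should still be considered")
    return CONSIDER, False, reasons


if __name__ == "__main__":
    # Constructed sample: a physician's PC with a backdoor, behind a NAT router.
    physician = Situation(True, False, ["Backdoor allows arbitrary code to be executed"],
                          2, False, True, False)
    print(recommend(physician))
```

The routine only ever returns the FAQ's two levels, "strongly consider" or "consider", because the text says a re-format should always be at least considered; the third output flags the section A case where the right move is a referral to local professional help rather than long-distance cleanup.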
The MBSA and Belarc steps in here /faq/8428 (step 7) will spot-check whether certain common security settings have been changed.
From the May 5, 2004 Handler's Diary on SANS's ISC:
And from CERT, the other main source of professional advice on handling viruses and trojans:
And if this precaution applies to on-site professional security experts on UNIX, Linux and Windows NT systems, you can bet it applies doubly to home Windows systems being supported long distance.
The one mitigating factor is that many home users will accept more risk than will businesses, depending on the use of their computers and their own personal circumstances. And this is usually reasonable.
Anti-virus vendors, because they are in competition, and because they charge money for their products, are highly reluctant to recommend re-formatting and re-installing. Vendor A is afraid to recommend re-formatting if vendor B claims just running his tool will clean the system. We don't have that issue because we are not selling anything.
We may be leaving people open to serious financial and liability hazards if we don't make them aware of the potential hazards of not doing a clean reinstall after their system has been infected with a back door.
This is not to say that we shouldn't walk them through the process of identifying and reporting the malware. To help prevent further infections, it is important that samples of suspected new malware be copied and submitted to the anti-malware vendors before the system is cleaned.
* Be sure to back-up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete.
The re-format process will wipe the computer's hard drive clean, destroying all data and programs.
* PCs are made so they can be reformatted. But sometimes, especially with major brand-name computers, there are special procedures that require reading the manual, visiting the manufacturer's website, or, if the manufacturer has gone out of business, searching on www.google.com.
Some computers keep their recovery or re-installation software in small hidden partitions on the hard drive.
- Do not re-partition the hard drive without carefully consulting the maker's manual and website.
- Check on the use of any partition, other than C:, before re-formatting it.
* Some computers require special drivers which are downloadable from the computer manufacturer's or vendor's website or device manufacturer's website. Use an uninfected computer to download these files to diskettes or a CD, and print out the installation instructions, in advance.
* Gather together the CDs, diskettes, and Internet addresses required to re-install the software.
* Since you should avoid searching the web until your computer is fully secured, it is a good idea to download any programs you will need to secure your computer prior to re-formatting. Use an uninfected computer to do this.
* Physically unplug the computer from the Internet before re-formatting.
* Leave the computer physically disconnected (unplugged) from the Internet until it is protected by a firewall (ICF, a NAT router, or other hardware or software firewall).
If the computer has a wireless card, remove or shield the card so that the computer cannot connect to any access points.
* An unpatched computer without proper firewall protection can be infected within seconds of being connected to the Internet. The computer must be protected by a hardware firewall, NAT router, or software firewall before it is plugged back in.
* When installing from a Windows XP SP2 CD, the installation will default to having the Windows XP SP2 Firewall activated, so the hazard is greatly reduced. With earlier service packs of Windows XP and earlier versions of Windows, you must manually turn on a firewall.
* Assistance on re-installing operating systems is available from the FAQs on the "Links" pull-down menu here: BBR Microsoft Forum
* Be sure to run Windows Update to install all service packs and critical updates, and to update your anti-virus and other security products, before using your computer to do anything else.
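The "firewall on before the cable goes in, then update before anything else" rule from the checklist above, as a pre-reconnect gate. This is an added example for this FAQ, not a script from the forum or from Microsoft, and it assumes a current Windows (8.1/10/11) with the NetSecurity and NetAdapter modules and an elevated PowerShell prompt; the XP-era firewall discussed in the text has no PowerShell interface, so this is the modern equivalent of that step.

```powershell
# Pre-reconnect gate for a freshly re-installed Windows machine (added example).
# Run from an elevated PowerShell prompt on Windows 8.1/10/11.

function Test-ReconnectReady {
    # True only when every firewall profile is enabled and none defaults inbound to Allow.
    $bad = Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' }
    if ($bad) {
        Write-Warning ("Firewall not protecting profile(s): " + ($bad.Name -join ', ') + " -- enabling")
        Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
        return $false   # re-run to confirm before plugging in
    }
    return $true
}

function Get-ActiveLinks {
    # Physical adapters (Ethernet, Wi-Fi) that are currently up. Expect none until the gate passes.
    Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
}

function Get-PendingUpdates {
    # Ask the Windows Update Agent (COM API) which applicable updates are not yet installed.
    # Needs network access, so call this only after reconnecting.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $result.Updates | ForEach-Object { $_.Title }
}

# Step 1 (still unplugged): confirm isolation and firewall state.
$links = Get-ActiveLinks
if ($links) {
    Write-Warning ("Still connected via: " + ($links.Name -join ', ') + " -- unplug before continuing")
}
if (Test-ReconnectReady) {
    'All firewall profiles enabled with inbound blocked by default: safe to reconnect.'
}

# Step 2 (after reconnecting): see what Windows Update still wants, install it all,
# then update anti-virus and other security products before doing anything else.
# Get-PendingUpdates
```

If Test-ReconnectReady had to switch a profile on, it returns false deliberately so that you re-run it and see a clean pass before plugging in; the pending-update query is left commented out because it only works once the machine is back on the network.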
Terminating Spyware With Extreme Prejudice
»Security »What questions should I ask when doing a security assessment?
»Security »I think my computer is infected or hijacked. What should I do?
»Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?
»Security »When is an NAT router inadequate protection?
Microsoft Security at Home
Microsoft Security Guidance Center
Search Microsoft Knowledge Base
BlackViper's Operating System Guides (including installation tips)
All BBR Security Forum FAQs
2008-07-21 by Keith2468: Fixed some broken links.