



Starting from scratch is the only malware cure

Feb 20, 2009 | 5 mins
Data and Information Security | Security

If you discover malware on your system, don't mess around. Back up your data, format your hard drive, and begin again

Most people I meet who have found malware on their computer regale me with a cat-and-mouse story of the fight and the painstaking steps they had to take to remove it. When it comes to battling today’s malware, the plot shouldn’t have so many twists and turns. I’ve got an easier answer.

In the old days (i.e. just two or three years ago), most malware programs were harmless — annoying, yes, but ultimately benign. They were mainly ways for tech-headed teens to show they could do something neat. Their creations would replicate files, modify the computer in a funny way, or pull a goofy prank — maybe play a tune, print out a joke, or display a dramatic but fake warning. Only a small percentage of viruses or worms did something intentionally harmful.

[ See Roger’s guide to browser security and security reviews of Chrome, Firefox, Opera, Internet Explorer, and Apple Safari. See also his comparison of Web browser security tools, “Sandbox security versus the evil Web.” ]

Fast forward to today, and 99 percent of malware is crimeware designed to hurt you financially. If you discover that a malware program is active on your computer, don’t take any chances. Even if your antivirus program tells you it is simple adware, go to full eradication.

Today’s malware exists to steal your money, whether it be through your identity, passwords, data, or bank account. There is no way to tell how the malware has modified your computer beyond the rogue executables you or your antivirus program has found. There is no antivirus removal program that can be guaranteed to have completely cleaned your machine. Your livelihood is at stake. So don’t fight malware — eradicate it!

Immediately unplug the computer in question from the network. This will prevent the computer from receiving additional commands from its remote user or command-and-control server.

Back up all your data, which you should have been doing all along, anyway. To make things simple, I back up all personal data to a single folder. You may want to make sure you back up your e-mail, browser favorites, and preferences files.

Take a quick inventory of all your installed applications, plug-ins, and components. Note which ones you have to re-download and document the license numbers for software that requires them. On a Windows computer, sometimes I’ll go so far as to back up the HKLM and HKCU registry keys (you can do so within the Registry Editor tool); these sometimes contain information that is easier to restore than to re-create. Document your network settings, if any are different from the normal DHCP (Dynamic Host Configuration Protocol) defaults.

If you don’t have a system restore disk (from your computer vendor), you have more work to do. Go into the Windows Control Panel and document any hardware devices that require separate downloads to restore. Usually I’ll go out of my way to note the network interface card model, and then download the network card driver to removable media. (During a recovery, you may need to get your network card working before you can download and restore patches and other drivers.) Do the same for your video card. It will save you much time during the re-install if your base OS doesn’t immediately recognize the hardware.

Because you’re doing all of this while the malware is in memory, there is a chance it could infect your backup media. Some readers may suggest using a boot disk image, such as BartPE or a similar utility, to boot to a clean state. This is actually great advice, but when booting to other media, it can be harder to find out application- and hardware-specific information, such as license numbers or specific models.
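The inventory-and-backup steps above (installed applications, the HKLM and HKCU registry keys, network settings, network and video card models, and the personal data folder) can be captured in one pass rather than clicked through by hand. The script below is an added example written for this page, not the author’s own tooling: it assumes an elevated PowerShell session on the infected Windows machine, a removable drive mounted at the placeholder path `E:\rebuild-notes`, and that personal data lives in a single folder (`$env:USERPROFILE\MyData`, also a placeholder). Every output goes to the removable media as plain files and CSV, so the notes survive the format.

```powershell
# Added example: pre-rebuild inventory for the "back up and document" steps.
# Assumptions (not from the column): output drive E:\ is removable media,
# personal data is kept in one folder, and the session is elevated.
param(
    [string]$Target     = "E:\rebuild-notes",            # assumed removable media path
    [string]$DataFolder = "$env:USERPROFILE\MyData"      # assumed single personal-data folder
)

New-Item -ItemType Directory -Path $Target -Force | Out-Null

# 1. Installed applications from the standard Uninstall keys (64-bit, 32-bit, per-user),
#    so you know what must be re-downloaded. License numbers still have to be noted by hand.
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique |
    Export-Csv -Path (Join-Path $Target "installed-applications.csv") -NoTypeInformation

# 2. The HKLM and HKCU hives the column mentions, exported as .reg files.
#    reg.exe is the command-line twin of the Registry Editor; the files can be large.
& reg.exe export HKLM (Join-Path $Target "HKLM.reg") /y | Out-Null
& reg.exe export HKCU (Join-Path $Target "HKCU.reg") /y | Out-Null

# 3. Network settings: which adapters use DHCP and which carry static addresses,
#    gateways and DNS servers that would otherwise have to be re-created from memory.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, MACAddress, DHCPEnabled,
        @{ n = "IPAddress"; e = { $_.IPAddress -join "," } },
        @{ n = "Gateway";   e = { $_.DefaultIPGateway -join "," } },
        @{ n = "DNS";       e = { $_.DNSServerSearchOrder -join "," } } |
    Out-File (Join-Path $Target "network-settings.txt")
ipconfig /all | Out-File (Join-Path $Target "ipconfig-all.txt")

# 4. Hardware that typically needs a vendor driver after a clean install:
#    the network card (needed first, to fetch everything else) and the video card.
Get-WmiObject Win32_NetworkAdapter -Filter "PhysicalAdapter = True" |
    Select-Object Name, Manufacturer, PNPDeviceID |
    Out-File (Join-Path $Target "network-hardware.txt")
Get-WmiObject Win32_VideoController |
    Select-Object Name, DriverVersion, PNPDeviceID |
    Out-File (Join-Path $Target "video-hardware.txt")

# 5. Personal data and browser favorites, copied as plain files (no archive, no installer),
#    so nothing taken from the infected system has to be executed on the clean one.
$copySets = @{
    "data"      = $DataFolder
    "favorites" = "$env:USERPROFILE\Favorites"
}
foreach ($name in $copySets.Keys) {
    $src = $copySets[$name]
    if (Test-Path $src) {
        Copy-Item -Path $src -Destination (Join-Path $Target $name) -Recurse -Force
    }
}

# 6. Patches present on the old system, for comparison after the rebuild's patch rounds.
Get-HotFix | Select-Object HotFixID, Description, InstalledOn |
    Export-Csv -Path (Join-Path $Target "hotfixes-before-rebuild.csv") -NoTypeInformation

Write-Host "Inventory written to $Target. Scan this media from a known-clean machine before restoring from it."
```

Run it after the network cable is out and before formatting. Because the malware is still resident while this runs, treat the removable media as untrusted until it has been scanned from a clean machine, and restore only the data files, never anything executable, onto the rebuilt system. Property names such as `PhysicalAdapter` depend on the Windows version; on older releases drop the filter and pick the adapter out of the full list.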

Once everything is backed up or documented, format your hard drive and begin again. If you’re lucky, you can use the system restore disk that came with your computer. The first thing you should do is restore all critical security patches for your operating system and pre-installed applications. Do this before installing any additional applications. With a Windows machine this normally means several rounds of install and rebooting before the job is done.

Restore the data, sometimes even before restoring the applications. Many applications will search for and automatically “re-join” data belonging to the application. Re-install any missing applications and then re-do the patch check. Install your anti-malware tools. You may want to consider something new if your old defenses let you down.

Corporate types often have this whole process on auto-pilot and can simply restore the originally supported image in a few minutes. You can do the same thing at home if you use any of the myriad complete backup programs.

After all the time and effort you put into the restore, you’ll want to figure out how you got infected so you don’t repeat the mistake. Chances are either you were running an unpatched system or you were somehow fooled into running something malicious.

Finally, be sure to change any logon credentials you used online while exploited. I know it was your favorite password, but you’ve probably been using it too long already, and change is good. Monitor credit card and bank balances on a daily basis for a few months and consider getting one of those credit monitoring services. If you see something suspicious, report it to your bank or card vendor immediately, file a police report, and confront the likelihood that you are a victim of identity theft. You may need to take further action.

Don’t simply dismiss today’s computer exploitations as an annoyance like we did just a few years ago. That was play time; this is serious. And don’t let a well-meaning friend or computer geek talk you into merely scanning and “removing” the malware and hoping for the best. Back up your data, reformat your hard drive, and start over. I’m right and they are wrong.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
