When you have to assume your computer isn’t your computer anymore.
A tricky problem: someone breaks in, but you don’t know what they did.
Can you clean up? How do you keep it from happening again?
The news isn’t great.
Once your computer has been compromised, you can’t assume it’s yours anymore. The intruder could have left malware that your security tools don’t detect so they can keep accessing the machine. The only safe solutions are to restore from an image backup taken before the compromise or to reinstall Windows (and everything else) from scratch.
It’s not your computer anymore
Once someone has accessed your computer, particularly if they’ve had an extended time with it and they happen to be savvy, you can only assume it’s not your computer anymore.
By that I mean they could have installed malware, remote access software, keyloggers, and more. While a good anti-malware scan should catch most of that, there’s no guarantee that it’ll catch everything, and a scan run from inside the compromised system is itself at the mercy of whatever was installed, which can hide files and processes from it. You simply have no way to know what was done and no way to know what needs to be undone… or even if it can be undone completely.
You have two options.
Restore from backup
IF you know when the intrusion or compromise began, and you’ve been backing up regularly and completely, one solution is simple: restore your entire computer from a backup image taken prior to the compromise.
This depends on three things.
- You’ve been routinely taking image backups: backups that include everything on your hard disk.
- You know when the intrusion began.
- You’re certain that the intruder wasn’t able to compromise your backups. It’s rare, but once again, a possibility: any backup the compromised machine could reach while the intruder was on it (a permanently attached external drive, a network share, a synced cloud folder) could have been altered, replaced, or deleted.
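One practical way to satisfy that third point is to record a hash of each backup image when you make it, keep that list somewhere the intruder can’t reach (printed out, or on a drive that stays unplugged), and compare before you restore. The PowerShell below is an added example, not code from this article or from any backup product; the manifest format and the function names are its own choices.

```powershell
# Added example, not from the Ask Leo! article. Assumes image backups are
# plain files in one folder and that the manifest is kept offline between
# backup and restore; the manifest format ("<sha256> <filename>") is this
# example's own.

# Run this when the backup is made, then move the manifest somewhere safe.
function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupFolder,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    Get-ChildItem -LiteralPath $BackupFolder -File |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            '{0} {1}' -f $hash, $_.Name
        } |
        Set-Content -Path $ManifestPath
}

# Run this before restoring: every image must still match its recorded hash.
function Test-BackupImageHash {
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,
        [Parameter(Mandatory)] [string] $BackupFolder
    )
    $results = foreach ($line in Get-Content -Path $ManifestPath) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $expected, $name = $line.Trim() -split '\s+', 2
        $path = Join-Path -Path $BackupFolder -ChildPath $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; Status = 'MISSING' }
            continue
        }
        # Get-FileHash ships with Windows PowerShell 4+ and PowerShell 7.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $status = if ($actual -ieq $expected) { 'OK' } else { 'MODIFIED' }
        [pscustomobject]@{ File = $name; Status = $status }
    }
    $results | Format-Table -AutoSize | Out-Host
    # $true only when every image in the manifest is present and unchanged.
    return -not ($results | Where-Object Status -ne 'OK')
}

# Example usage (paths are placeholders):
# New-BackupManifest   -BackupFolder 'E:\Images' -ManifestPath 'E:\manifest.sha256'
# Test-BackupImageHash -ManifestPath 'E:\manifest.sha256' -BackupFolder 'E:\Images'
```

Run the check from a known-good system (another machine, or a boot from trusted recovery media), not from the compromised Windows install, whose own tools could have been tampered with. A hash only proves the image is unchanged since you recorded it; it says nothing about whether the intruder was already inside when the backup was taken, which is why you also need the date the intrusion began.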
It sounds like the intrusion you’re speaking of has been going on a while. Even if you did specifically know when it started, restoring from a very old backup might not be practical.
That leaves the nuclear option.
Assume the worst: rebuild from scratch
You can’t trust your machine, so the only absolute solution is to start over.
That’s a drastic step, but if your intruder is as adept as you indicate, it’s likely the best approach. If they’re really good, they could leave hooks you could never find.
In your shoes, I would:
- Disconnect from the network
- Reinstall Windows from scratch
- Reinstall my applications from scratch
- Restore my data (documents, photos, and the like, not programs or installers) from backups or other locations as convenient, and scan it before opening anything
Then, for additional security:
- Either disable the built-in Administrator account (it’s disabled by default on current versions of Windows), or be sure it has a strong password.
- Ensure your own login account has a secure password.
- Make sure Windows and your applications are as up to date as possible.
- Remember physical security. If someone can walk up to it and reboot, say from their own USB stick, then all the other security might be bypassed: nothing in Windows protects the disk’s contents from someone who boots something other than Windows.
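The items above can be checked from an elevated PowerShell prompt on the rebuilt machine. This is an added example, not the article’s own procedure: it uses only built-in cmdlets (the LocalAccounts module, Get-HotFix, and Get-BitLockerVolume where the Windows edition includes BitLocker), the function name and the -ExpectedAdmins default are assumptions, and the disk-encryption check goes one step beyond the list, since full-disk encryption is what actually closes the “walk up and reboot it” hole.

```powershell
# Added example, not from the Ask Leo! article. Run as Administrator on the
# rebuilt machine. Function name and the -ExpectedAdmins default are this
# example's own assumptions.
function Test-RebuildHardening {
    param(
        # Accounts that should hold admin rights; anything else is reported.
        [string[]] $ExpectedAdmins = @("$env:COMPUTERNAME\$env:USERNAME"),
        # Actually disable the built-in Administrator instead of only reporting it.
        [switch] $DisableBuiltinAdmin
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The built-in Administrator always has RID 500, whatever it was renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Enabled) {
        if ($DisableBuiltinAdmin) {
            Disable-LocalUser -SID $builtin.SID
            $findings.Add("Built-in Administrator '$($builtin.Name)' was enabled; now disabled.")
        } else {
            $findings.Add("Built-in Administrator '$($builtin.Name)' is enabled: disable it or give it a strong password.")
        }
    }

    # 2. Only the accounts you expect should be in the local Administrators group.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($ExpectedAdmins -notcontains $m.Name) {
            $findings.Add("Unexpected member of Administrators: $($m.Name) [$($m.PrincipalSource)]")
        }
    }

    # 3. No enabled local account may be allowed a blank password.
    foreach ($u in Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }) {
        $findings.Add("Account '$($u.Name)' is enabled but does not require a password.")
    }

    # 4. Patch level: how long since the newest update was installed?
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) {
        $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        if ($age -gt 30) { $findings.Add("Newest installed update ($($latest.HotFixID)) is $age days old; run Windows Update.") }
    } else {
        $findings.Add("No installed updates reported; run Windows Update.")
    }

    # 5. Physical security: without full-disk encryption, anyone who can reboot
    #    the box from their own media can read the disk. Get-BitLockerVolume only
    #    exists on editions that include BitLocker, hence SilentlyContinue.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($null -eq $bl) {
        $findings.Add("BitLocker cmdlets unavailable on this edition; secure the machine physically another way.")
    } elseif ($bl.ProtectionStatus -ne 'On') {
        $findings.Add("System drive $env:SystemDrive is not protected by BitLocker.")
    }

    if ($findings.Count -eq 0) { Write-Host 'No findings.' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
    return $findings
}

# Usage (report only):   Test-RebuildHardening
# Usage (also disable):  Test-RebuildHardening -DisableBuiltinAdmin
```

The script reports rather than fixes by default, because the right action for an unexpected admin account or an unencrypted drive depends on the machine; the one exception is the -DisableBuiltinAdmin switch, which does exactly what the first bullet asks. Run it once right after the rebuild, before you reconnect to the network and before you restore any data.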
Consider reviewing all the steps outlined in Internet Safety: 7 Steps to Staying Safe Online. While we’re considering the security of your PC here, your online security is just as important, if not more so, and a compromised online account (your email, for example) can sometimes be the stepping stone that allows access to your machine.