My hard disk got infected with a virus. I am planning to format it. So is
there a way to back up all of the data without carrying the virus?
The short answer is no, there’s no practical way to back up the entire hard
disk without also including the infection in the backup.
Knowing that, however, I can make some strong recommendations on how to proceed.
Backup tools are not anti-virus tools
Backing up an infected system while carefully excluding the malware from the backup would require your backup software to somehow identify what is and is not malware.
It can’t.
In fact, you don’t want it to. Imagine a false positive causing some incredibly important file to not get backed up – that could cause you some serious problems.
Besides, identifying malware is what your anti-malware tools are for.
Option 1: Back up and know that it’s infected
My recommendation is that you back up everything – infection and all – and make careful note that the backup is, itself, infected.
Then never, ever restore that entire backup.
As you’re probably already aware, restoring that entire backup would restore the malware, and thus leave you no better off.
The purpose of taking a full backup of an infected machine is to make absolutely certain you have a backup copy of all of the other files on that machine.
After reformatting your hard disk, reinstalling the operating system from scratch (not from the backup) and installing all your applications from scratch (not from the backup), you would then carefully restore your data files and only your data files from the backup.
Having a full backup simply guarantees that you’ve captured every file that you might possibly need when it comes time to restore.
Option 2: Restore to a different drive and scan
One alternative is to restore that full backup to a second drive – a drive from which you do not boot your computer.
(Or, alternately, get a new primary drive and simply move the infected drive to secondary.)
You would reformat and reinstall the operating system and applications to the primary drive, and then – once again carefully – copy off only your data files from the secondary drive.
I’d actually suggest running anti-malware scans on that secondary drive as soon as practical simply to remove what malware can be found. This makes having that drive attached to your system that much safer.
Option 3: Back up only data
This is actually what most online backup services do: they back up only your data files and not your system. 99% of the time that means that infections are not included in the backup and you’re typically safe to restore your data files.
You could do the same, online or off.
Rather than backing up your entire infected drive, you could simply copy off or back up only your data.
The biggest reason that I so strongly advise against this is very simple: you might miss something. You might not back up a file that you later determine you need. Once the hard disk is formatted and the OS reinstalled, there’s no going back – anything that you didn’t back up is gone.
On the other hand, if you have a full system backup, everything is in the backup. Yes, “everything” includes the malware, but that’s why you shouldn’t blindly restore the entire system image, but rather pick and choose what files – what data files – you want to recover from it.
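One way to make "pick and choose your data files" repeatable, as an added example that is not part of the original article: the sketch below walks a backup that has been restored or mounted as a folder tree on a non-boot drive and copies out only allow-listed data files whose first bytes match their extension. The allow-list, the signature table and the function names are assumptions made for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed allow-list: extension -> bytes a genuine file of that type starts with.
DATA_TYPES = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".txt": None,  # no fixed signature: only the extension is checked
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # Windows PE and Linux ELF headers

def classify(path):
    """Return 'restore', or the reason this file stays in the backup."""
    ext = path.suffix.lower()
    if ext not in DATA_TYPES:
        return "skip: extension not on allow-list"
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(EXECUTABLE_MAGIC):
        return "skip: executable header under a data extension"
    if DATA_TYPES[ext] and not head.startswith(DATA_TYPES[ext]):
        return "skip: content does not match extension"
    return "restore"

def selective_restore(backup_root, dest_root):
    """Copy allow-listed data files only; return (restored, skipped)."""
    restored, skipped = [], {}
    for src in sorted(Path(backup_root).rglob("*")):
        if src.is_symlink() or not src.is_file():
            continue
        rel = src.relative_to(backup_root).as_posix()
        if (verdict := classify(src)) != "restore":
            skipped[rel] = verdict
            continue
        dst = Path(dest_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)  # copies contents only; nothing is executed
        restored.append(rel)
    return restored, skipped

def demo():
    """Run against a constructed sample tree (not real backup data)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "backup", "Documents")
        docs.mkdir(parents=True)
        (docs / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (docs / "invoice.pdf").write_bytes(b"MZ constructed sample")
        (docs / "setup.exe").write_bytes(b"MZ constructed sample")
        return selective_restore(Path(tmp, "backup"), Path(tmp, "clean"))
```

The skipped list doubles as a record of what was left behind in the full backup in case something turns out to be needed later. A file that passes these checks can still carry malicious content, such as a document macro, so the destination folder should be scanned with anti-malware tools before anything in it is opened.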
Next Steps
If you don’t back up your computer, start. This entire article becomes completely moot if you could instead simply restore to last night’s uninfected system backup. How do I backup my computer? is a good place to start.
If you are infected and you have no backups, back up immediately – infection and all. Before giving up and reformatting, you might read How do I recover from a bad virus infection?, which includes several steps to attempt to recover. Even though you might still end up reformatting and reinstalling, you might be able to first create a cleaner, less-infected backup image from which you could later recover your data.
I would make two backups. A full one in case you miss something and a data only backup. Restore from the data backup and you are very unlikely to restore a virus. Only go to the full backup if you find out you missed something.
“This entire article becomes completely moot if you could instead simply restore to, say, last night’s uninfected system backup.”
Unfortunately, “last night’s uninfected system backup” might actually be “last night’s ‘I didn’t know yet that it was already infected’ system backup”, so I’d say that you should still do a thorough scan after restoring it.
10-Nov-2011
You frequently say, “back-up data only”. Well, yes, I do know what data *I* have stored – WORD files, EXCEL files, BitMaps, e-mail, etc. But what about the “hidden” data, such as cookies – and (I’m sure) LOTS of other files, log files, etc., etc. (a) Should these be included in a back-up? And (b) what files are these and where are they?
10-Nov-2011
The best solution, IMHO, is to store all your data in a separate partition apart from C:. That way your data is still there after rebuilding the system or restoring from an image.
When I have system corruption I don’t bother trying to find the source. I simply restore a known good image of my system partition and I’m back in business in about 10 minutes. It’s that easy only because I have moved my user folder to the data partition, too, which isn’t quite so easy. Moving the user folder would not be necessary if you make daily incremental images.
I’ve learned a lot from you, Leo. Thank you.
I have a completely different strategy, although I can’t remember when I had a virus on my machine. (I have firewalls and security strategies that work.)
As soon as I have everything working correctly on my computer, I clone it and put the copy on the shelf. When something goes wrong, even most crashes, I move the problem disk to another slot, install the cloned disc and boot from it. I can then move any files I need to the cloned drive. Often if the drive had crashed “Windows XP” will check the old disc for errors before booting, automatically fix problems and it will then boot correctly. Once I have the new drive working perfectly, well actually perfect is not a computer term, I clone it to the problem drive and put it back in the shelf.
I’d often find this situation while working for various IT support departments or companies. My strategy is to back up the user’s profile (most likely backing up the infection). Format and rebuild the machine, then restore only the parts of the user profile that the user actually sees. Desktop, My Docs, music, photos, videos, and Internet favorites. Any infection is most likely buried deep within the profile, therefore you’d be very unlucky to restore an infection. Once you’ve re-installed things like MS Office, you can dig around the old profile and recover .pst files and the like.
http://ask-leo.com/how_do_i_safely_backup_an_infected_drive.html
Leo I have a suggestion for this person, that would work.
Most viruses on computers need Internet connections. Here is what I would do for this person.
Download Malwarebytes and do not do an update. Disconnect the computer from the Internet that way the payload can not talk back to the virus writer it isolates the system, then reboot the computer into safe mode without Internet connection and run Malwarebytes. It might take 2 times to get all the infected files recognized. I have cleaned a few computers that way. After the infection is cleaned reboot the computer and again disconnect it from the Internet and run an antivirus program like Microsoft Security Essentials. After cleaning the system I would do a total backup on an external drive.
Mark in Houston
Might not hurt to say a little prayer either. Definitely put those data files on an external drive of some sort on a machine not connected to a LAN or any other machine. 2 weeks ago, for the first time in 14+ years I ran into a virus that left me with no option but to XOXOXOXO the entire HDD, reformat, repartition & reload the OS. This virus infected the MBR & I ran every single geek-approved A-V program & repaired the MBR half a dozen times. I’d re-boot & run it through all the A-V programs (I was using 6 or 7 of the highest recommended programs – 1st time they’ve failed me) until each scan showed me a clean computer. I’d re-boot & bam – here it came again. I know when the time vs money becomes absurd it’s time to give up. Really thought I had beat it when I began to hear sound coming from the speakers. Bits of a speech, an advertisement, some pop music, & after a period of silence a voice telling me I had won an i-pod & to click a key to claim my prize. Oh yeah! I’m jumping on that! NOT. The one who wrote the program has a brilliant mind – too bad he or she can’t do something constructive with it. There was a lesson learned though – the user will now save to the network AS INSTRUCTED where files are backed up nightly. Unfortunately, everything on the local drive was wiped out. I set this user up on a new PC & installed Win7 Pro & am going to test drive the built in disc imaging program & see if it’s as good as reviews indicate. Back in the day (Stoned Monkey days), a virus would make me laugh at the dumb message(s), I’d get it gone & happy sailing. They are getting scary sophisticated now. I personally believe the next terrorist attack will target the grid via a computer virus.