It is and it isn’t.
When people think their machine is infected, I typically tell people to backup that machine. Yes, you are backing up a possible infection, but that’s actually okay. You’re never going to actually restore that infection simply because you know that it’s there.
So why backup?
Let’s walk through the scenario.
Become a Patron of Ask Leo! and go ad-free!
Why should I back up an infected machine?
When you back up, you’re preserving everything that you can. Like I said, the backup includes the malware, but it also has all of your data, your programs, everything. That means that no matter what havoc the malware – or removal attempts – might wreak, you always have a backup of your machine and your data.
Now, like I said, you should back up, but you must be careful not to restore the entire backup to your machine1. You’d use it only for pulling specific files and pieces of data that you know aren’t infected from that backup.
You can’t necessarily predict what files you’re going to want later, which is why you should back up the entire machine.
Back up, get rid of the malware, then back up again
Getting rid of malware sounds like it’s very simple to do. It may or may not be, but you need to do this if you suspect someone infected, hacked, or placed malware on your machine.
You’ll need to run your anti-malware tools – make sure that they’re up-to-date. Then, run an offline anti-malware tool. If you have additional malware tools, like Malwarebytes, run those until your machine comes up clean.
At that point, take another backup. Again, it’s a safety net. This says, “Okay, this is the machine after I did everything that I could to clean up the malware.” That way, you know that you’ve got a snapshot of that point in time as well.
Back up before you’re infected
Because you are doing backups, I need to throw out one additional option that may be easier than any of the above.
Restore your machine to an image backup that was taken immediately before the infection.
That way, the malware isn’t there yet. Moving forward, you know not to open that email or click on those links.
Backing up an infection does not infect the backup drive
One point that often confuses people is whether backing up an infected machine causes the backup drive to, itself, become infected.
No.2
Perhaps the best way to think of this is similar to the difference between a setup program, and the program that it sets up.
A setup program contains a program that you might want installed on your machine. But it’s not until you run the setup that the program is actually installed and ready to run.
Backing up malware works kind of in reverse: when malware is backed up its files are collected into the backup, but it’s not in any way that actually allows the malware to run. Now, once you restore the backup the malware may be able to do things, but as long as it’s just part of a backup somewhere it’s benign.
Infection versus hacking
Now, I have to throw out one additional caveat here. In your question, you said that you were hacked. Did you mean hacked, where someone gains access to your online email account? Or did you simply have malware infect your machine?
Malware on your machine is what we’ve been talking about here. That’s what anti-malware tools remove and why you could be originally concerned backing up the infection to your external hard drive.
On the other hand, if your account has been hacked – somebody other than you who isn’t supposed to have access to your account knows your account login name and password – that may have absolutely nothing to do with your machine. And in fact, it’s one of the things that can happen if you click the wrong link and log in to what you think is a site that isn’t really the one that you think it is.
So, be sure that you understand the difference here before you get too concerned about the backup scenario.
If your account has been hacked, then I would point you to an article called, “Email hacked: 7 things you need to do right now.” That will walk you through the steps to recover and rescue your online account.
In the olden days, if you put a floppy drive in your infected computer, the virus would copy itself to the floppy drive so the next computer you put your floppy into, the virus would copy itself to that computer. Have malware writers stopped this behaviour?
What’s the guarantee that the malware won’t copy itself to my removable hard drive so that it can copy itself back to the computer that I just cleaned?
James,
Yes, malware can still do this. In fact it’s often smart enough to transfer to a USB device or even a camera. The biggest thing I got from Leo’s article is that your whole problem is pre-solved if you were backing up all along. Then you simply restore and get on with your life. But if you don’t have a backup, and you do get a virus, then you need to make some attempt to preserve all your data.
Yeah, I get that too. But before I restore my system with my backup, I will want to hook up my external hard drive to my malware infected computer to copy the data that’s changed since the last backup. In the process, the malware transfers to my external hdd. Then I pull out the recovery boot CD and reboot. So far, clean system. Hook up external hdd to begin the recovery process with the pre-infection backup and copy data that’s changed since. In the process, the malware transfer from my external hdd to my now clean computer.
To the best of my knowledge that never happened with Floppy drives, as auto-run and auto-play are the main culprits today in removable storage. That’s one reason I recommend turning those features off.
Hi, so I already made a full system scan (clean) and it took me a few external hard drive scans until it told me it was free from viruses. More than anything, I’m worried about files being deleted by a virus. Would I easily notice if that were to happen? And should I still worry about that after the mentioned steps I took? The viruses are a few years old and my AV is up to date.
Thanks
It depends on how often you use those files. If they’re not files you use or access frequently of course you might not realize they’re gone for some time. That’s why I so strongly recommend backing up. Always.
Thanks Leo. Those files are part of my backup in my external drive though. Can they still be affected?
There’s no absolute answer here. YES they can be, BUT the probability is very VERY low.
Hi Leo,
I read your article with interest.
I have a Samsung Tab A 2019 SM-T290 which appears to be infected with the nasty xhelper malware. So far, according to my reading, this is nigh on impossible to remove. All the advice seems to be that doing a factory reset will not not get rid of the virus because of its extremely insidious nature.
Have you heard of this and if so have you any comments as to how I might proceed?
Thanks
A factory reset will get rid of all malware. The problem is that some phones may not be capable of a factory reset. Most are.
According to ZDNet, the malware is finally removable: There’s finally a way to remove xHelper, the unremovable Android malware:
Hi Leo,
I’m sorry for email I g out of the blue but I’m desperate for some advice please, if possible.
I’ve just had an Android phone suddenly lose all power , 100% to 0% in about 20 minutes, then turn off. I to it to a repair shop and changed the battery thinking it was the battery, which initially started to charge to allow me into the phone. Then it just closed down after about 20 seconds. I booted it into safe mode, deleted browser history etc. Deleted the outlook app, and the Microsoft phone companion app. It then started accepting a charge quite quickly. Once fully charged I started it again back in full system , it seemed fine,.and I ran “Anti-Malware” ( the app) which said it was clean….. Then I opened google chrome, the phone which had 59% at that time just instantly flicked to 0% battery and close down. It now won’t take a charge or start up, though still vibrates when you press the power button.
Does this sound like a virus to you or a battery thing? I ‘m now worried that the phone which backed itself up to Google automatically every hour or so will have backed up whatever this virus was too. ( If it is a virus). Google warned me when I looked at my account online that my details had been exposed in a security breach at a well known takeaway delivery app a monthly so ago ( who didn’t bother warning anybody that this has happened!).
I have to buy a new phone either today or tomorrow as I don’t feel safe without a phone. Now after all that info , please could you tell me what I need to do.to be able to get my data from the Google backup and restore ( photos etc that I am desperate not to lose), and be able to stop my New phone being reinfected, ( again if that is what this is). The Android that just died was only 2 months old but the company went bust a fortnight ago so no support to be able.to ask and the Google/android forum haven’t answered my question . I’m.assuming that my PAYG sim is still ok but I. don’t even know if that can be infected.
I’m really stuck, Please could you help me?
Thanks
Lisa H
I’d work with your mobile provider on this. Android phones often just restore everything automatically when you fire up the phone, but different mobile providers may also have different options as well.