
Should I back up if my machine is infected?

Question: I try to be careful about opening my email, but there’s a hacker out there who has the names in my address book. He or she sends out emails that look like they come from people I know. Their email address doesn’t show up, so I can see the address is not correct, but some made-up address. The title is something like “Look here” and the message is “Hello, excellent website!” with the name of a website. I opened it thinking that the email was from my son. I got two of these kinds of emails, one after the other, before I got suspicious and realized that I’d been hacked. So far, nothing bad has happened. Now I’m afraid to do a backup because it might mean importing the virus into my external backup drive. Is my thinking about this correct?

It is and it isn’t.

When people think their machine is infected, I typically tell them to back up that machine. Yes, you are backing up a possible infection, but that’s actually okay. You’re never going to restore that infection, precisely because you know it’s there.

So why back up?

Let’s walk through the scenario.


Why should I back up an infected machine?

When you back up, you’re preserving everything that you can. Like I said, the backup includes the malware, but it also has all of your data, your programs, everything. That means that no matter what havoc the malware – or removal attempts – might wreak, you always have a backup of your machine and your data.

Now, like I said, you should back up, but you must be careful not to restore the entire backup to your machine¹. You’d use it only for pulling specific files and pieces of data that you know aren’t infected from that backup.

You can’t necessarily predict what files you’re going to want later, which is why you should back up the entire machine.

Back up, get rid of the malware, then back up again

Getting rid of malware sounds like it’s very simple to do. It may or may not be, but you need to do this if you suspect someone infected, hacked, or placed malware on your machine.

You’ll need to run your anti-malware tools – make sure that they’re up-to-date. Then, run an offline anti-malware tool. If you have additional malware tools, like Malwarebytes, run those until your machine comes up clean.

At that point, take another backup. Again, it’s a safety net. This says, “Okay, this is the machine after I did everything that I could to clean up the malware.” That way, you know that you’ve got a snapshot of that point in time as well.

Back up before you’re infected

Because you are doing backups, I need to throw out one additional option that may be easier than any of the above.

Restore your machine to an image backup that was taken immediately before the infection.

That way, the malware isn’t there yet. Moving forward, you know not to open that email or click on those links.

Backing up an infection does not infect the backup drive

One point that often confuses people is whether backing up an infected machine causes the backup drive to, itself, become infected.

No.²

Perhaps the best way to think of this is the difference between a setup program and the program that it sets up.

A setup program contains a program that you might want installed on your machine. But it’s not until you run the setup that the program is actually installed and ready to run.

Backing up malware works in reverse: when malware is backed up, its files are copied into the backup, but not in any way that allows the malware to run. Once you restore the backup, the malware may be able to act again, but as long as it’s just part of a backup sitting somewhere, it’s inert.

Infection versus hacking

Now, I have to throw out one additional caveat here. In your question, you said that you were hacked. Did you mean hacked, where someone gains access to your online email account? Or did you simply have malware infect your machine?

Malware on your machine is what we’ve been talking about here. That’s what anti-malware tools remove, and why you were originally concerned about backing up the infection to your external hard drive.

On the other hand, if your account has been hacked – somebody who isn’t supposed to have access to your account knows your login name and password – that may have absolutely nothing to do with your machine. In fact, it’s one of the things that can happen if you click the wrong link and log in to a site that isn’t really the one you think it is.

So, be sure that you understand the difference here before you get too concerned about the backup scenario.

If your account has been hacked, then I would point you to an article called, “Email hacked: 7 things you need to do right now.” That will walk you through the steps to recover and rescue your online account.


Footnotes & references

1: Actually, there is one scenario where restoring an infected backup might make sense: if your attempts to remove the malware make your machine less stable, or perhaps even completely unusable, you might restore the infected backup so that you can restart your cleanup efforts from a known state.

2: As always, there are exceptions. If you “back up” by cloning a drive, so that the cloned drive can simply physically replace the original, then this type of backup performed on an infected drive does cause the backup drive to become infected. This is not the case for normal file, image, or online backups.

12 comments on “Should I back up if my machine is infected?”

  1. In the olden days, if you put a floppy drive in your infected computer, the virus would copy itself to the floppy drive so the next computer you put your floppy into, the virus would copy itself to that computer. Have malware writers stopped this behaviour?

    What’s the guarantee that the malware won’t copy itself to my removable hard drive so that it can copy itself back to the computer that I just cleaned?

    Reply
    • James,
      Yes, malware can still do this. In fact it’s often smart enough to transfer to a USB device or even a camera. The biggest thing I got from Leo’s article is that your whole problem is pre-solved if you were backing up all along. Then you simply restore and get on with your life. But if you don’t have a backup, and you do get a virus, then you need to make some attempt to preserve all your data.

      Reply
• Yeah, I get that too. But before I restore my system with my backup, I will want to hook up my external hard drive to my malware-infected computer to copy the data that’s changed since the last backup. In the process, the malware transfers to my external HDD. Then I pull out the recovery boot CD and reboot. So far, clean system. Hook up the external HDD to begin the recovery process with the pre-infection backup and copy the data that’s changed since. In the process, the malware transfers from my external HDD to my now-clean computer.

        Reply
    • To the best of my knowledge that never happened with Floppy drives, as auto-run and auto-play are the main culprits today in removable storage. That’s one reason I recommend turning those features off.

      Reply
  2. Hi, so I already made a full system scan (clean) and it took me a few external hard drive scans until it told me it was free from viruses. More than anything, I’m worried about files being deleted by a virus. Would I easily notice if that were to happen? And should I still worry about that after the mentioned steps I took? The viruses are a few years old and my AV is up to date.

    Thanks

    Reply
    • It depends on how often you use those files. If they’re not files you use or access frequently of course you might not realize they’re gone for some time. That’s why I so strongly recommend backing up. Always.

      Reply
  3. Hi Leo,
    I read your article with interest.
I have a Samsung Tab A 2019 SM-T290 which appears to be infected with the nasty xhelper malware. So far, according to my reading, this is nigh on impossible to remove. All the advice seems to be that doing a factory reset will not get rid of the virus because of its extremely insidious nature.
    Have you heard of this and if so have you any comments as to how I might proceed?
    Thanks

    Reply
  4. Hi Leo,
I’m sorry for emailing you out of the blue, but I’m desperate for some advice please, if possible.
    I’ve just had an Android phone suddenly lose all power, 100% to 0% in about 20 minutes, then turn off. I took it to a repair shop and changed the battery thinking it was the battery, which initially started to charge to allow me into the phone. Then it just closed down after about 20 seconds. I booted it into safe mode, deleted browser history etc. Deleted the Outlook app, and the Microsoft phone companion app. It then started accepting a charge quite quickly. Once fully charged I started it again back in full system, it seemed fine, and I ran “Anti-Malware” (the app) which said it was clean… Then I opened Google Chrome, and the phone, which had 59% at that time, just instantly flicked to 0% battery and closed down. It now won’t take a charge or start up, though it still vibrates when you press the power button.
    Does this sound like a virus to you or a battery thing? I’m now worried that the phone, which backed itself up to Google automatically every hour or so, will have backed up whatever this virus was too (if it is a virus). Google warned me when I looked at my account online that my details had been exposed in a security breach at a well known takeaway delivery app a month or so ago (who didn’t bother warning anybody that this had happened!).
    I have to buy a new phone either today or tomorrow as I don’t feel safe without a phone. Now after all that info, please could you tell me what I need to do to be able to get my data from the Google backup and restore (photos etc that I am desperate not to lose), and be able to stop my new phone being reinfected (again, if that is what this is). The Android that just died was only 2 months old but the company went bust a fortnight ago so there’s no support to be able to ask, and the Google/Android forum haven’t answered my question. I’m assuming that my PAYG SIM is still ok but I don’t even know if that can be infected.
    I’m really stuck, Please could you help me?
    Thanks
    Lisa H

    Reply
    • I’d work with your mobile provider on this. Android phones often just restore everything automatically when you fire up the phone, but different mobile providers may also have different options as well.

      Reply
