
Which Files Were Affected by a Hack or Malware?

Question: How can you determine which Windows files or registry settings have been compromised after your system has been hacked?

You cannot.

Once your machine has been hacked, it’s not your machine any more.

And yes, that sounds serious, because it absolutely is.


TL;DR:
  • You cannot tell with certainty what a hack or malware may have affected.
  • The most common approach is to run repeated anti-malware scans.
  • The best solution is to revert to an image backup taken before the compromise.
  • The painful solution is to reinstall and start over.

Ramifications of compromise

Once your machine has been hacked, there is no approach that will tell you with 100% certainty exactly what the hacker (or malware) changed.

Assuming a sufficiently proficient hack, the hacker will have had access to absolutely everything. They could have changed anything, and they could have taken steps to explicitly hide everything they’ve changed.

There’s no way to know they haven’t hidden something you’ll never find. This is one of the reasons “rootkits” are so dangerous; they actually modify the system in such a way that they hide their very existence from standard file and folder listings.

Traditional solutions

What most people do is run scans with anti-malware tools or security packages in the hopes they’ll catch whatever was corrupted and repair it. Often this means running complete scans with their existing utilities and using additional tools in the hopes they’ll discover more.

Generally those tools catch a lot, it’s true. But there’s no guarantee they’ll catch everything.

Once you’ve taken the time to run all the tools, perform all the scans, or look in every place you’ve learned to check, there’s still no way to know that you’ve found everything. [1]

You know you were hacked.

Yet regardless of the steps you take, you’ll never know you’ve cleaned up from it completely.

Pragmatic solution #1: backup to the rescue

While we can’t prove that a machine is free of malware (even if it’s fresh out of the box), there are steps we can take after a known compromise to improve the odds of having a clean machine.

The first approach is to back up your data to capture any recent changes, and then restore your system from a complete (aka system image) backup taken prior to the hack.

Of course, you can only use this solution if you’ve been creating complete backup images regularly enough to be useful, and if you know when the hack happened. Most people fail the first criterion, sadly. The second can be difficult to determine, but more often than not there’s a sign or symptom making the compromise apparent.

Pragmatic solution #2: backup, reformat, reinstall

The second, more painful, approach is to back up your data [2], and then:

  • Reformat and reinstall Windows from scratch
  • Reinstall all your applications from scratch
  • Carefully restore your data as you need it

If this feels painful, that’s because it is. It is time-consuming, but it’s often less time-consuming than struggling with a still-infected or unstable machine, and much more reassuring than not knowing if you’ve eliminated the threat.

And after you’ve done so, make sure to implement that full system backup strategy to make recovery simpler should this ever happen again.

Footnotes & References

1: You can’t prove a negative.

2: Again, this should have been happening all along, but many people fail.

10 comments on “Which Files Were Affected by a Hack or Malware?”

    • Doesn’t work. Here is why:
      Malware can, and often does, infect the restore points.
      The end result is that by using System Restore, you also restore the malware. EVEN if the restore point was created before the infection.

  1. I’ve been working in the database field since the old days of DOS 3.0. Oracle now, but back in the DOS days it was the IBM Assistance Series. Those days were slow, but at least I had time to make a few sandwiches while waiting :) .

    I am petrified of getting malware and viruses on my own PC. I know enough NOT to go clicking where I shouldn’t and I read and scrutinize every option on installation screens. I run “anti-this” and “anti-that” on my PC, but I’m still afraid all that is not enough these days.

    I use a backup company (starts with “Carb…”) but that only backs up my documents, music and videos. I’m going to bet some types of malware can plant themselves inside some of these files. LEO… If I have to re-install Windows, it seems as if my backed-up files would need to be scrubbed before I download them from my back-up company.

    I’ve ghosted my PC twice to two separate external hard drives. I recall each time it took over 12 hours to ghost about 775GB. That’s a long time… and I’m sure the ghosting included all my documents too. LEO – Any suggestions for ghosting that will NOT include my files that are backed up to my back-up service? Or should I include EVERYTHING when I ghost my PC?

    • Macrium Reflect or EaseUS Todo, Leo’s preferred system image backup software packages, should back up your system in a lot less than 12 hours. Depending on the specs (USB3?), it might be as little as an hour or two.

      Assuming you use Windows, I suggest a full backup is appropriate. If a lot of your storage is consumed by music and videos, you might create a “backedup” folder for each, move your current files into those folders and exclude them from future backups.

    • Some backup programs allow you to skip backing up certain files and folders. I’m not sure, but I think the paid version of EaseUS has that feature. Another way to prevent files from being included in a backup is to place them on a different drive or partition.
      Personally, I don’t like that option as I don’t trust an online service as my only backup.

  2. I see that you are recommending Malwarebytes Anti-malware.

    Is Malwarebytes Anti-malware superior to Microsoft Security Essentials (MSSE)? There was a time when MSSE was considered pretty much the ultimate tool for finding and blocking malware. Is this no longer true?

  3. Another great piece of advice on a problem that has been seemingly covered for a million times from all possible angles… but this one was not.

  4. “While we can’t prove that a machine is free of malware (even if it’s fresh out of the box)…”

    Especially if it’s a Lenovo computer. Do a Google (or better yet, DuckDuckGo) search for Lenovo Preinstalled Malware.

