Why do I have to format and reinstall Windows after my computer is infected with a virus?
For many virus, worm, or Trojan computer infections, the UITS Support Center or University Information Security Office (UISO) will instruct you to reformat your hard drive (i.e., erase Windows) and reinstall Windows from scratch, even if your antivirus program or other antiviral tools can remove the virus or delete the infection. The reason for this instruction is that a threat usually exists beyond the virus, worm, or Trojan itself. Often, the virus or worm itself is merely the carrier of something more malicious, and most current infections leave the computer open to further compromise. Following are examples:
The first two examples actively open a backdoor, through which other malicious programs can be loaded. The third turns an infected computer into a proxy, which allows someone to direct Internet traffic through in order to obscure the source of the traffic. The last installs a monitor that attempts to capture passwords and uploads them to some remote computer.
In all these sample cases, removing the infection (the virus) still leaves problems:
- In the cases of W32.Mytob.JI@mm and W32.Spybot.WON, the backdoor allows material separate from the worm to be installed. Removing the backdoor does not address what may have come through it in the time between infection and removal.
- W32.Bobax.AJ@mm and PWSteal.Reoxtan modify registry entries and files. Those changes cannot be undone by Symantec's antivirus products, and must be manually restored.
- PWSteal.Reoxtan keeps passwords and other information it steals in a text file on the infected computer. Unless these files are found and deleted, they pose a security risk: any future infection that allows access to files on the infected computer will also allow access to the password(s) in that text file.
It is extremely rare for a virus, worm, or Trojan not to permit or produce a further compromise. In the case of infections that install backdoors, it can be nearly impossible to determine what came through before the backdoor was removed, and how compromised a computer is as a result. Erasing your Windows installation and reinstalling it is the only sure way to guarantee that no further compromises remain.
Last modified on November 12, 2012.