Once your machine is infected, system backups are likely to include the infection as well. I'll look at what steps to take when that happens.

My hard disk got infected with a virus. I am planning to format it. So is there a way to back up all of the data without carrying the virus?

The short answer is no: there's no practical way to back up the entire hard disk without also including the infection in the backup.

Knowing that, however, I can make some strong recommendations on how to proceed.

Backup tools are not anti-virus tools

Backing up an infected system while carefully excluding the malware from the backup would require your backup software to somehow identify what is and is not malware.

It can't.

In fact, you don't want it to. Imagine a false positive causing some incredibly important file to not get backed up - that could cause you some serious problems.

Besides, identifying malware is what your anti-malware tools are for.

Option 1: Back up and know that it's infected

My recommendation is that you back up everything - infection and all - and make careful note that the backup is, itself, infected.

Then never, ever restore that entire backup.

As you're probably already aware, restoring that entire backup would restore the malware, and thus leave you no better off.

The purpose of taking a full backup of an infected machine is to make absolutely certain you have a backup copy of all of the other files on that machine.

After reformatting your hard disk, reinstalling the operating system from scratch (not from the backup) and installing all your applications from scratch (not from the backup), you would then carefully restore your data files and only your data files from the backup.

Having a full backup simply guarantees that you've captured every file that you might possibly need when it comes time to restore.

Option 2: Restore to a different drive and scan

One alternative is to restore that full backup to a second drive - a drive from which you do not boot your computer.

(Or, alternately, get a new primary drive and simply move the infected drive to secondary.)

You would reformat and reinstall the operating system and applications to the primary drive, and then - once again carefully - copy off only your data files from the secondary drive.

I'd actually suggest running anti-malware scans on that secondary drive as soon as practical simply to remove what malware can be found. This makes having that drive attached to your system that much safer.

Option 3: Back up only data

This is actually what most online backup services do: they back up only your data files and not your system. 99% of the time that means that infections are not included in the backup and you're typically safe to restore your data files.

You could do the same, online or off.

Rather than backing up your entire infected drive, you could simply copy off or back up only your data.

The biggest reason that I so strongly advise against this is very simple: you might miss something. You might not back up a file that you will later determine that you need. Once the hard disk is formatted and the OS reinstalled, there's no going back - anything that you didn't back up is gone.

On the other hand, if you have a full system backup, everything is in the backup. Yes, "everything" includes the malware, but that's why you shouldn't blindly restore the entire system image, but rather pick and choose what files - what data files - you want to recover from it.
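The selective restore that Options 1 and 2 call for (data files only, never the whole image), sketched as an added example that is not part of the original article: it walks a backup mounted as a folder, copies only files whose extension is on an allowlist, and leaves behind anything whose content starts like an executable. The extension list, the folder names and the sample files are assumptions constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed allowlist of data extensions; extend it with the file types you use.
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".bmp", ".pst"}
# First bytes of executable formats: Windows PE/DOS ("MZ") and ELF.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

def classify(path: Path) -> str:
    """Return 'restore' or the reason this file stays in the backup."""
    if path.is_symlink() or not path.is_file():
        return "skip: not a regular file"
    if path.suffix.lower() not in DATA_EXTENSIONS:
        return "skip: extension not on allowlist"
    with path.open("rb") as fh:
        if fh.read(4).startswith(EXECUTABLE_MAGIC):
            return "skip: executable content behind a data extension"
    return "restore"

def selective_restore(backup_root: Path, dest_root: Path):
    """Copy only allowlisted data files; return (restored, skipped)."""
    restored, skipped = [], []
    # Real directories are skipped here and recreated on demand below.
    for src in sorted(p for p in backup_root.rglob("*") if p.is_symlink() or not p.is_dir()):
        rel, verdict = src.relative_to(backup_root), classify(src)
        if verdict == "restore":
            target = dest_root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, target)  # content only, no metadata
            restored.append(rel.as_posix())
        else:
            skipped.append((rel.as_posix(), verdict))
    return restored, skipped

def demo():
    """Run against a constructed stand-in for a mounted infected backup."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, clean = Path(tmp, "backup"), Path(tmp, "clean")
        samples = {"Users/me/Documents/notes.txt": b"meeting notes",
                   "Users/me/Documents/invoice.pdf": b"MZ\x90\x00 not a PDF",
                   "Users/me/AppData/updater.exe": b"MZ\x90\x00"}
        for name, data in samples.items():
            (backup / name).parent.mkdir(parents=True, exist_ok=True)
            (backup / name).write_bytes(data)
        return selective_restore(backup, clean)

if __name__ == "__main__":
    print(demo())
```

The skipped list records what stays behind in the full backup in case a missing file turns up later. Passing this filter is not a malware scan, so the restored files still belong under your anti-malware tools.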

Next Steps

If you don't back up your computer, start. This entire article becomes completely moot if you could instead simply restore to last night's uninfected system backup. How do I backup my computer? is a good place to start.

If you are infected and you have no backups, back up immediately - infection and all. Before giving up and reformatting, you might read How do I recover from a bad virus infection?, which includes several steps to attempt to recover. Even though you might still end up reformatting and reinstalling, you might be able to first create a cleaner, less-infected backup image from which you could later recover your data.

Article C4975 - November 6, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

8 Comments
Ronny
November 7, 2011 8:30 AM

I would make two backups. A full one in case you miss something and a data only backup. Restore from the data backup and you are very unlikely to restore a virus. Only go to the full backup if you find out you missed something.

Ken B
November 7, 2011 4:03 PM

"This entire article becomes completely moot if you could instead simply restore to, say, last night's uninfected system backup."

Unfortunately, "last night's uninfected system backup" might actually be "last night's 'I didn't know yet that it was already infected' system backup", so I'd say that you should still do a thorough scan after restoring it.

Very true.
Leo
10-Nov-2011

Robin Clay
November 8, 2011 8:42 AM

You frequently say, "back-up data only". Well, yes, I do know what data *I* have stored - WORD files, EXCEL files, BitMaps, e-mail, etc.. But what about the "hidden" data, such as cookies - and (I'm sure) LOTS of other files, log files, etc., etc.. (a) Should these be included in a back-up? And (b) what files are these and where are they ?

Your question illustrated exactly why I much prefer image backups, which back up everything whether you need it or not. In a scenario like this you would then have the image backup - albeit itself infected - with every file that you could then recover individually if you discovered you needed them. When I talk about backup data only I do specifically mean the data you know about. That's typically the most critical of all.
Leo
10-Nov-2011

Tom S
November 8, 2011 11:00 AM

The best solution, IMHO, is to store all your data in a separate partition apart from C:. That way your data is still there after rebuilding the system or restoring from an image.

When I have system corruption I don't bother trying to find the source. I simply restore a known good image of my system partition and I'm back in business in about 10 minutes. It's that easy only because I have moved my user folder to the data partition, too, which isn't quite so easy. Moving the user folder would not be necessary if you make daily incremental images.

I've learned a lot from you, Leo. Thank you.

Jim Jewell
November 8, 2011 11:40 AM

I have a completely different strategy, although I can’t remember when I had a virus on my machine. (I have firewalls and security strategies that work.)
As soon as I have everything working correctly on my computer, I clone it and put the copy on the shelf. When something goes wrong, even most crashes, I move the problem disk to another slot, install the cloned disc and boot from it. I can then move any files I need to the cloned drive. Often if the drive had crashed “Windows XP” will check the old disc for errors before booting, automatically fix problems and it will then boot correctly. Once I have the new drive working perfectly, well actually perfect is not a computer term, I clone it to the problem drive and put it back in the shelf.

Duane Ferguson
November 9, 2011 1:03 AM

I'd often find this situation while working for various IT support departments or companies. My strategy is to backup the user's profile (most likely backing up the infection). Format and rebuild the machine, then restore only the parts of the user profile that the user actually sees. Desktop, My Docs, music, photos, videos, and Internet favorites. Any infection is most likely buried deep within the profile, therefore you'd be very unlucky to restore an infection. Once you've re-installed things like MS Office, you can dig around the old profile and recover .pst files and the like.

markww
November 13, 2011 5:27 AM

http://ask-leo.com/how_do_i_safely_backup_an_infected_drive.html

Leo I have a suggestion for this person, that would work.

Most viruses on computers need Internet connections. Here is what I would do for this person.

Download Malwarebytes and do not do an update. Disconnect the computer from the Internet; that way the payload cannot talk back to the virus writer, and it isolates the system. Then reboot the computer into safe mode without an Internet connection and run Malwarebytes. It might take 2 times to get all the infected files recognized. I have cleaned a few computers that way. After the infection is cleaned, reboot the computer and again disconnect it from the Internet and run an antivirus program like Microsoft Security Essentials. After cleaning the system I would do a total backup on an external drive.

Mark in Houston

Cindy Gioffredi
November 15, 2011 8:57 AM

Might not hurt to say a little prayer either. Definitely put those data files on an external drive of some sort on a machine not connected to a LAN or any other machine. 2 weeks ago, for the first time in 14+ years I ran into a virus that left me with no option but to XOXOXOXO the entire HDD, reformat, repartition & reload the OS. This virus infected the MBR & I ran every single geek-approved A-V program & repaired the MBR half a dozen times. I'd re-boot & run it through all the A-V programs (I was using 6 or 7 of the highest recommended programs - 1st time they've failed me) until each scan showed me a clean computer. I'd re-boot & bam - here it came again. I know when the time vs money becomes absurd it's time to give up. Really thought I had beat it when I began to hear sound coming from the speakers. Bits of a speech, an advertisement, some pop music, & after a period of silence a voice telling me I had won an i-pod & to click a key to claim my prize. Oh yeah! I'm jumping on that! NOT. The one who wrote the program has a brilliant mind - too bad he or she can't do something constructive with it. There was a lesson learned though - the user will now save to the network AS INSTRUCTED where files are backed up nightly. Unfortunately, everything on the local drive was wiped out. I set this user up on a new PC & installed Win7 Pro & am going to test drive the built in disc imaging program & see if it's as good as reviews indicate. Back in the day (Stoned Monkey days), a virus would make me laugh at the dumb message(s), I'd get it gone & happy sailing. They are getting scary sophisticated now. I personally believe the next terrorist attack will target the grid via a computer virus.
