Helping people with computers... one answer at a time.

Once infected it's often difficult to know what malware has done to a machine. What you do next depends on your concern and some legitimate paranoia.

I have found that my computer contains 2 trojans. I have heard that hackers use trojans to gain unauthorized access to all your data. Is this true? If so, then is the data in my external hard disk (which I connect to the computer at least once a week and for a span of half an hour) also compromised?

Sometimes. Maybe.

There are so many different types and variations of malware out there that it's hard to give a definite answer. However we can certainly examine what they might be doing, and why. We'll also look at the assumptions you'll probably make, and which of those I'd make in your shoes.

To answer your second question first, without knowing the specific malware that you've been infected with we can't make any assumptions at all about what it might, or might not have access to.

Strike that, we can make only one assumption: malware can access everything on your machine (even devices that are connected only occasionally) and quite possibly any other machines on your local network as well.

Scary, huh?

So in your specific configuration, if your machine was infected the last time you connected that external hard drive, it's quite possible that it was compromised.

Now, I also need to clarify what we might mean by the word "compromised". There are two primary forms:

"... this is malware we're talking about. There are no guarantees."
  • Infection: the malware might simply copy itself to your external hard drive. The goal here is the malware's propagation - it's trying to move to other machines. If your external drive becomes infected and you were to then plug it into another machine it's possible that the malware could infect that other machine. Your external hard drive could become a "carrier" for the malware.

  • Data Access: If your machine has been infected and the malware is active, then it absolutely could be accessing that external hard disk when it's connected and, for all we know, locating "interesting stuff" and sending it off to points and people unknown.

Now, I want to be clear about something: as I understand it most malware does neither. Most malware simply infects your machine and then goes on to do other things. And of the two compromises that I've listed above, Infection is the most likely form of compromise, in my opinion. As we'll see in a moment, most malware is more interested in propagating than it is in your data.

More often than not if you've been infected data on your external drive has not been harvested. But this is malware we're talking about. There are no guarantees.

So just what is malware doing if it's not likely sucking up all your data and sending it off somewhere?

In years past, malware's goal was simply to cause trouble. It was more likely that your data would disappear as the result of an infection, and not much more. You might lose the contents of your hard disk, but none of that data would have been sent anywhere.

In recent years the landscape has changed, and in a word that change is "spam". Some very large percentage of malware these days is all about trying to infect machines in order to create spam-sending zombies operating as part of botnets. They have two goals:

  1. Propagate and infect more machines into joining the botnet.

  2. Wait for further instructions from the botnet operator. Typically that means being prepared to send out huge amounts of spam when instructed.

You can see that looking at your data isn't part of their job.

Why the shift? Money. There's no money in causing trouble for trouble's sake, but there are people willing to pay to get their spam sent. As a result botnet operators can actually make money by managing a network of infected zombie machines to send out spam.

So all that's well and good, but if you're infected what should you do?

It depends on your level of paranoia.

What I would do is this: use anti-malware tools remove the malware from the infected PC, and then also scan the external drive for infections. Assuming everything turns out clean, I'd be satisfied and move on with my life. (Taking note to avoid whatever it was I did to get infected in the first place, of course.)

However, there's an extremely paranoid, and yet very valid position with regard to malware infections: "Once infected, all bets are off." That means that once you've been infected malware has become so stealthy and malicious that there's no way to know with 100% certainty that it's really been eradicated from a system. If you follow this philosophy to its logical conclusion, the only action you can take after an infection is to reformat and reinstall your machine from scratch. And sadly, taken to this extreme, that includes the external hard drive.

To be clear, I would not do this on a personal machine. Your situation might be different; I'd expect government and other sensitive installations to perhaps need to be more paranoid about these types of things. I'm typically quite happy with a good virus scan and cleanup. The only exception was some years ago when the server hosting Ask Leo! became infected - I elected at that point to build out a new server and move the site and my other data to it. The infected server was then reformatted.

Article C3109 - August 7, 2007 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

7 Comments
Chris
August 12, 2007 5:14 PM

I hate this question cause it's happened to me so many times before..... I can not stand just a single, standard AV run to catch everything... I have to do a fully detailed scan with NOD32 (my recommended av)with all the options checked and let it run for as many hours as it needs. I then have to do the same with another av to make sure and then another scan with a mal/spyware checker.. All this while disconnected from the internet, just in case something is trying to communicate outside... It's such a hassle, but it's 99.9% guaranteed to catch it all.. I would then connect back to the internet, download the latest virus defs for both AVs and run them both on detailed scan again if there were new update.

Chris
August 12, 2007 5:16 PM

Just another thought. There is nothing more safe than having your Virus scan turned on at all times. Catch the threat BEFORE you get infected. I've had to many times, after a fresh windows install, pass on installing an AV till the end. Biggest mistake ever each time, yet I sill do it thinking I would be safe... Never am...

I do install backup software first before anything though :)

Mr. Man
February 18, 2008 4:36 AM

Hello, as a fellow quote unquote "G33K", there be many ways of clearning your nasties (otherly known as bugs, worms, trojans, viruses, and etc). The most promenant way of clearing these is of the use by the avarage anti-virus cleaner. These are for your everyday use and most people think with the mindset that if these dont pick up anything, then your clean, this is a wrong usumption. Often scan with tools other than your antivirus, and make them a different brand, dosn't meen you need to go spend 400 dollars, 200 british pound or etc on software, I did mine all for free.

AVG free is for simple cleaning once a week. I recomend you do a complete scan with every tool I mention. You do not need to use these to keep in mind, but alternatives are also usefull. I often just use trials of programs, and just uninstall them when done or crack, buy, torrent, p2p or get ripped versions of them (don't, most people will regret this since doing this can often result in malware). Ad-aware is usefull, until about the first week when the trial expires. That is one thing I should say to the mom. It is good that you buy the program because it will not update after then. Use command prompt utils availible at both Nortan and Macafee (both free for IT peoples that know what they be doing) and when buying as a normal persons, you be buynig for the contant security and visual boggieness, use this to scan about once a week or ever seven days, or you know what I mean.

As an ex-virus writer, to mindset is of the most important, to catch me, or the billions of others, then you must think like us. Protect your sensitive material, make your computer safe with a good firewall, even if that means getting zone alarm.

One thing you should know, is that I turned to programming as my professions, it be much more chalenging (although much in the same as virus programming), it actually has a purpose for macking legal money these days, and thats what I do. Like I said, use a good fire wall (that means patching and securing your routers too, they are easy to get into and kill yer computers if they are left unsecure since all I have to do is walk up to yer be's house with a laptop and wireless card and start 'a' tappin' on the keys and I can make your computer a living zombie to do anything I say, send me all your cached files, install keyloggers and etc and make your bank accout virtualy open to the world, not to scare yall, but this is the risks of viruses at the extreme.)

Now a good malware remover (take in mind microsoft is new at this, that is why they have so many holes in windows, they are novice antivirus writterns.), antivirus, firewall, spyware remover, adware remover (often packaged with spyware removers) and etc, and just scan, dont download anything that seems to not be needed, and scan weekly, this should help yer daily persons.

Mr. Man
February 18, 2008 4:40 AM

Also Chris, NOD32 is gewd. But viruses are in the breeding constantly, antiviruses look for attributes and actions of viruses, and in most cases, viruses are in the form of windows files, making a reinstall neccisary, and etc, and most antiviruses wont catch new malware for at least a day, thats many computer infected, by the milliuons, so there is never a complete security.

Sorry I completely butchered me spelling, its too early in the mosrning.

Putra
November 10, 2008 5:58 PM

My answer is why when i open properties from ny computer icon the taskbar will autokick in a few second that mean i cannot view or use properties.

eli
December 2, 2008 3:17 AM

hi
please help me
my cool disk has a terrible problem.
when i have a data in it sudenley all folder change to folder that their name is unintelligible and when i open this folder it apear nothing in it. and i cant delet them. i had to format my cool disk to delet . i use avg antiviros or remove run auto paly but it dosent work.please help me

joeyjuviyani
December 30, 2009 3:59 PM

For any types of queries regarding computer infections, get ready help on: http://forums.techarena.in/networking-security/

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.