You opened an e-mail attachment that you probably shouldn’t have and now your computer has slowed to a crawl and other strange things are happening. Your bank called you saying there has been some strange activity on your account and your ISP has just “null routed” all traffic from your computer because they claim it is now part of a zombie botnet. All this and it’s only Monday.
If your computer has been compromised and infected with a virus or other malware, you need to take action to keep your files from being destroyed and also to prevent your computer from being used to attack other computers. Here are the basic steps you need to perform to get back to normal after you’ve been hacked.
1. Isolate Your Computer
In order to cut the connection that the hacker is using to “pull the strings” on your computer, you need to isolate it so that it can’t communicate on a network. Isolation will prevent it from being used to attack other computers as well as preventing the hacker from continuing to be able to obtain files and other information. Pull the network cable out of your PC and turn off the Wi-Fi connection. If you have a laptop, there is often a switch to turn the Wi-Fi off. Don’t rely on doing this through software, as the hacker’s malware may tell you something is turned off when it is really still connected.
2. Shut down and remove the hard drive and connect it to another computer as a non-bootable drive
If your computer is compromised you need to shut it down to prevent further damage to your files. (One caveat: powering off discards whatever was in memory, so if you expect to need evidence for the police, your bank or an insurer, get advice before pulling the plug.) After you have powered it down, pull the hard drive out and connect it to another computer as a secondary, non-bootable drive. Make sure the other computer has up-to-date anti-virus and anti-spyware. You should probably also download a free rootkit detection scanner from a reputable source such as Sophos.
To make things a little easier, consider purchasing a USB drive caddy to put your hard drive in, so that it connects to another PC like any external drive. If you don’t use a USB caddy and opt to connect the drive internally instead, make sure the host PC’s BIOS is still set to boot from its own drive, and on an older IDE (PATA) drive set the jumper on the back of the drive to “slave” (SATA drives have no such setting; only the boot order matters). If the host PC boots from the infected drive instead of its own, the malware is running again on the very machine you were counting on to be clean.
If you don’t feel comfortable removing a hard drive yourself or you don’t have a spare computer then you may want to take your computer to a reputable local PC repair shop.
3. Scan your drive for infection and malware
Use the other host PC’s anti-virus, anti-spyware, and anti-rootkit scanners to detect and remove any infection from the file system on your hard drive. Scan the drive; don’t browse into it and open files while it is attached, since a document or program launched from the suspect drive runs on the clean PC.
4. Backup your important files from the previously infected drive
You’ll want to get all your personal data off of the previously infected drive. Copy your photos, documents, media, and other personal files to DVD, CD, or another clean hard drive. Copy data only: leave programs, installers and scripts behind, since those are where the malware most likely lives, and reinstall them from trusted sources later.
5. Move your drive back to your PC
Once you have verified that your file backup has succeeded (for example by comparing file counts or checksums of the copies against the originals), you can move the drive back to your old PC and prepare for the next part of the recovery process. If you changed an IDE drive’s jumper, set it back to “master” as well.
6. Completely wipe your old hard drive (repartition, and format)
Even if virus and spyware scanning reveals that the threat is gone, you should still not trust that your PC is malware free. The only way to ensure that the drive is completely clean is to use a hard drive wipe utility to completely blank the drive and then reload your operating system from trusted media.
After you have backed up all your data and put the hard drive back in your computer, use a secure disk erase utility to completely wipe the drive. There are many free and commercial disk erase utilities available. A full wipe may take several hours because it overwrites every sector of the hard drive, the empty ones and the boot sector and partition table included, which is exactly what a quick format does not do. Many utilities make several passes; that extra effort is for resisting data recovery, not for catching malware, since a single complete overwrite already leaves nothing for the infection to survive in. It may seem time-consuming, but it’s the only way to be sure that you have eliminated the threat from the drive.
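The host-side part of steps 2 through 6, written out as a script, is shown below as an added example; it is not code from the article. It assumes a Linux host, that the suspect partition shows up as /dev/sdb1 (and the whole disk as /dev/sdb), that ClamAV’s clamscan is the host’s scanner, and that GNU coreutils and tar are installed; the device names, mount point, backup path and the list of skipped file types are all assumptions. The wipe function works on the drive wherever it happens to be attached, so it can be run from the clean host before the drive goes back, or from a bootable live system on the old PC.

```sh
#!/bin/sh
# Added example (not from the article): host-side recovery steps 2 to 6,
# run on the clean computer the suspect drive has been attached to.
# Assumptions: Linux host, suspect partition at /dev/sdb1 (disk /dev/sdb),
# ClamAV's clamscan as the scanner, GNU coreutils and tar available.
set -eu

# Step 2: attach the suspect file system so nothing on it can run or change.
# ro keeps it intact; noexec/nosuid/nodev stop a stray double-click or
# script from executing anything stored on the infected drive.
mount_suspect() {            # mount_suspect /dev/sdb1 /mnt/suspect
    mkdir -p "$2"
    mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Step 3: scan the mounted tree with the host's own, up-to-date scanner.
# clamscan exits 0 when clean, 1 when it found something, 2 on error.
scan_suspect() {             # scan_suspect /mnt/suspect
    clamscan --recursive --infected "$1"
}

# Step 4: copy personal data only. Programs, scripts and installers stay
# behind; they are the usual hiding place and get reinstalled from trusted
# media in step 8. The list of skipped extensions is illustrative.
backup_data() {              # backup_data /mnt/suspect /media/backup
    src=$1; dst=$2
    mkdir -p "$dst"
    list=$(mktemp)
    ( cd "$src" && find . -type f \
        ! -iname '*.exe' ! -iname '*.dll' ! -iname '*.sys' ! -iname '*.scr' \
        ! -iname '*.com' ! -iname '*.bat' ! -iname '*.cmd' ! -iname '*.vbs' \
        ! -iname '*.js'  ! -iname '*.msi' ! -iname '*.lnk' -print ) > "$list"
    ( cd "$src" && tar -cf - -T "$list" ) | ( cd "$dst" && tar -xf - )
    # Step 5 needs proof the copy succeeded: checksum every original now and
    # keep the manifest next to the copy so it can be checked later.
    ( cd "$src" && while IFS= read -r f; do sha256sum "$f"; done < "$list" ) \
        > "$dst/SHA256SUMS"
    rm -f "$list"
}

# Step 5: verify the backup against the manifest before touching the old drive.
verify_backup() {            # verify_backup /media/backup
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}

# Step 6: overwrite every sector with zeros, partition table and boot sector
# included. One full pass removes any malware; extra passes only matter if
# the goal is to resist data recovery. DANGER: the target is destroyed, so
# check the device name twice. A regular file is accepted as the target too,
# which is how the function can be tried out without a spare disk.
wipe_disk() {                # wipe_disk /dev/sdb   (the whole disk, not a partition)
    dev=$1
    if [ -b "$dev" ]; then size=$(blockdev --getsize64 "$dev")
    else size=$(stat -c %s "$dev"); fi
    head -c "$size" /dev/zero | dd of="$dev" bs=4M conv=fsync 2>/dev/null
    # Read it back: the whole target must now compare equal to zeros.
    cmp -n "$size" "$dev" /dev/zero
}

# Usage: recover.sh /dev/sdb1 /mnt/suspect /media/backup
# Wiping is left as a separate, deliberate call: wipe_disk /dev/sdb
if [ "$#" -eq 3 ]; then
    mount_suspect "$1" "$2"
    scan_suspect "$2" || echo "scanner reported findings or an error; review its output" >&2
    backup_data "$2" "$3"
    verify_backup "$3" && echo "backup verified; safe to proceed to the wipe"
fi
```

The mount options are the important part: with ro,noexec the suspect drive is data to be read, never a system to be run, which is the whole point of attaching it as a non-bootable drive. The manifest written by backup_data is what lets you check, in step 5, that every copied file matches its original before the old drive is destroyed.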
7. Reload the operating system from trusted media and install updates
Use your original OS disks that you purchased or that came with your computer; do not use any that were copied from somewhere else or are of unknown origin. If you download installation media from the vendor instead, download it on a clean machine and check it against the vendor’s published checksum before you use it. Using trusted media helps ensure that a virus present on tainted operating system disks doesn’t reinfect your PC.
Make sure to download all updates and patches for your operating system before installing anything else. Once the clean, patched system is online, change the passwords for your e-mail, bank and other online accounts from it, since anything you typed on the infected machine may have been captured.
8. Reinstall anti-virus, anti-spyware, and other security software prior to any other programs.
Before loading any other applications, you should load and patch all your security-related software. You need to ensure your anti-virus software is up to date prior to loading other applications, in case those apps are harboring malware that might go undetected if your virus signatures aren’t current.
9. Scan your data backup disks for viruses before you copy them back to your computer
Even though you are fairly certain that everything is clean, always scan your data files prior to reintroducing them to your system. Pay particular attention to office documents that can carry macros and to anything executable that slipped into the backup.
10. Make a complete backup of your system
Once everything is in pristine condition you should do a complete backup so that if this ever happens again you won’t spend as much time reloading your system. Using a backup tool that creates a bootable hard drive image as a backup will help speed up future recoveries immensely.