: If you are considering backing up data and reformatting
or doing a factory restore with a vendor-specific Recovery Disk/Recovery Partition
due to malware infection, keep in mind with file infectors
, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee
so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup
any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (*.ini) or script files (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension
or adding to the existing extension as shown here
(click Figure 1 to enlarge
) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions
. Then make sure you scan the backed up data with your anti-virus prior to
to copying it back to your hard drive.
If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data
. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.
Again, do not back up any files with the following file extensions: exe, .scr, .dll, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.Important
: Since many file infectors are spread by using infected removable usb flash drives
and external drives, before starting the backup and restore process you should disable autorun
This type of infection usually involves malware that modifies/loads an autorun.inf
(text-based configuration) file into the root folder of all drives
(internal, external, removable) along with a malicious executable. When removable media is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer.Keeping autorun enabled
on USB (pen, thumb, jump) and other removable drives has become a significant security risk
due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
Many security experts recommend you disable Autorun
as a method of prevention. Microsoft recommends doing the same
Microsoft Security Advisory (967940): Update for Windows Autorun
...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...
For most novice users, the easiest way to inoculate a flash drive is to create a Read-only
folder on the drive, name it autorun.inf and set file permissions to restrict changes as described by Trend Micro in How to Maximize the Malware Protection of Your Removable Drives
. This folder will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and executing malicious files.
You can download and use tools like Autorun Eater
or Autorun USB Virus Finder
which will allow removal of any suspicious 'autorun.inf' files they find. Panda USB Vaccine
allows for computer and usb vaccination.
- Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not.
- USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates a hidden AUTORUN_.INF on the flash drive partition as protection against malevolent code by preventing a malicious autorun file from being installed. The Panda Resarch Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
As an added precaution, hold down the Shift key
when inserting the drive into the computer containing the data to be backed up until Windows detects it in order to keep autorun.inf from executing automatically.