Reinstalling Your Compromised Computer

Can't I just clean my computer with anti-virus software?

Reinstalling a computer after it has been compromised can be a painstaking process, but it is difficult to manually remove all the damage done by an attacker and be certain that everything the attacker left behind has been found. Reinstalling a computer from scratch is the simplest way to be sure that your computer is clear of any back-doors left by the attacker in an attempt to maintain access to the computer. The following is a general guide on how to perform a clean reinstall of your computer.

Checklist before performing a reinstall

  1. Change passwords - You should consider changing passwords to all systems you have connected to from your computer during the period the computer could have been compromised, including, but not limited to, online bank and credit card sites, CalNet ID, email, and online stores. The attacker may have installed a keylogger on your computer to collect all of your passwords. DO NOT change the password from the compromised computer. Preferably, use a computer that you know is secure. If you do not have access to any other computers, change your passwords after the reinstall process has been completed. Be sure to choose good passwords. See: Protecting Your Passwords
  2. Make sure your data files are backed up - You should make sure you have a working backup of all of the files you want to keep. Make sure to back it up to places other than your computer's hard drive, such as a USB hard drive or CD/DVD. DO NOT back up applications such as Microsoft Office, iTunes, etc. with the intention of copying these applications back after the reinstall. The attacker may have modified the program files. Do back up files such as term papers, spreadsheets, your music, and emails. Instructions on how to back up the data or settings of your applications, such as email clients and media players, are beyond the scope of this document.
  3. Gather your installation CDs/DVDs and procedures - Make sure you have your operating system install media as well as media for all other required applications and installation guides. Some computers come without operating system installation media, but with a "recovery" method, either as a disc or as a special partition on the computer's hard drive designed to recover your computer to a "factory default" installation. Make sure to read through the installation instructions so that you understand the process. You may also want to download and burn installation files for operating system updates as well as anti-virus software using a different computer. Downloading operating system update packages is not covered in this document. You can download campus-provided anti-virus software from http://software-central.berkeley.edu.

Performing the reinstall

  1. Isolate the computer - Make sure all external drives have been disconnected and the computer is not connected to any network.
  2. Reinstall the operating system - Use the appropriate method to reinstall the operating system. During the install/recovery process, be sure to have the installer format your computer's internal hard drive, thus deleting all data on the hard drive.
  3. Turn on the operating system's firewall - If you are installing an operating system with a built-in firewall, enable it. See the "Optional Readings" above for more information. If your operating system does not have a built-in firewall or you wish to use third-party software, install it now. Another option is to place the computer behind a hardware firewall device. The typical "broadband router" sold at most computer supply stores will provide a basic firewall capability. If this method is chosen, here are a few warnings for the reinstall process.
    • Change the password on the firewall! Default passwords for these consumer-grade routers are widely known and should be changed immediately.
    • If the router is also a wireless access point, disable the wireless radio. This will prevent rogue computers from connecting to the firewall and attacking your computer during the reinstall. You may re-enable the wireless feature once the reinstall is completed. Be sure to consult the manufacturer's manual to enable the wireless security features available on the firewall.
    • Make sure no other computers are connected to the firewall during the reinstall, for the same reason as disabling the wireless radio.
  4. Install operating system updates - First, make sure you are connected to the network with a firewall enabled, then run your operating system's native software update tool. DO NOT use the computer for any other online activity such as browsing the web or checking email.
  5. Install anti-virus software - See Software Central for free AV software for the UCB campus community. After the anti-virus software is installed, run an update check on it to make sure all parts of the software are up to date. Make sure you do not turn off any scanning function of your anti-virus.
  6. Reinstall applications - This may be a good time to decide what applications you truly need. Also refrain from installing applications from a source you do not trust. Many free applications provided on the web can contain malware that may have contributed to your compromise in the first place. Do not blindly trust any application offered to you through an unexpected popup from a webpage. Some applications will not install correctly with anti-virus enabled; make sure such an application is not a suspicious one trying to bypass the anti-virus protection.

Recovering from your backup

  1. Make sure the anti-virus software is still enabled - If you had to disable the anti-virus software temporarily while installing an application, re-enable it now.
  2. Run an anti-virus scan on each of the backup media - This step will catch any viruses that may have infected your email or documents.
  3. Copy over the documents to your hard drive - Only copy over files that have not been detected by the anti-virus scan as infected.
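Steps 2 and 3 above (scan the backup, then copy only files the scan did not flag), combined with the earlier rule not to copy applications back from a backup, can be enforced with a small restore filter. The script below is an added example, not part of the original guide: it assumes a clamscan-style report format (`path: Signature FOUND`) and uses an assumed list of application/installer extensions; the backup tree and scan report it runs on are constructed in a temporary directory.

```python
import shutil
import tempfile
from pathlib import Path

# Application/installer types to refuse: the guide says not to copy applications back
# from a backup since the attacker may have modified them (this list is an assumption).
APP_SUFFIXES = {".exe", ".msi", ".dll", ".dmg", ".pkg", ".bat", ".cmd", ".scr"}

def parse_scan_report(report_text):
    """Collect the paths flagged in a clamscan-style report ('path: Signature FOUND')."""
    infected = set()
    for line in report_text.splitlines():
        line = line.strip()
        if line.endswith(" FOUND"):
            infected.add(Path(line.rpartition(": ")[0]))
    return infected

def classify(backup_root, infected):
    """Split backup files into (restore, skipped); each skipped entry carries a reason."""
    restore, skipped = [], []
    for p in sorted(q for q in backup_root.rglob("*") if q.is_file()):
        if p in infected:
            skipped.append((p, "flagged by the anti-virus scan"))
        elif p.suffix.lower() in APP_SUFFIXES:
            skipped.append((p, "application; reinstall from trusted media instead"))
        else:
            restore.append(p)
    return restore, skipped

def restore_files(backup_root, dest_root, report_text):
    """Copy only clean data files from backup_root into dest_root, mirroring the layout."""
    backup_root, dest_root = Path(backup_root), Path(dest_root)
    restore, skipped = classify(backup_root, parse_scan_report(report_text))
    for src in restore:
        dst = dest_root / src.relative_to(backup_root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves the document's timestamps
    return restore, skipped

def demo():
    """Run the filter over a small constructed backup tree in a temp directory."""
    root = Path(tempfile.mkdtemp())
    backup, dest = root / "backup", root / "restored"
    for rel in ["papers/thesis.docx", "budget.xlsx", "setup/Office.msi", "music/song.mp3"]:
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(b"constructed sample content")
    # Constructed scan report: the scanner flagged one spreadsheet; the others were OK.
    report = (f"{backup / 'budget.xlsx'}: Constructed.Test.Signature FOUND\n"
              f"{backup / 'papers/thesis.docx'}: OK\n")
    restore, skipped = restore_files(backup, dest, report)
    return ([p.name for p in restore], [p.name for p, _ in skipped],
            sorted(p.name for p in dest.rglob("*") if p.is_file()))
```

Running `demo()` restores only the thesis and the music file; the flagged spreadsheet and the Office installer are left on the backup media with the reason recorded.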

Keeping your computer safe

  1. Keep your operating system and applications updated - Turn on automatic update features where available and run update checks regularly.
  2. Keep firewall and anti-virus software enabled - It only takes a foot in the doorway for an attacker to fully compromise a system.
  3. Learn and practice good cyber security - See Minimum Security Standards for Networked Devices for the campus standards and how to be sure you are in compliance.