Indiana University
University Information Technology Services

Why do I have to format and reinstall Windows after my computer is infected with a virus?

For many virus, worm, or Trojan infections, the UITS Support Center or University Information Security Office (UISO) will instruct you to reformat your hard drive (i.e., erase Windows) and reinstall Windows from scratch, even if your antivirus program or other antiviral tools can remove the virus or delete the infection. The reason for this instruction is that a threat usually exists beyond the virus, worm, or Trojan itself. Often, the virus or worm is merely the carrier of something more malicious, and most current infections leave the computer open to further compromise. Following are examples:

  • W32.Mytob.JI@mm
  • W32.Spybot.WON
  • W32.Bobax.AJ@mm
  • PWSteal.Reoxtan

The first two examples actively open a backdoor, through which other malicious programs can be loaded. The third turns an infected computer into a proxy, which allows someone to route Internet traffic through it in order to obscure the true source of that traffic. The last installs a monitor that attempts to capture passwords and upload them to a remote computer.

In all these sample cases, removing the infection (the virus) still leaves problems:

  • In the cases of W32.Mytob.JI@mm and W32.Spybot.WON, the backdoor allows material separate from the worm to be installed. Removing the backdoor does not address what may have come through it in the time between infection and removal.

  • W32.Bobax.AJ@mm and PWSteal.Reoxtan modify registry entries and files. Those changes cannot be undone by Symantec's antivirus products, and must be manually restored.

  • PWSteal.Reoxtan keeps the passwords and other information it steals in a text file on the infected computer. Unless this file is found and deleted, it poses a security risk: any future infection that allows access to files on the computer will also allow access to the password(s) stored in that text file.

It is extremely rare for a virus, worm, or Trojan not to permit or produce a further compromise. In the case of infections that install backdoors, it can be nearly impossible to determine what came through before the backdoor was removed, and therefore how compromised the computer is as a result. Erasing your Windows installation and reinstalling it is the only way to be certain that no further compromises remain.

This is document arrg in domain all.
Last modified on May 10, 2011.
