Why you should wipe your system if it is infected with a virus...

1. What's a removal tool?

As "removal tools" I consider all programs that claim to be able to disinfect a computer which is infected by malicious software (e.g. a virus) without having to reinstall the system.

This includes the disinfection routines of virus scanners as well as dedicated removal tools. McAfee AVERT Stinger shall serve as an example of such programs, although there are many more available.

2. Why should I not use removal tools?

I will explain that in detail in the following paragraphs. I'm always open to criticism and suggestions, so feel free to send me an e-mail.

2.1. The infected system cannot be trusted anymore

Most removal tools are supposed to be used directly on the infected system: your Windows has a virus, so you download a tool and run it. This leads to a number of problems.

The system is already infected. That means the virus (or the person controlling the virus) already has control over the system and could have replaced or manipulated parts of it.

But the removal tool has to use the functions which the operating system provides to do its job. If those functions are manipulated, if the operating system is lying to the removal tool, then it cannot work properly.

So-called rootkits are a well-known phenomenon on Unix systems. But it appears that their existence is still not known amongst many Windows users.

You could solve this problem by running the tool from a clean rescue system. But this rescue system would need write access to the infected system. That may prove difficult if you're using Microsoft's EFS encryption on your NTFS volume, for example.

And the other problems described below cannot be worked around.

2.2. Finding viruses is not that simple

If you want to remove a virus you have to find it first. However, it can be mathematically proven that general and absolutely reliable detection of malicious code by an algorithm is not possible.

No matter how sophisticated it is, once the removal tool is done there's no guarantee that your system is actually clean.

2.3. Variations are difficult to distinguish

Once a virus spreads, there will always be people who analyse and modify it to their own needs. The more "successful" the virus, the more variations pop up on the internet. Some are just modified so that they are not detected by virus scanners anymore; others contain completely new malicious functions.

Virus scanners (and thus removal tools) never scan for the exact code. In fact, the code is changed often to prevent detection. Instead, they only search for certain short parts which are characteristic of this virus. Those are called "signatures".

The parts of the virus' code which are not covered by the signature are ignored. They can differ from the code which the scanner manufacturer had when he analysed the virus (note: the very fact that the many specimens of the virus differ from each other in these parts is the reason why they were not included in the signature).

A computer program is, by the very laws of mathematics, unable to evaluate these differences in the code. It cannot determine whether they are irrelevant or whether they include important (new) functions that someone implanted in the original virus code.

For example, the removal tool cannot say whether you just have a mail worm that merely uses a different text for the e-mails it spreads with, or whether your version of the worm includes new code that replaces important system files and for which the removal tool has no remedy at hand.

2.4. Code is not always known

Modern viruses and worms are programmed to load new code from the internet and execute it. One can never say when exactly the infection took place (unless you caused it intentionally and looked at the clock). And one can never say what code was stored on those internet servers at the time the virus downloaded it. So you never know what the virus actually did while it was active on your system. How should anyone, let alone a simple program, be able to undo it?

By the way: it is quite common for virus authors to change the code which they store on the internet server for their viruses, in order to avoid detection by scanners.

2.5. Backdoors might have been used for further manipulations

Many modern viruses and worms install a backdoor on the infected system through which the attacker gains complete control over it. Such a system is called a "zombie" or "bot" in the scene. And usually it is used for all the things that the attacker does not want to do on his own machine (send spam, store illegal files like child pornography, etc.).

So even if the removal tool really could completely remove the virus, it could never guess what the attacker changed after the infection. These manipulations will remain undetected and unreverted.

Even if backdoors are detected and removed, that does not undo the harm that has already been caused. And a smart attacker will use the first backdoor to install other, better hidden ones.

2.6. The virus found does not have to be the virus responsible

Another possibility is often ignored: that this particular virus is not the real problem and was just placed there as a distraction, to present a scapegoat for any conspicuous behaviour.

It works like this: an attacker writes a worm A which spreads by e-mail and installs a backdoor on the infected system. Then he gives the worm some time to spread before he uses the backdoor to delete the worm. It has outlived its usefulness by now.

Now he copies worm B onto the system. Worm B is a rather harmless and primitive specimen of its kind. It is known not to install backdoors and such things.

If the user of the system noticed nothing of that whole action, nothing is lost for the attacker. But if the user became suspicious (perhaps because the system behaved strangely during the infection) and now checks the system for viruses, the most he can get as a result is: "Worm B has been found!"

The user now removes worm B and feels secure again because the source of the problem has been removed, or so he thinks. He has no reason to dig any deeper and perhaps stumble across the backdoor that is still on the system.

3. Conclusion

3.1. It cannot work!

Any attempt to reliably remove a virus with a program is doomed to fail. It can work, but it doesn't have to. And you never know whether it worked or not. You're playing Russian roulette.

Those of you who don't believe me: Microsoft thinks the same.

A human could do it. But of course it would require more than just deleting a few files. A complete analysis of the infected system in a controlled environment would be necessary to determine whether all manipulations have been undone. That takes a great deal of time and knowledge, which makes it very expensive. For a normal home user, this is not really a suitable solution.

3.2. The only secure way...

...is to wipe the system. Delete everything at the low level (reformat) and reinstall the operating system from scratch. That may be a frightening thought at first, but it is the only solution that guarantees to put your system into a well-defined state within a reasonable amount of time.

It may take a few days until everything is back where it belongs, but after that you can be sure that your PC belongs to you again. A painful, but clean break.

Based on the (German) instructions by Oliver Schad and Jürgen P. Meier, here are my own step-by-step instructions.

3.3. Alternatives

Theoretically, there are other options:

  • A comparison system. If you had a second PC absolutely identical to the first, with the same software and drivers in the same versions as your original, then you could compare it to the infected system. Any differences on the infected system would have been caused by the virus and could be undone.

Practically, that's no viable solution. Who has an exactly identical PC around that is used for nothing else and regularly synchronised with the original?

  • Checksums. If you had checksums of all system files, then you could identify the manipulated files because their checksums would not match.

Again, that's not really practical. You would have to store the checksums somewhere the virus cannot access them, and any change to the system (updates, etc.) would require you to recalculate the checksums. Also, it's not an easy task for a computer novice to extract a single manipulated file from an msi package.
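To make the two alternatives above concrete, here is an added example (my own Python, not part of the original article or any tool it mentions) of the checksum approach: a baseline manifest of SHA-256 hashes is taken from a known-clean file tree, stored as JSON somewhere the infected system cannot write to, and later compared against a fresh manifest to list modified, added and removed files. The same comparison serves the "comparison system" idea: take the second manifest from the identical reference PC instead of from a stored baseline. The function names, directory layout and file contents are constructed for the demonstration; as the article notes, the comparison itself only means something when run from a clean rescue system, since a rootkit on the infected system could feed false file contents to the hashing routine.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Hash a file in chunks so large system files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file below root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so that a planted link cannot make the manifest
    describe a file outside the tree being baselined.
    """
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report what differs between the trusted baseline and the current state.

    'current' may come from the suspect system (checksum approach) or from an
    identical reference machine (comparison-system approach).
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'system', then tamper with it.

    In real use the baseline JSON would be written to read-only media on the
    clean system and the comparison run from a rescue system.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")  # constructed content
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")  # constructed content

        baseline = build_manifest(root)
        stored = json.dumps(baseline, sort_keys=True)  # what you would keep offline

        # Simulated manipulation after the baseline was taken (constructed).
        (root / "bin" / "login").write_bytes(b"replaced login binary")
        (root / "bin" / "helper").write_bytes(b"new, unknown file")
        (root / "etc" / "hosts").unlink()

        current = build_manifest(root)
        return compare_manifests(json.loads(stored), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report only tells you which files differ; deciding whether a difference is a legitimate update or a manipulation, and restoring a clean copy, is the manual work the article points out, and any change you make to the system deliberately means rebuilding the baseline.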