How to find out if your computer has a virus

Worried that you may have a computer virus? Find out and get protected.
An easy to understand introduction to computer viruses and malicious software with guidance on detecting, removing and preventing infection.

Aimed mainly at people who use Microsoft Windows.

If you use the Internet, your computer is at risk of infection from viruses. Much like biological viruses, some are harmless, some are merely annoying and some can make your life hell. Even if you only occasionally use your home computer, it is important that you understand the risks and know how to protect yourself.

What is a virus?

In the 1990s the public's impression of what a virus is came from the media. Newspapers reported how programs such as Michaelangelo^[1] would could cause a financial appocalypse by infecting computers around the world and deleting vital data. If a virus announces its presence in such a melodramatic way as shutting down your PC or deleting your data, although you might find it infuriating, at least you know that you have a problem. Far more dangerous are the new breed of crimeware viruses, unwelcome programs that run unnoticed while you continue to use your computer, blissfully unaware that you are at risk.

A virus is a form of malware (malicious software). Malware is software on your computer that you didn't intentionally install, that is running against your wishes and against your interests. Precisely defining the distinction between a virus and other types of malware can get confusing and the definitions are constantly evolving. For now just rememeber that a virus is a form of malware and that malware is bad news for you and your computer.

Why do people make viruses and other malware?

Some eccentric people make viruses for fun or as a personal challenge, but these are generally harmless or annoying at worst. A lot of malware is now written with truly criminal intent and is designed to acheive financial gain for their creator at your expense. Don't assume that the target is only big business because home users are equally at risk. Here are some common motives for creating malware.

Stealing your bank details

Your bank will have warned you that shopping on the Internet involves a risk of people stealing your financial details. This can result either from inadequate security considerations by the online seller or because you have some form of malware on your computer. This is a scary thought when you consider that certain transactions can take money from your account immediately if the criminal has access to the right details.

Stealing your identity

Even if you don't shop online, you could potentially end up in a lot of difficulty if someone steals your identity. Many websites request that you provide them with personal details that may seem innocuous enough, but to criminals can provide the first step to identity theft. A gradual accumulation of your personal details collected by malware could be sufficient to enable someone to build up a profile of your identity and, for example, apply for credit in your name. You might not find out about this until the credit company has started hassling you for the repayments.

Using your computer for illegal activity

Have you ever wondered where all those spam e-mails come from offering investment tips, cheap viagra and breast enlargemnts? One way that spammers get junk mail delivered is to send it using software, known as bots, running secretly on other people's computers. With millions of computers connected to the Internet, malware that uses innocent home users' equipment for dubious or illegal activities can put a lot of power in the hands of deviant people.

Find out if you're infected

By now you should understand that malware is a bad thing and it can affect you. One last misconception needs to be addressed:

Misconception: 'You only get viruses from dodgy looking websites and emails'.

The reason why this isn't true will be explained later. For now, let's address the problem.

Antivirus software

The practical defence for home users is antivirus software. Crucially this software must be up-to-date. If your computer came with trial antivirus software that has now expired it's as good as useless. This is because there are hundreds of new threats crawling the Internet every year and if your antivirus software hasn't received its updates, it can't defend you against an attack. So, if you don't have antivirus software or if your software is out of date, you must install an antivirus program. Here's how:

1. Manually air gap the computer

Disconnect your computer from the Internet immediately, preferably physically (i.e. disconnect your modem or network cable).

2. Download antivirus software from a trusted source using a clean computer.

Use a computer that is already running up-to-date reputable antivirus software to download the latest antivirus installation software, then burn the installation files CD or DVD. If you don't want to pay for antivirus software, some antivirus companies offer free antivirus software for home use. Make sure you download from a source that has a reputation for virus free downloads such as www.download.com. Avast! Home Edition and AVG Antivirus Free Edtion are two popular antivirus products that are free for home use, easy to download and easy to install^[2].

If downloading and burning isn't possible or seems too complicated you're probably going to have to buy some software from your local computer shop. There are many commercial antivirus products available off-the-shelf for home use. Ask the dealer which product will suit you best.

3. Stop suspicious software from running

Kill any processes that are running that you suspect may be malware. To do this, bring up Task Manager (by pressing Control, Alt and Delete at the same time and then clicking on Task Manager) then look through the list of processes on the processes tab. Make a note of the names of all the processes, then using an uninfected computer, look up the names of these processes on a reliable site like http://www.processlibrary.com/. If possible, manually stop any unidentified or malware processes on the infected machine using the End Process button from Task Manager. You should also try to stop any unnecessary or suspicious applications from running using the End Task button on the Applications tab in Task Manager. Leave your computer running in this condition as malware is likely to restart if you restart the infected computer.

4. Backup your data

Backup your important personal files to CD, DVD or another form of removable media. Beware that these files may contain infected material so put a warning label on the disk. These backups are for an emergency restore only, such as if the files on your hard drive are wiped unintentionally later on in the procedure or if the antivirus installation prevents the computer from starting correctly.

5. Install antivirus sof tware and scan for viruses.

It is preferable to install the antivirus software in a diagnostic mode such as safe mode in Microsoft Windows^[3]. Malware and extraneous operating system services are less likely to be running on you computer if you are in safe mode, hence it is less likely that the installation can be sabotaged or conflict with another program. Not all antivirus programs will allow you to perform an install in safe mode. In that case, at least make sure that suspicious and unneccesary processes are not running by following the instructions in Step 3 before installing the antivirus software.

Follow the instructions supplied by your antivirus software providor to complete the installation. This will usually involve restarting the computer and automatically retrieving the latest antivirus updates from the Internet.

Once you have completed the installation you should use the software to run a scan of your computer. Depending on the age and type of your setup this may take hours, so have patience. Once the scan is complete your antivirus software should present you with some reassuring information - either that the machine is clean or that malware has been detected that can now be bannished. The exact procedure will vary depending on your antivirus software.

Make another backup of the now (hopefully) clean personal data files to CD or DVD. If you are intending to or have to do a low-level reinstallation (see Advanced Techniques), use these backups to restore your personal data rather than those you made in step 1.

6. Get advice on identity theft.

If you suspect that you may have been the victim of malware you need to prepare for the possibility that your identity has been stolen. Advice may vary depending on your country, but a good starting point will be contacting your bank. You may need to renew accounts and cards or even file a police report. In all cases you must keep a close watch on any future bank statements. Advice in the UK is available from the Home Office online: http://www.identity-theft.org.uk/what-if.html. In the USA, the Department of Education provides similar advice at http://www.ed.gov/about/offices/list/oig/misused/index.html.

If you are still having problems then you probably fall into one of two categories - either your operating system is not applicable to the process presented above or you are dealing with a particularly nasty virus that requires a more complex removal process. In either case, if you're not confident or able to deal with the attack using advanced techniques (see 'Advanced malware removal') then you will probably have to get help from a trusted person more technical than yourself to help you. If in doubt, contact your Internet Service Provider for advice.

Isn't there a faster detection method?

There are some common symptoms that arouse immediate suspicion including:

• Computers mysteriously shutting down on their own.
• Programs running excessively slowly.
• Unfamiliar processes running on the computer.
• Unfamilar programs starting on their own or duplicating themselves.
• Other unexpected computer behaviour.

Unfortunately, the most insidious attacks will not be apparent to the victim until it's too late, so looking out for syptoms alone is not a substitute for installing antivirus software. Ultimately there is no guarantee that your computer is not infected with malware. New attacks are becoming ever more sophisticated and many attacks will innevitable infect home systems before the antivirus updates are available, however, antivirus software is currently the most reliable and practical way for a home user to reduce the risk of a problem and to detect infection.

How do you get a virus?

Returning to the question of how malware is transmitted in the first place, it should be repeated that in the current age this is not limited to getting infected through contact with dubious material such as Internet porn sites, pirated games and unsolicited e-mails. Although these traditional sources still propogate malware, many of today's attacks employs more subtle and sophisticated methods than, for example, the Anna Kournikova virus^[4].

The Blaster worm

Blaster was a malicious program that spread itself over the Internet to Windows XP and Windows 2000 computers in 2003. One of the syptoms was quite dramatic, effectively making a computer unusable by forcing it to shut down within seconds of booting up. Most of the high profile viruses in the recent years up until then had spread through email attachments and required a bit of assistance from the user themselves, but Blaster could spread over a network without the user being involved. Computers without the latest Windows updates or the protection of a firewall were vulnerable merely by being connected to the Internet.

Phishing sites

Your bank has probably warned you about phishing (pronounced 'fishing') sites. Users are directed to the phishing site from a phishing email - a bogus but official looking electronic communication pursuading you to visit the phishing site. By presenting a web page that looks identical and could even appear to have the same URL as a familar trustworthy site, such as your online bank, the phishing site lures you into following instructions or submitting information in the belief that you are safe, when in fact you are submitting information to a criminal or assisting them with the installation of malware on your computer.

A variation on this idea is that gaining the victim's trust by appearing that you are there to help them with an urgent problem. Some malicious webpages disguise themselves as a warning messages claiming that you have a virus but that it can be removed by following certain instructions. Those instructions then acheive the exact opposite - exposing the computer to an attack and installing the malware.

Auto run from CDs, DVDs and pendrives

The PC's autorun or autoplay feature was once very useful as it enabled you to insert a disk, such as a data CD, and the software on the disk would start automatically. As long as you only inserted media that came from a reputable source, you could be pretty sure that this feature wasn't going to automatically run any malware because in the old days, CDs read only for most users, so malware was not able to write itself to the disk media in the first place.

Today most users have CD or DVD burners and can use pen drives (also known as 'USB sticks' or 'memory sticks'). Although lots of CDs and DVDs are still read only, pen drives are almost always the opposite. With the autorun feature still enabled on most computers, malware can easily install itself to and from pen drives that are inserted into your computer. You can stop autorun from functioning by holding down the shift key while you insert the pen drive or CD. To disable the feature more permanently is a bit more complicated, but instructions are provided in a Microsoft knowledge base article available from http://support.microsoft.com/kb/953252.

The unprotected transfer of data with pen drives is so prolific at the moment, it is suspected malware has even managed to make its way onto the International Space Station using this method ^[5].

Staying protected

The battle against malicious attacks is an exercise in risk management and as always there is a trade off between risk and cost. For example, when Blaster was spreading itselft over the Internet, the protected Windows XP/2000 users were those with either firewall software (which was less common at the time) or both the latest antivirus updates and the latest operating system updates. Should you therefore religiously download and install the latest operating system updates? Not necessarily. Even the more rigorously tested and less frequently released service packs may not be suitable to install on your computer^[6], although this is the exception rather than the rule.

So what can you do? Whilst there's guaranteed solution to the problem, there are steps you can take that are not too complicated, time consuming or expensive and will help to keep you protected:

1. Always have antivirus software installed and up to date. Check for web browser and OS updates regularly.
2. Use 'strong' passwords and don't reveal them to anyone. See http://www.microsoft.com/protect/yourself/password/create.mspx for password advice.
3. Don't use an administrator account if you don't have to. Most modern operating systems support accounts with different levels of privelege. If you're just surfing the web, you don't need to be logged on as the system administrator and your normal user account doesn't need administrative priviledges.
4. Verify the authenticity of websites and emails that request information. Check that the webpages and emails come from the company they claim to be and are not a clever typographical variation on the company name. Be suspicious of any email requesting personal or financial information and ignore all spam mail.
5. Don't download or install software from an untrusted source and hold down the shift key when inserting pen drives or other types of media.
6. Use an e-mail service that scans emails for malware and don't open email attachments from an untrusted source, even if apparently forwarded by friends.
7. Use a personal firewall. Most commercial home operating systems now come with a free firewall built in. If not, use a third party personal firewall product designed for your operating system.
8. If while browsing the Internet you start to receive messages claiming that you have a virus, exit your web browser, disconnect from the Internet and restart your computer. Once restarted, if you genuinely have a malware problem, your antivirus software will inform you after downloading the latest updates and doing a scan.
9. Be suspicious of instuctions from unverifiable sources. If an someone tells you to manually adjust the configuration of your computer, find out what the risks are and try to understand what your browser configurations actually do^[7]. Never assume that an unverified source is an innocent source because it has plausible motives. A plausible positive motive is exactly what malicious attackers use as their disguise.

In general you should be vigilant regarding computer security and not just where it concerns malware. If personal or financial data needs to be kept secret then it must be sent using a secure web page. This is usually signified by an address starting with 'https' instead of 'http' and a symbol presented by the web browser (not the webpage) such as a padlock. Find out exactly what this should look like in your web browser so you don't fall for fakes and remember that this is only protecting the information in transit, you still need to be sure that the recipient is trustworthy. Also, be aware that a standard e-mail is not a secure private communication - the data is very easy to read in transit by someone snooping with the right equipment. If you do send payment details over the Internet use a credit card. Credit cards are less risky than debit cards as the seller does not receive immediate payment, so you may have time to cancel the transaction if you realise that you're being ripped off.

Advanced malware removal

Re-installation

This may seem like overkill, but re-installation is the most reliable way to get rid of a virus. The lower the level at which you can do this the better, because the aim of some malware is to entrench itself at as low a level as possible. So if you know how, format your hard drive, then re-install the OS with current anti-virus before restoring your applications and data. Obviously you are in a better position to do this if you are pre-prepared. Sometimes when you buy your computer it will come with a restoration disk that can be used to return the machine to its factory condition. Keep this safe. If not, find out from the manufacturers/suppliers if your computer has an alternative factory restoration method, and if not, look in to preparing your own restoration procedure.

Malware removal tools

Specific malware often needs a specific removal tool in addition to the standard antivirus software. These can often be obtained for free from antivirus companies. Semantec, for example, provides a list of recent removal tools at http://www.symantec.com/business/security_response/removaltools.jsp.

Remember: the main threat to your computer is no longer a tennager writing writing programs for kicks in his bedroom - it's organised crime. There is a growing blackmarket in malware for criminal purposes^[8], and the new demand is for malware that goes undetected, so be as thorough as you can in cleaning your system.

Recent improvements from Microsoft

When Blaster attacked, a typical Microsoft user had no firewall, no antispyware and was using Windows XP. From a security point of view, Microsoft's latest offerings are an improvement, but the attacks are also becoming more sophisticated. Windows Defender (anti-spyware) and Windows Firewall are free security products that now come as standard with the Windows operating system. Vista, the latest home version of Windows, now protects the user from using administrator priveleges accidentally by requiring an administrator's password to be entered every time that privelege is required, regardless of the account logged in.

Some jargon explained

The information presented here has been aimed at people who don't know whether they have an infected computer or not and are therefore more interested in the consequences of malware rather than the technical vocabulary. Some of the more common terms used in relation to home computer security are explained below to help readers with further research.

Worms - Worms are a special category of virus. The most significant distinction between a normal virus and a worm is that worms travel from one computer to another without the user being involved, whereas normal viruses are introduced unintentionally by the user.

Trojan Horse - as the name implies, a trojan horse may not appear to be anything dangerous, but it secretly provides an enemy with a way into somewhere they shouldn't be. A typical trojan horse program will create a 'back door' to your computer, enabling attackers to get at your private data or control your computer remotely.

Adware - this is software that routinely delivers unsolicited adverts to the user. Sometimes the inclusion of adware in ligitimate software packages subsidizes the cost of providing the useful software to home users, i.e. you get some free software but you have to put up with the adverts. This is why adware is not generally considered malware, even if it is annoying, and anti-adware may not be included for free with your antivirus product.

Spyware - spyware is a form of malware whose purpose is to monitor your activity and report it to someone else without you knowing about it. Some spyware products are not necessarily destructive but are often objectionable and an invasion of privacy, other products are designed for just plain theft of private information. The level of spying could be anything from monitoring which websites you go to on the Internet to keystroke logging, which is the electronic equivalent of having someone constantly looking over your shoulder as you type.

Firewall - think of a firewall as a monitored gateway between your computer and the network it's connected to. Any communication between your computer and the outside world is subject to the firewall allowing that communication through. Most firewalls are not intelligent enough to understand if the communication is malicious or not, instead they restrict communication with your computer to approved applications (such as your web browser), or designated channels of communcation (known as ports). If communication is attempted over a disallowed port or is started by a disallowed application the firewall will block the commication.

Phishing and Pharming - Phishing is described above. Pharming is a very similar concept, but instead of using e-mails as the lure, pharmers use alternative ways to direct you to the spoof web page, such as by exploiting an existing vulnerability to redirect you to a spoof web page when you attempt to access your online banking website.

Notes

[1] Michelangelo was one of the first viruses to gain worldwide attention when news of its destructive powers started a media frenzy in 1992. The actual amount of damage caused by the virus is thought to be negligible compared to what was predicted but has had a lasting effect on the antivirus industry and public perception.

http://www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib-node7.html#SECTION00041000000000000000

[2] This article is not intended to provide an exhaustive list of antivirus companies or to recommend one product over another. Avast! and AVG are mentioned as they are currently very popular and the author has recently used both products. Check with your operating system providor for recommended products.

[3] To boot up a Windows based PC in Safe Mode the standard procedure is to power the machine on and to press the F8 key when prompted. Be alert as this option is only presented to you for a few seconds, usually after the computer has displayed its low level system check (such as memory and CPU statistics) and before any colourful Microsoft Windows logo screen has been displayed.

[4] In February 2001 the Anna Kournikova Virus spread like wildfire using email and Microsoft Outlook as its distribution platform. The worm, which tempted victims with the promise of interesting photos of the celebrated Russian tennis player and sex symbol, would email itself to everyone in the user's contact list with a bit of assistance from those users who hadn't secured their email client.

http://www.symantec.com/security_response/writeup.jsp?docid=2001-021219-1830-99&tabid=1

[5] See http://news.bbc.co.uk/2/hi/technology/7583805.stm for the Computer viruses make it to orbit story

[6] Service packs are collections of updates rolled up into a convenient package and tested for compatability with common configurations. In 1999, Microsoft released Service Pack 6 for Windows NT, their premier server product at the time. Customers who used Lotus Notes and other 'Winsock' applications were in for a nasty shock if they deployed the service pack without testing. Microsoft promptly released a hotfix and a released a new service pack - service pack 6a.

http://support.microsoft.com/kb/245678/EN-US/

http://news.zdnet.co.uk/software/0,1000000121,2075206,00.htm

If, as a home user, this leaves you unsure whether to patch your computer with updates or not, my advice would be to install all patches marked as 'security updates', 'critical security updates' or similar, but be aware of how to restore your computer to its previous state. see: http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx

[7] Configuring your browser can be a daunting task involving lots of unfamiliar terminology. Get someone technical to help you and get advice from the software provider.

http://www.microsoft.com/protect/computer/advanced/browsing.mspx

[8] Some useful information on 'crimeware' is available on the Semantec website. http://www.symantec.com/norton/cybercrime/blackmarket.jsp

The size of the industry for phishing scams alone is estimated to be billions of dollars, see: http://www.consumerreports.org/cro/electronics-computers/computers/internet-and-other-services/protect-yourself-online/state-of-the-net-2008/protect-yourself-online-state-of-the-net.htm