2. Detection

1. Prevention   |  2. Detection    |  3. Removal

Obvious, "IN_YOUR_FACE" symptoms

If you have any software that automatically "scans" your computer when it first boots up, you may have a "Rogue Antivirus" infection.  A Rogue Antivirus application is a fake antivirus software solution that tells you that you are infected with a variety of different bogus infections.  Often times they ask for you to purchase the product in order to clean the infection.  Ironic, because the "AV" itself is the infection.  NEVER purchase software that gives you this type of alert.  They are either going to steal your identity or simply rip you off. 

Other symptoms you may experience is receiving a "file is infected" warning each time you attempt to launch applications.  These types of infections are pretty nasty and usually require either removing the hard drive or booting to an alternative operating system environment to clean the infection.

Automatic Detection Tools

Using some of the tools I listed on my Virus Tools page, you may be able to detect if a virus has infested your machine.  These tools are particularly beneficial for deleting infected files that you did not even know existed on your machine.  Sometimes malware may be on your machine, just in-active, which makes detecting it a little harder, because there are no symptoms.  Automated antivirus software and other tools can help find active and in-active malware on your system.

Manual Detection

You can use a few of these techniques to see if you have any infection.

• • Click Start->Run and type in "services.msc" or simply Click Start and type in "services.msc" to launch the Windows Services Management application.  Check for any unknown/malicious services.  You can research each entry to determine if they are good or bad.

  • Click Start->run and type in "cmd" or simply Click Start and type in "cmd".  When the console window appears, type "netstat -ab" into the command prompt to see what open ports you have on your machine and what process is opening them.  Investigate unknown processes/ports.

  • Use Process Explorer's "loaded modules" feature to determine if any objects are loaded within another application.

    • Launch Process Explorer

    • Go to View-> Lower Pane View -> DLLs

    • Highlight each process and look at what DLL files are loaded.  Some may stick out in a different color.  Research these to see what they are responsible for performing.  This is where it helps to be familiar with common files that the operating system runs.

    • Verify signatures by going to Options -> Verify signatures.  This will try to verify certain files with a database so that you can rule them out as being malicious.

  • Start Autoruns and look for strange applications and drivers that load on start.  Again, having knowledge of common files helps here.  Though take note that a lot of malware disguise themselves by using common filenames such as dwm.exe and svchost.exe.

  • Verify checksums of system files: explorer.exe, kernel32.dll, C:\windows\system32\*.dll.  There are several ways of doing this.  You can sometimes launch a command prompt (Start->Run "cmd") and execute the command "sfc /scannow"

  • Load into an alternative environment and check for strange files located at %temp%, %profile%, %systemdrive%, %windir%, %windir%\system32 (NOTE: Malware could be hidden anywhere)

• Scan suspicious files using a variety of antivirus engines at VirusTotal.com.

  • Another common symptom you may see if you're infected is if your browser redirects your Internet traffic.  For an example, you may be redirected to another page when you attempt to perform a search from Google or when you enter a URL in the address bar.  If you see this activity, be warned that you may have something on your machine.

Other Symptoms

If your machine seems to be running differently than normal, it's possible you could be infected.  Blue Screens Of Death (BSOD) can be caused by viruses and other malware.  However, keep in mind that the abnormality you're experiencing could be caused by other issues such as a failing hard drive, bad memory, a faulty motherboard, and sometimes a bad processor (very rare).

If you decide to delay disinfecting your machine, it's important that you do not make any online purchases or leave your computer online!

A variety of malware takes advantage of its host's internet connection.  Don't allow your infected machine to get online.  There could be severe consequences to doing so.

KEYLOGGERS: Malware can record all keystrokes that you enter into your computer.  This means that your credit card information, passwords, and other important information can be recorded and sent to someone over the Internet.  Even if you do not submit the information to a website, the data can still be collected.  Malware that utilizes keylogging "features" intercepts all of your keystrokes, records them to a file, and then sends the data to some evil being through your Internet connection.  Backspace does not help.  When you enter a backspace, even though the character may disappear, the key you entered remains in the log.

BOTNET: Malware can also setup a "bot client" on your computer.  What this does is allow remote individuals to "command" your computer to perform some task.  Your computer basically becomes a slave to a hacker.  This can help them facilitate a well-known attack called a Denial-Of-Service (DOS) attack.  When a "bot type" malware exists on a machine, hackers will no longer have to directly connect to your computer to perform tasks, which enables them a little more anonymity.  Instead, your computer is connecting to an easily accessible server, where they can just relay commands to your machine through it without having to connect to your computer.  A lot of times this is done using an IRC server.  A hacker will install malware that will connect you to IRC, join your computer to a certain #channel, and then have it sit and wait for commands.  The hacker may have 100 "bots" in a channel and when they type  "!destroy <someone>" all 100 computers will try to start up whatever task that !destroy has been programmed to perform.

TROJANS: Trojans are somewhat similar to botnets.  Trojans usually make their way onto the computer because of the user of the computer.  It may come packaged with some desirable application.  For an example, the free version of Bearshare comes with what most malware scanners detect as a form of spyware.  Trojans can also open backdoors to your machine that enables a hacker a direct connection to your machine so that it can be remotely controlled.

These two types of malware can enable hackers to make your computer a part of its "army".  They can use your machine to attack other machines.  If there were not any infected machines available to these hackers, they would not be able to create these attacks from these types of machines.  So, if you know you're infected, at least unplug your Internet so that you don't allow the hackers to use your machine to attack others.  It's possible that you could be held liable for penalties if your machine is in on a major attack, so be sure to unplug.

Continue to Removal Tools -->

1. Prevention   |  2. Detection    |  3. Removal