Help! My PC is infected with malware (FAQ)
Here is basic information for how to figure out if your computer might be infected and what to do if you think it is.
Has your computer been acting funny, crashing, running slow, or displaying unusual error messages? Have you been promiscuously clicking on Web links and opening up attachments from strangers? You could have a malware infection.
I get questions all the time from readers and friends asking what to do when they think their computers are infected. Here's a primer that should help. It's focused on Windows-based PCs because that's where most of the malware is targeted.
What are the warning signs of an infection?
An infection may cause the computer to run more slowly than normal, stop responding, or just crash. Applications may not work properly, and disk drives may be inaccessible. There may be unusual error messages and distorted menus and dialog boxes.
If spyware or adware is on your machine, in addition to it running slower, there may be new toolbars and links in your browser; your home page, mouse pointer, or search engine may be changed; you may be redirected to a different Web page from the one you typed in; and there may be pop-up ads even if you are not connected to the Internet.
But slowdowns and other problems don't necessarily mean your computer has an infection. It could mean that there is some other problem with your system. Your disk could need defragmenting, you could need to add memory to your machine, or there could be some other issue. (To deal with noninfection slowdowns and other issues, there are some tools. CCleaner is an excellent free utility for tune-ups, removing browser tracks and cleaning up dead registry keys. IOBit Smart Defrag and Auslogics Disk Defrag are good defraggers, although Windows 7 tends not to need defragmenting help the way that XP does. System Mechanic is another helpful maintenance tool.)
Typically, fake antivirus is the only malware that shows itself and that's because it's designed to trick you into thinking you have an infection so you will pay money to have it cleaned up, said David Perry, global director of education at Trend Micro. "The bad guys are building the smallest, lightest, most undetectable items they can so you don't get symptoms at all," he said. "They are entirely silent and entirely invisible."
What are the chances I'm infected?
Even if you practice safe computing and don't click on random links that lead to malicious Web sites or open unsolicited attachments hiding a virus or Trojan, you could get infected. Visiting porn and pirate Web sites also increases your chances of encountering malware, but legitimate Web pages can be hiding malware too, which gets stealthily dropped on your computer in so-called drive-by downloads that exploit flaws in the browser or its plug-ins. More than 1 million Web sites were infected with malware during the second quarter of 2010, many of them innocent sites whose administrators are unaware of the hidden malware, according to antimalware service provider Dasient.
Given that an estimated 40 percent of computers are not running antivirus software and that some malware disables security software, which opens the door to additional infections, there are many more infected computers than people realize.
How do I check for an infection?
There are many free online scanners that check your computer for viruses and other malware, including Trend Micro's HouseCall, and Malwarebytes, which is designed to catch malware that traditional antivirus software misses. (For the Mac there's the free ClamXav virus scanner.) Every major antivirus vendor offers a scanner. Trend Micro's Perry suggests getting a second opinion if a scan finds nothing: run a second scanner from a different vendor. Because different vendors use different detection technologies, there is a good chance that one will catch what the other misses. Outside of such one-off scans, however, use only one antivirus product for ongoing protection; two real-time scanners running at once can conflict with each other and cause system slowdowns. (Malwarebytes is an anti-malware tool designed to run alongside an antivirus product rather than replace it.)
How do I remove an infection?
Most of the antimalware scanners include tools for removing the problem program once it has been detected. Microsoft has its own Malicious Software Removal Tool, which is updated every month on Patch Tuesday to check the machine for a specific list of prevalent malware families; it is not a substitute for a full antivirus product. Another good resource is the Bleeping Computer forum, which specializes in free help to remove malware. It's helpful for those who are patient or on a severely tight budget. The forum is also excellent at helping users diagnose the difference between malware-caused performance problems and nonmalicious ones. However, if the removal tools don't do the job, or you are not computer savvy enough to dive into your system and try to remove the malware yourself, you might have to contact tech support through your security software provider or an independent firm. Microsoft's Consumer Security Support site requires users to run the company's free antimalware scan before an agent can help.
Getting tech help to clean up an infection can wind up costing as much as several hundred dollars for a complicated job. Support can be done over the phone, and some services can reach out to your computer over an Internet connection to perform the fix. In the worst cases, the machine has to be taken to a shop or sent to the vendor, and the hard drive will need to be wiped and reformatted and the operating system reinstalled. It's always a good idea to make regular backups of your data and store them on a separate hard drive, or to use an online backup service. And you should keep your operating system recovery disks in case of such an emergency.
How do I manually remove it?
The first thing you might want to do is attempt a System Restore to a known clean state. The goal is to return your system to the condition it was in before the infection. Be aware that restore points can themselves contain the malware, which is why some people suggest skipping System Restore, or even disabling it, so that the malware is not restored along with everything else. Disabling System Restore deletes all existing restore points, clean ones included, so do it only once you have decided you won't be restoring. On Windows XP, click "Start," right-click "My Computer" and click "Properties." On the System Restore tab, check "Turn off System Restore" and click "OK." On Windows 7 the equivalent setting is under "System protection" in the System control panel.
You can try looking for and uninstalling any aberrant programs under "Add/Remove Programs" in the "Control Panel" (called "Programs and Features" on Windows 7). Before deleting any files or programs, though, you should search for them on the Web to see what other people have said about the threat. There's a good chance that others have encountered it before you. You can also submit a file to most security vendors through their Web sites. (Virustotal.com scans an uploaded file with engines from multiple antivirus vendors, and you can look up a file by its hash instead of uploading it.) If you don't have access to a clean computer, it's worth the extra time to go to a public library or Internet cafe and check from there. Be careful not to confuse corrupted system files with malware infections. Sometimes installing or uninstalling a program can accidentally corrupt essential system files. Always do a Web search on the suspect software before assuming it's malware. If you're seeing the blue screen of death, a faulty driver or hardware problem is a more likely cause than an infection.
You can then reboot your computer in Safe Mode by restarting it and pressing "F8" until the Windows Advanced Options Menu is displayed. Select "Safe Mode" from the menu and hit "Enter." Safe Mode loads only the essential drivers and services, so malware that launches at startup is less likely to be running and interfering with the scan. Note that plain Safe Mode has no network access; update your scanner's definitions before rebooting, or choose "Safe Mode with Networking" if the scanner needs to download them. You can run the antimalware scanners now for a cleaner scan.
If this all fails to clean the computer, you can download the free HiJackThis tool. It examines vulnerable or suspect parts of your system, such as browser helper objects and certain types of Registry keys, and generates a log of items. If you can't make sense of the logs, you can post them to forums like Bleeping Computer or Geeks To Go where more knowledgeable people can take a look. Don't expect immediate answers as these are volunteers.
For an even more hands-on approach to the clean up, you can use the command prompt. Find it through the Start menu among the "Programs" under "Accessories." Then you must try to locate the malicious file. If you think you got infected from an e-mail, look in the folder where your mail client saves attachments. Often a virus will show up in the Windows system folder or a temporary folder. Malware frequently sets the read-only, system and hidden attributes on its files so that they don't show up in Explorer and can't simply be deleted. Clear those attributes with the command "attrib -r -a -s -h VIRUSNAMEHERE.vbs" (attrib changes file attributes, not permissions), substituting the real file name. Then delete the file by typing "del VIRUSNAMEHERE.vbs".
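As an added example, here is a PowerShell script that carries out the manual steps above in one place: it lists recently written executable and script files in the temp, system and application-data folders, including hidden and system ones, shows whether they carry a valid code signature, computes the SHA256 hash you can look up on Virustotal.com from a clean machine, and then deletes a file you have confirmed is malicious after clearing its attributes, which is what the "attrib -r -a -s -h" command does. This is not code from the original article or from any vendor's tool. It assumes Windows PowerShell 4 or later (for Get-FileHash) run from an elevated prompt; the folder list, the seven-day window and the placeholder file name are assumptions, and the commented-out Disable-ComputerRestore line is the scripted equivalent of the System Restore steps above.

```powershell
# Added example (not from the original CNET article): manual malware triage in PowerShell.
# Run from an elevated PowerShell prompt (works in Safe Mode too). Assumes PowerShell 4+.

# Folders where the article says malware commonly lands (assumed list).
$SuspectFolders = @(
    $env:TEMP,
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32",
    $env:APPDATA,
    $env:LOCALAPPDATA
)

# Executable or scriptable extensions worth a second look (assumed list).
$SuspectExtensions = @('.exe', '.dll', '.vbs', '.js', '.bat', '.cmd', '.scr', '.ps1')

# Step 1: list recently written files. -Force includes hidden and system files that
# Explorer would not show; the signature status separates vendor binaries from unknowns.
function Get-SuspectFiles {
    param([int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($folder in $SuspectFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -Force -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff -and $SuspectExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [PSCustomObject]@{
                    Path      = $_.FullName
                    Written   = $_.LastWriteTime
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    System    = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                    Signature = $sig.Status   # 'Valid' for properly signed vendor files
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Step 2: review the unsigned candidates. Look the SHA256 up on virustotal.com from a
# clean machine before deleting anything; a file name alone proves nothing.
Get-SuspectFiles -Days 7 |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Written -Descending |
    Format-Table Path, Written, Hidden, System, Signature, SHA256 -AutoSize

# Step 3: delete a confirmed malicious file. Clearing read-only/system/hidden first is the
# PowerShell equivalent of "attrib -r -a -s -h"; without it the delete can fail.
function Remove-ConfirmedMalware {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Warning "Not found: $Path"; return }
    $item.Attributes = [IO.FileAttributes]::Normal   # strips R, S, H and A in one go
    Remove-Item -LiteralPath $Path -Force
    Write-Host "Deleted $Path"
}

# Placeholder name, as in the article; substitute the file you have confirmed is malicious.
# Remove-ConfirmedMalware -Path "$env:TEMP\VIRUSNAMEHERE.vbs"

# Optional: the scripted equivalent of turning off System Restore. This deletes every
# existing restore point, clean ones included, so only run it once you have decided
# not to restore.
# Disable-ComputerRestore -Drive 'C:\'
```

Get-AuthenticodeSignature reports "NotSigned" for scripts and unsigned executables, so the unsigned filter will also list legitimate but unsigned programs; that is why the hash lookup comes before the delete rather than the other way round.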
If all else fails, you may have to do a clean install of the operating system and applications, restoring only your data from backup. Microsoft publishes instructions on how to do this safely.
How do I prevent future infection?
Of course, all the best software in the world can't protect you if you are reckless. Specifically, you should avoid clicking on unsolicited Web links and opening dubious attachments. Rather than trusting a link in an e-mail, type the site's main URL into the browser yourself and navigate from there, particularly for sensitive sites like PayPal, since the text of a link and its real destination can differ. Keep Windows, your browser and its plug-ins patched, because drive-by downloads rely on unpatched flaws. You should also avoid inadvertently downloading malware by not clicking "agree," "OK" or "I accept" in banner ads or pop-up windows; even the window's "close" button may be part of the ad. Instead, press "CTRL + F4" on your keyboard to close the current tab, and if that doesn't close it, press "ALT + F4" to close the browser window.
For more information, watch CNET's how-to video that shows steps to take to clean up after an infection.
CNET's Seth Rosenblatt contributed to this report.
Updated July 13, 2011, at 2:50 p.m. PT with more details on how Malwarebytes works; Oct. 19, 2010, at 3:54 p.m. PST with CNET how-to video link; and Oct. 18, 2010, at 2:19 p.m. PST with recommendation to not use more than one antivirus program at a time for ongoing protection.