How do you know your computer is virus infected ?

It’s better to prevent a computer virus infection than to remove the virus itself but sometimes the inevitable just happen, therefore an article maybe accompanied with your comments and experiences about virus infection signs(symptoms) is necessary for a lot of us.

To be able to  accomplish their main goal of stealing personal data, a lot of stealth malware are coded with low computer resources(CPU and RAM) consumption in mind and run unnoticed in your computer. One of the most advanced method to hide the malware presence, is using the rookits. Them can run at privileged levels , Ring 0 sau kernel-mode rootkits the same as a device driver or Ring 3 – user-mode rootkits  therefore can easily hide the registry keys added by the malware, their files or their active processes on your computer, hiding their presence from the operating system itself or from other software running in the computer including some antimalware programs hence making the detection very difficult. Other trojans inject well-known processes in Windows as explorer.exe, svchost.exe, services.exe and a summary view of the running processes with Windows Task Manager for example, will not expose the trojan process instead of that you will see the parent legitimate process where it is injected. It’s recommended to run an antivirus with an anti-rootkit module–nowadays most of them has antirootkit capabilities, or to use a free one like :

On the other hand, there is malware that makes all the things possible to be noticed, annoying the user and Rogue Antiviruses or Fake Alerts are  the best examples. Repeatedly displaying pop-ups or fake scanner windows, playing sounds and voices with scaring messages and alerts, are forcing the user to buy them, to pay for a license, so all of their creators have a quick financial gain goal.

There is several symptoms of an malware infected computer, it does not matter if the malware is stealth or not :

  • The computer may become unresponsive, it’s freezing or is very sluggish. If you look in Windows Task Manager chances are you will see a process using an abnormal CPU percent, very often the CPU is used 100%. This is the worst scenario because you don’t have enough “freedom”, enough “space” for your actions and your virus removal actions will take a big amount of time. You can set the  CPU “hungry” process to Below Normal or Low priority at CPU. Very often this symptom appear when a “fight” occur between your antivirus and the virus itself, thus you can disconnect from the Internet for a while and deactivate your antivirus to free the CPU. This will give you temporary the resources(CPU and RAM memory) needed for a manual disinfection of your computer, if your antivirus has failed to remove the virus.
  • You can not connect to the Internet. Very often the viruses alter a registry entry, forcing the applications to use a non-existant proxy. You can find this key here :  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] and the value of ProxyEnable must be modified to “0″ . That means no proxy used. A value of “1″ means an illusory proxy is enabled and that block your Internet connection. Of course this is true only in case you don’t use a real proxy for your connections.
  • While you are browsing the Internet, you are served with unsolicited web pages. In this category there are not included the redirecting websites, only when you request a specific webpage, another one is showing up. You must check your hosts file located in %SystemRoot%\system32\drivers\etc and look for another entry other than the default one : “127.0.0.1      localhost”. Though the hosts file has no extension you can open it with Notepad. This file exists from the Arpanet era, the predecessor of the Internet and map hostnames to IP addresses, making possible for example when you request a website to be directed to another IP, presumably a malicious website.   Read about hosts file in Wikipedia, if you want to know more about it. A special case in this category is when the malware modify the hosts file to prevent an antivirus update mapping the antivirus update domains to other IPs.
  • You can not access the Windows Task Manager. A possibly reason, the virus added a registry key under : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System with name DisableTaskMgr. A value of “1″ will disable the Task Manager and generate the well-known error :

disabled_task_manager

  • You can not access the Registry Editor aka regedit.exe. A possibly cause is a registry value filled under [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
    System]
    key, with name DisableRegistryTools. An  “1″ assigned to this value will disable the Registry Editor.
  • Processes with unusual names, very often random letters are running and can be viewed with Windows Task Manager or  you can see running legitimate processes but not started by you. This is very important, because if you don’t start Mozilla Firefox for example but you can see his process running, that’s mean a virus(trojan) is injected in the Firefox process. Trojans and other malware uses the injection in the Default Browser as an alternative of their configuration.
  • Strange sounds( some users report they hear steps sound for example in the speakers), images, voices, pop-ups which suddenly appear on the screen, alerts, unknown programs windows,alarms all are the signs of an infection with a malware like Rogue Antiviruses and a complete scan with your antivirus is required to prevent a deeper computer infection.
  • New programs installed without user interaction
  • The missing files required by some applications in order to run properly,especially dynamic link libraries(DLLs)
  • The usual programs are not able to run anymore throwing errors
  • Your friends report they receive emails from you, but you have not sent them
  • A disabled antivirus or firewall can be signs of an computer virus infection aswell
  • Your mouse has a strange behaviour, your CD-ROMs trays repeatedly open and close without your interaction
  • Your Wallpaper or Desktop background was changed. Very often malware as Rogue Antiviruses or Fake Alert change the background by changing a setting in Display Properties-> Desktop->Customize-> Desktop->Web->New Web Address and importing a background from that web address
  • A slower Internet connection is a sign that another application use the network bandwidth. You can monitor your network either with your firewall or with a program like Distinct Network Monitor or Microsoft Network Monitor 3.4
  • An unbootable computer
  • Unknown programs reported by your firewall as trying to connect to the Internet
  • Running unexpectedly on low disk space
  • An unusual longer computer start-up time
  • Frequent system errors, crashes, BSODs, your computer reboot on its own

Maybe there are other virus infections signs as well but these described here are the most important. If  one or more of these virus symptoms occur in your computer your first step must be to disconnect the computer from the Internet and to run a full system scan with an up to date antivirus, to prevent a deeper virus infection or even to prevent multiple infections.

If your antivirus is not able to remove the virus infection, you can try a manual disinfection which often being done properly can give better results than a security software. It’s good to have a system partition clone saved somewhere on another partition for a quick system recovery and the last option, if these are unsuccessful is the reformatting of the system partition to avoid bigger troubles as stealing of the private data, logins credentials, online banking credentials and so on.

Posted in Thoughts.

2 Responses

Leave a Reply