The University of Massachusetts Amherst
Categories: Operating System Security, Virus/Malware, Windows

Help! I think I have a Virus (Windows)

First it's important to verify that your computer is actually infected. The general sign of malicious software is that your computer has stopped working as expected. The obvious problem with this is that there are many reasons a computer can stop working correctly that have nothing to do with viruses: software updates can have unexpected side effects, hardware can fail, and users can change settings without understanding the effect of the change. A useful way to judge whether you really have malware is to ask yourself whether somebody could be making money off of what is happening to your computer, because most malicious software is written to make money (through injected ads, fake 'cleaning' tools, stolen logins or ransom). That being said, here are some common signs that your computer may be infected:

  • Unusual Security Warnings: Malware often disguises itself as anti-malware software with the goal of getting you to pay money to 'clean' or 'speed up' your system. To avoid being fooled, know what your security software looks like. If you have McAfee installed and you see a security warning from something that is neither McAfee nor Windows' own built-in security notifications, your machine is very likely infected. Never pay, and never install the 'cleaner' that the warning offers.
  • Being asked for personal information: Legitimate software installed on your computer will almost never ask you for personal information or credit card numbers. Being asked for this sort of information anywhere other than a store's website that you deliberately went to in your web browser is an immediate red flag.
  • Unusual Ads: The only place you should ever see ads is inside your web browser, on sites that actually carry them. If you feel that you are seeing an unusual number of ads when you are on the web, try going to a website that you are sure will never have ads, such as UMass.edu; if ads appear there, something on your computer or in your browser is injecting them.
  • Computer is Abnormally Slow: A common cause of a slow computer is having more than one anti-virus program installed at once. Anti-virus suites do not play well with one another, and two real-time scanners checking every file can seriously slow down your machine. If you are sure you have only one anti-virus program installed, then the slowness may be caused by malware.

Now that you know some of the signs that you may have malware, the next step is to try to remove it.

Task Manager

You should follow the steps in this section only if malware is causing your computer to be extremely and abnormally slow. If that is not the case, skip to the 'Uninstall a Program' section.

If you are not familiar with Task Manager, it is a built-in Windows utility that displays, in real time, the resources that each program, process or service running on your computer is using. You can open Task Manager directly by pressing 'Ctrl + Shift + Esc', or you can press 'Ctrl + Alt + Delete' and then select Task Manager. Select the 'Processes' tab (on Windows 8 and later, click 'More details' first if you only see a short list of apps; on Windows 7 or older, press the 'Show processes from all users' button so that nothing is hidden). Next, click the 'CPU' column header.

Click the CPU Header

This will cause the process list to be sorted by CPU usage. Make sure that the small triangle inside the CPU header is pointing down (if it is not, click the CPU header again); this signifies that it is sorting from highest CPU usage to lowest. If your computer is abnormally slow, you will probably find that the majority of your CPU is being used by a few processes, some of which may be malware.

Before ending these high-CPU processes, verify that they really are malicious. Generally, if you recognize both the program's name and its company name, it probably isn't malware. For processes whose name you do not recognize, Google the process name to check whether it is known malware. Two further checks help: right-click the process and choose 'Open file location' (legitimate Windows components live under C:\Windows, while malware is often running from your Temp, AppData or Downloads folder), and be wary of names that imitate a system process with a letter changed or added. Do not end core Windows processes such as explorer.exe, csrss.exe or winlogon.exe: ending them removes nothing and can crash Windows or log you out.

End Task

Each process listed in Task Manager can be ended by right-clicking it in the list and selecting 'End Task' (accept any security warnings). If you are using Windows 7 or earlier, right-click the process and select 'End Process Tree' so that any helper processes it launched are ended too. Note that this does not actually remove anything from your computer; it is merely a way to stop programs that may be slowing down your computer so that it will be easier to remove them. Malware often restarts itself within seconds of being ended, which is itself a strong sign that you have found the right process.

If you are unable to end certain malware processes, it may be worth downloading and running RKill, a free program from BleepingComputer that ends known malware processes automatically. RKill will not remove any files from your computer; it only stops malware from running, so you will still need to follow the steps below after running it. Do not restart the computer between running RKill and the removal steps, because the malware will simply start again.
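The following PowerShell script is an added example and is not part of the UMass article. It reproduces Task Manager's sort-by-CPU view together with the two checks described above: where each executable actually lives and whether it carries a valid publisher signature. It assumes Windows PowerShell 5.1 or newer and should be run from an elevated (Run as administrator) prompt, since otherwise the Path is empty for processes owned by other users.

```powershell
# Added example, not code from the UMass page: Task Manager's "sort by CPU"
# view with the checks worth making before pressing End Task.
# Assumes Windows PowerShell 5.1+ in an elevated prompt.

# Folders that installed, legitimate software rarely runs from but adware usually does.
$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA,
                  "$env:USERPROFILE\Downloads", $env:PUBLIC) | Where-Object { $_ }

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $suspectRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-TopCpuProcess {
    param([int]$Count = 15)
    Get-Process |
        Where-Object { $_.Id -gt 4 } |      # skip the Idle (0) and System (4) pseudo-processes
        Sort-Object CPU -Descending |       # CPU = total seconds of processor time used so far
        Select-Object -First $Count |
        ForEach-Object {
            $path = $_.Path                 # $null for protected processes PowerShell cannot open
            $cpu  = if ($_.CPU) { [math]::Round($_.CPU, 1) } else { 0 }
            $sig  = 'unknown'
            if ($path) {
                try   { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
                catch { $sig = 'error' }
            }
            [pscustomobject]@{
                PID        = $_.Id
                Name       = $_.ProcessName
                CPUSeconds = $cpu
                Company    = $_.Company     # blank for many unsigned droppers
                Signature  = $sig           # 'Valid' = signed by a publisher Windows trusts
                Suspect    = Test-SuspectPath $path   # running from Temp/AppData/Downloads
                Path       = $path
            }
        }
}

Get-TopCpuProcess | Format-Table -AutoSize
```

A row with a blank Company, a Signature other than Valid and Suspect set to True is the kind of process the text says to look up before ending. A valid signature is not proof of innocence on its own, since a good deal of adware is signed, so still check the name and path. Once you have decided, `Stop-Process -Id <PID>` is the same as End Task, and `taskkill /PID <PID> /T /F` is the same as End Process Tree.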

Uninstall a Program 

Believe it or not, much of what people would call malware is not treated as malware by anti-virus products at all. These programs (adware, toolbars, search 'protectors' and the like, usually called potentially unwanted programs) were installed with the user's permission, even if that permission was buried in another program's installer, and they can be uninstalled normally, so anti-virus software often does not flag them. Now obviously nobody would choose to install malware, right? Actually, it happens far more often than you'd think. Most people end up installing it without even realizing.

The picture below shows the most common way this kind of malware is installed. What you see is the installer for ImgBurn, a legitimate, free and useful DVD burning program. In the process of installing ImgBurn, you are presented with the following screen which, as you can see in the red section, prompts you to 'install Search Protect'. Nobody wants Search Protect, but it still gets installed frequently because most people just keep pressing 'Next' until the software is installed without reading what the installer is asking. Installers that offer a 'Custom' or 'Advanced' option usually hide the bundled offers behind it, so choose that option and untick anything you did not set out to install.

Install Malware

If you have any sort of malware whatsoever, it is always a good idea to check Windows' Uninstall a Program utility to see if it can be removed the easy way before you start running scans or take more drastic steps. To uninstall a program in Windows, open your Start menu and search for "Uninstall a Program" (in Windows 8, press Start and simply start typing to search), then click the result named "Uninstall a Program". This window can also be reached through the Control Panel, where it is titled "Programs and Features", or by pressing Win + R, typing appwiz.cpl and pressing Enter.

Search for Uninstall a Program

Once the Uninstall a Program window opens it will start filling with the various programs installed on your computer.

Uninstall a Program

Click the "Installed On" header until it shows the most recently installed programs at the top of the list. Generally, malware comes in groups, and chances are that there will be several programs that you will have to remove. When you're looking at the list of installed programs, look carefully at each program that has been installed since the date the problem started. If you do not recognize the program or its publisher, then it could be malware; entries with a blank publisher field deserve particular suspicion. If you want to make sure that the software isn't something useful before you uninstall it, do a quick Google search of the program name.

Programs Installed since Problems Started

The above screenshot shows each program that has been installed since I started noticing malware symptoms. As I said above, ImgBurn is legitimate software that I intended to install; however, I am not familiar with the other three programs, and there's a good chance that at least one of them is causing the symptoms, so I am going to remove them. To remove a program, select it and then press Uninstall/Change. This runs the program's built-in uninstaller, so follow the prompts on screen in order to remove the unwanted program. Remember to read each screen of the uninstaller carefully: some unwanted programs word their uninstaller so that the obvious button keeps them installed.

Uninstall a Program

If you get the following message:

Wait While the Current Program is Being Uninstalled

Then follow its directions and wait. Sometimes programs will not display a progress bar, or any information at all, while they are uninstalling. Even if this message stays up for more than 10 minutes, do not restart your computer; just wait. It will eventually let you uninstall the next program.

If you are having a hard time removing a particular program, it might be worth installing Revo Uninstaller. Revo runs the program's own uninstaller and then scans for leftover files, folders and registry entries belonging to it, which is useful for unwanted programs whose uninstallers deliberately leave pieces behind. Read each screen of its installer too, as with any other download.
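As an added example (not part of the UMass article), the script below builds the same list that "Uninstall a Program" shows, newest first, by reading the registry keys that window reads. It assumes Windows PowerShell 5.1 or newer and needs no elevation; the date passed at the bottom is only an example and should be replaced with the day your symptoms started.

```powershell
# Added example, not code from the UMass page: the "Uninstall a Program" list
# sorted by install date, straight from the registry. Assumes Windows PowerShell 5.1+.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit programs on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs, a favourite of bundled adware
)

function Get-InstalledProgram {
    param([datetime]$Since = [datetime]::MinValue)   # keep only programs installed on or after this date

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # Windows hides SystemComponent=1 entries too
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text. Many installers leave it out or
            # write junk; those entries are kept so that a missing date cannot hide a program.
            $installed = $null
            if ("$($_.InstallDate)" -match '^\d{8}$') {
                try   { $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) }
                catch { $installed = $null }
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher          # blank publisher is a warning sign in itself
                InstalledOn = $installed
                PerUser     = $_.PSPath -like '*HKEY_CURRENT_USER*'
                Uninstall   = $_.UninstallString    # the command the Uninstall button runs
            }
        } |
        Where-Object { -not $_.InstalledOn -or $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending
}

# Everything installed since the symptoms started (the date is an example).
Get-InstalledProgram -Since '2014-10-01' |
    Format-Table Name, Publisher, InstalledOn, PerUser, Uninstall -AutoSize
```

Programs installed per user (PerUser = True) never ask for administrator permission, which is exactly why bundled adware prefers that location. The Uninstall column holds the command that the Uninstall button runs; running it yourself from a Run dialog is equivalent, and an interactive uninstaller still needs you to read every screen.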

Clean your Browsers

A common tactic is to replace your browser's homepage and default search provider with the malware author's own ad-ridden page and search engine, so that every search you run earns them money. Once you've finished the above section, inspect each browser you use and revert any changes the malware made. The following screenshots were taken in Mozilla Firefox, but the process is similar in other browsers; if you cannot find one of these settings in a different browser, Google it.

Check your browser’s Extensions/Plugins/Add-ons

Firefox Add-ons

As seen above, click the three-line button on the top right and then select ‘Add-ons’ from the list that appears.

Next, check through both the 'Extensions' and 'Plugins' menus for anything unwanted. In my case, all my Plugins were legitimate, but under Extensions I found something I don't want.

Unwanted Extensions

In the above screenshot, the Adobe and McAfee Extensions are both Extensions that I want, but MySearchDial New Tab 9.5.3 and mysearchdial.com 1.6.0 are both unwanted and need to be removed. This can be done by clicking the remove button.

If you are unable to remove an Extension/Plugin/Add-on (the Remove button is missing or greyed out), it was probably installed by a program on your computer rather than from within the browser. Go back through the 'Uninstall a Program' section above, remove that program, and then check the Add-ons list again.

Change your Browser’s Homepage

On Firefox, select the three-line button in the top right of the window, and then click ‘Options’. Once the Options window opens, go to the ‘General’ tab as seen below.

Firefox Change Homepage

As you can see above, my Homepage in Firefox has been changed to something I don't want. Simply replace what's written in the 'Home Page' text field with the URL of your desired Homepage and then select 'OK'.

Change your Browser’s Search Engine

To change your search engine in Firefox, click the down arrow on the left side of the search bar and then select 'Manage Search Engines…'.

Firefox Change your Search Engine

In the 'Manage Search Engine List' window that appears, select any unwanted search engines and press 'Remove'. Then make sure that your desired search engine is at the top of the list and press 'OK'. If a removed engine or the old homepage reappears the next time you open the browser, an extension or a program is re-applying it; return to the two sections above.

Remove Search Engine Firefox
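Firefox keeps every changed setting in a file called prefs.js inside your profile folder, one line per setting. The script below is an added example, not part of the UMass article: it reads that file and reports the homepage and search settings that a hijacker typically rewrites. The sample text inside it is constructed to resemble the MySearchDial case above. To scan a real profile, point the function at $env:APPDATA\Mozilla\Firefox\Profiles\<profile>\prefs.js with Firefox closed (Firefox rewrites prefs.js on exit). browser.startup.homepage is Firefox's homepage setting; the new-tab and search pref names are those used by Firefox of the article's era and are an assumption for current versions.

```powershell
# Added example, not code from the UMass page: report Firefox prefs that a
# search hijacker typically rewrites. Sample prefs.js content is constructed.
# Pref names other than browser.startup.homepage are an assumption for newer Firefox.

$samplePrefs = @'
user_pref("browser.startup.homepage", "http://start.mysearchdial.com/?f=1&a=msdhp");
user_pref("browser.newtab.url", "http://start.mysearchdial.com/newtab");
user_pref("browser.search.defaultenginename", "MySearchDial");
user_pref("browser.search.selectedEngine", "MySearchDial");
user_pref("browser.startup.page", 1);
user_pref("extensions.lastAppVersion", "33.0");
'@

$watchedPrefs = 'browser.startup.homepage', 'browser.newtab.url',
                'browser.search.defaultenginename', 'browser.search.selectedEngine'

function Get-HijackedPref {
    param(
        [Parameter(Mandatory)][string]$PrefsText,
        # Values matching any of these patterns are treated as the user's own choice.
        [string[]]$TrustedPatterns = @('^about:', 'google\.com', 'bing\.com', 'duckduckgo\.com',
                                        '^(Google|Bing|DuckDuckGo|Yahoo)$')
    )
    foreach ($line in ($PrefsText -split "`r?`n")) {
        # Each setting looks like:  user_pref("name", value);
        if ($line -notmatch '^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$') { continue }
        $name  = $Matches[1]
        $value = $Matches[2].Trim('"')
        if ($watchedPrefs -notcontains $name) { continue }
        $trusted = $false
        foreach ($pattern in $TrustedPatterns) {
            if ($value -match $pattern) { $trusted = $true; break }
        }
        if (-not $trusted) { [pscustomobject]@{ Pref = $name; Value = $value } }
    }
}

# With the constructed sample this reports the four MySearchDial settings.
Get-HijackedPref -PrefsText $samplePrefs | Format-Table -AutoSize
```

Set the reported values back through Options as shown above, or delete those lines from prefs.js while Firefox is closed. If the same lines come back on the next launch, an extension or an installed program is re-applying them, which sends you back to the Add-ons list and to 'Uninstall a Program'.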

Software Malware Removal

If you have not been able to clean the infection by following the steps in the above sections, then you're going to have to try to clean the computer using malware removal software. There is a variety of anti-malware software available, and some of it is better than the rest. Below is a list of some of the best anti-malware software, along with a description of when each should be used. Each of these programs is free and safe to use, provided you download it from the developer's own site; fake 'Download' buttons on third-party download sites are a common way to pick up more adware.

  • Virus Scan: The first scan you should run is with the anti-virus software that is already installed on your computer. If you are affiliated with UMass Amherst, you have free access to McAfee and should install it and run its scan. Please note that you should never have more than one anti-virus program with real-time protection installed on your computer.
  • Malwarebytes: Malwarebytes Anti-Malware is a lightweight and robust removal tool that can detect and remove most common infections, including the adware and search hijackers described above. The free version is an on-demand scanner with no real-time protection, so it does not conflict with McAfee. Run it right after your anti-virus scan. You can download Malwarebytes here (select the free version).
  • ComboFix: Run ComboFix only if Malwarebytes was unable to remove a particular infection. ComboFix scans for and attempts to remove malware automatically, and it can be run on a machine that has Malwarebytes and McAfee installed. Because ComboFix works through your registry and system files, the same areas malware targets, anti-virus software may warn about it or block it, so disable your anti-virus while ComboFix runs and re-enable it afterwards. ComboFix makes deep changes to the system: back up your data before running it, and note that its developer recommends using it only with guidance from an experienced helper. You can download ComboFix here.

Windows Reinstall

At this point, you've tried everything. If you still have an infection, the most reliable way to get rid of it is to wipe your hard drive and reinstall a clean copy of Windows. First back up your important documents and data (reinstalling the operating system deletes all your files and programs), but back up only documents, photos and similar files, not programs or installers, and scan the backup with your anti-virus before copying it back afterwards. Then, either boot your computer from the recovery disk that came with it, or follow our detailed guide: How to Install Windows.

After you have Removed the Infection

After removing programs from your computer, it is a good idea to clean out the registry entries and leftover files that belonged to the now-deleted programs. If 'clean your registry' doesn't mean anything to you, don't worry: there is a program called CCleaner that will do it for you. Download CCleaner here and install it, reading each installer screen and declining any bundled offers, exactly as described above.

Once CCleaner is installed and open, select the 'Registry' tab on the left, click the 'Scan for Issues' button, and then click 'Fix selected issues...'. When asked 'Do you want to backup changes to the registry?', answer 'Yes' and save the .reg file somewhere you can find it again; if a program stops working afterwards, double-clicking that file puts the entries back. Then press the 'Fix All Selected Issues' button. Repeat this process until nothing appears in the list when you press 'Scan for Issues'.

Finally, if the infection could have captured what you typed (anything that asked you for passwords or card numbers), change the passwords for your email, bank and UMass accounts from the cleaned computer and keep an eye on those accounts for a few weeks.