Malware Guide: Signs of Infection (Part 2 of 7)

Now that you know the differences between the types of malware, you should learn to recognize the signs that warn you that you may be infected with some form of it. Before I go any further I should make clear that these are signs: most of them do not tell you that you have malware, only that you may have it. So if you happen to notice these signs on your computer, don't go wiping your hard drive in fear that you have been compromised; instead, try to work out whether you are infected from the clues you have gathered. There are many hints that can let you know you've been infected, but none of them is conclusive on its own.

The first sign of malware is the speed of your computer. Malware is often programmed so poorly that it can bring your computer to a near grinding halt. The irony is that the authors want their malware to be inconspicuous, and yet it often is not. So a good way to know something is amiss is if your computer suddenly became a slug after a history of running quite speedily. As a word of caution, this can also be caused by bad drivers, a bug in some software, or by leaving too many applications running (or, for that matter, too many at startup). But even if it isn't malware slowing you down, it is still something you should try to remedy. A worm that aggressively scans the Internet for other machines to infect can usually reduce a computer's speed drastically.

Another sign that should make you suspicious is the appearance of strange icons on your desktop or in your favorites (browser bookmarks). Adware programs often create icons in very visible locations in the hope that you will be curious and click on them. These usually point to websites centered around gambling or pornography, but those are just the most common; they could be for just about any type of website. Such sites typically pay the creator of the adware program per click or per registration, so it is best just to delete these icons. But if you have these icons, then something put them there, and it usually means you have installed an adware program by some route.

The next thing to notice is whether your Internet speed has drastically reduced. Many malware programs, especially worms, can use up your bandwidth. This is not only an annoyance for you but costs your ISP money and slows down the Internet for others. However, just because your Internet connection is slow does not mean you are infected. This could easily be caused by an issue at your ISP or something silly like bad wiring (got mice?). Before you jump to conclusions, make sure you have no file sharing applications open such as KaZaA or eMule, since they share your bandwidth. Malware normally uses up bandwidth either because it is a worm scanning the Internet for other machines to infect, or because a trojan or rootkit installed some type of file server on your computer that other people are using.

One of the most obvious signs that you have malware is when you notice that your startup time has increased dramatically. Malware, like any program, needs to be running in order to work, so it has to tell your operating system to run it at startup. This will slow down your startup time, drastically so if you have a severe infestation. Do note that normal programs, or a variety of other variables, could also be slowing your startup time.

A good way to detect whether you have things installed that you shouldn't is to look for unknown task tray icons, start menu icons, desktop icons, or unknown programs in your Add / Remove Programs list. Some of the less evil malware (normally adware) will actually let you know it is installed. If that's the case, you can usually remove it from Add / Remove Programs and it will be over. However, it is also possible that a trojan (or worm, etc.) programmer messed up and placed icons in places that could tip you off.

One of the best ways to identify whether you have a worm, virus, or well-known trojan is if your virus scanner fails. If your virus scanner has ceased functioning (fails to update its definitions, disappears when you open it, disappears when you run a scan, doesn't open at startup, or doesn't scan in real time), then you have a broken antivirus program. Often it will have been disabled by a program that fears detection, but it could also be just coincidence. A lot of the time you will need to close the running malware programs before your virus scanner can be fixed (it may need to be reinstalled). You can test real-time scanning by trying to open the EICAR test string. It is a small text file that all virus scanners detect so you can test them, but it is not a virus. If your virus scanner detects it and doesn't let you open it, then your scanner is actively scanning.
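The real-time scanning check described above, written out as an added example (not part of the original guide): it writes the published EICAR test pattern to a temporary file, tries to read it back, and reports what happened. The file name and directory are assumptions; an antivirus with real-time scanning enabled will normally block or remove the file before it can be read.

```python
import os
import tempfile

# The EICAR test string is a published, harmless pattern that antivirus
# vendors agree to detect. It is not malware; it exists only for testing.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def realtime_scan_check(directory=None, name="eicar_test.com"):
    """Write the EICAR file and try to read it back.

    Returns one of:
      "blocked"   - writing or reading raised an error (scanner intercepted it)
      "removed"   - the file vanished before it could be read back
      "altered"   - the file was readable but its content changed
      "untouched" - written and read back intact (no real-time scanning)
    """
    directory = directory or tempfile.gettempdir()   # assumed location
    path = os.path.join(directory, name)
    try:
        with open(path, "w") as fh:
            fh.write(EICAR)
        if not os.path.exists(path):
            return "removed"
        with open(path) as fh:
            data = fh.read()
    except OSError:
        return "blocked"
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    return "untouched" if data == EICAR else "altered"


def verdict(result):
    """Translate the check result into the conclusion the guide draws."""
    if result in ("blocked", "removed", "altered"):
        return "real-time scanning is active"
    return "real-time scanning is NOT active; check your antivirus"


if __name__ == "__main__":
    outcome = realtime_scan_check()
    print(outcome, "->", verdict(outcome))
```

On a machine with no antivirus (such as most build servers) the result is "untouched"; that is the outcome the guide tells you to treat as a warning sign.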

Most likely the best way to notice whether you have offending malware is by finding unknown processes in the task manager. The task manager is a program that monitors system utilization and lets you see which programs are running. The only problem with this is that it requires a bit of knowledge of what should be there and what shouldn't. Since malware is a program like any other, it will (with a few exceptions) appear in the task list. I will go into detail about this in the detection and removal section.
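The "know what should be there" problem above can be made less error-prone by keeping a baseline. This added example (not from the original guide) parses the CSV output of the Windows `tasklist /fo csv` command and reports any image name that is missing from a baseline you recorded while the machine was known to be clean. The tasklist sample and the baseline set are constructed for illustration; the process name flagged is a placeholder, not a real malware name.

```python
import csv
import io
import platform
import subprocess

# Constructed sample of `tasklist /fo csv` output (not captured from a real PC).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","236 K"
"smss.exe","376","Console","0","388 K"
"csrss.exe","424","Console","0","3,452 K"
"winlogon.exe","448","Console","0","4,108 K"
"services.exe","492","Console","0","3,284 K"
"lsass.exe","504","Console","0","1,232 K"
"svchost.exe","688","Console","0","4,880 K"
"explorer.exe","1288","Console","0","21,672 K"
"unknown_sample.exe","1640","Console","0","8,204 K"
"svchost.exe","1700","Console","0","3,916 K"
'''

# Assumed baseline: image names seen on this machine while it was known clean.
BASELINE = {"System Idle Process", "System", "smss.exe", "csrss.exe",
            "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
            "explorer.exe"}


def parse_tasklist(text):
    """Return [(image_name, pid, mem_kb), ...] from tasklist CSV output."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        mem_kb = int(row["Mem Usage"].replace(",", "").split()[0])
        rows.append((row["Image Name"], int(row["PID"]), mem_kb))
    return rows


def find_unknown(processes, baseline):
    """Processes whose image name was never seen in the clean baseline.
    Name comparison is case-insensitive because Windows file names are."""
    known = {n.lower() for n in baseline}
    return [p for p in processes if p[0].lower() not in known]


if __name__ == "__main__":
    if platform.system() == "Windows":
        text = subprocess.run(["tasklist", "/fo", "csv"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_TASKLIST
    for name, pid, mem_kb in find_unknown(parse_tasklist(text), BASELINE):
        print(f"not in baseline: {name} (PID {pid}, {mem_kb} KB)")
```

A name that is not in the baseline is a lead to investigate, not proof of infection; the exceptions the guide mentions (software that hides its process) will not show up here at all.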

If you notice the network activity light blinking rapidly on your network card or on your router / cable / DSL modem while your computer is idle, this could be a good sign that you are infected with something you don't want. By idle I mean that you aren't browsing web sites, you aren't downloading or uploading anything, and you don't have any file sharing applications open like KaZaA, etc. Since those lights blink when data is transferred, they can be a good indicator that your computer is transferring data while you aren't. Even while your computer is idle they will still blink frequently, but download something and notice the difference to see what I mean. Since a lot of worms use a lot of network bandwidth, this could show that you need to remove something you don't want. Be sure to close all programs that could potentially be using the Internet before jumping to conclusions.

A sign related to the above is noticing, through a network analyzer, that your computer is consuming a lot of network bandwidth while it is supposedly idle. Luckily a network analyzer is included with Windows XP in the task manager. Under the Networking tab you can choose to see bytes sent / interval and bytes received / interval (by selecting that column). Like the previous check, this could clue you in to checking your computer for malware.
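The idle-bandwidth check from the two paragraphs above, as an added example that is not part of the original guide: it takes two snapshots of the Windows `netstat -e` interface counters a few seconds apart, converts the difference into bytes per second, and flags sustained traffic on a machine that is supposed to be idle. The two snapshots embedded here are constructed, and the alert threshold is an assumed value.

```python
import platform
import subprocess
import time

# Constructed `netstat -e` snapshots, notionally taken 10 seconds apart.
SNAPSHOT_T0 = """Interface Statistics

                           Received            Sent

Bytes                      48213055           9122448
Unicast packets               61240             40211
"""
SNAPSHOT_T1 = """Interface Statistics

                           Received            Sent

Bytes                      48238055          14322448
Unicast packets               61310             49011
"""


def parse_bytes(netstat_output):
    """Return (received_bytes, sent_bytes) from `netstat -e` text."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if parts and parts[0] == "Bytes":
            return int(parts[1]), int(parts[2])
    raise ValueError("no 'Bytes' line found in netstat output")


def idle_rate(before, after, seconds):
    """Bytes per second received and sent between two snapshots."""
    r0, s0 = parse_bytes(before)
    r1, s1 = parse_bytes(after)
    return (r1 - r0) / seconds, (s1 - s0) / seconds


def is_suspicious(rate, threshold_bps=5000):
    """True when either direction exceeds the assumed idle threshold.
    A few hundred bytes/s of background chatter is normal on an idle PC;
    heavy outbound traffic matches the worm-scanning / file-server case."""
    received, sent = rate
    return received > threshold_bps or sent > threshold_bps


if __name__ == "__main__":
    if platform.system() == "Windows":
        run = lambda: subprocess.run(["netstat", "-e"], capture_output=True,
                                     text=True).stdout
        t0 = run(); time.sleep(10); t1 = run(); secs = 10
    else:
        t0, t1, secs = SNAPSHOT_T0, SNAPSHOT_T1, 10
    rate = idle_rate(t0, t1, secs)
    print(f"recv {rate[0]:.0f} B/s, sent {rate[1]:.0f} B/s,"
          f" suspicious={is_suspicious(rate)}")
```

Close every program that could use the network before sampling, exactly as the guide says, or the check will flag your own downloads.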

The most obvious sign of adware is popups. You should be especially suspicious if popups appear while you are not actively browsing the Internet. Other signs include obscene (for example pornographic) popups on G- to R-rated web sites, popups appearing on web sites that didn't previously have them, and multiple popups appearing for each web site. Popups can also be caused by the Windows Messenger service (not to be confused with the MSN / Windows Messenger program, which is a chat program). Messages from the Messenger service are not caused by malware, but they are extremely annoying (you may want to read my Windows Setup guide on security). Often people will see a popup, assume they have adware, and install a popup blocker to stop the popups. You have to understand that there are two types of popups: those that originate from a website (a web page asks your browser to display a new page in a window), and those that a program on your computer has opened. If the popup came from your computer, you need to remove the adware that is producing it; if it came from a website, a popup blocker may help.