Checking Your Computer for Malware
I was asked how to ensure that a computer is not infected with evil programs. So this post is sort of a primer in exorcism.
First, I would run a full anti-virus scan on my system (with current anti-virus updates installed). I would also look for the icon in the taskbar associated with the anti-virus program. (Some malware will try to disable or stop your anti-virus program, so the icon may not be visible, or it might have a "slash" across it indicating it is disabled.) And I'd use the anti-virus program's "console" to check the configuration, to ensure that the proper protections are in place. I might also use an on-line virus scanner from McAfee or another mainstream company as a double-check. (I would be very wary about a "virus scanning service" offered via a pop-up advertisement.)
Next, I'd run a spyware detection program, getting rid of all items found except for cookies (which I consider mostly benign). I think that Ad-Aware Personal Edition or Spybot Search & Destroy are good choices that are free for personal use. Watch out for similarly named programs.
Another check is to watch network activity while the computer is idle: watch the activity lights on the modem (or router) when nothing should be using the network. If the lights show traffic anyway, it's possible that something is running in the background.
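The "watch the lights" check can be made more precise by sampling the network interface byte counters while the machine sits idle and flagging intervals of sustained traffic. The following script is an added example, not code from the original post; it reads counters from /proc/net/dev on Linux or the "Bytes" line of `netstat -e` on Windows (both assumptions about the platform you run it on), and the QUIET and CHATTY sample sets are constructed to illustrate a box that briefly checks for updates versus one that moves data the whole time.

```python
"""Flag sustained network activity on a machine that should be idle.

Added example (not from the original post). The analysis works on a list of
(seconds, rx_bytes, tx_bytes) counter samples; read_counters() is a helper
for Linux (/proc/net/dev) and Windows (`netstat -e`), and the sample data
at the bottom is constructed for illustration.
"""
import os
import subprocess
import sys
import time


def read_counters():
    """Return (rx_bytes, tx_bytes) summed over non-loopback interfaces.

    Linux: parse /proc/net/dev.  Windows: parse the 'Bytes' line of
    `netstat -e`, whose columns are Received then Sent.
    """
    if os.path.exists("/proc/net/dev"):
        rx = tx = 0
        with open("/proc/net/dev") as fh:
            for line in fh.readlines()[2:]:        # skip the two header lines
                name, data = line.split(":", 1)
                if name.strip() == "lo":
                    continue
                fields = data.split()
                rx += int(fields[0])               # receive bytes
                tx += int(fields[8])               # transmit bytes
        return rx, tx
    if sys.platform == "win32":
        out = subprocess.run(["netstat", "-e"], capture_output=True, text=True).stdout
        for line in out.splitlines():
            parts = line.split()
            if len(parts) == 3 and parts[0] == "Bytes":
                return int(parts[1]), int(parts[2])
    raise RuntimeError("no supported counter source on this platform")


def busy_intervals(samples, threshold_bytes_per_sec=2000):
    """Return [(start_s, end_s, bytes_per_sec), ...] for each consecutive pair
    of samples whose combined rx+tx rate exceeds the threshold."""
    busy = []
    for (t0, rx0, tx0), (t1, rx1, tx1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue
        rate = ((rx1 - rx0) + (tx1 - tx0)) / dt
        if rate > threshold_bytes_per_sec:
            busy.append((t0, t1, rate))
    return busy


def idle_verdict(samples, threshold_bytes_per_sec=2000, min_busy_fraction=0.5):
    """Summarise how much of the idle window carried traffic.

    A short burst (an update check) is normal; traffic in most intervals of
    a supposedly idle window is worth investigating.
    """
    busy = busy_intervals(samples, threshold_bytes_per_sec)
    intervals = max(len(samples) - 1, 1)
    fraction = len(busy) / intervals
    return {
        "busy_intervals": len(busy),
        "total_intervals": intervals,
        "busy_fraction": fraction,
        "suspicious": fraction >= min_busy_fraction,
    }


def watch(seconds=300, step=10):
    """Sample the live counters for `seconds` (leave the machine alone), then
    return the verdict for that window."""
    samples = []
    for _ in range(seconds // step):
        rx, tx = read_counters()
        samples.append((time.time(), rx, tx))
        time.sleep(step)
    return idle_verdict(samples)


# Constructed samples (time_s, rx_bytes, tx_bytes): QUIET has one short burst,
# CHATTY moves about 7 KB/s in every interval.
QUIET = [(0, 1000, 500), (10, 1200, 600), (20, 51200, 2600), (30, 51300, 2700)]
CHATTY = [(0, 1000, 500), (10, 41000, 30500), (20, 81000, 60500), (30, 121000, 90500)]

if __name__ == "__main__":
    print("quiet :", idle_verdict(QUIET))
    print("chatty:", idle_verdict(CHATTY))
```

Run `watch()` with the machine untouched for a few minutes; a "suspicious" verdict only tells you that something is talking, not what. Legitimate background jobs (update checks, backup or sync clients) will trip it too, so treat the result as a list of intervals to explain, for example by looking at which program owns the connections with `netstat -b` (Windows) during one of the busy intervals.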
Then I would run a root-kit detection program. There is one from F-Secure called "Blacklight rootkit eliminator" that is in beta at the moment, and therefore free for personal use. The link is here: http://www.f-secure.com/blacklight/blacklight.html . It is a standalone executable, doesn't install, and has separate Windows and command-line versions. I've heard good things about it. I just tested it on one of my systems, and the scan took under 10 minutes. It is able to find hidden stuff, and also able to remove it (although you should take care to back up your important data first).
If you find some sort of malware or rootkit, eliminating it can be difficult. Depending on your system's use (for instance a corporate server), you might want to entirely rebuild the system by reinstalling (not repairing) the operating system and applications. A backup of your important data to CD/DVD would be a good thing to do (two separate backups are better).
You might also want to do some physical checks. For instance, there are keystroke loggers that connect directly to your computer's keyboard cable or USB port. One keyboard keystroke logger looks just like the round plug at the end of the keyboard cable. You may want to set up a power-on password (in the BIOS setup) in addition to having a password-protected login. This might be important to do for a laptop. And consider disk encryption if you have confidential information on the hard disk.
Another BIOS configuration change would be to ensure that your 'boot' order includes only the hard disk. Don't allow booting from a floppy, CD, or USB drive (which is allowed by default on many systems).
And, there's the "Safe Computing" thing....