What should I do if my computer has been compromised?
30 Sep 2010
It’s not always easy to tell if your computer has been compromised. More than ever before, the authors of viruses, worms, Trojans and spyware are going to great lengths to hide their code and conceal what their programs are doing on an infected computer. That’s why it’s essential to follow the advice given in this guide: in particular, install Internet security software, make sure you apply security patches to your operating system and applications, and back up your data regularly.
It’s very difficult to provide a list of characteristic symptoms of a compromised computer because the same symptoms can also be caused by hardware and/or software problems. Here are just a few examples.
- Your computer behaves strangely, i.e. in a way that you haven’t seen before.
- You see unexpected messages or images.
- You hear unexpected sounds, played at random.
- Programs start unexpectedly.
- Your personal firewall tells you that an application has tried to connect to the Internet (and it’s not a program that you ran).
- Your friends tell you that they have received e-mail messages from your address and you haven’t sent them anything.
- Your computer ‘freezes’ frequently, or programs start running slowly.
- You get lots of system error messages.
- The operating system will not load when you start your computer.
- You notice that files or folders have been deleted or changed.
- You notice hard disk access when you’re not aware of any programs running.
- Your web browser behaves erratically, e.g. you can’t close a browser window.
Don’t panic if you experience any of the above. You may have a hardware or software problem, rather than a virus, worm or Trojan. Here’s what you should do.
- Disconnect your computer from the Internet.
- If your computer is connected to a local area network, disconnect it from the network.
- If your operating system will not load, start the computer in Safe Mode (switch on the computer, press and hold F8, then choose Safe Mode from the menu), or boot from a rescue CD.
- If you don’t have a recent backup, back up your data.
- Make sure your anti-virus signatures are up-to-date. If possible, don't download updates using the computer you think is compromised, but use another computer (e.g. a friend’s computer). This is important: if your computer is infected and you connect to the Internet, a malicious program may send important information to a remote hacker, or send itself to people whose e-mail addresses are stored on your computer.
- Scan the whole computer.
- If a malicious program is found, follow the guidelines provided by your Internet security vendor. Good security programs provide the option to disinfect infected objects, quarantine objects that may be infected, and delete worms and Trojans. They also create a report file that lists the names of infected files and the malicious programs found on the computer.
- If your Internet security software doesn't find anything, your machine is probably not infected. Check the hardware and software installed on your computer (remove any unlicensed software and any junk files) and make sure you have the latest operating system and application patches installed.
- If you have any problems removing malicious programs, check your Internet security vendor’s web site for information on any dedicated utilities that may be needed to remove a particular malicious program.
- If necessary, contact your Internet security vendor’s technical support department for further advice. You can also ask them how to submit a sample file for analysis by a virus researcher.