Is your computer hacked? Learn how to detect and delete malware on your PC
If you’re asking yourself this question, it’s probably because your computer isn’t working the way it used to. The gradual decay every system goes through often makes us jump to the false conclusion that “someone is in my PC”. It’s a normal paranoid thought, but it usually turns out to be exactly that: paranoia. As users, we usually aren’t important enough to be a target. More often, when that idea crosses our minds it’s simply because all operating systems (and we mean ALL: Windows, Mac OS and even Linux) decay over time: they slow down and tasks that used to be smooth become sluggish. Before going any further, we should rule this option out.
If you still believe your PC is being controlled remotely, or is infected by a backdoor script or a virus, keep reading.
Symptoms of a possible infection or intrusion happening
If at least half of these symptoms seem familiar to you, you may want to continue reading.
- Internet browsing “is slow”. This means that, regardless of the server hosting the page you’re trying to reach, your actual connection isn’t delivering the speed you pay for (in other words, if you measured your connection with a speed tester, the result would be lower than what you usually get). This can mean that someone else is using your network, but it doesn’t necessarily mean your PC is at risk. If you can’t notice unexplained usage “peaks”, that is, moments when your internet works as usual and moments when it doesn’t, you can be suspicious, but it doesn’t imply that someone is accessing your PC, just that you have a stingy neighbour who refuses to pay for his or her own internet connection. Call your Internet Service Provider and make sure the network password has been customised. Default keys are usually “easier” to crack because they’re often derived from your WiFi network’s name, among other things, which reduces the “time” an attacker needs to work out your password. Server monitoring tools can also be a great help for checking internet connections.
- Connections get cut off. Streaming YouTube videos isn’t smooth, file transfers are interrupted, web pages don’t load completely (you see pages partially, or the images on them don’t load), etc.
- Certificate warnings when visiting a large corporate website, especially if you had never received warnings like these before. Another symptom visible in the browser is your home page having been changed without you explicitly doing so.
- The mouse cursor moves by itself. I know this sounds like something poltergeist-related, but if your PC is doing things it’s not supposed to, such as this, or typing on its own, or filling in passwords you hadn’t previously saved in the browser, you can start to panic a little.
- Browser windows open (or close) on their own without any warning. As we said before, if a window suddenly pops up for a program you didn’t know was on your computer, even if it claims to be an antivirus (for example), and you don’t remember installing it and it says something like “Your PC might be in danger of being infected! Click here for…”: RUN. Turn off your computer and call a friend who you know can fix this for you, or at least lend a helping hand.
- Your antivirus freezes or won’t run, it gets deactivated, or “something” is happening that wasn’t happening before.
- We start receiving a lot of SPAM. “And how much is too much?” you may ask; well, when you open your mail client and, outside your SPAM folder (that is, in your primary inbox), you find 20 emails (just a random number) that you know are SPAM, you can start to suspect something is going on.
- Our own emails start being classified as SPAM and we get bounced messages from servers we didn’t have issues with before.
- The computer works slower, not only when we run applications; in general it’s just “slow”. This can have a thousand causes but, if what look like common operating system problems cannot be solved with the “normal” solutions, the situation might be slightly different.
- There is a lot of disk activity even while the computer is idle or not running any processes, and there is nothing to justify that activity (a download, a scheduled disk compaction, etc.).
- You can’t shut down the computer.
- Newly installed applications appear that you haven’t installed yourself and that include pop-ups, icons in the notification area or search bars in your internet browser. This last one is one of the most common scenarios lately. What has been dubbed ‘Malware’ has blossomed for all internet browsers. This malware replaces your default search engine, forces pop-ups on you, blocks certain websites and, most dangerous of all, some of it includes a keylogger script able to pick up all your keystrokes and send back passwords and usernames.
and check, with the most advanced tools you can find, whether your PC has been compromised. These tips apply equally to Mac OS, Windows and Linux systems.
How to get rid of malware and viruses
Before you begin trying to rid your PC of security risks, close ALL the software you have running, including your browser, mail client, Spotify, etc. All of them means ALL of them.
First off, we’ll check the list of ACTIVE network connections on our computer. You’ll have to open a terminal window; yes, that small black screen with high-contrast text that scares most people and is stereotypically thought to be used only by “real haxx0rs” (chill, you aren’t going to sprout a plaid shirt and ultra-thick glasses). Stay calm: as long as you don’t stray from what someone who knows is telling you to do or type there, you can open one of these without worrying. In this case you’ll need to copy or type the following command lines:
netstat -an | grep ESTAB (Linux, Mac)
netstat -an | findstr ESTAB (Windows)
which will return a list that looks something like this one:
C:\Users\god>netstat -an | findstr ESTA
TCP 192.168.43.134:49370 188.8.131.52:80 ESTABLISHED
TCP 192.168.43.134:49475 184.108.40.206:443 ESTABLISHED
TCP 192.168.43.134:49493 220.127.116.11:443 ESTABLISHED
TCP 192.168.43.134:49530 18.104.22.168:80 ESTABLISHED
In this example we have four connections that originate on my computer (the left-hand column is the “ORIGIN”) going to four IPs on the internet (listed in the right-hand column), with destination ports 80 and 443 TCP, generally used for web browsing. This looks like legitimate traffic, but what if I don’t have a web browser open? Then it can be suspicious, although in reality many legitimate background system processes and services connect every now and then to some service. These connections are usually intermittent; a PERMANENT connection to one of these IPs would be quite unusual, and is a reason for suspicion.
Each system (Windows, Mac, Linux) has a way to list the active processes on the system. In Windows it’s the ‘Task Manager’; on Mac OS it’s similar and is called ‘Activity Monitor’; on Linux, since each graphical environment has its own name for it, the most common way to access this list is through the command ‘ps -ef’ or ‘top’.
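The distinction above between intermittent and PERMANENT connections is easier to judge if you capture the netstat listing a few times and keep only the remote endpoints that show up every time. The script below is an added example, not part of the original article: it parses constructed netstat snapshots (the four web connections from the listing above plus a made-up 203.0.113.9:4444), works with both the Windows and the Linux/Mac column layout, and reports the remotes that persist across every snapshot, marking those outside ports 80 and 443.

```python
import re

# Constructed "netstat -an" snapshots taken a few minutes apart (Windows layout);
# the four web connections are the ones from the listing above, 203.0.113.9 is made up.
SNAPSHOTS = [
    """  TCP    192.168.43.134:49370   188.8.131.52:80        ESTABLISHED
  TCP    192.168.43.134:49475   184.108.40.206:443     ESTABLISHED
  TCP    192.168.43.134:49493   220.127.116.11:443     ESTABLISHED
  TCP    192.168.43.134:49530   18.104.22.168:80       ESTABLISHED
  TCP    192.168.43.134:49601   203.0.113.9:4444       ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING""",
    """  TCP    192.168.43.134:49702   184.108.40.206:443     ESTABLISHED
  TCP    192.168.43.134:49601   203.0.113.9:4444       ESTABLISHED
  TCP    192.168.43.134:49710   18.104.22.168:80       TIME_WAIT""",
    """  TCP    192.168.43.134:49811   184.108.40.206:443     ESTABLISHED
  TCP    192.168.43.134:49601   203.0.113.9:4444       ESTABLISHED""",
]

ADDR_RE = re.compile(r"^(.+):(\d+)$")   # "ip:port", also "[ipv6]:port"
WEB_PORTS = {80, 443}                    # destination ports the text calls normal browsing


def parse_established(netstat_text):
    """Set of (remote_ip, remote_port) pairs in ESTABLISHED state.
    Windows (Proto Local Remote State) and Linux/Mac (proto q q Local Remote State)
    both list local then remote, so the first two addr:port tokens are enough."""
    remotes = set()
    for line in netstat_text.splitlines():
        tokens = line.split()
        if "ESTABLISHED" not in tokens:
            continue
        addrs = [m for m in (ADDR_RE.match(t) for t in tokens) if m]
        if len(addrs) >= 2:
            remote = addrs[1]
            remotes.add((remote.group(1).strip("[]"), int(remote.group(2))))
    return remotes


def persistent_remotes(snapshots):
    """Remote endpoints present in every snapshot: a PERMANENT connection."""
    sets = [parse_established(s) for s in snapshots]
    return set.intersection(*sets) if sets else set()


def triage_connections(snapshots):
    """List persistent remotes, marking those outside the usual web ports."""
    report = []
    for ip, port in sorted(persistent_remotes(snapshots)):
        reason = "persistent" + ("" if port in WEB_PORTS else ", non-web port")
        report.append((ip, port, reason))
    return report
```

A persistent connection on a web port still deserves a look (which process owns it?), but one on an unusual port with no browser open is the case the text calls a reason for suspicion.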
With all your applications closed, open the task manager you’re using and look through the entire list of processes (including system or administrator processes) and investigate each of them manually.
Discard those that seem legitimate and write down those that seem suspicious. Some legitimate processes can be:
And many, many more. All those that you don’t know what they are or why they’re running will have to be analysed in more detail. An interesting clue is the location of the executable behind the process. To see it, select the process in the task manager and then right-click > Properties. If an executable with a suspicious name is also being run from a fishy directory (such as c:\windows\temp), it has a greater chance of actually being dangerous.
Many of the tools used in attacks (trojans, viruses, backdoor scripts, etc.) usually change their filenames, but not their means of infection. If you search Google for the filename, it’s very likely you’ll find more information on it. You also have to be careful with false positives, that is, avoid identifying as malware things that are not.
You may identify one of them, and maybe confirm it as a ‘worm’. At this point you can confirm that there is at least one access point into your system. Removing an infection can be very complicated, since the mechanisms that allow a trojan to stay alive in your system can be very complex and tedious to decipher and remove effectively. Once you’re at this point, the best thing you can do is use a professional antivirus and, after a few days, verify manually that the malicious process is no longer running and that there is no other suspicious activity.
Remember that no antivirus is 100% trustworthy. One of the symptoms of an infection can be that you can’t correctly install any antivirus at all. The first step may be to kill the process that is preventing the antivirus from installing, and then retry the installation. Bear in mind that rebooting the system will make your PC run the infection process again.
This manual verification process can be extended with many additional tasks, but if you have a network with multiple systems, you most likely won’t have time to do this one by one for each PC, and you should therefore follow a set of good practices.
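The manual triage described above (recognised name, executable location, fishy directory) can be written down as a scoring rule so you apply it consistently to every entry in the process list. This is an added example, not code from the article: the allow-list of recognised processes, the list of suspicious directories and the sample process list are all constructed for illustration; a real allow-list would be far longer, and an unrecognised name only means “look it up”, not “malware”.

```python
# Constructed allow-list of recognised process names and the directory each
# normally runs from; a real one would be much longer ("and many, many more").
KNOWN_GOOD = {
    "explorer.exe": "c:/windows/",
    "svchost.exe": "c:/windows/system32/",
    "chrome.exe": "c:/program files/google/chrome/application/",
}

# Directories that legitimate software rarely runs from (the text's example
# is c:\windows\temp); Unix equivalents included for Mac/Linux.
SUSPICIOUS_DIRS = [
    "c:/windows/temp/", "c:/users/public/", "/appdata/local/temp/",
    "/tmp/", "/dev/shm/", "/var/tmp/",
]

# Constructed process list, as you would copy it from Task Manager > Properties.
PROCESSES = [
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"name": "svchost.exe", "path": r"C:\Windows\Temp\svchost.exe"},
    {"name": "updater.exe", "path": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"name": "Spotify.exe", "path": r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe"},
]


def norm(path):
    """Lower-case and use forward slashes so Windows and Unix paths compare alike."""
    return path.replace("\\", "/").lower()


def assess(proc, known_good=KNOWN_GOOD):
    """Return the reasons a process deserves a closer look (empty = looks fine)."""
    name = proc["name"].lower()
    directory = norm(proc["path"]).rsplit("/", 1)[0] + "/"
    reasons = []
    if any(d in directory for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a temporary or public directory")
    expected = known_good.get(name)
    if expected is None:
        reasons.append("name not recognised: look it up before deciding")
    elif not directory.startswith(expected):
        reasons.append("known name running outside its usual directory")
    return reasons


def triage_processes(processes):
    """Processes worth investigating, the ones with most reasons first."""
    flagged = [(p["path"], assess(p)) for p in processes]
    flagged = [(path, r) for path, r in flagged if r]
    return sorted(flagged, key=lambda item: -len(item[1]))
```

The combination the text singles out (a name that looks like a system process running from a temp directory) scores two reasons, while an unknown name in a normal location scores one and is the false-positive case to check before acting.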
- Have an antivirus installed on all PCs on the network.
- Make sure that the antivirus is always running and that it doesn’t stop, whether because of a manual intervention or for any other reason.
- Verify that the antivirus is always up-to-date.
In a large installation (with 20-30 devices or more on the same network) this can’t be done automatically. The ideal solution in this situation is to use some kind of server monitoring software that you can customise enough to check the three points above permanently, refreshing the data at short intervals. That way, whenever there is an issue, you’ll be able to react to it faster. A couple of good examples of monitoring systems that are flexible, multiplatform and open source are Pandora FMS and Nagios.
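The three good practices above (installed, running, up to date) are exactly what a monitoring check on each PC would evaluate on every poll. The following is an added example and not part of the article or of any monitoring product: it takes a constructed inventory of what an agent on each PC might report, applies the three checks with an assumed maximum signature age of 3 days, and then compares two consecutive reports so that only newly appeared problems raise an alert.

```python
from datetime import date, timedelta

# Constructed inventory as a monitoring agent on each PC might report it:
# whether an antivirus is installed, whether it is running, and the date of
# its last signature update (None = never updated / unknown).
INVENTORY = [
    {"host": "pc-01", "av_installed": True, "av_running": True, "signatures": date(2024, 5, 10)},
    {"host": "pc-02", "av_installed": True, "av_running": False, "signatures": date(2024, 5, 10)},
    {"host": "pc-03", "av_installed": True, "av_running": True, "signatures": date(2024, 4, 28)},
    {"host": "pc-04", "av_installed": False, "av_running": False, "signatures": None},
]


def check_host(record, today, max_age_days=3):
    """Apply the three good practices to one PC; returns a list of problems."""
    if not record["av_installed"]:
        return ["no antivirus installed"]       # the other two checks are moot
    problems = []
    if not record["av_running"]:
        problems.append("antivirus not running")
    last = record["signatures"]
    if last is None or today - last > timedelta(days=max_age_days):
        problems.append("signatures out of date")
    return problems


def fleet_report(inventory, today, max_age_days=3):
    """Map each host with at least one problem to its list of problems."""
    report = {}
    for record in inventory:
        problems = check_host(record, today, max_age_days)
        if problems:
            report[record["host"]] = problems
    return report


def new_alerts(previous, current):
    """Problems that appeared since the last poll, so you react only to changes."""
    alerts = {}
    for host, problems in current.items():
        fresh = [p for p in problems if p not in previous.get(host, [])]
        if fresh:
            alerts[host] = fresh
    return alerts
```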