
How to Know If Your Computer Is Infected

 

These days malicious software is becoming an epidemic. It seems like it’s everywhere. Sadly, there has also been a change in the way malware acts. It used to be that it would slow down your computer or display annoying popups, but now malware is becoming increasingly discreet. You could be infected right now and not even know it. Sadly, it also often seems as if the only way to make sure you’re not infected is to scan your computer with numerous anti-malware programs. Doing this can be time consuming and, while scanning, may even slow your computer to a crawl. Even after that you still can’t be sure you're clean, because scanners cannot recognize all new malware. The only other feasible option I had heard of is to have someone else examine your computer. Generally this would be done online via scan logs, but this is also time consuming and not 100% reliable.

 

Because of these difficulties I have come up with a better method. This uses multiple programs, not to remove files, but just to analyze the computer. Each of these programs is very effective. They are all portable applications and will not cause any conflicts on your computer because they are only running when you're using them. However, they do require an active internet connection to function properly. After you have already gone through the below process once, and had all files whitelisted, this approach is much faster, much more certain, and much easier than any other approach I've seen. No type of malware can escape this process. I've never seen another method that could boast of that. However, some of the methods described here may seem very difficult, or even above your level of expertise. I promise that these methods are not nearly as difficult as they seem. Some may require a little bit of effort on your part, but they are certainly doable. In fact, after doing it once the process will become much easier the second time. This is very useful as most people will want to be able to ensure that their computer is clean at all times, not just once.

 

I also want to stress that in order to make sure that your computer is not infected you must follow each step. None of these programs is meant to be used independently. Each depends on the others to account for different infection scenarios. Also, if any step shows definite evidence of an infection, after your investigation, you should move directly to the last section. There is no reason to continue your investigation as your computer is already found to be infected.

 

However, if your computer passes all 3 tests below then you can be about 95% certain that it is clean. I would be nearly 100% certain, but there's currently a minor bug with Comodo Autoruns which makes analysis more difficult.

 

Simplest Way To Follow This Advice

The simplest way to follow the methods below is to go through each process and, instead of manually making sure each file is safe, just submit all unknown files to Comodo for analysis. Instructions for how to do this are given below. After submitting these files all that is required is for you to sit and wait for them to complete their analysis (although this could take anywhere from a few days to a few weeks depending on the number of unknown files). You won't have to do any analysis of your own.

 

Index

  1. Check for Rootkits
  2. Use KillSwitch
  3. Use Comodo Autoruns
  4. Cleaning Any Infections

 

 

1. Check for Rootkits

 

It's important to ensure that there are no rootkits sitting on your computer. First scan your computer with Kaspersky TDSSKiller. The download link is near the bottom of the page. TDSSKiller will scan your computer for some of the most common types of rootkits. I've found it to have relatively few false positives and a very high detection rate. By the way, some scanners, including Comodo Cleaning Essentials, may detect this file as a dangerous file. It's not. This is a safe download link. It's just that the behavior of the program seems suspicious. If it is detected you can safely ignore the detection and continue on with the rest of the methods. As with every program in this article, I recommend that you do not delete any files using this program. A false positive on the wrong file could destroy your computer, even if you’re not infected.

 

To use this program, download the file and unzip it. Then open the file called TDSSKiller. Next select the option to “Start Scan”. This scan should take less than a minute. If it does not find any rootkit activity then you should next check your computer with Comodo Cleaning Essentials.

 
Download Comodo Cleaning Essentials (CCE). Do not remove or disable anything with this program as it can be very dangerous if used improperly. We are only using its analytical abilities. Please do not use it to try and clean up any infections or you could inadvertently harm your computer. From the link above just select the correct version for your operating system. If you're not sure if your computer is running a 32 or 64 bit operating system then please see this FAQ. Next unzip the file, open the folder for CCE, and double click on the file called CCE. This will open the main program for Comodo Cleaning Essentials. If it refuses to open then hold down the shift key and, while still holding it down, double click on the file called CCE. After CCE has successfully opened you can let go of the shift key. Holding down shift should allow it to open, even on heavily infected computers. It does this by killing most of the unnecessary processes that could be interfering with its launch.
 

Now select the option to do a smart scan with CCE. To do this click on the icon for "Smart Scan". This will scan your computer for all types of malware, but we are specifically interested in its ability to identify rootkits. It will immediately begin downloading the most recent virus database, which may take a long time to complete. Once it has completed downloading it will immediately begin scanning. The scan should not take too long to complete. As before, I recommend that you do not delete any files using this program. One problem with this program is that I do find it to have a few false positives. Thus the best option, in order to be sure of the results from its scan, is to report any files detected as dangerous, that you believe may be safe, to Comodo for analysis. You can do this by reporting them as a false positive on this page. Just select false positive and fill out the required information. Comodo analysts will get back to you by email with the results of their analysis.

 

After the scan is complete it will ask you to restart your computer. Allow it to restart. Do not open any unnecessary programs as this will make step 2 simpler. Just as another reminder, do not remove any files with this program. Once it restarts it will pop up with the final results. If it did not find anything, and neither did any of the above methods, then you can continue on to the next step.

 

For anything either of these programs does detect, I would advise that you navigate to the path given by Kaspersky TDSSKiller, or CCE, and investigate the files using the methods described in How To Tell If A File Is Malicious. However, for rootkits this is not always possible depending on how well the file is hidden. For those of you who are tech savvy you can attempt to follow the advice given in this post on the Comodo forums. However, another option is to post your results in a new topic you create in this section of the Comodo forums. Be sure to also mention the results of everything you did above. Of course, you can also post this in other security forums. However, it will likely be useful to create an account for the following steps, so you may as well post it in the Comodo forums. You will definitely get help in figuring out what’s going on with your computer.

 

2. Use KillSwitch

 

Again open Comodo Cleaning Essentials (CCE) and go to "Tools". Then select the option to "Open KillSwitch". KillSwitch will immediately begin analyzing all your running processes. This analysis should only take a minute or so. The reason I asked you not to open any other programs in the above step is because malware will nearly always run on system startup, while many legitimate programs will not. Thus there will be fewer potentially dangerous processes to examine.

 

Without waiting for the analysis to complete you can go to “View” and select “Hide Safe Processes”. This will hide all processes that are verified to be safe by Comodo. Once the analysis is complete all that are left are those programs that are either believed to be malicious or are unknown. Be aware that unknown does not mean dangerous. It only means that the file has not yet been whitelisted by Comodo. If KillSwitch now shows that “There are no items to show”, then your computer passed this part of the tests. You can move on to part 3. However, if there are files remaining then you should analyze them. To get to the file right click on the process in question and select “Jump to Folder”. This will open up the folder where the associated file is located and select the file as well. Then you can follow the methods described in How to Tell If a File Is Malicious.

 

Please note the option to analyze them by submitting them to Comodo to be added to the whitelist. This is very effective, especially as it will also help make future scans much easier to evaluate. Also, as KillSwitch uses the same virus database as CCE, it has a relatively high false positive rate. Thus you should report any files detected as dangerous, that you believe may be safe, to Comodo for analysis. You can do this by reporting them as a false positive on this page. Just select false positive and fill out the required information. Comodo analysts will get back to you by email with the results of their analysis.

 

If your analysis shows that the file is safe, or you truly believe the file is safe, I would recommend submitting the program, or file, to Comodo for whitelisting. Instructions for how to submit programs, or individual files that belong to programs, can be found in this topic of the Comodo forums. Make sure you read through the first post entirely and follow all recommendations. This will ensure that your request is completed as quickly as possible. These submissions will be analyzed by Comodo staff and, if appropriate, added to the whitelist. However, in order to submit programs, or files, you do need to have an account on the Comodo forums. If you don't already have one then it's very easy to get one. There is an option to register on the top of any page on the Comodo forums.

 

If you submit all the safe programs on your computer for whitelisting then, once they're whitelisted, the next time you scan with KillSwitch there should not be any more unknown processes for you to examine. Thus, it becomes an incredibly easy task to ensure that your computer is still clean of infections. In fact, my computer always shows a completely blank screen after selecting the option to “Hide Safe Processes”. This allows me to ensure that my system has passed this test in less than one minute. Once you're done with this part you can close KillSwitch.

 

3. Use Comodo Autoruns

 

Now, through CCE, which should still be open, again go to "Tools". This time select the option to "Open Autorun Analyzer". This program will analyze the registry and show you the files associated with each item. Almost all malware will write to the registry. Thus, by scanning for all files associated with registry entries, this program can identify malware and unknown files, even if they aren't running. It may even be useful in identifying rootkits, although that is not its primary purpose. The downside to using this program is that it will likely give you more files to check than the above methods. However, if you really want to be sure that your computer is clean then this step is also necessary. As before, do not delete/disable anything with this program as it can be very dangerous if used improperly. We are only using its analytical abilities. Please do not use it to try and clean up any infections or you could inadvertently harm your computer.

 

After Comodo Autoruns opens it will immediately begin compiling the list. This process could take a couple of minutes to complete. Without waiting for the list to finish being compiled you can go to “View” and select “Hide Safe Entries”. Note that this option will now be prechecked every subsequent time you run the program. Once the list is compiled Comodo Autoruns will automatically begin analyzing each entry. Wait until all entries have been analyzed. If this is the first time you have run this program, you should now close it and then open it again. I find that this often allows Comodo time to analyze some of the unknown files so that this time there will be less to check. If Autoruns now shows that “There are no items to show”, then your computer passed this part of the tests. If it also passed all of the above steps then your computer is clean and you no longer need to worry.

 

However, if there are still entries left over you should begin analyzing them. To get to the files that these entries are associated with right click on an entry and select “Jump to Folder”. This will open up the folder where the associated file is located and select the file as well. Also, with this program you will find that often a single file has numerous entries, which means that there’s not nearly as much analysis to be done as there would seem. You can analyze these files by using the same methods described in How To Tell If A File Is Malicious. Please note the option to analyze them by submitting them to Comodo to be added to the whitelist. This can be very effective, especially as it will also help make future scans much easier to evaluate. Also, like above, Comodo Autoruns has a relatively high false positive rate. Thus you should report any files detected as dangerous, that you believe may be safe, to Comodo for analysis. You can do this by reporting them as a false positive on this page. Just select false positive and fill out the required information. Comodo analysts will get back to you by email with the results of their analysis.

 

If your analysis shows that the file is safe I would recommend submitting the program, or file, to Comodo for whitelisting. You can do this by following the same process described above. Once again, make sure you read through the first post entirely. If you submit all the safe programs on your computer for whitelisting then, once they're whitelisted, the next time you check there should not be any more unknown entries for you to examine. Thus, it becomes an incredibly easy task to ensure that your computer is still clean of infections. In fact, my computer always shows a completely blank screen after selecting the option to “Hide Safe Entries”. This allows me to ensure that my system has passed this test in just a few minutes.
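Steps 2 and 3 both come down to the same triage idea: collect every file that is either running or registered to start, classify each unique file once, and hide the ones you already trust. The script below is an added example of that idea (it is not Chiron's or Comodo's code and does not talk to Comodo's cloud): it lists the image files behind running processes and the common Run/RunOnce keys, then marks each file Safe (valid Authenticode signature, or SHA-256 on a local allowlist) or Unknown. It assumes Windows PowerShell 4.0 or later, an elevated prompt, and a hypothetical allowlist file at C:\Triage\allowlist.txt.

```powershell
# Added example, not part of the original article. Like the article's method
# it only analyzes: nothing is deleted, killed or disabled.
$AllowListPath = 'C:\Triage\allowlist.txt'   # hypothetical: one SHA-256 per line
$AllowList = @{}
if (Test-Path -LiteralPath $AllowListPath) {
    Get-Content -LiteralPath $AllowListPath | ForEach-Object {
        if ($_.Trim()) { $AllowList[$_.Trim().ToUpper()] = $true }
    }
}

# Turn a registry command line such as  "C:\Program Files\X\x.exe" /silent
# or  C:\Program Files\X\x.exe /silent  into the executable path.
function Resolve-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path with spaces: grow the candidate token by token until it exists.
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]   # bare names such as rundll32.exe stay unresolved (reported as Missing)
}

$entries = @()

# 1. Running processes (what KillSwitch looks at). Processes whose image path
#    cannot be read from this session have an empty Path and are skipped.
Get-Process | ForEach-Object {
    if ($_.Path) {
        $entries += [pscustomobject]@{ Source = "process:$($_.Id)"; Path = $_.Path }
    }
}

# 2. Autorun registry entries (what the Autorun Analyzer looks at): the keys
#    most commonly written so that a program starts again after a reboot.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $img = Resolve-ImagePath ([string]$p.Value)
        if ($img) {
            $entries += [pscustomobject]@{ Source = "$key\$($p.Name)"; Path = $img }
        }
    }
}

# 3. Classify each unique file once: as the article notes, one file often
#    backs many entries, so grouping shrinks the list to analyze.
$report = $entries | Group-Object -Property Path | ForEach-Object {
    $path = $_.Name
    $status = 'Missing'; $hash = ''; $signer = ''
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        if ($AllowList.ContainsKey($hash))  { $status = 'Safe (allowlisted)' }
        elseif ($sig.Status -eq 'Valid')    { $status = 'Safe (signed)' }
        else                                { $status = 'Unknown' }
    }
    [pscustomobject]@{
        Status  = $status
        Path    = $path
        SHA256  = $hash
        Signer  = $signer
        Entries = ($_.Group.Source -join '; ')
    }
}

# "Hide Safe Processes" / "Hide Safe Entries": show only what still needs a
# human look (or a submission to Comodo for whitelisting).
$report | Where-Object { $_.Status -notlike 'Safe*' } | Sort-Object Path | Format-List
```

A valid signature only tells you who signed the file, not that it is benign, so treat the Signer column as a triage aid and still look into anything you do not recognize; a Missing status on an autorun entry usually means a leftover entry whose file is gone, which is worth noting but not by itself a sign of infection.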

 

4. Cleaning Any Infections

 

If any of these methods do show that your computer is infected you should check out How to Clean An Infected Computer. Following this advice should allow you to remove almost any infection and get your computer back to working order. Once the cleaning is complete I would recommend following the above methods to ensure that all infections were successfully removed.

 

 

 

 

If you have any problems or are confused by my directions please leave a comment below and I will try to help. Trust me, if you are having a problem then so are many others. I need to know this so that I can improve the article and make it usable for everyone. Also, and this is especially important, if you find a situation in which none of these methods shows evidence of an infection, but the system is definitely infected, please let me know. I have seen no evidence of this happening, but if I do receive proof of a bypass then I will need to rethink my strategy.

In addition, if you believe this article deserves anything less than 5 stars, please leave a comment below explaining how you think it can be improved or where you find fault. This article is written by me but fueled by the community. Thus your opinions and advice are not only much appreciated, but necessary in order for this article to grow and improve.

 

If you found this article useful then perhaps you'd like to check out some of my others.

How to Clean An Infected Computer

How to Stay Safe While Online

How to Protect Your Online Privacy

How to Tell if a File is Malicious

How to Avoid Spam

How to Report Spam

How to Tell If A Website Is Dangerous

How to Install Comodo Firewall

 

This software category is maintained by volunteer editor Chiron. Registered members can contact the editor with any comments or suggestions they might have by clicking here.

 


Comments

by trent andrew (not verified) on 26. February 2012 - 8:23  (89511)

Hi Chiron,
You said that this is the fastest process, right?
Actually scanning with autoruns analyser and then determining whether the entries detected by it are safe or not is a pain in the ass and takes days even with the methods you suggested.
So please consider a complete rewrite removing comodo.
I once again apologise to say this but i am posting this from my heart after several days of frustration trying to follow this article.

by Chiron on 26. February 2012 - 17:11  (89535)

I'm sorry to hear that. I suppose what I meant when I wrote that was that after all files are whitelisted it's very fast. I will change the wording in the next rewrite.

I was thinking of adding a quick note for people saying that another way to go about this process, assuming you have time to wait, is to go through the process and, instead of manually making sure each file is safe, just submit all files to Comodo for analysis. (By the way, how many unknown files do you have?)

Then you would just need to sit back and wait, although it could take a few weeks for this to complete in some cases.

Would this sort of approach, if I were to make it more explicit, work better for you?

I really appreciate your feedback.

Thanks.

by trent andrew (not verified) on 26. February 2012 - 8:19  (89510)

Hi Chiron,
I am really sorry to say this.
But still I need to.
This article is awesome but you can't suggest autoruns analyser anymore. It is just too buggy.
Don't cheat yourself by thinking it's fine.
I am kindly requesting you to remove it from this article.
I am really sorry if i am a bit harsh.

by Chiron on 26. February 2012 - 17:12  (89536)

Please try my workaround described in my bug report here:
http://forums.comodo.com/bug-reports-cce/autoruns-analyzer-finds-differe...
and let me know if it helps.

Thanks.

by Chiron on 9. March 2012 - 3:01  (90108)

Okay, so I've received a response from the lead developer. He says that this bug is related to cloud server timeouts, but that it cannot list a malicious file as safe, it can only list files as unknown.

The problem is related to poor network and they are currently working on improvements.

Until then we'll just have to deal with what we have. That said, even just following the first two methods I recommend is very effective. There is very little malware which can slip through that net.

I'm not too worried. Because of this I've changed my certainty to 95%.

by Aaron J (not verified) on 21. February 2012 - 21:26  (89204)

I wanted to let you know that I tried doing the process you've laid out to determine if my computer was infected. The scans showed that everything was okay but I didn't believe it, went back and did a scan with ESET online and found some malware with that tool. Nor did any of the other tools I used find the malware except for ESET.

by Chiron on 22. February 2012 - 0:56  (89216)

Can you please post Comodo Valkyrie (or VirusTotal) links for all files that were not detected by this method? I would really like to look into this.

Also, what were the missed files detected as? It's possible that this was a false positive that ESET detected?

by Aaron J (not verified) on 26. February 2012 - 0:54  (89494)

Hi Chiron,

Below is a copy of the scan with the malware paths. You can see the whole malware cleaning process I did with the Smartest Computing Group here, http://www.smartestcomputing.us.com/topic/50476-possible-malware-infection/.

I am redoing all of the scans yet again because I didn't fully get rid of that pdfcreator program and somehow I got reinfected. I am not really sure what happened as I tried using Comodo Firewall which seems to be really great but really really confusing. For best protection, I put it to Defense+ and paranoid mode but got a lot of popups that I was just guessing at and ended up binding my system up pretty badly a couple of times. By the way, I see you have a section in Gizmo on setting up the firewall which I did not find or read till recently. I will try redoing Comodo once I get re-cleaned.

At any rate, I'm pretty sure something was running on there that wasn't supposed to. I've done gobs of scans & cleaners & saved all the logs but haven't submitted them to anyone yet. Just trying to get it working as fast as possible. Up till now, I've only had one computer to use but now I have another older computer to use for downloading scanners. And I'm almost done with the scans now.

I have a couple of questions during this,
1. I have multiple windows installations a, b, b, recovery console, & media center (I can choose between these when I hit F12, I believe I created one of the b installations by accident).
2. I have UDP ports connecting to IP 205.152.144.23:53 & 205.152.132.53 and I question if I should be getting these. They show up in the comodo firewall active connections & also some of the scan logs I've done.
3. I am trying to track down why I have so many outgoing connections from the Comodo firewall (when I start up the program, I have had up to 80 connections). Maybe this will be less after finishing all of these scans & cleaners.
4. I question if Secunia PSI, windows defender, and some other programs should be accessing my registry: reading or making changes, seems like a lot of processing & I can't imagine what for after they have ample time to update themselves.
5. I am a little confused if I should have my wireless switch on when using malware scanners like GMER, DDS, etc or if it should be off.

Your comments and suggestions are highly appreciated. And I will gladly post my latest round of scans if you would like to look at them.

Finally, I want to thank you guys a million times over for your AMAZING website! I love Gizmo and go to your website for just about everything! I only found your website in the last 6 months but it has been a great blessing in my life - with such well reviewed programs, information, and suggestions! Without it I would probably have bought a second computer (new) by now & not learned what I needed to keep it safe from malware. I recommend your site to all my friends, family, & colleagues. Thank you so much for such a great service! :)

Aaron J

ESET Scan

C:\Documents and Settings\Aaron\My Documents\Downloads\BestVideoDownloaderSetup-TurboUpgrade.exe probably a variant of Win32/Adware.DWTYODG application cleaned by deleting - quarantined
C:\Documents and Settings\Aaron\Desktop\Junk\Program Setups\UBCD4WinV360.exe.vir Win32/PrcView application deleted - quarantined
C:\Documents and Settings\Aaron\Desktop\Junk\Program Setups\PDFCreator-1_2_3_setup.exe multiple threats deleted - quarantined
C:\Documents and Settings\Aaron\Desktop\Junk\Program Setups\UBCD4WinV360.exe Win32/PrcView application deleted - quarantined
C:\Program Files\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Program Files\TuneUp Utilities 2012\keygen.exe a variant of Win32/Keygen.BU application cleaned by deleting - quarantined
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP203\A0056007.exe probably a variant of Win32/Adware.DWTYODG application cleaned by deleting - quarantined
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP215\A0062425.exe multiple threats deleted - quarantined
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP215\A0062426.exe Win32/PrcView application deleted - quarantined
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP215\A0062427.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP215\A0062428.exe a variant of Win32/Keygen.BU application cleaned by deleting - quarantined

by Anupam on 26. February 2012 - 6:37  (89506)

It is a kind request. If you have an individual problem, which will take up long comments like these, and require some amount of discussion, please open a thread in the forum, so that it can be dealt with in a proper manner. The comments section on main site is not meant for such long discussions, or such long comments. Please register on the site, and post the issue in the forum in a new thread please.

by Chiron on 26. February 2012 - 1:27  (89497)

Okay, there's just one thing I want to make sure of. Simply scanning with the programs I advise in this article and finding nothing malicious is not enough to guarantee that your computer is not infected. You must manually analyze each unknown file that is found or (even better) submit them all to Comodo to be whitelisted.

Only when you have manually investigated every unknown file found by the methods above can you say that your computer is not infected.

Did you go through all that work or did you think that because nothing dangerous was found your computer was not infected?

I'd really appreciate it if you could clarify this point.

Thanks.

by Aaron J (not verified) on 26. February 2012 - 0:58  (89495)

I don't know if I have backups of those files to submit to virus total or not. I will have to see once the scanner gets done as I've saved many of these programs to an external hard drive.

by MidnightCowboy on 22. February 2012 - 4:26  (89227)

A lot of these tools flag things as malware for a variety of weird and wonderful reasons, the motive being to sell you the full program.:) As you say though, results are meaningless without the file/path names.

by Chiron on 22. February 2012 - 15:27  (89251)

Actually, I have an idea for what this may be, and it's something that I should have mentioned in the article.

My methods will identify any malware that is active, or potentially dangerous, on your computer. However, there may still be remnants of malware that go undetected by my method. However, these are likely harmless files or registry entries that cannot hurt your computer. However, other scanners may find these entries and flag them, but I'm not going to make this article even more complicated in order to clean up all traces of programs. I personally don't think that this is worth your time.

Therefore, I'd be very interested to know what this file was detected as, where the file was located, and the name of the file. A link to the Comodo Valkyrie results would be useful as well.

Thanks.

by trent andrew (not verified) on 20. February 2012 - 6:48  (89073)

Hi Chiron,
I installed CCE and ran autoruns analyser and it first detected 5 as unknown and when I again ran autoruns after an hour or so it detected 7 files as unknown.
And what shall I do in order to confirm that the 7 files detected are safe?
Thanks in advance.
(P.S. I thank you heartily for your articles on this site and I also deeply admire your helping nature on the comodo forums.)

by Chiron on 20. February 2012 - 12:08  (89092)

Please read through this section:
https://www.techsupportalert.com/content/how-tell-if-file-malicious.htm#... (If you believe the file is safe)
of How to Tell if a File Is Malicious.

If you don't want to wait for the files to be whitelisted then you can check it with the methods in the other parts of the article. This will be faster for now, but I would still recommend submitting them to be whitelisted anyway. It will make future analysis much quicker and easier.

by Azhar (not verified) on 17. February 2012 - 22:57  (88992)

Hi Chiron,

I really liked your article but I have a problem though. I was trying to run CCE autorun but it didn't work. I tried it several times (even restarting the pc); the first time it ran for a while then stopped and was frozen. After that every time i tried, it started but after a few seconds the window simply disappeared! Later I tried to run CCE smart scan and the same thing happened: it started, scanned a few items and then just simply disappeared. On the other hand I can run KILLSwitch without having any problem. Can you please let me know what to do. My OS is vista 64-bit sp2, I am using avast av and comodo firewall.

by Chiron on 18. February 2012 - 2:03  (88996)

That's odd. It sounds like you've either encountered a bug or the computer is very infected. Either way it should be able to run, but it appears there is a problem.

Please try re-downloading it and see if that fixes it. If it doesn't then I would really appreciate it if you could create a new topic here on the Comodo forums:
http://forums.comodo.com/help-cce-b270.0/

See if anyone has an idea for how to fix this and if they don't then please report this as a bug so the developers can fix it for the next release.

Thanks.

by Azhar (not verified) on 18. February 2012 - 23:21  (89032)

I re-downloaded it and it didn't work either. It allows me to run Killswitch while it doesn't work when I try to run autoruns (I have noticed on smart scan it stops during autoruns). Anyway, I am gonna start a new topic on that forum. So far I have tested my pc with MSE, MS malware removal tool, malwarebytes (safe mode), avast (boot scan), Killswitch, ThreatFire and have found nothing in my system.
Thanks a lot again.

by Chiron on 18. February 2012 - 23:41  (89034)

I'm very sorry to hear about this. It really sounds like this is a bug.

Actually you can go ahead and post it here instead:
http://forums.comodo.com/bug-reports-cce-b272.0/

This is the bug reports section. If we find it to be something other than a bug then I'll move it back to the help section.

by trent andrew (not verified) on 15. February 2012 - 3:03  (88892)

Hi Chiron,
I am sorry for asking too many doubts. But please clarify this one.
Actually when running any of the programs mentioned above do I need to disable my comodo firewall and defense+ ?
Thanks in advance.

by Chiron on 15. February 2012 - 22:43  (88923)

No, these programs are already trusted by Comodo. Thus there shouldn't be any problems.

by n01paranoid on 14. February 2012 - 15:34  (88849)

Excellent article Chiron. Yes, these steps require a little more user input than a conventional scan, but if the results are more comprehensive and reliable then it's worth it.

There's just one thing that puzzles me. The first time I ran the Comodo Autoruns Analyser there were about 4 unsafe items, the second time I ran it one, and the third time no unsafe items, without me deleting anything. Is this quite normal, and is this because of the additional time Comodo has had to analyse, that you referred to?

by Chiron on 14. February 2012 - 15:36  (88851)

Yes, I have noticed that as well. There does also seem to be a bug that sometimes causes it to detect different files at different times, but if the trend is always towards less being identified then I have seen that before and it's nothing to worry about.

Please try running it one more time and make sure that no more files are found. If there are none then I wouldn't worry.

by trent andrew (not verified) on 14. February 2012 - 2:03  (88810)

Hi Chiron,
Actually many users are complaining about excessive RAM usage by CCE (especially killswitch). I have 512mb of RAM. So please shed some light on this issue.

And what I asked in my previous comment is: suppose TDSSkiller detected all false positives, how shall I take no action against them? I mean is there any option like skip, no action etc for that purpose.

by Chiron on 14. February 2012 - 14:46  (88844)

For TDSSKiller you must manually select to delete files. You can choose to ignore them. It will not delete them automatically. I hate programs that do that.

Also, about RAM usage for CCE, I have noticed that some users have noticed a good amount of memory usage. However, since you'll only be using it while doing this analysis, which shouldn't take too long, it shouldn't be a major concern. However, you will likely notice it with 512MB of RAM.

by trent andrew (not verified) on 12. February 2012 - 6:54  (88717)

Hi Chiron,
Thank you for clarifying that.
I have some more doubts.
Actually after scanning with TDSSKILLER, it shows a list of detected items, right?
How shall I take no action against all of them as you suggested in this article? Please let me know.
Thank you.

by Chiron on 12. February 2012 - 16:27  (88731)

This article is meant to tell you if your computer is clean or not. If, as you indicate, TDSSKiller shows you that your computer is not clean of rootkits then you can likely assume that your computer is not clean.

Therefore you can follow the advice given in this article:
http://www.selectrealsecurity.com/malware-removal-guide
it should be able to clean most infections and get your computer back to working order.

I'm working on my own simpler guide, but am very busy right now, so I'm not sure when I'll be able to get back to it.

Let me know if you have any questions.

Thanks.

by trent andrew (not verified) on 11. February 2012 - 10:16  (88667)

Hi Chiron,
Will these methods work effectively in detecting a keylogger too? Please let me know.

by Chiron on 11. February 2012 - 22:58  (88701)

Yes.

Essentially they will detect any unknown or known dangerous files that are either running on your computer or have written entries in the registry. Since malware must start itself this is necessary, and since you also remove the possibility of a rootkit hiding it all files become visible.

by Hal Vit (not verified) on 16. January 2012 - 20:56  (87265)

I downloaded CCE for 32 Bit and the Zip file I received only had a .dll in it, no .exe file. I am using Win XP.
