I think my computer is infected – what do I do now?
Depending on the malware or spyware behavior, you may experience a variety of symptoms, or no obvious symptoms at all.
Some threats have ways to hide themselves in the system, while others display messages or pictures that may indicate their presence.
The article "Signs of viruses: Are you infected?" outlines possible tell-tale signs that your computer might have malware or spyware installed. However, the most effective way of finding out if you have malware or spyware installed in your system is to use an antivirus/antispyware product.
To protect your computer, you can install and run an up-to-date antivirus product such as Microsoft Security Essentials, a free solution from Microsoft*, which provides real-time protection from viruses, spyware, and potentially unwanted software. You can also run a full-system virus scan with the
Windows Live OneCare safety scanner. To remove spyware and other potentially unwanted software from your computer, you can also use Microsoft Windows Defender. For more information, visit the Microsoft Security site. It is best practice to run a scan with your antivirus/antispyware product on a regular basis.
If you continue to experience problems after you scan your computer, you can call 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For contact information outside of the U.S. and Canada, please select your region here.
In addition, you are encouraged to submit files that you suspect to be malware to the MMPC team for analysis. For virus-related assistance at no charge, you can also contact Microsoft through the Microsoft Online Safety Portal.
* Your PC must run a genuine copy of Windows to download and install Microsoft Security Essentials.
What can I do to prevent my computer from becoming infected?
While there is no method that can 100% guarantee that your computer will not be infected with malware, there are a number of steps that you can take to lessen the probability of this happening.
Microsoft offers 4 basic steps to protect your computer from becoming infected:
- Keep your firewall turned on.
- Keep your operating system up-to-date.
- Keep your antivirus software up-to-date.
- Keep your antispyware technology up-to-date.
The following articles also discuss several ways by which you can protect your computer from known attack vectors:
Since malware can arrive as different files, such as .EXE, .DOC, .PDF, and so on, it's also important to be aware that certain
files available for download may be malware. Microsoft recommends that you read the following articles for more information:
How can I avoid spyware, phishing, spam and scams?
Malware is not the only danger that you may face when using the Internet. Spyware, potentially unwanted programs, spam and phishing messages, and Internet scams are some of the other threats on the Internet.
How to help prevent spyware contains useful steps to ensure that you avoid spyware and other unwanted software. If you have installed an unwanted program, How to disable an unwanted program contains ways to disable and remove the program using the Add-on Manager.
To avoid phishing scams, see Recognize phishing scams and fraudulent e-mail. Other scams that involve chain letters or fabricated stories are also prevalent on the Internet; see How to avoid e-mail hoaxes and fraudulent e-mail scams.
If you suspect that you have responded to a phishing scam with personal or financial information, see What to do if you've responded to a phishing scam for tips on what you can do next. Responding to a scam may lead to your personal information, such as your e-mail login credentials, being stolen. See What to do if you think your account has been stolen if you suspect that an unauthorized person has accessed your e-mail.
Spear-phishing is a type of phishing scam that targets a specific organization. To help you avoid it, see Spear phishing: Highly targeted phishing scams.
How can I improve my Internet browsing safety?
Internet browsing can be a safe experience but you should still be aware of dangers that exist when visiting Web sites. "Browser hijacking"
is a type of attack that allows an attacker to take control of your browsing experience, for example by adding links to sites that you
have never visited or relentlessly displaying pop-up advertisements. More information on browser hijacking, including how to avoid it,
is available in Browser hijacking: How to help avoid it and undo damage.
You should also be on the lookout for spoofed Web sites that look similar or even identical to legitimate Web sites but are actually a front by scammers to get your personal
information.
Internet Explorer users may also encounter a prompt to download an ActiveX control when browsing certain Web sites. While ActiveX controls have risks, just like a lot of other media used in Web sites, they can enrich the user experience. Make sure that you are aware of the risks and learn what to look out for if you suspect an ActiveX control is malicious. Internet Explorer also has a variety of security options that you can choose to improve the safety of your browsing and e-mail activities.
Internet Explorer 8 can help you have a safe Web browsing experience with the introduction of the SmartScreen filter.
How do I improve security in the enterprise?
Microsoft has a number of resources that you can use to ensure that your workplace is more secure when it comes to IT:
Where can I get virus-related assistance from Microsoft at no charge?
If your Microsoft system has been affected by a virus and you need help, you can get virus-related assistance at no charge from the Microsoft Online Safety Portal.
What are the Microsoft Security products?
Microsoft offers several security products for both Enterprise and Home users. A summary of all Microsoft Security products is shown in the table below:
| Product Name | Main customer segment: Customers | Main customer segment: Business | Malicious software: Scan and Remove | Malicious software: Real-time Protection | Spyware and Potentially unwanted software: Scan and Remove | Spyware and Potentially unwanted software: Real-time Protection | Available at no additional charge | Main distribution methods |
|---|---|---|---|---|---|---|---|---|
| Microsoft Forefront Server Security | | • | • | • | • | • | | Volume Licensing |
| Microsoft Forefront Client Security | | • | • | • | • | • | | Volume Licensing |
| Microsoft Security Essentials | • | | • | • | • | • | • | Web download |
| Windows Live OneCare safety scanner | • | | • | | • | | • | Web |
| Windows Malicious Software Removal Tool | • | | Prevalent malware families | | | | • | Windows Updates/Automatic Updates; Download Center |
| Windows Defender | • | | | | • | • | • | Download Center; Windows Vista |
| Microsoft Forefront Online Security for Exchange | | • | • | • | | | | Web purchase |
What do the different Alert Levels in Windows Defender mean?
The Alert Levels that you see in Windows Defender for the threats that are detected correspond to how much of a threat Microsoft
determines the detected files to be. Windows Defender detects spyware, which means that the files detected may not necessarily be
unwanted. Therefore the Alert Levels are there to help you determine if the detected files should be removed or retained.
The different Alert Levels are discussed in Understanding Windows Defender alert levels.
What is a Software Assurance ID?
Your Software Assurance ID identifies you as a Microsoft Forefront customer. You can set this ID, along with your product, in your profile. You must provide a valid ID in order to submit a high priority submission. For more details on Software Assurance, please visit the Software Assurance website.
What is Microsoft DaRT?
DaRT stands for Diagnostics and Recovery Toolset. For more information about Microsoft DaRT, please visit the
Microsoft DaRT website.
What is the Network Inspection System (NIS)?
The Network Inspection System (NIS) is a feature in Forefront Threat Management Gateway 2010 that is used to narrow the window of opportunity for exploitation between software vulnerability disclosure and patch deployment. This is achieved through creating and deploying NIS signatures that detect when an attempt to exploit a vulnerability is made. The NIS signatures are available through the Microsoft Update servers.
What do the different Severity Ratings in NIS descriptions mean?
There are four possible severity ratings for NIS writeups:
- Critical - refers to a vulnerability whose exploitation could allow the propagation of an Internet worm without user action
- Important - refers to a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user’s data, or of the integrity or availability of processing resources
- Moderate - refers to a vulnerability whose exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation
- Low - refers to a vulnerability whose exploitation is extremely difficult, or whose impact is minimal
What are the different classes/types of NIS signatures?
There are three types of NIS signatures:
- Vulnerability - refers to vulnerability-based signatures. Those signatures will detect most variants of exploits against a given vulnerability.
- Exploit - refers to exploit-specific signatures. Those signatures will detect a specific exploit against a given vulnerability.
- Policy-based - refers to signatures that are generally used for auditing purposes and are developed when neither an exploit- nor a vulnerability-based signature can be written.
What does "Authentication Required" mean in the NIS descriptions?
Authentication Required indicates whether the attacker needs to authenticate before exploiting a given vulnerability.
What does "Signature Detections" mean in the NIS descriptions?
Signature Detections gives the number of detections for a specific NIS signature based on telemetry data.
How do I update my Microsoft product with the latest antivirus/antispyware definitions?
For information on how to update your Microsoft product with the latest definitions, please select your product:
What is a definition?
A definition is a set of characteristics that can be used to identify malware using antivirus or
antispyware products.
What is a new definition?
New definitions are definitions that did not exist previously. These definitions are added in response to
new threats.
What is an updated definition?
Detection of these threats has been modified with the indicated definition version. This may be
due to:
- analysis of new samples of an existing threat, requiring changes in the way it is detected
- a threat rename
- an update to the threat alert level
- an update to the threat classification
What does definition available date/time mean?
The definition available date/time is the date and time that the definition is available to download. Your Microsoft product may display the
created date/time, which is the date and time that the definition was created. There is often a time lag between the created date/time
and the available date/time.
How do I know if I have a 64 bit or 32 bit operating system?
You can learn more about the version of your operating system by reading the article
How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
My Microsoft security product has detected a threat on my system. Where can I find more information about it?
The MMPC Encyclopedia is the central repository
of information on current malware threats. To learn more about a particular threat, you can search
the encyclopedia.
What is the Microsoft Malware Protection Center?
The Microsoft Malware Protection Center (MMPC) is comprised of several teams at Microsoft who are
all committed to providing customers with comprehensive protection against viruses, spyware, and
other potentially unwanted software. This organization is composed of a dedicated group of experienced
analysts, security researchers, and Microsoft security technologists that are responsible for researching
and responding to new threats, as well as providing the necessary security technology and infrastructure
through our Malware Protection Engine and Online Portal to help protect customers.
The MMPC also supplies
the core antimalware technology (including the scanning engine and malware definition updates) for Forefront
Server Security, Forefront Client Security, Microsoft Security Essentials, Windows Live OneCare, Microsoft DaRT, Windows Defender and the
Malicious Software Removal Tool.
How can I submit files that I suspect to be malware?
You can submit the files that you suspect to be malware through the MMPC sample submission page, either anonymously or by signing in. The advantage of signing in is that you will be able to track your submissions through your sample submission history.
If you want to submit a file or multiple files via e-mail, please compress the file(s) into a single zip or rar archive (must be less than 25 megabytes in size) and password protect the file with the password "infected" (without quotes). Then, send the archive to mmpc@submit.microsoft.com.
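The e-mail packaging steps above as a PowerShell function (an added example, not Microsoft's tooling or part of the original page). It assumes 7-Zip is installed; the function name New-SampleArchive, its parameters, the default archive name and the 7z.exe path are choices made for this example.

```powershell
# Added example. Assumptions: 7-Zip is installed at the default path below, and
# every entry in -Path is a file (not a folder). Names here are hypothetical.
function New-SampleArchive {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$Archive  = (Join-Path $PWD 'mmpc-samples.zip'),
        [string]$SevenZip = (Join-Path $env:ProgramFiles '7-Zip\7z.exe')
    )
    # The page says "less than 25 megabytes"; decimal megabytes is the stricter reading.
    $limit = 25 * 1000 * 1000

    if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7z.exe not found at $SevenZip" }
    if (Test-Path -LiteralPath $Archive) { throw "$Archive already exists; refusing to add to it" }

    # Resolve every input first so a mistyped path fails before anything is written.
    $files = foreach ($p in $Path) { Get-Item -LiteralPath $p -ErrorAction Stop }

    # Hash the samples before packing. Reading a file to hash it does not run it,
    # and the hashes let you match your submission to a later detection.
    $manifest = $files | Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }

    # a = add to archive, -tzip = zip container, -pinfected = the password the page specifies.
    & $SevenZip a -tzip -pinfected $Archive @($files.FullName) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7z failed with exit code $LASTEXITCODE" }

    # Enforce the size limit on the finished archive, not on the inputs.
    $size = (Get-Item -LiteralPath $Archive).Length
    if ($size -ge $limit) {
        Remove-Item -LiteralPath $Archive
        throw "Archive is $size bytes; it must be under $limit. Split the samples across several archives."
    }

    [pscustomobject]@{ Archive = $Archive; Bytes = $size; Samples = $manifest }
}
```

The returned object lists each sample's SHA-256 next to the archive path and size, which is worth keeping with your own notes when the submission is sent by e-mail and does not appear in a submission history.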
Having trouble signing in?
If you are having trouble signing into the MMPC Portal, you can continue to use the portal as an anonymous
user. Any sample(s) submitted as an anonymous user will not show up in your sample submission history; we
will provide a link that you can use to view the details of your submission. If you have questions or need
help regarding sign in issues, the following may be of assistance:
How do I track or view past sample submissions?
To view a detailed status of sample submissions, we recommend that you Sign In before submitting
any samples. Once you have submitted a sample, you can track it through the Submission history page.
You can also submit samples without signing in. To track these submissions you must bookmark the sample submission tracking page that is displayed after you submit your sample.
What does submission status mean? What are the possible status values?
Submission Status indicates the current status of the submission by listing all stages of submission
as they are completed. Possible status values are:
- Received - The Microsoft Malware Protection Center (MMPC) team has received your submission
- Under Active Investigation - The MMPC team is actively investigating your submission
- Preliminary Results Available - The MMPC team has completed a preliminary analysis and has results from this analysis
- Analysis Completed - The MMPC has completed a full analysis. If there was malware found in this submission, then there is a definition update ready to download for the malware
What does submission priority mean?
The user sets the submission priority at the time of submission. The priority is
based on the submitted malware's impact on their system(s). Possible values for the
submission priority are:
- Low Impact: A sample submission should be considered “low impact” if it has only a minor impact on your ongoing operations. Examples include:
  - Annoyance behavior, e.g. general pop-ups, “joke” programs
  - Samples which did not infect or propagate, e.g. received email with suspicious attachment but did not run it
  - Suspicious files found elsewhere – no impact on my system
- Medium Impact: A sample submission should be considered “medium impact” if it moderately impacts your ongoing operations. Examples include:
  - Renders optional programs to be unusable
  - Causes minor loss of product functionality
  - Contained, partially or low propagation threat
  - Generates fake security warnings and pop-ups
- High Impact (available only to authorized Microsoft Forefront Server Security and Forefront Client Security customers): A sample submission is considered “high impact” if it significantly impacts your ongoing operations. Examples include:
  - Causing your network or system to fail catastrophically – “System Down”
  - Compromises overall system or data integrity
  - Makes networks or core business applications unstable
  - Uncontained and propagating threat
  Please provide information for this level such as the severity impact on business created by this threat, e.g. number of machines already infected.
What does submission source mean?
The submission source describes how/where the sample was submitted for analysis. Possible values are:
- MMPCPortal - this indicates that the sample was submitted for analysis via the Portal.
- Email - this indicates that the sample was submitted for analysis via Email.
How can I contact Microsoft Help and Support?
If you are having difficulties navigating the Microsoft Web site and require assistance please choose from the following:
How can I give feedback on the MMPC portal content, layout, and so on?
If you would like to provide feedback for the content available on the Microsoft Protection Center Portal pages, you can email the Microsoft Malware Protection Center Feedback team. Please provide a reference to the existing text and proposed changes.