Guidance and advice

Malware prevention, protection and mitigation
I think my computer is infected – what do I do now?
What can I do to prevent my computer from becoming infected?
How can I avoid potentially unwanted software, phishing, spam and scams?
How can I be more safe when browsing the Internet?
What can I do to protect my computer against malware that exploits certain software, for example, malicious PDF files or QuickTime movies?
What should I do if Microsoft Security Essentials or Windows Defender detects malicious software on my computer?
What do the actions "Remove", "Quarantine", and "Allow" in Microsoft Security Essentials or Windows Defender mean?
How do I review quarantined items in Microsoft Security Essentials or Windows Defender?
How do I improve security in the enterprise?
Where can I get virus-related assistance from Microsoft?

Microsoft Security Products
What are the Microsoft Security products?
What do the different Alert Levels in Microsoft Security Essentials and Windows Defender mean?
How does the MMPC name different malware?
What is a Software Assurance ID?
What is Microsoft DaRT?
What is the Network Inspection System (NIS)?
Where can I get a complete list of the available NIS signatures?
What do the different Severity Ratings in NIS descriptions mean?
What are the different classes/types of NIS signatures?
What does "Authentication Required" mean in the NIS descriptions?
What does "Signature Detections" mean in the NIS descriptions?
How do I update my Microsoft product with the latest virus/spyware definitions?
What is a definition?
What is a new definition?
What is an updated definition?
What does definition available date/time mean?
How do I know if I have a 64-bit or 32-bit operating system?
My Microsoft security product has detected a threat on my computer. Where can I find more information about it?

MMPC portal help topics
What is the Microsoft Malware Protection Center?
How can I submit files that I suspect to be malware?
Having trouble signing in?
How do I track or view past sample submissions?
What does submission status mean? What are the possible status values?
What does submission priority mean?
What does submission source mean?
How can I contact Microsoft Help and Support?


I think my computer is infected – what do I do now?
Depending on the malware or potentially unwanted software behavior, you may experience a variety of symptoms, or no obvious symptoms at all. Some threats have ways to hide themselves in the computer, while others display messages or pictures that may indicate their presence.

To protect your computer, you can install and run an up-to-date antivirus product such as Microsoft Security Essentials, a free solution from Microsoft*, which provides real-time protection from viruses and potentially unwanted software. To remove potentially unwanted software from your computer, you can also use Microsoft Windows Defender. For more information, visit the Microsoft Security site. It is best practice to run a scan with your antivirus/antispyware product on a regular basis.

If you think your Microsoft PC has been affected by a virus and you need help, and if you are currently located within the US, you can get virus-related assistance from the Microsoft Answer Desk.

If you are located outside of the US, go to the Microsoft Support Virus and Security Solution Center.

In addition, you are encouraged to submit files that you suspect to be malware to the MMPC team for analysis.

* Your PC must run a genuine copy of Windows to download and install Microsoft Security Essentials.


What can I do to prevent my computer from becoming infected?
While no method can guarantee 100% that your computer will not be infected with malware, there are a number of steps that you can take to lessen the probability of this happening.

Microsoft offers the following steps to protect your computer from becoming infected:

  1. Build up your malware defenses:
    1. Install antivirus and antispyware programs from a trusted source
    2. Update software regularly
    3. Use strong passwords and keep them secret
    4. Never turn off your firewall
    5. Use flash drives cautiously
  2. Don't be tricked into downloading malware

The following articles also discuss several ways by which you can protect your computer from known attack vectors:


How can I avoid potentially unwanted software, phishing, spam and scams?
Malware is not the only danger that you may come face to face with when using the Internet. Spyware, potentially unwanted programs, spam and phishing messages, and Internet scams are some of the other threats on the Internet.

How to prevent spyware contains useful steps to ensure that you avoid potentially unwanted software. More information on the security and privacy features in Internet Explorer 9 is available in Security and privacy features in Internet Explorer 9.

The following articles discuss several ways by which you can protect yourself from potentially unwanted software, phishing, spam, and scams:

Other scams exist that involve chain letters or fabricated stories. Refer to the following articles for more on these scams:

If you suspect that you have responded to a phishing scam with personal or financial information, see What to do if you've responded to a phishing scam for tips on what you can do next. Responding to a scam may lead to your personal information, such as your email login credentials, being stolen. See How to Recover Your Account if you suspect that an unauthorized person has accessed your account.

How can I be more safe when browsing the Internet?
Internet browsing can be a safe experience but you should still be aware of dangers that exist when visiting websites. "Browser hijacking" is a type of attack that allows an attacker to take control of your browsing experience, for example by adding links to sites that you have never visited or relentlessly displaying pop-up advertisements. More information on browser hijacking, including how to avoid it, is available in What is browser hijacking?

You should also be vigilant about what information you share on the Internet, and who you share that information with. Your privacy on the Internet depends on your ability to control both the amount of personal information that you provide and who has access to that information. More information is available in Protect your privacy on the Internet.

Internet Explorer users may also encounter a prompt to download an ActiveX control when browsing certain websites. While ActiveX controls have risks, just like a lot of other media used in websites, they can enrich the user experience. Make sure that you are aware of the risks and learn what to look out for if you suspect an ActiveX control is malicious.

Internet Explorer also has a variety of security options that you can choose to improve the safety of your browsing and email activities, including the introduction of the SmartScreen filter.


What can I do to protect my computer against malware that exploits certain software, for example, malicious PDF files or QuickTime movies?
Software vulnerabilities are errors in software that can allow it to be used for malicious purposes. To prevent this from happening to your software, always keep it up to date. Instructions on how to update commonly used software are available here.


What should I do if Microsoft Security Essentials or Windows Defender detects malicious software on my computer?
If Microsoft Security Essentials or Windows Defender detects malicious software or potentially unwanted software on your PC (either when monitoring your PC using real-time protection or after running a scan), it notifies you about the detected item by displaying a message in the notification area to the right of the taskbar.

In some cases, Microsoft Security Essentials or Windows Defender takes automatic action to remove malicious software from your PC, and will notify you that it is doing so. In other cases, Microsoft Security Essentials or Windows Defender will show you a notification that malicious or potentially unwanted software has been detected.

Click Clean computer to remove the software, or click Show details to open the Potential threat details window and get additional information about the detected item. If you need help determining which action to apply to the detected item, use the alert level that Microsoft Security Essentials or Windows Defender assigned to the item as your guide (for more information, see Alert levels in Microsoft Security Essentials).

Depending on the alert level, you can choose to either remove, quarantine, or allow the detected item.


What do the actions "Remove", "Quarantine", and "Allow" in Microsoft Security Essentials or Windows Defender mean?
Depending on the threat, Microsoft Security Essentials or Windows Defender will either take automatic action to remove malicious software from your PC, or it will notify you that it has detected a threat. Alert levels help you choose how to respond in this scenario. While Microsoft Security Essentials or Windows Defender will recommend that you remove all viruses, not all software that is flagged is malicious or unwanted. The following information can help you decide what to do if Microsoft Security Essentials or Windows Defender detects potentially unwanted software on your PC.

Depending on the alert level, you can choose one of the following actions to apply to the detected item:

  • Remove — this action permanently deletes the file from your PC.
  • Quarantine — this action quarantines the file so that it can't run. When Microsoft Security Essentials or Windows Defender quarantines software, it moves it to another location on your PC, and then prevents the software from running until you choose to restore it or remove it.
  • Allow — this action adds the file to the Microsoft Security Essentials or Windows Defender allowed list and allows it to run on your PC. Microsoft Security Essentials will stop alerting you to risks that the file might pose to your privacy or to your PC.

Caution: If you choose Allow for an item, such as software, Microsoft Security Essentials or Windows Defender will stop alerting you to risks that the software might pose to your privacy or to your PC. Therefore, add software to the allowed list only if you trust the software and the software publisher.


How do I review quarantined items in Microsoft Security Essentials or Windows Defender?
Most malicious files detected by Microsoft Security Essentials or Windows Defender are quarantined rather than being removed outright. When malware is quarantined, it cannot run or do anything else to your computer. Once a threat has been quarantined, you can choose to either remove it completely, restore it, or just keep it in quarantine while you investigate further. You can leave malicious files in quarantine for as long as you like – they pose no risk to you in a quarantined state. Here's how:

  1. In Microsoft Security Essentials or Windows Defender, click the History tab
  2. On the History tab, select Quarantined items and then tap or click View details. You might be asked for an admin password or to confirm your choice.
  3. Do one of the following:
    • Tap or click Remove all to get rid of all quarantined software.
    • Select individual quarantined items, and then tap or click Remove or Restore


How do I improve security in the enterprise?
Microsoft has a number of resources that you can use to ensure that your workplace is more secure when it comes to IT:


Where can I get virus-related assistance from Microsoft?
If your Microsoft PC has been affected by a virus and you need help, and you are currently located within the US, you can get virus-related assistance from the Microsoft Answer Desk.

If you are located outside of the US, go to the Microsoft Support Virus and Security Solution Center.


What are the Microsoft Security products?
Microsoft offers several security products for both Enterprise and Home users. A summary of all Microsoft Security products is shown in the table below:

Table columns: Product Name; Main customer segment (Consumers, Business); Malicious software (Scan and Remove, Real-time Protection); Potentially unwanted software (Scan and Remove, Real-time Protection); Available at no additional charge; Main distribution methods.

  • Microsoft Forefront Threat Management Gateway - Main distribution methods: Volume Licensing
  • Microsoft Forefront Server Security - Main distribution methods: Volume Licensing
  • Microsoft Forefront Client Security - Main distribution methods: Volume Licensing
  • Microsoft Forefront Endpoint Protection 2010 - Main distribution methods: Volume Licensing
  • Windows Intune - Main distribution methods: Microsoft Online Services Customer Portal, Volume Licensing
  • Microsoft Security Essentials - Main distribution methods: Web download
  • Windows Malicious Software Removal Tool - Malicious software: Prevalent malware families. Main distribution methods: Windows Updates/Automatic Updates, Download Center
  • Microsoft Safety Scanner - Main distribution methods: Web download
  • Windows Defender Offline - Main distribution methods: Web download
  • Windows Defender in Windows XP/Vista/7 - Main distribution methods: Download Center, Windows Vista, Windows 7
  • Windows Defender in Windows 8 - Main distribution methods: Windows 8


What do the different Alert Levels in Microsoft Security Essentials and Windows Defender mean?
The Alert Levels that you see in Microsoft Security Essentials and Windows Defender for the threats that are detected correspond to how much of a threat Microsoft determines the detected files to be. The Alert Levels are there to help you determine what action to take with the detected files.

The different Alert Levels are discussed in Understanding alert levels.


How does the MMPC name different malware?
The naming standard used by the MMPC can contain some or all of the following components:



Full details on each component, and the different types for each component, can be found here.


What is a Software Assurance ID?
Your Software Assurance ID identifies you as a Microsoft Forefront customer. You can set this ID, along with your product, in your profile. You must provide a valid ID in order to submit a high priority submission. For more details on Software Assurance, please visit the Software Assurance website.


What is Microsoft DaRT?
DaRT stands for Diagnostics and Recovery Toolset. It aims to assist administrators in recovering PCs that have become unusable, diagnosing probable causes of issues, and repairing unbootable or locked-out computers.

One of its components is Windows Defender Offline, which boots and works off an alternate operating system. Using the Microsoft virus and spyware definitions, it inspects the target operating system present on the user's computer for malware infection.

Use of Windows Defender Offline is recommended when a computer is being repeatedly infected by the same malware or if you suspect that it is infected with a rootkit. Enterprise administrators may run Windows Defender Offline against such infected computers on a one-time basis or choose to schedule a reminder to manually run Windows Defender Offline on PCs on a regular basis.

For more information about Microsoft DaRT, please visit the Microsoft DaRT website.


What is the Network Inspection System (NIS)?
The Network Inspection System (NIS) is a feature in Forefront Threat Management Gateway 2010 that is used to narrow the window of opportunity for exploitation between software vulnerability disclosure and patch deployment. This is achieved by creating and deploying NIS signatures that detect when an attempt to exploit a vulnerability is made. The NIS signatures are available through the Microsoft Update servers.


Where can I get a complete list of the available NIS signatures?
An index of all currently available NIS signatures is available on this page.


What do the different Severity Ratings in NIS descriptions mean?
There are four possible severity ratings for NIS writeups:

  • Critical - refers to a vulnerability whose exploitation could allow the propagation of an Internet worm without user action
  • Important - refers to a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user's data, or of the integrity or availability of processing resources
  • Moderate - refers to a vulnerability whose exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation
  • Low - refers to a vulnerability whose exploitation is extremely difficult, or whose impact is minimal


What are the different classes/types of NIS signatures?
There are three types of NIS signatures:

  • Vulnerability-based - refers to vulnerability-based signatures. Those signatures will detect most variants of exploits against a given vulnerability.
  • Exploit-based - refers to exploit-specific signatures. Those signatures will detect a specific exploit against a given vulnerability.
  • Policy-based - refers to signatures that are generally used for auditing purposes and are developed when neither an exploit- nor a vulnerability-based signature can be written.
  • Test - refers to signatures that are generally used to test NIS functionality. They are often used by customers to confirm that NIS is actively inspecting network traffic and alerting according to policy.


What does "Authentication Required" mean in the NIS descriptions?
Authentication Required indicates whether the attacker needs to authenticate before exploiting a given vulnerability.


What does "Signature Detections" mean in the NIS descriptions?
Signature Detections gives the number of detections for a specific NIS signature based on telemetry data.


How do I update my Microsoft product with the latest virus/spyware definitions?
For information on how to update your Microsoft product with the latest definitions, please select your product:


What is a definition?
A definition is a set of signatures that can be used to identify malware using antivirus or antispyware products. Other vendors may refer to definitions as DAT files, pattern files, identity files, or antivirus databases.


What is a new definition?
New definitions are definitions that did not exist previously. These definitions are added in response to new threats. A new definition may also be created for an existing threat if changes in detection are necessary.


What is an updated definition?
Detection of these threats has been modified with the indicated definition version. This may be due to a threat rename, an update to the threat alert level, or an update to the threat classification.


What does definition available date/time mean?
The definition available date/time is the date and time that the definition is available to download. Your Microsoft product may display the created date/time, which is the date and time that the definition was created. There is often a time lag between the created date/time and the available date/time.


How do I know if I have a 64-bit or 32-bit operating system?
You can learn more about the version of your operating system by reading the article How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.


My Microsoft security product has detected a threat on my computer. Where can I find more information about it?
The MMPC Encyclopedia is the central repository of information on current malware threats. To learn more about a particular threat, you can search the encyclopedia.


What is the Microsoft Malware Protection Center?
The Microsoft Malware Protection Center (MMPC) is comprised of several teams at Microsoft who are all committed to providing customers with comprehensive protection against viruses and potentially unwanted software. This organization is composed of a dedicated group of experienced analysts, security researchers, and Microsoft security technologists that are responsible for researching and responding to new threats, as well as providing the necessary security technology and infrastructure through our Malware Protection Engine and Online Portal to help protect customers.

The MMPC also supplies the core antimalware technology (including the scanning engine and malware definition updates) for Forefront Server Security, Forefront Client Security, Microsoft Security Essentials, Windows Safety Scanner, Microsoft DaRT, Windows Defender, Windows Defender Offline, and the Malicious Software Removal Tool.


How can I submit files that I suspect to be malware?
You can submit the files that you suspect to be malware through the MMPC sample submission page, either anonymously or by signing in using your Microsoft account. The advantage of signing in is that you will be able to track your submissions through your sample submission history.


Having trouble signing in?
If you are having trouble signing in to the MMPC Portal using your Microsoft account, you can continue to use the portal as an anonymous user. Any sample(s) submitted as an anonymous user will not show up in your sample submission history; however, we will provide a link that you can use to view the details of your submission. If you are unable to sign in or have questions about your account, please visit this page.


How do I track or view past sample submissions?
To view a detailed status of sample submissions, we recommend that you sign in before submitting any samples. Once you have submitted a sample, you can track it through the Submission history page.

You can also submit samples without signing in. To track these submissions you must bookmark the sample submission tracking page that is displayed after you submit your sample.


What does submission status mean? What are the possible status values?
Submission Status indicates the current status of the submission by listing all stages of submission as they are completed. Possible status values are:

  • Received - The Microsoft Malware Protection Center (MMPC) team has received your submission
  • Under Active Investigation - The MMPC team is actively investigating your submission
  • Preliminary Results Available - The MMPC team has completed a preliminary analysis and has results from this analysis
  • Analysis Completed - The MMPC has completed a full analysis. If there was malware found in this submission, then there is a definition update ready to download for the malware


What does submission priority mean?
The user sets the submission priority at the time of submission. The priority is based on the submitted malware's impact on their computer(s). Possible values for the submission priority are:

  • Low Impact: A sample submission should be considered "low impact" if it has only a minor impact on your ongoing operations. Examples include:
    • Annoyance behavior, e.g. general pop-ups, "joke" programs
    • Samples which did not infect or propagate, e.g. received email with suspicious attachment but did not run it
    • Suspicious files found elsewhere – no impact on my computer
  • Medium Impact: A sample submission should be considered "medium impact" if it moderately impacts your ongoing operations. Examples include:
    • Renders optional programs unusable
    • Causes minor loss of product functionality
    • Contained, partially or low propagation threat
    • Generates fake security warnings and pop-ups
  • High Impact (available only to authorized Microsoft Forefront Server Security and Forefront Client Security customers): A sample submission is considered "high impact" if it significantly impacts your ongoing operations. Examples include:
    • Causing your network or computer to fail catastrophically – "System Down"
    • Compromises overall system or data integrity
    • Makes networks or core business applications unstable
    • Uncontained and propagating threat
    Please provide information for this level such as the severity impact on business created by this threat, e.g. number of computers already infected.


What does submission source mean?
The submission source describes how/where the sample was submitted for analysis. Possible values are:

  • MMPCPortal - this indicates that the sample was submitted for analysis via the Portal.
  • Email - this indicates that the sample was submitted for analysis via email.


How can I contact Microsoft Help and Support?
If you are having difficulties navigating the Microsoft website and require assistance, please choose from the following:

