Viruses and malware
- 1 Introduction
- 2 What should I be looking for?
- 3 My Computer is Quarantined or in the Penalty Box
- 4 My computer might be infected! How do I fix it?
- 4.1 Helpdesk policy on malware support
- 4.2 Infection Removal
- 4.3 Computer Security Checklist
- 4.4 More resources to help you with protecting yourself and computer
It's an unfortunate, but ever-present possibility: any time your computer is connected to the internet, there is the chance that malware or viruses can infect it. The Helpdesk receives dozens and dozens of calls per week requesting assistance with malicious software that is disrupting a computer's functionality. Right off the bat, we can tell you that, similar to the way regular checkups are the best way to maintain your health, the best countermeasures against malware are preventative: you should have both an anti-virus program and an anti-malware program installed on your computer, and you should be browsing the internet behind a firewall, either one that's installed on your computer, one that network administrators install on the network, or both. Unfamiliar with what these terms mean, or how to go about installing these things on your machine? No worries. It's all explained below. (Or, if you're in a rush, you can check out a security checklist we are currently developing: Computer Security Checklist)
But before you go any further, take note: because of the high frequency of requests for assistance with malware-related issues, the Technology Helpdesk requires you, the user, to perform several steps on your own before you ask that we get involved. This, too, is explained below.
What should I be looking for?
Types of computer infection
There are many types of computer infection with varying levels of threat to your computer and personal data. Here is a brief breakdown:
- Malware — a combination of the terms "malicious" and "software" — is a catchall word used to describe threats such as viruses, worms, Trojan horses, spyware, adware, and software installed by hackers.
- Viruses and worms (a type of self-replicating virus) usually spread very quickly and can cause a number of problems, including repeated computer crashes or the deletion of important files. Unlike traditional viruses, Trojan horses cannot spread on their own, but they are just as dangerous, tricking users into installing them by masquerading as a legitimate or useful program. Once it has infected your computer, a Trojan horse can even allow hackers to access your computer or force it to attack other networks.
- Adware will merely annoy you by occasionally (or frequently) subjecting you to pop-up ads. However, malignant forms of spyware can have more serious consequences. For example, a nasty piece of spyware could redirect your home page against your will or hog so much memory that your computer slows to a crawl. The worst spyware variants can even steal your personal data by installing a keylogger, a component that records every keystroke you make and sends a log back to a cyber-thief.
Symptoms of infection
Not all complaints mean that a computer is infected. Here are some common symptoms of infection:
- Pop-up ads: watch out in particular for pop-ups from an unfamiliar program warning you that your computer is infected with viruses; such a pop-up is itself fake and malicious.
- Error messages mentioning filenames that look fake or suspicious.
- Bluescreening, freezing, slowness, or crashes can be the result of hardware problems just as easily as viruses. Do some Hardware Diagnostics to determine whether your computer has a hardware problem.
- Mouse moves on its own: someone has infected the computer and is controlling it remotely. Ensure it's disconnected from the network before taking any other steps; then either do a very thorough clean, or just wipe the system.
- Computer is slow: When is it slow? Slowness can result from too many autostarted programs, old hardware, or even Windows updates. If a virus infection is causing slowness, it is severe enough that you will see other clear symptoms of an infection as well.
My Computer is Quarantined or in the Penalty Box
If you get a message that your computer has been quarantined or placed in the penalty box, please follow the instructions at Penalty_Box.
My computer might be infected! How do I fix it?
Helpdesk policy on malware support
For the typical computer user, the first steps of the infection removal process happen like this: (1) you suspect an infection, and then (2) you try to remove the infection with anti-virus or anti-malware scans. If the scans are successful, you're all set. If the scans are unsuccessful, however, the next step is to re-image. In technology jargon, an "image" generally refers to a complete copy of a drive's contents, which in practice means your operating system, and so "re-imaging" generally means installing a fresh instance of your operating system. To re-image your computer, you back up all your important data (e.g., documents, spreadsheets, photos, music) onto an external hard drive, wipe your hard drive completely clean, and reinstall the operating system. You're starting from scratch, basically.
Because of the high demand for malware support, the Helpdesk asks that you, the user, do as much as you can of the scans and data backup on your own before we, the Helpdesk, get involved. But let's say that you suspect malicious software has infected your computer but you don't know which anti-virus or anti-malware scans to run. Or let's say you've run the right scans, but the virus is still there, so you want to re-image, but you don't have a place to back up your data. Or perhaps you've run the scans and backed up your data but you don't know where to get the right image for your computer. In each of these cases, we're happy to step in and assist, directing you to the resources you need to treat and remove the infection.
The kind of support we can provide, however, differs between faculty/staff and student computers, and even between student computers of different models. Read on.
Student-owned computers purchased through Middlebury College (or, more specifically, computers with an image that is unique to Middlebury College) are supported by the Helpdesk in that we have the proper licenses to provide a new image as a last resort. Student-owned computers purchased through the College are typically Dell Latitudes, from the older D series (610, 620, 630, etc.) to the newer E series. For liability reasons, the student owner of the computer will be required to sign a waiver before the Helpdesk can get to work installing the new image. Once the data has been backed up and the waiver has been signed, the Helpdesk can re-image the computer with a turnaround time of about 5 business days.
As you can probably guess, personal computers not purchased through Middlebury College are not supported in the same way. If a student with a non-College computer comes in for malware assistance, Helpdesk consultants may oversee and advise the student's efforts, but it is the student's responsibility to treat and remove the malware infection, even when it comes to re-imaging. If it comes down to a situation where you, a student with a non-College computer, need to re-image, we'll ask if you have the CDs that came with your computer, or if your computer has a special partition on its hard drive that contains the computer's image. If you don't have a special partition, but you do have CDs, except the CDs are at home, we'll suggest you have them shipped to you. If the CDs have been misplaced, or no CDs came with the computer (which is rare), we'll suggest purchasing new ones online. In these situations where a user is having trouble finding an image, we recommend seeking out further support resources from the computer's vendor (e.g., HP, Toshiba, etc.).
Faculty and staff computers
All Middlebury faculty and staff computers, as well as all public workstations, are fully supported by the Technology Helpdesk. In general, if a machine has a Midd # on a blue tag somewhere on it, the Helpdesk covers it.
However, personal computers owned by faculty and staff are not covered. Those machines are subject to the same rules as student computers purchased independently of the College, which is to say the Helpdesk can direct you to the proper resources, but the actual countermeasures are the user's responsibility.
Infection Removal
First, shut down your computer and restart in Safe Mode:
- While restarting the computer, press F8 once every second to load the Windows "emergency startup" menu.
- Select Safe Mode with Networking and press your Enter or Return key to boot into Safe Mode, which is a stripped-down version of regular mode.
- Booting into Safe Mode loads only a minimal set of Windows drivers and services, which often keeps the malware from starting, giving you a window in which to run the anti-virus and anti-malware scans and remove it.
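As an added example (not part of the original Helpdesk page), the PowerShell script below confirms that the machine actually came up in Safe Mode with Networking before you start scanning, and then lists the programs configured to start automatically at logon, since the symptoms section above notes that too many autostarted programs are a common non-malware cause of slowness. It assumes a Windows machine with PowerShell available; the SAFEBOOT_OPTION environment variable and the Run/RunOnce registry keys are standard Windows locations, not values taken from this page.

```powershell
# Added example, not from the Middlebury Helpdesk page.
# Assumes Windows with PowerShell; registry paths are the standard Run keys.

function Get-BootMode {
    # Windows sets SAFEBOOT_OPTION to MINIMAL or NETWORK when booted into
    # Safe Mode; the variable is absent on a normal boot.
    $opt = [Environment]::GetEnvironmentVariable('SAFEBOOT_OPTION')
    switch ($opt) {
        'NETWORK' { 'Safe Mode with Networking' }
        'MINIMAL' { 'Safe Mode (no networking)' }
        default   { 'Normal boot' }
    }
}

function Get-AutostartEntries {
    # Enumerate the per-machine and per-user Run/RunOnce keys that launch
    # programs at logon. Entries here are not necessarily malicious; compare
    # them against software you know you installed.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip PowerShell's own provider metadata (PSPath, PSParentPath, ...)
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
            }
        }
    }
}

$mode = Get-BootMode
Write-Host "Boot mode: $mode"
if ($mode -ne 'Safe Mode with Networking') {
    Write-Warning 'Not in Safe Mode with Networking; restart and press F8 before scanning.'
}

Write-Host 'Programs that start automatically at logon:'
Get-AutostartEntries | Format-Table -AutoSize
```

Run it from a PowerShell prompt after booting; the HKLM keys are readable without elevation, so it works from a standard user account. An entry whose Command points at an unfamiliar executable in a temporary or user-profile folder is worth noting down for the Helpdesk before you proceed with the scans in step 1.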
STEP 1 - Run an anti-virus scan with Sophos
To scan your computer for viruses:
- Right-click the Sophos icon in the system tray (this is a blue icon, shaped like a shield, in the lower right corner of your screen).
- Select Open Sophos Anti-Virus and then select Scan my computer.
- The scan will commence. Be aware that while a quick scan typically lasts twenty minutes or less, a full system scan typically lasts a few hours.
- Any viruses found will be reported in the scan window. If no viruses were found, the window will remain blank.
- If a virus is detected on your system that is not cleaned automatically, LIS Network Security will be notified directly.
- If the infection persists, try step 2 (below).
STEP 2 - Contact the Helpdesk
If you perform the infection removal steps as described above, but you hit a snag, contact the Technology Helpdesk at x2200. If you have a laptop, we ask that you bring it in to our Walk-in center located on the main floor of the Main Library (room 202). After you drop off your laptop, you can walk across the lobby to the Circulation Desk to check out a loaner laptop while your personal laptop is being processed. If you have a desktop or tower computer then please contact the Technology Helpdesk at x2200 and ask for the unit to be picked up.
Before contacting the Technology Helpdesk, please make sure:
- You are aware that the Technology Helpdesk does NOT offer cleaning support for personal computers that weren't purchased through the College (see above).
- You have backed up ALL of your data from the computer and placed it in a safe place (e.g. MiddFiles home directory, External Hard Drive).
- You fully understand that the next steps performed by the Helpdesk will be to wipe all information from the computer and re-install the Microsoft Windows XP operating system. At this point the Helpdesk will not be responsible for any personal data, so it is very important for you to back up everything that you will want to restore on the newly imaged computer. If the infected machine is a student's personal computer, then a waiver must be signed before work begins.
The Technology Helpdesk has a turn-around time of 5 business days, so if you cannot make do with public workstations and need to use a personal laptop during that time, you will need to check out a loaner from the Circulation Desk on the main floor of the Main Library. You should check with the Circulation Desk as soon as possible to see if there are any loaners available, either in person or by calling ext. 5494.
Computer Security Checklist
We are currently compiling a cross-platform, comprehensive checklist of preventative anti-virus and anti-malware measures: Computer Security Checklist. The checklist is also a good resource if you suspect that a malicious program has got past your defenses and an infection is under way.
More resources to help you with protecting yourself and computer
- Visit the "Viruses and Risks" page at Symantec.com
- Visit the "Threat Explorer" page at Symantec.com
- Dartmouth has a very detailed and clear set of guidelines for dealing with a compromised system: www.dartmouth.edu/comp/docs/Nercomp-IRTActionPlans.doc