Computer viruses: description, prevention, and recovery (129972)



The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows XP 64-Bit Edition Version 2002
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT 4.0
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 95
  • Microsoft Windows XP Home Edition Service Pack 2 (SP2)
  • Microsoft Windows XP Media Center Edition Service Pack 2 (SP2)
  • Microsoft Windows XP Professional Service Pack 2 (SP2)
  • Microsoft Windows XP Tablet PC Edition 2005

This article was previously published under Q129972

INTRODUCTION

This article discusses how to determine if your computer is infected with a virus, worm, or trojan, how to recover from an infection, and how to prevent future infections from a virus.

MORE INFORMATION

A virus is code written with the express intention that the virus code replicates itself. A virus tries to spread itself from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. A worm is a subclass of virus. A worm generally spreads without user action and distributes complete copies (possibly modified) of itself across networks. A worm can exhaust memory or network bandwidth, causing a computer to stop responding. A virus that appears to be a useful program, but that actually does damage, is a "trojan horse."

Take steps to prevent viruses even if you do not visit unknown or untrusted Web sites or open e-mail attachments. There are three steps that you can take to start to improve the security of your Windows-based computer: use a firewall, receive regular updates, and use antivirus software. For step-by-step instructions that explain how to do this for your operating system, visit the following Microsoft Protect Your PC Web site:

On a Windows XP-based computer, the Protect Your PC Web site can automatically detect and configure Internet Connection Firewall (ICF), configure Automatic Updates settings, and provide information about antivirus software. On a Windows XP Service Pack 2 computer, Internet Connection Firewall (ICF) is renamed as "Windows Firewall (WF)."

For additional information about the automated part of the Microsoft Protect Your PC Web site, click the following article number to view the article in the Microsoft Knowledge Base:

828931 Frequently asked questions about the automated portion of the Microsoft Protect Your PC Web site

For free virus-related support in the U.S. or Canada, call (866) PC-SAFETY (727-2338). If you are outside the U.S. or Canada, contact your local Microsoft subsidiary.

Symptoms of viruses, worms, and trojan horse viruses

If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. When a virus infects your e-mail or other files, it may have the following effects on your computer:
  • The infected file may make copies of itself. This may use all the free space in your hard disk.
  • A copy of the infected file may be sent to all the addresses in your e-mail address list.
  • The virus may reformat your disk drive and delete your files and programs.
  • The virus may install hidden programs, such as pirated software. This pirated software may then be distributed and sold from your computer.
  • The virus may reduce security. This could allow intruders to remotely access your computer or network.
The following symptoms are frequently caused by or associated with a virus:
  • You received an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear or a sudden degradation in system performance occurs.
  • There is a double extension on an attachment that you recently opened, such as .jpg.vbs or .gif.exe.
  • An antivirus program is disabled for no reason and it cannot be restarted.
  • An antivirus program cannot be installed on the computer or it will not run.
  • Strange dialog boxes or message boxes appear onscreen.
  • Someone tells you that they have recently received e-mail messages from you containing attached files (especially with .exe, .bat, .scr, and .vbs extensions) that you did not send.
  • New icons appear on the desktop that you did not put there, or are not associated with any recently installed programs.
  • Strange sounds or music plays from the speakers unexpectedly.
  • A program disappears from the computer, but you did not intentionally remove it.
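
The attachment symptoms above (double extensions such as .jpg.vbs, and unexpected .exe, .bat, .scr, or .vbs files) can be checked mechanically. The following Python code is an added example, not part of the original Microsoft article; the function names, the decoy-extension list, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions the article lists on attachments that infected machines send out.
EXECUTABLE_EXTS = {".exe", ".bat", ".scr", ".vbs"}
# Assumption: benign-looking extensions used as the decoy in a double extension.
DECOY_EXTS = {".jpg", ".gif", ".txt", ".doc"}

def classify_filename(name):
    """Return findings for one attachment name (empty list means nothing flagged)."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return []
    findings = ["executable-extension"]
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        findings.append("double-extension")
    return findings

def scan_message(raw):
    """Parse a MIME message and map each flagged attachment name to its findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    flagged = {}
    for part in msg.walk():
        name = part.get_filename()  # None for parts that are not attachments
        if name and classify_filename(name):
            flagged[name] = classify_filename(name)
    return flagged

# Constructed sample message (not real mail): one disguised script, one image.
SAMPLE = """\
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday.jpg.vbs"

placeholder
--BOUND
Content-Type: image/gif
Content-Disposition: attachment; filename="logo.gif"

placeholder
--BOUND--
"""

print(scan_message(SAMPLE))
```

Only the disguised script is reported; the plain .gif attachment passes because its final extension is not on the executable list.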
A virus infection may also cause the following symptoms, but these symptoms may also be the result of ordinary Windows functions, or problems in Windows that are not caused by a virus.
  • Windows will not start at all, even though you have not made any system changes, and you have not installed or removed any programs.
  • There is a lot of modem activity. If you have an external modem, you may notice the lights blinking too much when the modem is not being used. You may be unknowingly supplying pirated software.
  • Windows will not start because certain critical system files are missing, and then you receive an error message that lists the missing files.
  • The computer sometimes starts as expected, but at other times it stops responding before the desktop icons and taskbar appear.
  • The computer runs very slowly, and it takes a long time to start.
  • You receive out-of-memory error messages even though your computer has plenty of RAM.
  • New programs do not install correctly.
  • Windows restarts unexpectedly.
  • Programs that used to run stop responding frequently. If you try to remove and reinstall the software, the issue continues to occur.
  • A disk utility such as Scandisk reports multiple serious disk errors.
  • A partition disappears.
  • Your computer always stops responding when you try to use Microsoft Office products.
  • You cannot start Windows Task Manager.
  • Antivirus software indicates that a virus is present.

Recovering from and preventing virus infection

To prevent a virus infection, or to recover from a virus, follow these steps:
  1. Use an Internet firewall.
    A firewall is a piece of software or hardware that creates a protective barrier between your computer and potentially damaging content on the Internet. It helps guard your computer against malicious users and many computer viruses and worms.

    Use a firewall only for network connections that you use to connect directly to the Internet. For example, use a firewall on a single computer that is connected to the Internet directly by using a cable modem, a DSL modem, or a dial-up modem. If you use the same network connection to connect to both the Internet and a home or office network, use a router or firewall that prevents Internet computers from connecting to the shared resources on the home or office computers. Do not use a firewall on network connections that you use to connect to your home or office network unless the firewall can be configured to open ports only for your home or office network. If you connect to the Internet by using your home or office network, a firewall can be used only on the computer or the other device, such as a router, that provides the connection to the Internet. For example, if you connect to the Internet through a network that you manage, and that network uses connection sharing to provide Internet access to multiple computers, you can install or enable a firewall only on the shared Internet connection. If you connect to the Internet through a network that you do not manage, verify that your network administrator is using a firewall.

    Note If you use a firewall on all computers on your home or office network, you may not be able to browse (search) for other computers on your home or office network, and you may not be able to share files with other computers on your home or office network. For additional information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

    298804 Internet firewalls can prevent browsing and file sharing

    Windows XP; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition

    If you are running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or any version of Windows XP, you can use the ICF feature.

    283673 How to enable or disable Internet Connection Firewall in Windows XP

    For additional information about ICF, visit the following Microsoft Web sites:

    Other versions of Windows

    For other versions of Windows, use Basic Firewall (for Windows Server 2003 servers running Routing and Remote Access), Microsoft Internet Security and Acceleration (ISA) Server 2000 (for Windows 2000 or Windows Server 2003), or a third-party hardware or software firewall. For additional information about third-party firewall products, visit the following Microsoft Web site:
  2. Update your computer.
    Security updates help shield your computer from vulnerabilities, viruses, worms, and other threats as they are discovered. Steps that you can take include:
    1. Install security updates for Windows and Windows components (such as Internet Explorer, Outlook Express, and Windows Media Player). To do this, visit the following Microsoft Web site:

      For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

      311047 How to keep your Windows computer up-to-date

      Note Microsoft Windows NT Workstation, Windows 98, Windows 98 Second Edition, and Windows 95 have reached the ends of their product support life cycles. Updates that were provided for these operating systems are available on an archived basis on the Windows Update site. However, Microsoft no longer offers technical support for these releases. Because of this, consider upgrading to Windows XP Professional or Windows XP Home Edition so that you can take advantage of Automatic Updates and other security features that have been introduced since these older operating systems were released.
    2. To install security updates for Microsoft Office products, visit the following Office Update Microsoft Web site:
    3. To install security updates for your other programs, contact the manufacturer of the program for additional information. To locate security updates for other Microsoft products, visit the following Microsoft Web site:

      For example, you can locate security updates for Microsoft Internet Information Services (IIS), SQL Server, or Exchange Server at this Web site.

      Note Network administrators can use the Microsoft Baseline Security Analyzer (MBSA) tool to centrally scan Windows-based computers for common security misconfigurations and generate individual security reports for each computer that it scans. MBSA runs on computers that run Windows Server 2003, Windows 2000, and Windows XP. MBSA can scan for security vulnerabilities on computers that run Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. MBSA scans for common security misconfigurations in Windows, Internet Information Services (IIS), SQL Server, Internet Explorer, and Microsoft Office. MBSA also scans for missing security updates in Windows, IIS, SQL Server, Internet Explorer, Windows Media Player, Exchange Server, and Exchange 2000 Server.

      For additional information about MBSA, see the following Microsoft Web site:
    4. If you are running Microsoft Outlook before version 2002, make sure that the Microsoft Outlook E-mail Security Update is installed:
    5. If you are running Outlook Express, use caution when you open e-mail attachments.
      • By default, Outlook Express 6 SP1 blocks access to attachments.
      • Earlier versions of Outlook Express (pre-Outlook Express 6) do not contain attachment-blocking functionality. Use extreme caution when you open unsolicited e-mail messages with attachments.
    6. Disable Active Scripting in Outlook and Outlook Express.

      Note By default, Active Scripting is disabled in Outlook Express 6 and Outlook 2002 and later. For additional information about how to disable active scripting in Outlook Express, click the following article number to view the article in the Microsoft Knowledge Base:

      192846 How to disable active scripting in Outlook Express

      For additional information about how to disable active scripting in Outlook 2000, click the following article number to view the article in the Microsoft Knowledge Base:

      215774 Scripts embedded in HTML messages run without warning

      For additional information about virus protection features in Outlook Express, click the following article number to view the article in the Microsoft Knowledge Base:

      291387 Using virus protection features in Outlook Express 6

  3. Use current antivirus software.
    Microsoft does not provide software that can detect or remove computer viruses. If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. For additional information about antivirus software vendors, click the following article number to view the article in the Microsoft Knowledge Base:

    49500 List of antivirus software vendors

    Antivirus software helps protect your computer against most viruses, worms, trojans, and other malicious programs. Many computers come with antivirus software installed. You can also purchase antivirus software and install it yourself. You must also keep your antivirus software up to date.

    Notes
    • If you do not have an antivirus program installed, Trend Micro, Inc. offers a free online virus scanning service at the following Trend Micro Web site:
    • If your antivirus program has stopped working, reinstall it.
    • Obtain the latest virus signature file from your antivirus vendor's Web site. Antivirus vendors issue updates as inoculants against each new virus.
    • After a virus has been removed, scan your computer again to make sure that the virus has been removed. Schedule your antivirus program to check your system while you sleep.
    • You may have to format your computer's hard disk and reinstall Windows and all your computer programs if one or more of the following conditions are true:
      • Your antivirus software displays a message that it cannot fix or remove the virus.
      • The virus damaged or deleted some of the important files on your computer. This may be the case if Windows or some of the programs do not start, or if they start with error messages that indicate that you have damaged or missing files.
      • The symptoms that are described in this article persist even after you clean your workstation and you are sure the problems are caused by a virus.

Antivirus Information
http://www.microsoft.com/security/antivirus/default.mspx

Virus Protection Strategies for IT Professionals
http://www.microsoft.com/technet/security/topics/virus/default.mspx

Microsoft Product Support Security Response Team Virus Alerts
http://www.microsoft.com/technet/security/alerts/default.mspx

324731 Support WebCast: Microsoft Windows XP: Internet Connection Firewall


Modification Type: Major
Last Reviewed: 10/11/2006