Do You Have a Virus?
(by David Stang)


Determining if a machine is infected with a virus is one of the most difficult tasks facing a computer user. This expert system will help you decide.




Question: Did your scanner say you had a virus?

Yes
No, it found no virus
I did not scan


Comments

Yes: Scanners sometimes false alarm...

No: Then you must have some other reason for thinking that you have a virus. The symptoms of a virus are sometimes similar to other symptoms, so we will have some work to do here.

I did not scan: Scanning would be a good idea. It is probably the single best way of determining whether you have a virus.



No, Your Scanner Found No Virus

If you scanned with a good, recently updated scanner, and found no virus, you may not have one. Scanners detect a large percentage of those viruses you are most likely to get.

However, scanners do not detect all viruses. We recently tested one "good" scanner against our collection of 55,000 virus samples, and found 5,500 that it did not detect. One of those viruses might be in your machine. You will have to use other clues to determine if you have a virus, or get another scanner.

See the section "You Did Not Scan, or Your Scanner Did Not Find a Virus, But You Believe You Have a Virus" below for what to do next.



Yes, your scanner said you had a virus. Where was the virus located?

Memory
Boot Area
File
Memory and Boot Area
Memory and File
Boot Area and File
Memory, Boot Area, and File
Don't Know



Your scanner found a virus in Memory only.

You DO have a virus if all three of the following hold (each is explained in its own "More info" section below):

  1. This virus is a stealth virus (such as Monkey), which would explain why it was seen in memory but not on the drive.
  2. You did not run two different scanners since booting this computer (otherwise the "virus" may be the first scanner's scan strings left in memory).
  3. You did not recently copy a virus-infected file from one place to another in your computer (otherwise the "virus" may be a harmless copy of that file's bytes left in memory).



More info: You did not recently copy a virus-infected file from one place to another in your computer.

When a file is copied from one drive location to another, it passes through memory. The copy command leaves a useless copy of the file in memory, to be overwritten by the next process that requires this memory. If you copy a file that is infected from one place to another, then scan memory, your scanner may find the virus in memory.

This is not a false alarm, since the bytes really are there, but it is certainly a misdiagnosis. The copy of the file that is in memory cannot be accessed, much less executed. Your machine is NOT infected by merely copying an infected file.



More info: You did not run two different scanners since booting this computer

If you run scanner 1, then scan memory with scanner 2, scanner 2 will sometimes find a scan string in memory left behind by scanner 1, and report the virus name that matches that scan string. This is a false alarm.

How it Works

  1. When a scanner runs, it reads its scan strings from a file and places them in memory. One or more of its strings were likely taken from a published source (such as Virus Bulletin), and so are widely used by other vendors who also take strings from such sources. (Nearly every vendor will use published strings when they cannot obtain a specimen of the virus, because they want their products to detect the virus!)
  2. Scanner 1 exits, not clearing memory. Its strings remain until overwritten by the next program.
  3. Scanner 2 now runs, and tries matching its stored strings with what it can see in memory. It finds a match, and as implausible as this is, yells for help.

Should scanners false alarm this way?

No.

The problem would be prevented if scanner 1 cleared memory when it exited, removing its scan strings from memory. The problem would also be prevented if scanner 2 used a little good judgment, and recognized the folly of reporting a scan string found in a location where that virus could not be. Resident viruses are found at the bottom of conventional memory (they "load low") or at the top (they "load high"), and never smack in the middle, where the scan strings of an ordinary program will normally be located. The virus in question almost certainly could not be located in memory where it is reported: a virus that loads low will never be found in the middle or top of conventional memory, and a virus that loads high (just below 640K) will never be found low.

Good scanners do not leave strings in memory, so they can always be run before a second scanner. They look for virus scan strings in memory in a position-sensitive way, so they are unlikely to mistake a previously-run scanner for a virus. Seven Locks Software's MEMSCAN doesn't even use scan strings, but rather uses the same "are you there" calls that the virus itself answers, so it will not false alarm on some other product's scan strings.

Testing this Hypothesis

Deciding if you have a false alarm from this condition is simple: record the name of the virus found, boot clean (from uninfected floppy), and run the second scanner again, against the entire drive. If you have a real virus, you will find the same virus on the drive that you recently found in memory. If no such virus is found on the drive, you have found a false alarm, instead.

You can try a second test of the hypothesis that this is a false alarm: Reboot from your hard disk, and scan memory with scanner 2 before running scanner 1. It should find nothing if you have a false alarm on scanner 1's scan string residue. Now run scanner 1, followed by scanner 2. Scanner 2 should now false alarm on that same virus in memory.
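The residue false alarm and the position-sensitive check that avoids it, as an added example that is not part of the original page. It is a toy model: the 640 KB "conventional memory" image, the two scan strings, the load regions and the addresses are all constructed for illustration, and the strings are not real virus signatures.

```python
"""Toy model of the scan-string residue false alarm described above.

Scanner 1 loads its signature table into its own data area in the middle of
conventional memory and exits without clearing it. A naive scanner 2 then
matches those bytes; a position-aware scanner 2 ignores a match that sits
where the named virus could never load.
"""

CONVENTIONAL_MEMORY = 640 * 1024          # 655,360 bytes, as CHKDSK reports it
LOW_REGION = 64 * 1024                    # toy: "loads low" means the first 64 KB
HIGH_REGION = CONVENTIONAL_MEMORY - 64 * 1024  # toy: "loads high" means the last 64 KB

# Constructed scan strings (NOT real signatures) and the way each virus loads.
SIGNATURES = {
    "Stoned-toy": (bytes.fromhex("EA0500C007E9"), "high"),
    "Jerusalem-toy": (bytes.fromhex("FC2EA05600"), "low"),
}


def fresh_memory() -> bytearray:
    """Conventional memory right after a clean boot (all zero in this model)."""
    return bytearray(CONVENTIONAL_MEMORY)


def run_scanner_1(mem: bytearray) -> int:
    """Scanner 1 reads its strings into a mid-memory data area and exits
    without wiping them. Returns the address where the residue was left."""
    table_addr = 300 * 1024                      # squarely in the middle of memory
    blob = b"".join(sig for sig, _ in SIGNATURES.values())
    mem[table_addr:table_addr + len(blob)] = blob
    return table_addr


def naive_memory_scan(mem: bytearray) -> list:
    """Scanner 2, naive version: any match anywhere in memory is a 'virus'."""
    hits = []
    for name, (sig, _) in SIGNATURES.items():
        off = mem.find(sig)
        if off != -1:
            hits.append((name, off))
    return hits


def plausible_region(load_style: str, offset: int) -> bool:
    """Could a virus with this load style really be at this address?"""
    if load_style == "low":
        return offset < LOW_REGION
    return offset >= HIGH_REGION


def position_aware_memory_scan(mem: bytearray) -> list:
    """Scanner 2, position-sensitive version: a match only counts if the
    address is one where the named virus actually loads."""
    hits = []
    for name, (sig, style) in SIGNATURES.items():
        start = 0
        while (off := mem.find(sig, start)) != -1:
            if plausible_region(style, off):
                hits.append((name, off))
            start = off + 1
    return hits


def infect_high(mem: bytearray, name: str) -> int:
    """Model a real high-loading boot virus taking the top 2 KB of memory."""
    sig, _ = SIGNATURES[name]
    addr = CONVENTIONAL_MEMORY - 2 * 1024
    mem[addr:addr + len(sig)] = sig
    return addr


if __name__ == "__main__":
    mem = fresh_memory()
    run_scanner_1(mem)
    print("naive scanner 2 after scanner 1:", naive_memory_scan(mem))
    print("position-aware scanner 2:", position_aware_memory_scan(mem))
    addr = infect_high(mem, "Stoned-toy")
    print("position-aware scanner 2 with a real high-loading virus:",
          position_aware_memory_scan(mem), "expected at", addr)
```

The naive scanner reports both toy viruses at the address of scanner 1's table; the position-aware scanner reports nothing until a signature actually appears in the top of memory, which is exactly the distinction the text draws between the two kinds of product.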



More info: You found a stealth virus (such as Monkey) in Memory

A stealth boot virus is like any other boot virus, except for one interesting characteristic: when you (or some software) ask the computer to read a sector in which the virus is located, the virus "redirects" the read so that the software instead sees the original (uninfected) sector, which the virus stashed elsewhere on the disk when it infected the machine. Your anti-virus software believes it is examining the master boot record, but it is actually examining the displaced, clean copy. It doesn't find any problem, and moves on in its search for the virus.

A stealth boot virus can be easily seen by anti-virus software if the virus is not active in memory (if you have booted clean), or if you can disable the copy of the virus that is in memory. But such software usually has trouble finding a stealth boot virus in your boot area if the virus is active in memory. So a report of a virus in memory, with no other copy on your drive, can be because the virus is stealth.
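A toy model of that redirection, added here as an example and not taken from the original page. The disk, the marker bytes that stand in for the virus, the sector used as the hiding place and the XOR "encryption" are all constructed; the point is only to show why the same scanner sees the infection after a clean boot and misses it when the virus is resident.

```python
"""Toy model of a stealth boot virus hooking disk reads.

Reads of the master boot record that go through the resident virus are
redirected to the saved original, so a signature scanner sees a clean MBR.
A clean boot bypasses the hook and the same scanner sees the infection.
The optional 'encrypt' mode models a Monkey-style virus that also scrambles
the on-disk MBR, which is why DIR C: fails after a clean boot.
"""

SECTOR = 512
MBR = 0
HIDING_PLACE = 7                # constructed: sector where the original MBR is stashed
VIRUS_MARKER = b"TOYBOOTVIRUS"  # constructed stand-in for the virus code, not a real signature
TOY_XOR_KEY = 0x2E              # constructed key for the 'encrypt' variant


class Disk:
    def __init__(self, nsectors: int = 16):
        self.sectors = [bytearray(SECTOR) for _ in range(nsectors)]
        clean = bytearray(SECTOR)                 # constructed clean MBR
        clean[0:3] = b"\xEB\x3C\x90"              # jmp over the data area
        clean[0x1BE:0x1BE + 4] = b"\x80\x01\x01\x00"  # first partition entry, bootable
        clean[510:512] = b"\x55\xAA"              # boot signature
        self.sectors[MBR] = clean

    def raw_read(self, n: int) -> bytes:
        """What the BIOS returns when no virus is resident (a clean boot)."""
        return bytes(self.sectors[n])

    def raw_write(self, n: int, data: bytes) -> None:
        self.sectors[n] = bytearray(data)


def infect_stealth_boot(disk: Disk, encrypt: bool = False) -> None:
    """Save the original MBR, then overwrite the boot code with the virus."""
    original = disk.raw_read(MBR)
    disk.raw_write(HIDING_PLACE, original)
    infected = bytearray(original)
    infected[0:len(VIRUS_MARKER)] = VIRUS_MARKER  # boot code replaced, partition table kept
    if encrypt:                                   # Monkey-style: partition table scrambled too
        infected = bytearray(b ^ TOY_XOR_KEY for b in infected)
    disk.raw_write(MBR, infected)


class ResidentStealthVirus:
    """The virus as loaded from an infected hard disk: it sits in high memory
    and hooks every disk read so that the MBR always looks clean."""

    def __init__(self, disk: Disk, memory_size: int = 640 * 1024):
        self.disk = disk
        self.memory = bytearray(memory_size)
        top = memory_size - 2 * 1024              # toy: it took the top 2 KB
        self.memory[top:top + len(VIRUS_MARKER)] = VIRUS_MARKER

    def read(self, n: int) -> bytes:
        if n == MBR:
            return self.disk.raw_read(HIDING_PLACE)   # the redirect
        return self.disk.raw_read(n)


def scan_boot_area(read) -> bool:
    """A scanner that asks 'the BIOS' for sector 0 and looks for the marker."""
    return VIRUS_MARKER in read(MBR)


def scan_memory(memory: bytes) -> bool:
    return VIRUS_MARKER in memory


def partition_table_readable(read) -> bool:
    """Roughly what DOS checks before it will mount C: after a clean boot."""
    mbr = read(MBR)
    return mbr[510:512] == b"\x55\xAA" and mbr[0x1BE] in (0x00, 0x80)


if __name__ == "__main__":
    disk = Disk()
    infect_stealth_boot(disk)
    resident = ResidentStealthVirus(disk)
    print("booted from hard disk: memory", scan_memory(resident.memory),
          "boot area", scan_boot_area(resident.read))
    print("booted clean from floppy: boot area", scan_boot_area(disk.raw_read))
```

With the virus resident the scanner reports memory only, because the boot-area read is answered from the hidden clean copy; after a clean boot the same scanner finds it in the boot area. In the `encrypt` variant the clean-boot view of the partition table is garbage, which is the "invalid drive specification" clue mentioned later on this page.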



Your scanner found a virus in the Boot Area only.

You likely DO have a virus if both of the following hold:

  1. You have not recently added any software which permits you to do "multi-boot". Such software rewrites the master boot record, and some scanners will alarm on the unfamiliar boot code.
  2. You have scanned this machine with this scanner previously and it did not find a virus in the boot area. A false alarm on the same boot code would have been reported then, too.



Your Scanner Found a Virus in Both Memory and the Boot Area

You DO have a virus.

Your scanner might not happen to give the same name to what it found in memory and what it found in the boot area. If this is the case, it is because one developer, using one set of naming rules, worked out the memory detection, while another, using another set of rules, worked out the boot sector detection. Both names will help you triangulate on what you really have.

Because your product was able to see this boot virus in the boot area, even while it was active in memory, we can be confident that this is not a "stealth" boot virus. That will make removal easier.



Your Scanner Found a Virus in Both Memory and One or More Files

You DO have a virus. It is a resident, non-stealth file virus.

Your scanner might not happen to give the same name to what it found in memory and what it found in your files. If this is the case, it is because one developer, using one set of naming rules, worked out the memory detection, while another, using another set of rules, worked out the file detection. Both names will help you triangulate on what you really have.

Because your product was able to see this file virus in files, even while it was active in memory, we can be confident that this is not a "stealth" file virus. That will make removal easier.



Your Scanner Found a Virus in Both the Boot Area and One or More Files, but Not Memory

You DO have a virus. It is a "multi-partite" virus (infecting two parts: boot areas and files)

Your scanner might not happen to give the same name to what it found in the boot area and what it found in your files. If this is the case, it is because one developer, using one set of naming rules, worked out the boot virus detection, while another, using another set of rules, worked out the file detection. Both names will help you triangulate on what you really have.

Because your product was able to see this virus in files and the boot area, but did not find it in memory, it is either not active, or you elected to bypass a memory scan. If you booted from the infected drive and the virus was still visible, it is not a stealth virus. That will make removal easier. Also, multi-partite viruses tend not to be "polymorphic", so cleaning your files with your anti-virus software is more likely to succeed.

If you can see the virus in the boot area or files when you boot from an uninfected floppy disk, but can only find it in memory when you boot from the hard disk, then it is a stealth virus. If you get "invalid drive specification" when you type DIR C: having booted from a floppy, then the virus has encrypted the master boot record, so DOS cannot read the partition table unless the virus is resident to decrypt it.



Your Scanner Found a Virus in Memory, Boot Area, and One or More Files

You DO have a virus. It is a "multi-partite" virus (infecting two parts: boot areas and files)

Your scanner might not happen to give the same name to what it found in the boot area and what it found in your files. If this is the case, it is because one developer, using one set of naming rules, worked out the boot virus detection, while another, using another set of rules, worked out the file detection. Both names will help you triangulate on what you really have.

Because your product was able to see this virus in memory, it is active. Because it is active, and you were still able to detect it in files and the boot area, it is not a stealth virus. That will make removal easier. Also, multi-partite viruses tend not to be "polymorphic", so cleaning your files with your anti-virus software is more likely to succeed.

If you get "invalid drive specification" when you type DIR C: having booted from a floppy, then the virus has encrypted the master boot record, so DOS cannot read the partition table unless the virus is resident to decrypt it.



You Did Not Scan, or Your Scanner Did Not Find a Virus, But You Believe You Have a Virus.

Finding a Virus with your Bare Hands

Checking Conventional Memory with ChkDsk
Checking Conventional Memory with Mem
If a boot virus, try infecting a floppy disk

Unraveling Symptoms

Does a program report itself to be infected?
My printer doesn't work.
My machine is displaying odd messages or making odd sounds.



If a boot virus, try infecting a floppy disk

If you think you might have a boot virus, but your scanner isn't reporting one, it might be because the virus is both new and stealth, and the scanner isn't seeing it in memory, and isn't disabling it to see it on the drive. You can double-check with this simple (and harmless) experiment:

  1. Format a floppy in a machine that your scanner reports to be uninfected. Scan it with the product that produced the alarm, to ensure that it does not produce an alarm.
  2. Boot the infected machine from its hard disk, and place the fresh floppy in A: of this machine.
  3. Access A: (by typing "A:" or "DIR A:")
  4. Remove the floppy, take it to a clean machine, and scan it again.
  5. If the scanner reports that the floppy is infected, you have a boot virus.
  6. If that scanner doesn't report a virus on this floppy, either the floppy is not infected with a boot virus, or the scanner is not analyzing the boot sector. You can examine the boot sector with utilities, such as the Norton Utilities. View side 0, cylinder 0, sector 1 (the first sector of the disk; sector numbers start at 1), and compare it with the boot sector of an uninfected floppy formatted by the same version of DOS. Do you count two and only two occurrences of "CD 13" (the INT 13h disk-service call)? Do the messages near the end of the sector ("Non-System disk or disk error" and the like) appear normal?
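The comparison in step 6, done in code rather than by eye, as an added example that is not part of the original page. The "clean" and "infected" floppy boot sectors below are constructed for the example: the BPB values are those of a 1.44 MB floppy, the boot code is a stub with two INT 13h calls and the usual messages, and the infected version has its jump retargeted, extra INT 13h calls and the messages overwritten. The "two and only two CD 13" rule is the page's heuristic for its era of DOS, not a universal fact, and the checker reports it as a difference from the reference rather than as proof of infection.

```python
import struct

BOOT_CODE_START = 0x3E   # where the boot code begins in a DOS floppy boot sector
PART_MARKER = b"\xCD\x13"  # INT 13h: BIOS disk services


def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Extract runs of printable ASCII, the 'messages' a human would read."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def parse_boot_sector(sector: bytes) -> dict:
    """Pull out the fields worth comparing between a suspect and a clean sector."""
    if len(sector) != 512:
        raise ValueError("a boot sector is 512 bytes")
    bps, spc, reserved, fats, root, total, media, spf, spt, heads = \
        struct.unpack_from("<HBHBHHBHHH", sector, 11)
    return {
        "jump": sector[0:3].hex(" "),
        "oem": sector[3:11].decode("ascii", "replace"),
        "bpb": (bps, spc, reserved, fats, root, total, media, spf, spt, heads),
        "int13_count": sector.count(PART_MARKER),
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "messages": printable_runs(sector[BOOT_CODE_START:510]),
    }


def compare_boot_sectors(suspect: bytes, reference: bytes) -> list:
    """Return the fields on which the suspect sector differs from the reference."""
    s, r = parse_boot_sector(suspect), parse_boot_sector(reference)
    return [k for k in r if s[k] != r[k]]


def make_clean_floppy_boot_sector() -> bytes:
    """Constructed clean sector: 1.44 MB BPB plus a stub with two INT 13h calls."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHBHHBHHH", sec, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    code = b"\xFA\x33\xC0\x8E\xD0" + PART_MARKER + b"\x72\x10" + PART_MARKER + b"\x73\xF8"
    sec[BOOT_CODE_START:BOOT_CODE_START + len(code)] = code
    msgs = b"\r\nNon-System disk or disk error\r\nReplace and press any key when ready\r\n"
    sec[0x180:0x180 + len(msgs)] = msgs
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def make_infected_floppy_boot_sector(clean: bytes) -> bytes:
    """Constructed toy infection: jump retargeted into virus code that makes its
    own disk calls, and the normal messages overwritten."""
    sec = bytearray(clean)
    sec[0:3] = b"\xEB\x7E\x90"                       # jump lands in the virus body now
    body = b"\xB8\x01\x02" + PART_MARKER + b"\xB8\x01\x03" + PART_MARKER + b"\xEA\x00\x7C\x00\x00"
    sec[0x80:0x80 + len(body)] = body
    sec[0x180:0x1C8] = bytes(0x1C8 - 0x180)          # messages gone
    return bytes(sec)


if __name__ == "__main__":
    clean = make_clean_floppy_boot_sector()
    infected = make_infected_floppy_boot_sector(clean)
    print("clean:", parse_boot_sector(clean)["int13_count"], "INT 13h calls,",
          parse_boot_sector(clean)["messages"])
    print("suspect differs in:", compare_boot_sectors(infected, clean))
```

A suspect floppy whose BPB matches the reference but whose jump, INT 13h count and messages do not is exactly the picture the text describes; a floppy that differs only in the OEM name or BPB was most likely formatted by a different DOS, not infected.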



Checking Conventional Memory with Mem

To find a non-stealth file virus in memory, use the command MEM /C /P. Any program that has "allocated" memory and is still holding it will be listed. If, since booting, you have run an infected non-resident program, you might see that program listed when you run MEM /C /P. You know that 1-2-3 is not a TSR, and that it has no business leaving a 2 Kb block of memory allocated after it exits. So if you see it listed here, it might be infected! Look at other machines which you believe to be virus-free, to see if they differ in this result.

A file virus will infect many files, but only the first infected file to run will put the virus in memory. So even if 1-2-3 is infected, and even if you have run it since booting, the virus might not go resident via 1-2-3 if it has already gone resident when some other infected program ran.

Not all resident viruses will show up with the MEM command. Some will not allocate memory, instead loading up at the top of memory, where they think they are safe. A program that allocates memory will not be overwritten as other programs load; a program that loads at the top of memory will rarely be overwritten. Viruses which load at the top of memory are generally craftier than those which allocate memory, and may show other "stealth" properties as well.



Checking Conventional Memory with CHKDSK

Run CHKDSK (no switches). It should report "655,360 total bytes memory". If you have a number less than this, it is because some program loaded before DOS and reduced the memory available to DOS. That program could be a boot virus. If you find a non-standard number when you boot from your hard disk, but find 655,360 total bytes memory when you boot from a floppy, you know that the problem is not related to odd hardware in your machine.

Record the number of total bytes of memory DOS thinks it has. Subtract it from 655,360 and divide the difference by 1,024 (1 Kb) to determine how many Kb you are missing. Use this information to help determine what virus it might be. Boot viruses in the Stoned family will reduce it by 2 Kb (to 653,312). Other boot virus families also make characteristic reductions.



My printer doesn't work.

Hardware, software, and user troubles continue to be confused with a virus. "My printer won't work! Is it a virus?" asks the user, when the printer's power cord is lying near the wall outlet. Sometimes distinguishing between virus and non-virus is difficult. "PARITY ERROR" can come from a machine finding itself with a bad memory chip or a virus that displays this message. "Insert Cheeseburger in disk drive" is likely a virus. Use your best skills in distinguishing between virus and non-virus, and call us if you have any doubts.



My machine is displaying odd messages or making odd sounds.

This might be a virus, or might be a "joke" program.

"Joke" programs can cause letters to drip from the screen, a flasher to popup in the middle of your word processing activity, or water to be detected in drive A:. Joke programs are not usually received with the same mirth and goodwill as was involved in their creation and installation. They are not viruses, but users frequently believe they are.



Your Scanner Found a Virus in One or More Files Only

If the virus was found in one or more files, but not in memory, it either means that the virus is not a resident virus, or is not resident at the moment.

How many files were found to be infected?

Just one file
More than one file



Your Scanner Found a Virus in Just One File

If your scanner found a virus in just one file, it is quite possible this is a false alarm. Here are some questions to ask:



Did a previous scan of this file with this version of this scanner find this virus?

If your scanner finds a virus today in a file or boot sector that it did not find it in yesterday, then you have a virus. Any false alarm should be a repeatable event, if the same switches are used and the same files or sectors are examined. So if your scanner has never alarmed when scanning, and now does when looking at previously scanned stuff, you've got a virus.



If you have copies (same date, time, size) of this one "infected" program on other machines, are they, too, reported as infected by this scanner?

If your scanner reports a virus in "ABC.COM" on one machine, but not in "ABC.COM" on other machines, then it may be telling the truth. If the scanner is false alarming, then it is finding a match between one of its scan strings and the code in some part of the file. The scanner should give the same false alarm on every copy of this file that is the same version. But if two copies of ABC.COM version 1.234 are examined, and only one contains the virus, your scanner is likely on to something. Check the size of the two files after a clean boot: the infected one will either be larger (a "parasitic" virus) or it won't run properly (an overwriting virus).



What is the opinion of a second scanner you trust?

If two scanners agree that some file is infected with something, it likely is. Scanners are sometimes wrong. Many scanners miss more viruses than they detect. Most can't catch all copies of any of the world's 250+ polymorphics. None seem to agree on what a virus should be named. So if you can find two of these uncooperative weapons that agree that file "X" is infected, believe it.

Of course, two scanners can be wrong. Even when they agree on a name. One explanation is the Virus Bulletin virus: Virus Bulletin publishes a scan string for virus XYZ. Neither vendor has a copy of this virus, so they both use the Virus Bulletin scan string, and name anything that matches "XYZ." Both products find their way to your machine, where they both detect the scan string in some odd place, and pronounce that file infected. Both, in such a case, might be wrong. Two wrongs don't make a right.



Is the "infected" program larger in this machine than in other machines?

If the suspect file on this machine is larger than on other machines, and you are not running any anti-virus software that adds protection to files, then it is quite possibly infected. Viruses add code to programs, and code takes bytes. Our smallest virus is about 30 bytes, our largest around 15 Kb. But the average virus adds 1,140 bytes or so to a file - about 1 Kb. You will need to get out your notepad to record such subtle differences between infected and uninfected, but unless the virus "stealths" its size, you'll be able to see which are infected by comparing the sizes of infected and uninfected files. Even a stealth virus can be caught this way if it is not resident, which you can force by booting clean.



Did your scanner name the virus precisely, or indicate it was a "new variant" or use some generic name, such as "GenB" or "Jerusalem Family"?

The less precise your scanner is in naming, the more it proves to be guessing, based on partial information. For instance, suppose a scanner is looking for two scan strings in order to identify a virus: string A and string B. Suppose it finds A only. The scanner is likely to report "[name of family defined by scan string A] family" or "[name of family defined by scan string A] related" or "new variant of [name of family defined by scan string A]". But considering the length of scan string A, this presumption is a bit risky. Your odds of a false alarm are higher when your scanner doesn't make a positive, exact identification.



Did your scanner identify a reasonably common virus or something exotic?

Scanners sometimes false alarm on polymorphic viruses or new, rare viruses. But they rarely false alarm on common viruses. Scanners which follow the jumps within a file produce few false alarms because they use position information for their scan strings, not just the strings themselves. The chance of the string "ABCDEFGHIJ" being somewhere in a file is non-zero. But the chance of finding it in a pre-defined location - at the end of a series of jumps - is essentially zero. On the other hand, a scanner using a "heuristics" or "analyze" switch is quite likely to false alarm. Many programs contain code that is virus-like.



Did your late-model, trustworthy scanner identify the infection as "possible" or the virus as "damaged", when it normally doesn't use this qualifier?

It is likely a false alarm if your late-model, trustworthy scanner identifies it only as a "possible" virus, and only in one file. If the scanner you trust doesn't have the nerve to assert that it has found a virus, but rather whimpers that there might be something here, the chances are there is nothing here.

If the scanner refers to this single file as containing a "damaged" virus, it means that the scanner has found part of one of its short scan strings. Part of a 10-byte scan string is not enough for you to base career decisions on. Get a second opinion, from another scanner you trust even more or from a virus expert. And consider the other factors suggested here in reaching your conclusion.



Does the "infected" file report itself to be infected?

This might be a false alarm caused by one scanner adding checksum or inoculation information to a file, and that file, when run, detecting this unwanted modification. Many anti-virus products write some code to files to "inoculate" the file. Inoculation is the process of scanning the file for viruses using scan strings, then adding to the file its checksum, or a checksum for the top and perhaps bottom bytes of the file. On the second pass, the scanner becomes a checksummer, comparing the current checksum with that stored in the file. This process can be very fast, and so products such as Central Point AntiVirus, IBM's Anti-Virus Software Product, and Norton AntiVirus turn out to be checksummers in normal use, scanning only those files that haven't been checksummed.



Is the Infected File Named COMMAND.COM?

Vendors may not test their scanners on every program in the world, but they surely have had a chance to test it against COMMAND.COM. Since over 1,900 viruses infect COMMAND.COM, an alarm here is likely meaningful.

But why only COMMAND.COM? Perhaps you just got infected (many viruses will infect COMMAND.COM first, and not infect other files until you reboot.) Perhaps this is a "multi-partite" virus which infects the boot area and COMMAND.COM only. Perhaps other files are infected, too, but the virus in memory protects them from being seen as infected by your scanner. Frankly, having only COMMAND.COM infected is an odd condition!



Is the "infected" file a swap file, TXT file, .DAT file, .DBF file, or other non-program/non-document file?

It is a false alarm if your scanner finds the virus in a swap file, TXT file, .DAT file, .DBF file, or some other data file only. A virus can add its code to anything it can reach, which means that your jelly donut is safe, your data files and documents and spreadsheets are not. But since your operating system has no idea on how to run (load and execute instructions in) data files, it won't be able to run a virus that is in them. If there is virus code in your Notepad document, then you will be able to see it when you open the file with Notepad.

You have no chance of finding a virus in a data file unless you tell the product to scan "all files". In such a case, a scanner that follows jumps in files may still not false alarm, because the data file just doesn't have such an organization. However, there are many scanners on the market that just grab a big gob of a file and with brute force look for the set of scan strings in the gob. The results can be silly, embarrassing, or terrifying, but they are most often wrong. One California vendor lost a fortune on a case involving such a false alarm.
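The two ideas from the sections above, exact-versus-family naming and jump-following versus "grab a gob and look", as one added example that is not part of the original page. The COM program, the appending toy virus, its "variant", the data file and both scan strings are constructed for the example; the strings are plausible-looking x86 byte sequences, not real virus signatures.

```python
import struct

# Constructed scan strings for a toy COM infector, NOT real signatures.
SIG_A = bytes.fromhex("B44ACD21")      # string A: 'mov ah,4Ah / int 21h'
SIG_B = bytes.fromhex("B8003DCD21")    # string B: 'mov ax,3D00h / int 21h'
B_OFFSET = 16                          # where B sits relative to A in the toy virus body
VIRUS_NAME = "XYZ-toy"


def toy_virus_body(variant: bool = False) -> bytes:
    """Toy appended body: A at the entry point, B a fixed distance later.
    The 'variant' keeps string A but has changed the code where B would be."""
    body = bytearray(48)
    body[0:len(SIG_A)] = SIG_A
    body[B_OFFSET:B_OFFSET + len(SIG_B)] = bytes(5) if variant else SIG_B
    return bytes(body)


def infect_com(program: bytes, variant: bool = False) -> bytes:
    """Parasitic COM infection: append the body, patch a JMP to it at offset 0.
    A COM file loads at 0x100, so a file offset equals the IP offset minus 0x100
    and the JMP rel16 is simply target_offset - 3."""
    target = len(program)
    patched = b"\xE9" + struct.pack("<h", target - 3) + program[3:]
    return patched + toy_virus_body(variant)


def scan_follow_jumps(data: bytes):
    """Jump-following scanner: find the real entry point, then look for A there
    and B at its fixed distance. Returns (name, confidence) or None."""
    entry = 0
    if data[:1] == b"\xE9" and len(data) >= 3:
        entry = 3 + struct.unpack_from("<h", data, 1)[0]
        if not 0 <= entry < len(data):
            return None                 # jump leaves the file: not our virus
    if data[entry:entry + len(SIG_A)] != SIG_A:
        return None
    b_at = entry + B_OFFSET
    if data[b_at:b_at + len(SIG_B)] == SIG_B:
        return (VIRUS_NAME, "exact")
    return (VIRUS_NAME + " family", "family")


def scan_brute_force(data: bytes):
    """'Grab a gob' scanner: a match anywhere in the file counts."""
    has_a, has_b = SIG_A in data, SIG_B in data
    if has_a and has_b:
        return (VIRUS_NAME, "exact")
    if has_a:
        return (VIRUS_NAME + " family", "family")
    return None


# Constructed inputs.
CLEAN_COM = b"\xB4\x09\xBA\x0E\x01\xCD\x21\xB8\x00\x4C\xCD\x21" + b"Hello$" + bytes(20)
INFECTED_COM = infect_com(CLEAN_COM)
VARIANT_COM = infect_com(CLEAN_COM, variant=True)
# A data file that happens to contain the bytes of string A in the middle.
DATA_FILE = b"Name,Amount\r\nSmith,120\r\n" + SIG_A + b"\r\nJones,95\r\n"


if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_COM), ("infected", INFECTED_COM),
                        ("variant", VARIANT_COM), ("data file", DATA_FILE)]:
        print(f"{label:9s} follow-jumps={scan_follow_jumps(blob)}  brute={scan_brute_force(blob)}")
```

Both scanners agree on the clean and infected programs, and both downgrade the variant to a "family" report because only string A is present; the data file is where they part company, since the brute-force scanner alarms on bytes at an arbitrary offset while the jump follower never looks there.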



Do You Use this File All the Time?

If you find a virus in only one file, and you use this program all the time, then it either was infected since your last use, or it is not infected.

If you use it all the time, the "virus" has had lots of time to make more copies of itself. If it has failed to do this, it has failed to meet the definition of a virus - code which makes functionally identical copies of itself without user permission. If it isn't a virus, we don't need to worry.



Your Scanner Found a Virus in More than One File

If your scanner found a virus of the same name in more than one file, you almost certainly DO HAVE a virus.

Viruses are rarely loners. They like company in the machine, and make their own friends. If you find just one file infected with some exotic polymorphic, and you run this file repeatedly, you either have a false alarm or a virus that doesn't want to come out and play - most likely a false alarm. On the other hand, if 10 files are found to contain the XYZ virus, then at least 10 files are infected with this virus.

False alarms are sufficiently rare that you are unlikely to have more than one false alarm per scan. Finding a virus in two or more files likely means that the virus spread from one of these files to the other(s). If you have only a few infected files, and you can determine which of these files you most recently acquired, it may be that this file is the source of the virus.

If you can establish where the virus came from, you will want to contact the source and tell them what you've learned. They may be unaware of the infection.

By looking at how many files are infected, and which of these was least recently run, you may be able to guess about how long you have been infected. Any user you have shared any of these files with is likely to be infected.