
Unfortunately, it's extremely difficult for an average user to tell if a hack is in progress. I'll touch on a few clues to look for, and discuss prevention, which is the best defense you have.

How can I tell if my computer is being hacked?

You can't.

Oh, there are some clues which you might look for, and I'll review a few of those, but ultimately, there's no way for the average computer user to know with absolute certainty that a hacker's not in the process of weaseling in, or that they haven't already.

Perhaps now you understand why I talk so much about prevention.

And I'll talk about it some more.

What is a Hack, Anyway?

I'll start by pointing out that there's no real definition of "hacked" to work from. We tend to think of it as someone gaining unauthorized access to your information, which is a fine, albeit general, definition. Unfortunately, it's not nearly enough to go on for the more rigorous definition we'd need to answer questions like "What does it look like?" and "What do we look for?"

Heck, someone walking up to your computer and logging in as you because they know your password is a "hack", but there would be no malware or software trace left - other than perhaps something in the browser history.

Contrast that with external network attacks where someone remotely tries to penetrate the software or hardware that's protecting your computer from external access. While it's more likely to leave clues, it's not always guaranteed to be obvious, especially if you often access your computer yourself remotely.

Right away, you can see that things get complex.

Hackers Don't Always Leave Clues

The sad fact is that a sufficiently talented hacker might not leave any clues that you can easily find. This is one of the concepts that makes "rootkits" different from more traditional malware, like spyware or viruses: a rootkit alters the system itself, so that the normal ways of listing files or processes, for example, will not show them.

It takes special tools.

The same is true for just about any aspect of hacking: event logs can be emptied, file date and time stamps can be set to arbitrary values, files can be renamed or hidden, and malicious code can be made to run inside a legitimate process, or simply to look like a legitimate process itself.

So, what can you do?

First, Protect Yourself

This is where I repeat the standard litany of "stay safe" advice:

  • Use a firewall.

  • Use anti-malware tools - both anti-virus and anti-spyware.

  • Keep your software as up-to-date as possible.

  • If it's a mobile machine, secure its internet connection.

  • Get educated about things like phishing scams, the dangers of email attachments, and just generally safe internet behavior.

I expand on these in what I often refer to as my most important article: Internet Safety: How do I keep my computer safe on the internet?, and I have recommendations for the tools to consider in this article: What Security Software do you recommend?

Prevention is far more effective than any attempt to detect a malicious intrusion, either during or after the event.

Clues To Look For

If you suspect that you have been hacked, the first thing to do is to run scans with your anti-malware tools. Make sure that they're up-to-date and that their databases are up-to-date as well, and then run full scans of your entire hard disk.

After that, things get fairly techie - which is why I said earlier that it's difficult (if not impossible) for the average computer user to determine what's happening.

I'll throw out some ideas, but don't feel bad if they're beyond you - this is tough stuff.

Because most malware these days is all about either communicating back over the internet or sending spam, the first thing that I would look at would be the internet activity happening on the machine. Look for processes that you don't recognize sending data to internet end points which you also don't recognize. Don't assume that they're evil without then researching them, but that's a place to start.

I'd use the same strategy for excessive disk activity as well.

It's worth looking at what's running on your machine as well - once again, looking for processes that you don't expect and then researching them.
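The two checks above, internet activity and running processes, are more useful when joined on the process ID, so that each connection can be matched to the program that owns it. What follows is an added example, not code from the article: it parses constructed sample output in the format of the Windows `netstat -ano` and `tasklist` commands, pairs each connection with its owning process, and reports connections to non-local addresses from processes that are not on a small allowlist. The allowlist, the sample lines, and the choice of which address ranges count as "local" are this example's assumptions.

```python
"""Join `netstat -ano` and `tasklist` output and flag unexpected internet talkers.

Added example, not code from the article. Both inputs below are constructed
samples in the format the Windows tools print; nothing here is captured from
a real host. The allowlist of processes expected to use the internet and the
definition of "local" address ranges are assumptions for the example.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49321     93.184.216.34:443      ESTABLISHED     4120
  TCP    192.168.1.10:49322     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49500     198.51.100.77:6667     ESTABLISHED     5212
  UDP    0.0.0.0:5353           *:*                                    1788
"""

# Constructed sample of `tasklist` output. PID 5212 calls itself svchost.exe
# but runs in the interactive session and talks to an outside host on 6667.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         88 K
svchost.exe                   1788 Services                   0     12,304 K
firefox.exe                   4120 Console                    1    312,540 K
svchost.exe                   5212 Console                    1      4,120 K
"""

Conn = namedtuple("Conn", "proto local remote state pid")

# UDP rows have no State column, hence the optional group before the PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Address ranges treated as "local" here: RFC 1918, loopback, link-local, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Processes this (hypothetical) user expects to reach the internet.
EXPECTED_NETWORK_PROCESSES = {"firefox.exe", "System"}


def parse_netstat(text):
    """Return a Conn for every TCP/UDP row in netstat -ano output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name; header and separator rows fail the PID match."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def remote_ip(addr):
    """Strip ':port' from 'ip:port' or '[v6]:port'; None for '*:*' listeners."""
    host = addr.rpartition(":")[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def suspicious_connections(netstat_text, tasklist_text,
                           allow=EXPECTED_NETWORK_PROCESSES):
    """Connections to non-local addresses owned by processes not on the allowlist.

    Each finding is (image name, pid, remote address, state). A PID that owns a
    connection but is missing from tasklist is reported too, since a process
    that netstat sees and tasklist does not is itself worth a look. A hit is
    a lead to research, not proof of compromise.
    """
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        ip = remote_ip(c.remote)
        if ip is None or is_local(ip):
            continue
        name = procs.get(c.pid, "<no such PID>")
        if name not in allow:
            findings.append((name, c.pid, c.remote, c.state))
    return findings


if __name__ == "__main__":
    for finding in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("research this:", finding)
```

On a live machine you would feed it the real output (`netstat -ano > net.txt` and `tasklist > tasks.txt`) and, as the article says, research each hit before calling it malicious; a legitimate software updater trips this check just as easily as something hostile. The output of both tools is also only as trustworthy as the system producing it, which is exactly the rootkit problem described above.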

If you're feeling particularly adventuresome (and you aren't the type to panic easily), then have a peek at the event viewer. The reason that I admonish the easily panicked not to look here is that there will be errors ... lots of them, in fact. That's normal, and that's because, to put it bluntly, the event log is a mess; occasionally, however, there can be clues in that mess. Exactly which clues are there is impossible to predict (remember, I said this was hard), but sometimes, they're helpful.
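One way to look in the event log without drowning in the routine errors is to go in with a short list of specific events in mind rather than trying to make sense of the noise. The following is an added example, not the article's code: it reads a constructed CSV export of event records and reports only a handful of event IDs (cleared logs, a newly installed service, a new user account, a Remote Desktop logon), dropping every Error and Warning row unread. The records are invented, and the list of IDs and the reasons attached to them are this example's own choice.

```python
"""Pull a handful of tell-tale records out of a noisy Windows event log export.

Added example, not the article's code. The CSV below is a constructed export
with the columns Log,EventID,TimeCreated,Level,Source,Message; the records are
invented. The short list of event IDs treated as interesting, and the reasons
attached to them, are this example's own choices.
"""
import csv
import io
import re

# Constructed sample export. The Error rows are the kind of routine noise the
# article warns about; the 02:13-02:20 rows are the ones worth noticing.
EVENTS_CSV = """\
Log,EventID,TimeCreated,Level,Source,Message
System,7036,2011-04-30T08:00:01,Information,Service Control Manager,The Windows Update service entered the running state.
Application,1000,2011-04-30T08:05:12,Error,Application Error,Faulting application name: iexplore.exe
System,10016,2011-04-30T08:06:00,Error,DistributedCOM,The application-specific permission settings do not grant Local Activation permission
Security,4624,2011-04-30T02:13:45,Information,Microsoft-Windows-Security-Auditing,An account was successfully logged on. Logon Type: 10 Account Name: leo
System,7045,2011-04-30T02:14:02,Information,Service Control Manager,A service was installed in the system. Service Name: WinHelpSvc Service File Name: C:\\Users\\Public\\wh.exe
Security,4720,2011-04-30T02:15:30,Information,Microsoft-Windows-Security-Auditing,A user account was created. New Account: support$
Security,1102,2011-04-30T02:20:00,Information,Microsoft-Windows-Security-Auditing,The audit log was cleared.
System,104,2011-04-30T02:20:05,Information,Microsoft-Windows-Eventlog,The System log file was cleared.
"""

# (log, event id) -> why it deserves a second look. Security 4624 is reported
# only when the logon type is 10 (Remote Desktop), since interactive and
# service logons generate thousands of ordinary 4624s.
INTERESTING = {
    ("Security", 1102): "audit (Security) log was cleared",
    ("System", 104): "System log was cleared",
    ("System", 7045): "new service installed",
    ("Security", 4720): "new user account created",
    ("Security", 4624): "Remote Desktop logon",
}
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
RDP_LOGON_TYPE = "10"


def triage(csv_text, interesting=INTERESTING):
    """Return (time, log, event id, reason, message) for matching records, by time.

    Everything not in `interesting`, including all Error and Warning rows, is
    dropped without being read; the point is to look for a few specific
    events rather than to make sense of the errors.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Log"], int(row["EventID"]))
        if key not in interesting:
            continue
        if key == ("Security", 4624):
            m = LOGON_TYPE_RE.search(row["Message"])
            if not m or m.group(1) != RDP_LOGON_TYPE:
                continue
        findings.append((row["TimeCreated"], row["Log"], key[1],
                         interesting[key], row["Message"]))
    return sorted(findings)


def logs_cleared(findings):
    """Names of logs whose clearing was itself recorded (1102 / 104).

    A cleared log means whatever happened before that time is gone, so
    silence in that log proves nothing.
    """
    return sorted({f[1] for f in findings if f[2] in (1102, 104)})


if __name__ == "__main__":
    hits = triage(EVENTS_CSV)
    for t, log, eid, reason, msg in hits:
        print(f"{t} {log}/{eid}: {reason} :: {msg}")
    print("cleared logs:", logs_cleared(hits))
```

On a real machine you would export the logs from Event Viewer (or with `wevtutil`) and adjust the list to your own setup: if you really do use Remote Desktop to reach your own computer, your own logons will show up here, and the point is to spot the ones you don't recognize.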

If You Suspect You Have Been Or Are Being Hacked

If you don't feel that you can trust your computer, then stop using it.

At least, stop using it until you can get to some reasonable level of confidence that all is as it should be, and that your next foray out to your online banking site won't result in, shall we say, "unexpected results".

Taking the time to secure your machine is worth it. Again, this is why I'm so adamant about prevention.

It's significantly easier to prevent disaster than it is to recover from it.

PS: I'm always curious as to what techniques people use when they feel that their computer might be compromised - I certainly don't know them all. If you have a technique or suggestion that I haven't covered above, leave a comment.

Article C4807 - April 30, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


11 Comments
Ken B
April 30, 2011 10:50 AM

Well, everyone's first step should be to hire my wife and have her check it out. :-)

A few more signs that your system has been compromised...

* You can't get to Windows Update, or it always fails to determine if any updates are available.

* Your anti-virus/anti-malware programs can't get updates. Or you can't get to any of the major AV sites.

* Your internet connection is "mostly" fine, but you can't get to some websites. In particular, sites for download/discussing anti-virus/anti-malware programs. For example, you can't get to majorgeeks.com or bleepingcomputer.com

* Your anti-virus/anti-malware programs "mysteriously" crash.

Many forms of malware actively try to prevent the "good" programs from running or getting updates, to prevent them from removing the infection.

Jeff
April 30, 2011 4:32 PM

>I'm always curious as to what techniques people use when they feel that their computer might be compromised

A hacker can do anything they want with your machine, except get physical access. I would turn the machine off. Then you can stop panicking and rushing to do everything. The hacker cannot turn it back on (although I have no idea what 'turn on via LAN' or those type options do) and you are safe. Now, you can research, using another machine, at your leisure, what to do about the situation.

But the first thing to do if your computer has been violated is turn it off (or even unplug it).

An alternative solution could be to unhook the internet cable.

Also, since Windows machines seem to need to be re-installed every couple of years, you can clean your machine by using this opportunity to do your bi-annual installation.

Ben
May 1, 2011 1:40 AM

I'm confused and paranoid. Let's say I have my firewall on and all anti-malware is installed and current. Now further suppose that my computer was hacked and the hacker was able to get personal information like passwords, contact lists, account numbers, etc. But I'm not aware that I've been hacked. Even if I happen to be one of those people who formats his hard drive and reinstalls his operating system and programs every 6 months or so, if my ISP remains the same, my router or modem remains the same, and I use the same firewall and anti-malware that allowed me to be hacked in the first place, wouldn't my computer still be vulnerable to that same hacker?

That's an unanswerable question. "If I got hacked once could I get hacked again?" - of course the answer is yes. But without knowing exactly WHAT allowed the hacker in the first time there's no way to know if you've done anything to prevent him from returning. So - maybe, maybe not.
Leo
01-May-2011

Dan
May 1, 2011 9:14 AM

Ben-
My guess is no. Even if you think you did everything the same as the first time, updates have been released since then.

Whatever vulnerability that allowed you to be hacked probably affected LOTS of other people. By the time you knew you had a problem, Microsoft probably already had a patch available to prevent it from happening again. You will get the patch automatically when you finish reinstalling your Windows.

Your anti-malware that didn't protect you the first time will also get an update and be more capable in the future.

The scenario you describe is pretty unlikely anyway. If your Windows and anti-malware is up-to-date, and you are using a router, and you STILL get hacked, I think there is a 99% chance that a user of YOUR computer was complicit in the hacking by installing unknown software or allowing a website to install it. Then the way to prevent it from happening again is don't make the mistake again!

Carol Putman
May 3, 2011 11:46 AM

On several occasions I've had the feeling that someone was eavesdropping on my internet connection. Fortunately, nothing malicious was happening -- just annoying and silly things to frustrate my usage. The more I tried to do "x" the more difficult it would be. It was like someone was watching what I was doing and getting a kick out of throwing hazards in my way and I could just see them sitting back laughing at my feeble attempts to accomplish the things I had to do. I suspected Remote Assistance on several occasions and did what I could to disable it. I've done several other things to try and stop the problem ranging from reformatting the hard drive, to calling Microsoft to report it and get help, to disconnecting the computer from the phone jack, to turning the computer off for an hour or so ... you name it and I've tried it. I saw an immediate improvement when I disconnected the computer from the phone jack and it was the easiest thing to do. After ten minutes or so, I plugged it back in and went on with whatever I was doing without the difficulties. I don't want to jinx it, but I haven't had the problem in a while, and I'm hoping that whoever was annoying me finally got their driver's license and now they can date. It was that childish.

Steuart B
May 3, 2011 12:50 PM

Many people who have been hacked will find their traditional antivirus, anti-malware and process viewing tools compromised and providing false feedback. A hacker of the kind that leaves Jeff paranoid would not want to tip off the user that something is wrong. Hostage-ware hacks, on the other hand, intentionally disable things the user would notice. The hidden kind are by far the hardest to deal with. I assume that everything running in a hacked machine's native environment is lying to me. Most of the hacks and rootkits I have encountered were specifically designed to hide from Windows, so running tools in a non-Windows environment often lays them bare. I use a boot disk (usually BartPE) loaded with some partitioning and process tracking tools which don't rely on Windows to run.

Compare a CD-launched process viewer with the one running on the compromised machine to see what's different and then do some research to see why. A partitioning tool can reveal a small place on the drive used to store the hacking tools. A registry cleaner can sometimes identify where hidden files are because it cannot link the registry entry to the hidden file and will identify it as an obsolete key. I even found one by accident when I turned up a deleted FTP log file using a data recovery/undelete software. The guy wanted accidentally deleted pictures of his daughter's birthday party recovered. I got back the pictures and discovered a keylogger and probable rootkit in the process. Prior to that there was no sign at all that anything was amiss.

What I hate most about these things is that I never feel sure I really got it all. The best we can do is clean what we find, update and patch everything, beware of what you type, and hope for the best.

johnpro2
May 3, 2011 1:46 PM

The computer can be booted from a CD/DVD with a Linux based boot disk when performing financial transactions if security is a real concern.

This process bypasses the hard drive and any bad stuff lurking there, although it can take several minutes to load everything into RAM.
Many Linux boot disks come with all essential programs like Firefox and Open Office pre-installed.
http://www.knoppix.net/
http://www.ubuntu.com/download/ubuntu/download

AJNorth
May 10, 2011 11:30 PM

To determine if a machine is infected with malware, the Process Explorer is a useful initial and quick tool; monitoring the data transfer rate in quiescence using Network Connections or Local Area Connection Status can also provide useful information (as can some firewalls, such as Comodo). For an in-depth analysis, my tool of choice is Trend Micro's HijackThis (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?tag=mncol;1), with analysis of it at: http://www.ghacks.net/2008/02/08/hijackreader-analyse-hijackthis-results/ Many consider this the 'gold standard.'

When attempting to disinfect a Windows rig suspected of harboring malware, the procedure I invariably employ is to scan with at least one (usually more) third-party on-demand scanners, typically beginning with Malwarebytes Anti-Malware (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1). If anything is found (or an infection still suspected), a full scan with SUPERAntiSpyware (http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html?tag=rb_content) would follow. Finally, a scan with Hitman Pro (http://download.cnet.com/Hitman-Pro-3-32-bit/3000-2239_4-10895604.html?tag=mncol;1) adds a very high degree of confidence. (Since on occasion a valid process may be tagged as malware, it is ALWAYS a good idea to backup all data, and set a Restore Point before beginning each scan. Also, as Leo points out, the latest version of the scanner is always employed, and the database updated immediately before starting the scan). I have yet to encounter a machine that gave any indication of infection after using these utilities.

(NOTE: Since running more than one anti-malware app at a time can really slow things down, I always temporarily disable the resident real-time scanner while performing the on-demand scans. Sometimes, a particular infection requires the on-demand scanners be installed - and run - in Safe Mode.)

Grady
August 3, 2011 8:52 AM

Stay away from using the Admin profile.. Create and use a standard profile.

Mike
November 11, 2011 3:13 PM

Turn on via LAN (or 'Wake up via LAN') is where if you put your computer to sleep (I think it only applies to that), you can turn it back on with another device. For me though, I look at how my computer acts - if it's super slow, or is unstable. Or I'll look at the hard drive activity light. That's a few ways I do it.

Perry
January 7, 2013 11:47 AM

I have found an unauthorized password protected network has been set up on my computer by a housemate. How does this happen? Can it be accidental, somehow? Appears to be from their laptop, but I have had other people access my wifi without a network being set up. What can cause this and what can I do about it?
Did a search on AskLeo and brought me to this page, which did not answer my question. Can you?
