Your hard drive is rattling more than it used to, your router's LEDs are blinking wildly, ads pop up in your browser every now and then, your system responds more slowly, or your friends complain that you are sending them spam. Weird and annoying things happen, but does that mean your system has been hacked?
Tip 01: Not me!
Many (home) users have a hard time believing that others find their PC interesting enough to break into or to plant malware on. That is a misconception. Even a simple home computer holds interesting information, such as login credentials for all kinds of services and bank account numbers. Many home PCs are also used for internet banking, and criminals have software (banking trojans) that intercepts and modifies financial transactions from inside the browser. Also read: Hacked! - The danger of public Wi-Fi.
Moreover, any PC can serve as part of a botnet, in which infected PCs (so-called zombies) send spam on the orders of a command and control server, or jointly try to bring a web server to its knees in a DDoS attack. In addition, attackers are frequently not selective at all during reconnaissance: they scan whole ranges of IP addresses for machines with known security holes, without caring who owns them. So assume that your PC is a possible target too.
Tip 02: Don't panic
Just as there are users who remain unaware of the obvious signs of a hacked or compromised system, there are also users who panic at the slightest irregularity. For example, a drive that is suddenly much more active may simply be busy with a legitimate update process, or your backup tool may be making backups in the background. Or it may be the Windows disk defragmenter or the search indexer.
Likewise, the LEDs on your switch or router suddenly flickering does not automatically mean that a backdoor program is secretly sending data to an attacker. And if your friends suddenly receive spam from your email address, it may just as well mean that spammers found your address somewhere and 'spoofed' it as the sender of their spam messages, without ever touching your PC.
In short, it is important to be alert to suspicious symptoms, but it is equally important to analyze them calmly and thoroughly, so that you know exactly what the cause is and how you can remedy the problem. In this article we focus on such symptom analysis, but preventive tips are included as well.
Busy Disk
Tip 03: Task Manager
As noted, a noticeably busy drive is one of the symptoms that may indicate a compromised system, so the first job is to find out exactly which processes are causing that disk activity. Start with the Windows Task Manager, which you open with the key combination Ctrl+Shift+Esc. The Task Manager of Windows 7 and that of Windows 8 work a little differently. In Windows 7, open the Processes tab and, preferably, tick Show processes from all users. Then click the column title CPU: you will see all processes in a list, sorted by CPU usage. If you want to know which processes are responsible for the most disk activity, however, go to the menu View / Select Columns, tick both I/O Read Bytes and I/O Write Bytes, and then sort on those columns. Note that these two columns are running totals since each process was started, not the activity of the moment, so a backup tool or the search indexer that has been running for hours will sit at the top even if it is doing nothing right now. To see what is busy at this moment, open Resource Monitor (type resmon in the Start menu search box) and look at the Disk tab, which shows read and write rates per process. If you do not recognize or trust a process, right-click it and choose Open File Location.
Tip 04: Online feedback
In Windows 8, the Task Manager looks a little different: it opens in a compact view, so first click More details. Then go to the Processes tab and click the column title Disk, and the processes will be sorted by their current disk activity. The context menu here also offers Open file location.
Perhaps the file location and the associated program name are enough to tell whether it is a bona fide process. Not sure? Then type the process and/or program name into a search engine such as Google; the Task Manager context menu in Windows 8 even has a Search online option for this. If it turns out to be unwanted software, remove it as soon as possible. See also tip 17.
If the search results do not give you the necessary information either, you can turn to ProcessLibrary, a database of more than 140,000 processes, which can also be browsed through an alphabetical index. Many entries come with a security rating and, where applicable, removal instructions, should you conclude that the process is indeed rogue. Bear in mind that malware routinely borrows the names of legitimate Windows processes, so a familiar name alone is no guarantee: where the file lives, and whether it is digitally signed, tell you more than the name does.
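The Task Manager procedure from tips 03 and 04 can also be done in one go from a PowerShell prompt. The script below is an added example and not part of the original article: it takes two snapshots of the same cumulative I/O counters that Task Manager shows as I/O Read Bytes and I/O Write Bytes (exposed by Windows as Win32_Process.ReadTransferCount and WriteTransferCount), reports only what moved in the interval, and for every busy process prints its executable path, whether that executable carries a valid digital signature, and its SHA-256 hash so you can look it up online. It assumes Windows PowerShell 4.0 or later on Windows 7 or newer and an elevated (administrator) prompt; the function names, the 5-second sample interval and the top-15 cut-off are my own choices.

```powershell
# Added example (not from the original article): which processes are moving disk data
# right now, where their executables live, and whether those executables are signed.
# Assumptions: Windows PowerShell 4.0 or later (Get-FileHash) on Windows 7 or newer,
# run from an elevated prompt; otherwise ExecutablePath is empty for other users' processes.
# ReadTransferCount/WriteTransferCount are the same cumulative totals that Task Manager
# shows as "I/O Read Bytes" / "I/O Write Bytes", so two snapshots are taken and only the
# difference is reported: a backup tool that has run for hours otherwise tops the list
# even while it is idle.

$SampleSeconds = 5    # interval between the two snapshots (chosen for this example)
$TopN          = 15   # how many of the busiest processes to show

function Get-DiskIoSnapshot {
    # One row per process with the cumulative read/write byte counters.
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId  = [uint32]$_.ProcessId
                Name       = $_.Name
                Path       = $_.ExecutablePath
                ReadBytes  = [uint64]$_.ReadTransferCount
                WriteBytes = [uint64]$_.WriteTransferCount
            }
        }
}

function Get-ExecutableVerdict {
    # Signature status and SHA-256 of an executable. The hash can be pasted into a
    # search engine or an online malware database to identify the exact file.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Signature = 'no path (run elevated?)'; Sha256 = '' }
    }
    try {
        $sig  = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop
        $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop
        [pscustomobject]@{ Signature = [string]$sig.Status; Sha256 = $hash.Hash }
    } catch {
        [pscustomobject]@{ Signature = 'unreadable'; Sha256 = '' }
    }
}

# First snapshot, keyed by PID; then wait and take the second.
$before = @{}
Get-DiskIoSnapshot | ForEach-Object { $before[$_.ProcessId] = $_ }
Start-Sleep -Seconds $SampleSeconds
$after = Get-DiskIoSnapshot

$busy = foreach ($p in $after) {
    $b = $before[$p.ProcessId]
    # Skip processes that started during the interval, and PIDs that were reused by
    # a different program in the meantime (the counters would not be comparable).
    if (-not $b -or $b.Name -ne $p.Name) { continue }
    $delta = ([double]$p.ReadBytes  - [double]$b.ReadBytes) +
             ([double]$p.WriteBytes - [double]$b.WriteBytes)
    if ($delta -le 0) { continue }                 # nothing moved in this interval
    $v = Get-ExecutableVerdict -Path $p.Path
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Name      = $p.Name
        MBMoved   = [math]::Round($delta / 1MB, 2)
        Signature = $v.Signature
        Sha256    = $v.Sha256
        Path      = $p.Path
    }
}

$busy |
    Sort-Object MBMoved -Descending |
    Select-Object -First $TopN |
    Format-Table ProcessId, Name, MBMoved, Signature, Path -AutoSize -Wrap
```

Read the Signature column with some care: Valid means the file is signed and intact, which is good evidence it is what it claims to be, but NotSigned is a reason to look closer rather than proof of malware, since a fair number of legitimate (especially older) programs ship unsigned, and on Windows 7 system files that are signed only through a catalog can also be reported that way. A process whose executable lives somewhere unexpected (a temp folder, a user profile instead of Program Files or System32) and is unsigned is the one to search for by name and by its SHA-256 hash, as described in tip 04.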