Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Has My Computer Been Hacked? A List of Clues and Steps to Take

How can I tell if my computer is being hacked?

You can’t. Not in any absolute sense.

There are definitely some clues to look for, which I’ll review. Ultimately, though, there’s no way for the average computer user to know with certainty that a hacker isn’t in the process of weaseling in, or hasn’t done so already.

Perhaps now you’ll understand why I talk so much about prevention.

And I’ll talk about it some more.

Become a Patron of Ask Leo! and go ad-free!

A hack generally involves unauthorized access to your data or computer. Symptoms can include excessive network usage, excessive CPU usage or heat, excessive disk activity, new pop-ups, instability, and unexpected online activity. All of these happen for other reasons, but can also be signs of a hack. Prevention is far simpler, and less costly than recovery.

What is a “hack”, anyway?

Have I Been Hacked? There’s no consistent definition of  what it means to be “hacked”.

We tend to think of it as someone gaining unauthorized access to the information kept on our computer, or someone with remote access to our computer running their own programs on it.

Someone walking up to your computer and logging in as you because they know your password is a “hack”. So is someone elsewhere on the internet penetrating your security software. If you accidentally download and run malware, you’ve been hacked.

All of these are considered “hacks” if they give someone else access to something they’re not supposed to have access to.

Hackers try not to leave clues

A talented hacker leaves no trace. This is one of the concepts that makes so-called “rootkits” different than more traditional malware: rootkits alter your system so normal ways of looking for files will not expose the malicious files of the rootkit.

The same is true for just about any aspect of hacking: event logs can be emptied, file date and time stamps can be arbitrarily set or modified, files can be renamed or hidden; even malicious programs can be designed to run as part of a legitimate program, or look like a legitimate program themselves.

So what can you do?

Start with prevention

This is where I repeat my standard litany of “stay safe” advice:

  • Use security software.
  • Keep all your software up to date.
  • Know how and when to secure your internet connection.
  • Stay educated about the latest threats and safe internet behavior.

Prevention is much more effective by far than any attempt to detect a malicious intrusion, either during or after the event.

Clues to look for

I want to stress that these are clues, not indicators. Any or all of these items can happen for a variety of reasons, only one of which is malicious activity. That’s why this is such a difficult question to answer and such a difficult situation to be in.

So don’t panic if some of these symptoms happen to you — you may not have been hacked at all. In fact, I’ll say that without other evidence, it’s very likely you’ve not been hacked. It’s a conclusion I see many people jump to, and most of the time they’re wrong; the symptoms happened for some other, often benign, reason.

But do pay attention. It’s possible you have been hacked or you have other issues you’ll want to act on.

Security software

If your security software has been turned off or disabled, that can be a symptom. The purpose of security software is to alert you when malware is present, so some malware attempts to prevent that by turning off scans, real-time options, or even disabling the tool completely.

While security software can be turned off for other reasons, and finding it turned off is not a guarantee that a hack is underway or present, it’s a symptom that needs to be corrected.

Speed (Internet)

This might be the most common impact of malware and hacking these days: excessive internet use. Be it having turned your machine into a spam-sending zombie in a botnet, or a hacker in the process of accessing all of your files, excessive internet use is high on the list of symptoms to look for.

This can manifest in two different ways: your own internet activity will seem sluggish or slow. Page loads will take forever when in the past they didn’t; videos may not play smoothly; and downloads might take an excessively long time. Or, if you’re on any kind of internet connection that monitors the amount of data you use (like many mobile plans), you’ll see your data usage spike or skyrocket with no explanation.

Speed (CPU)

Your machine unexpectedly slowing to a crawl can be a sign of malware. On occasion, malicious software or hacking attempts run software — intentionally or simply poorly written — that makes excessive use of your CPU. As a result, whatever tasks you’re trying to do don’t have the resources to do them quickly.

Heat

This is really your CPU usage becoming apparent via a different symptom. High CPU usage can generate high heat. Even if your machine is behaving normally otherwise, if it’s abnormally hot to the touch or the fans are running at high speed when they normally don’t, malware could be making excessive use of your CPU.

Disk activity

This is easily overlooked. Your computer may be excessively busy, but be responsive and cool. It’s possible the malicious software is constrained by the speed of your disk, which could be thrashing away like crazy. This is particularly true of ransomware — its speed is limited by your disk as it makes its way through encrypting your files.

Pop-ups

Malicious software often hijacks the software on your machine to promote advertising and other kinds of information in pop-ups. It’s important to understand what’s been affected, though. Pop-ups can appear either inside or outside your web browser.

If the pop-up comes from within your browser (so hiding your browser hides the pop-up as well), then it’s likely not due to software on your machine, but rather the website you’re visiting. On the other hand, if the pop-up appears separately from your browser, or perhaps takes over your whole screen, then malware could be the cause.

Unfortunately, neither of those two rules are absolute: malware on your machine can appear within your browser, and malicious websites can make it look as if they’re running software on your machine. Either way, new and unexpected pop-ups are worth paying attention to.

Stability

Malware has become more sophisticated over the years, but “all software has bugs” applies to all software, regardless of intent. Malware has been known to have bugs that crash or otherwise impact the stability of your entire computer. Even unexpected reboots can be attributed to malware and hacking attempts.

Activity elsewhere

Of course, the intent of a lot of malware or hacking is to gain access to your log-in credentials for online sites and services — anything from email to your bank and everything in between. It’s important to keep an eye on the activity in your accounts and other locations not strictly associated with your computer.

Your computer might be hacked, but at first, the only sign might be an unexpected login to your email account.

Timing

As I said, all of these symptoms can occur for many different reasons that have nothing to do with being hacked, but there is another clue that can help determine if that’s the case: timing.

If things are going well and all of a sudden you experience some of these symptoms without explanation or cause, or perhaps they start to happen immediately after you “did something” — like download something, install something, or visit a new website — that’s additional data to consider. Again, it’s not a definite sign of being hacked, but it can suggest a hack is possible.

On the other hand, if a symptom is something you’ve experienced periodically for years, then it’s unlikely to be anything malicious, since it’s nothing out of the ordinary for you.

If you suspect a hack

If you can’t trust your computer, stop using it.

At least stop until you reach a reasonable level of confidence that all is as it should be, and that your next foray to your online banking site won’t result in, shall we say, “unexpected results”.

The first thing to do is to pretend that your machine has been compromised, and take the steps you would take to remove malware. How Do I Remove Malware? covers these steps. And since not all hacks are technically “malware”, you might also review How Do I Remove PUPs, Foistware, Drive-bys, Toolbars, and Other Annoying Things I Never Wanted?, which covers other software you may have unintentionally invited onto your machine, opening doors for hackers.

In general, full scans with up-to-date anti-malware tools should give you some confidence that all is well — at least from a malicious access and/or hacking point of view.

If you’re still concerned, or if this all seems too much, then it might be time to enlist the help of a techie friend or professional services. It might well be worth it, even if only for your peace of mind.

But, honestly, the best thing to do is never get into this position in the first place. Taking the time to secure your machine is less work and results in less anxiety. This is why I’m so adamant about prevention. The best place to start is my most important article of all: Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet.

It’s significantly easier to prevent disaster than to recover from it.

If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,

Leo

Podcast audio

Play

16 comments on “Has My Computer Been Hacked? A List of Clues and Steps to Take”

  1. Well, everyone’s first step should be to hire my wife and have her check it out. 🙂

    A few more signs that your system has been compromised…

    * You can’t get to Windows Update, or it always fails to determine if any updates are available.

    * Your anti-virus/anti-malware programs can’t get updates. Or you can’t get to any of the major AV sites.

    * Your internet connection is “mostly” fine, but you can’t get to some websites. In particular, sites for download/discussing anti-virus/anti-malware programs. For example, you can’t get to majorgeeks.com or bleepingcomputer.com

    * Your anti-virus/anti-malware programs “mysteriously” crash.

    Many forms of malware actively try to prevent the “good” programs from running or getting updates, to prevent them from removing the infection.

    Reply
  2. >I’m always curious as to what techniques people use when they feel that their computer might be compromised

    A hacker can do anything they want with your machine, except get physical access. I would turn the machine off. Then you can stop panicking and rushing to do everything. The hacker cannot turn it back on (all though I have no idea what ‘turn on via LAN’ or those type options do) and you are safe. Now, you can research, using another machine, at your leisure, what to do about the situation.

    But the first thing to do if you’re computer has been violated is turn it off (or even unplug it).

    An alternative solution could be to unhook the internet cable.

    Also, since Windows machines seem to need to be re-installed every couple of years, you can clean your machine by using this opportunity to do your bi-annual installation.

    Reply
  3. I’m confused and paranoid. Let’s say I have my firewall on and all anti-malware is installed and current. Now further suppose that my computer was hacked and the hacker was able to get personal information like passwords, contact lists, account numbers, etc. But I’m not aware that I’ve been hacked. Even if I happen to be one of those people who formats his hard drive and reinstalls his operating system and programs every 6 months or so, if my ISP remains the same, my router or modem remains the same, and I use the same firewall and anti-malware that allowed me to be hacked in the first place, wouldn’t my computer still be vulnerable to that same hacker?

    That’s an unanswerable question. “If I got hacked once could I get hacked again?” – of course the answer is yes. But without knowing exactly WHAT allowed the hacker in the first time there’s no way to know if you’ve done anything to prevent him from returning. So – maybe, maybe not.

    Leo
    01-May-2011
    Reply
  4. Ben-
    My guess is no. Even if you think you did everything the same as the first time, updates have been released since then.

    Whatever vulnerability that allowed you to be hacked probably affected LOTS of other people. By the time you knew you had a problem, Microsoft probably already had a patch available to prevent it from happening again. You will get the patch automatically when you finish reinstalling your Windows.

    Your anti-malware that didn’t protect you the first time will also get an update and be more capable in the future.

    The scenario you describe is pretty unlikely anyway. If your Windows and anti-malware is up-to-date, and you are using a router, and you STILL get hacked, I think there is a 99% chance that a user of YOUR computer was complicit in the hacking by installing unknown software or allowing a website to install it. Then the way to prevent it from happening again is don’t make the mistake again!

    Reply
  5. On several occasions I’ve had the feeling that someone was evesdropping on my internet connection. Fortunately, nothing malicious was happening — just annoying and silly things to frustrate my usage. The more I tried to do “x” the more difficult it would be. It was like someone was watching what I was doing and getting a kick out of throwing hazards in my way and I could just see them sitting back laughing at my feeble attempts to accomplish the things I had to do. I suspected Remote Assistance on several occasions and did what I could to disable it. I’ve done several other things to try and stop the problem ranging from reformatting the hard drive, to calling Microsoft to report it and get help, to disconnecting the computer from the phone jack, to turning the computer off for an hour or so … you name it and I’ve tried it. I saw an immediate improvement when I disconnected the computer from the phone jack and it was the easiest thing to do. After ten minutes or so, I plugged it back in and went on with whatever I was doing without the difficulties. I don’t want to jinks it, but I haven’t had the problem in a while, and I’m hoping that whoever was annoying me finally got their driver’s license and now they can date. It was that childish.

    Reply
  6. Many people who have been hacked will find their traditional antivirus, anti-malware and process viewing tools compromised and providing false feedback. A hacker of the kind that leaves Jeff paranoid would not want to tip off the user that something is wrong. Hostage-ware hacks, on the other hand, intentionally disable things the user would notice. The hidden kind are by far the hardest to deal with. I assume that everything running in a hacked machine’s native environment is lying to me. Most of the hacks and rootkits I have encountered were specifically designed to hide from Windows, so running tools in a non-Windows environment often lays them bare. I use a boot disk (usually BartPE) loaded with some partitioning and process tracking tools which don’t rely on Windows to run.

    Compare a CD-launched process viewer with the one running on the compromised machine to see what’s different and then do some research to see why. A partitioning tool can reveal a small place on the drive used to store the hacking tools. A registry cleaner can sometimes identify where hidden files are because it cannot link the registry entry to the hidden file and will identify it as an obsolete key. I even found one by accident when I turned up a deleted FTP log file using a data recovery/undelete software. The guy wanted accidentally deleted pictures of his daughter’s birthday party recovered. I got back the pictures and discovered a keylogger and probable rootkit in the process. Prior to that there was no sign at all that anything was amiss.

    What I hate most about these things is that I never feel sure I really got it all. The best we can do is clean what we find, update and patch everything, beware of what you type, and hope for the best.

    Reply
  7. To determine if a machine is infected with malware, the Process Explorer is a useful initial and quick tool; monitoring the data transfer rate in quiescence using Network Connections or Local Area Connection Status can also provide useful information (as can some firewalls, such as Comodo). For an in-depth analysis, my tool of choice is Trend Micro’s HijackThis (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?tag=mncol;1), with analysis it at: http://www.ghacks.net/2008/02/08/hijackreader-analyse-hijackthis-results/ Many consider this the ‘gold standard.’

    When attempting to disinfect a Windows rig suspected of harboring malware, the procedure I invariably employ is to scan with at least one (usually more) third-party on-demand scanners, typically beginning with Malwarebytes Anti-Malware (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1). If anything is found (or an infection still suspected), a full scan with SUPERAntiSpyware (http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html?tag=rb_content) would follow. Finally, a scan with Hitman Pro (http://download.cnet.com/Hitman-Pro-3-32-bit/3000-2239_4-10895604.html?tag=mncol;1) adds a very high degree of confidence. (Since on occasion a valid process may be tagged as malware, it is ALWAYS a good idea to backup all data, and set a Restore Point before beginning each scan. Also, as Leo points out, the latest version of the scanner is always employed, and the database updated immediately before starting the scan). I have yet to encounter a machine that gave any indication of infection after using these utilities.

    (NOTE: Since running more than one anti-malware app at a time can really slow things down, I always temporarily disable the resident real-time scanner while performing the on-demand scans. Sometimes, a particular infection requires the on-demand scanners be installed – and run – in Safe Mode.)

    Reply
  8. Turn on via LAN(Or ‘Wake up via LAN’) is where if you put your computer to sleep(i think it only applies to that), you can turn it back on with another device. For me though, I look at how my computer acts – if it’s super slow, or is unstable. Or i’ll look at the hard drive activity light. that’s a few ways i do it.

    Reply
  9. I have found an unauthorized password protected network has been set up on my computer by a housemate. How does this happen? Can it be accidental, somehow? Appears to be from their laptop, but I have had other people access my wifi without a network being set up. Whay can cause this and what can I do about it?
    Did a search on AskLeo and brought me to this page, which did not answer my question. Can u?

    Reply
  10. What is the best software to prevent computer has been hacked or not. It become busy and difficult to download data for research articles. Thank you

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.