My suggestion would be to upload to a temporary directory, then check the file size and contents using a virus scan, and only then copy it to the proper location.
Technically there is no 'sure fire' way to control what the user is uploading. For example, while you might want to restrict a user to only upload a JPG or PNG, they could simply rename an infected file to have a .png or .jpg suffix. Only once the file is uploaded can you confirm its contents.
For JPG, PNG and BMP files you can read the first few bytes of the uploaded file to confirm the file type, then run whatever anti-virus software you want on the file before accepting it. For example, if you use Avast as your anti-virus, the command ashCmd.exe can be used to scan a specific file and report its findings.
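
The sequence described above (temporary directory, size check, leading-byte check, virus scan, then move), as an added example that is not part of the original post. The `scan` hook, the 5 MiB limit and all function names are assumptions; `scan` stands in for whatever anti-virus command is used and must return True for a clean file.

```python
import os
import shutil
import tempfile
import uuid

# Leading "magic" bytes for the three formats the post names.
SIGNATURES = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "bmp": b"BM"}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


def sniff_image_type(head):
    """Return 'jpg', 'png' or 'bmp' from the leading bytes, else None."""
    for kind, magic in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def accept_upload(tmp_path, dest_dir, scan, max_bytes=MAX_BYTES):
    """Validate a file in the temporary directory, then move it into place.

    scan is a caller-supplied hook (hypothetical) that runs the anti-virus
    scanner on the path and returns True when the file is clean.
    Returns the final path, or None if the file was rejected and deleted.
    """
    size = os.path.getsize(tmp_path)
    with open(tmp_path, "rb") as fh:
        kind = sniff_image_type(fh.read(8))
    if 0 < size <= max_bytes and kind is not None and scan(tmp_path):
        # Name the stored file ourselves; the user's name and suffix are not trusted.
        final = os.path.join(dest_dir, f"{uuid.uuid4().hex}.{kind}")
        shutil.move(tmp_path, final)
        return final
    os.remove(tmp_path)
    return None


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as dest:
        # Constructed samples: a PNG header, and a script renamed to .png.
        for name, data in [("a.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16),
                           ("b.png", b"#!/bin/sh\necho hi\n")]:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            print(name, "->", accept_upload(path, dest, scan=lambda p: True))
```

The leading-byte check only confirms the claimed format; the scan step is still what inspects the rest of the file.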