r-cybersecurity / faq

A repository of common questions and answers to reduce repetition on the r/cybersecurity community.

I've got persistent malware. (Malware that starts up even after a reboot) What do I do? (non-enterprise user) #22

Open Dump-ster-fire opened 2 years ago

Dump-ster-fire commented 2 years ago

Here's something you or anyone can do to review your system for persistent malware in the home user (or even professional) Windows world. DISCLAIMER: If these instructions scare you, or you are uncomfortable performing them, or you don't understand the results, stop clicking buttons and ask. These are powerful tools. When used for good, they eliminate malware. When used incorrectly, they could cause problems up to and including a 'no boot' situation. These instructions are for y'all who know how to use Windows pretty well, but don't know how to hunt malware that won't go away.

Hop on over to http://live.sysinternals.com (It's a Microsoft website)

Download Autoruns.exe
Download ProcExp.exe

Run Autoruns as admin. Hit Escape to cancel the scan. Click Options. Click Scan Options. Ensure 'Check VirusTotal.com' and 'Verify Code Signatures' are both enabled. You can choose to 'Submit Unknown Images' if you wish. Hit F5 to refresh the scan.

WHAT THIS GETS YOU: Autoruns lists everything that starts up when your computer does. The VirusTotal integration will send the HASH identifier of each file that starts when your computer does up to VirusTotal, to get an opinion of 70 or so AV engines as to whether malware is detected. You'll see the results in a VirusTotal column on the right-hand side with lots of 0/74, 0/75, etc. "Unknown" means VT has never seen the file before, and that's where the "Submit Unknown Images" comes in. If you see any entries that are 1/74 or even 3/74 or 5/74, they are likely false positives, but you can click the number itself and read up on VirusTotal to see whether it's being detected by Symantec and Microsoft, or BillyBob's Finest Antivirus, and make your own risk decision.

You can disable or delete Autoruns entries from the interface. Realize if you disable or delete the wrong thing, you can break the computer. Disabling (removing the check box) is preferable until you're sure you did the right thing.

ONLY disable or delete a thing if you're sure it's malware and you're a confident computer user who can adapt to unintended consequences.

Have a look at Process Explorer, and then REBOOT.

Run ProcExp as admin. Click Options, point to VirusTotal, and ensure 'Check VirusTotal.com' is selected. You can also choose 'Submit Unknown Images' if you wish.

WHAT THIS GETS YOU: Autoruns is for things that start when the computer does. ProcExp is for things running on your computer right now. Again, the application will submit all hashes running on your system to VirusTotal. Review them, and make your risk decisions based on the results. Note: this is not a perfect review for malware or other unwanted software. It won't pick up malicious PowerShell or CMD execution, as the hashes for those executables are legitimate. If a thing is obviously malware, you can right-click and kill the process. Be aware that it's possible to either reboot the computer or crash the computer by killing processes. MAKE SURE you did the AUTORUNS stuff first, because the Autoruns stuff is what starts after a reboot or crash.

Process Explorer also won't pick up legitimate Windows processes that had malware injected into them after launch. In most cases the AUTOEXEC portion earlier will prevent the memory injection on next boot.

This is a good free way to get 70 AV opinions or so to see if you have any malware running on your system.

I hope this is helpful for you.
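As an added example (not part of the post above, and not Sysinternals' code), here is a native PowerShell pass that does a small subset of what Autoruns does for the steps described: it lists Run/RunOnce keys and services, hashes each launched binary, and checks its Authenticode signature so unsigned, tampered or missing images sort to the top for review. It assumes an elevated PowerShell prompt and only covers those two autostart locations, not everything Autoruns knows about.

```powershell
function Resolve-ImagePath {
    param([string]$Command)
    # Extract the executable from a launch command such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Windows\system32\svchost.exe -k netsvcs
    # Unquoted paths containing spaces will not resolve and are reported as NoFile; check those by hand.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $m = [regex]::Match($expanded, '^"([^"]+)"|^(\S+)')
    $path = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    if (Test-Path -LiteralPath $path -PathType Leaf) { return $path }
    return $null
}

function Get-AutostartReport {
    $entries = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own PS* metadata fields
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Services: PathName is the command line the Service Control Manager runs
    foreach ($s in (Get-CimInstance Win32_Service)) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName }
    }
    foreach ($e in $entries) {
        $path = Resolve-ImagePath $e.Command
        $hash = $null; $sig = 'NoFile'          # entry points at something that is not on disk
        if ($path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status   # Valid, NotSigned, HashMismatch, ...
        }
        [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Path = $path; Signature = $sig; SHA256 = $hash }
    }
}

# Unsigned, tampered or missing images first; the SHA256 column is the value to look up on VirusTotal.
Get-AutostartReport | Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Source |
    Format-Table -AutoSize
```

A Valid signature only tells you who signed the file, not that it is benign, and a NotSigned entry is common for small legitimate utilities, so treat the list as a starting point for the VirusTotal lookup the post describes rather than a verdict.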