Computer viruses and other kinds of malware can wreak havoc on your computer. Viruses can grind your computer’s performance to a crawl and cause system instability or crashes. Despite the obvious effects malware can have on your PC, the most insidious viruses are the ones that remain undetected. Malware that prefers to stay quiet is the kind that steals your private information, spies on your web browsing and collects your passwords.
Antivirus programs are a good start to protecting your PC, but they are limited in their ability to detect viruses that have already infected your computer: a signature-based scanner misses samples it has never seen, and malware that has gained administrative or kernel privileges can interfere with the scanner itself. When you think you have a virus, sometimes you have to go with your gut and start poking around in the dark corners of your operating system. While there is a plethora of tools on the internet you can use to uncover hidden malware, a handful of them are built into pretty much every version of Windows and can be run from a command prompt. Here are five essential tools you can use to expose viruses hiding on your PC.
Tasklist can be found on all Microsoft Windows operating systems from Windows XP on. This command is crucial because it shows you a list of the processes currently running on your computer. The default output shows the image name of each process, its process ID (PID), and how much memory it is using. From this basic output it is possible to spot malware by searching for process names that are slightly misspelled, such as “svchostt.exe” instead of “svchost.exe”. Note that tasklist does not show where the executable lives on disk, so a look-alike name is a lead to follow up, not a verdict.
There are additional options you can pass to tasklist that give more information about the programs running on your computer. By running “tasklist -v” you get the verbose output, which adds the status of each process, the user account it runs under, how much CPU time it has consumed, and the title of its window if the process has a GUI. Run it from an elevated prompt, otherwise the user name of processes owned by other accounts shows up as “N/A”. A process named like a core Windows binary but running under an ordinary user account, when the real one always runs as SYSTEM, is a red flag.
Another useful option is “tasklist -svc”. This lists the services hosted by each process (most noticeably the several svchost.exe instances, each of which hosts a group of services), which helps you track down additional components of the malware that has potentially infected your computer: a service with an unfamiliar name, or an svchost.exe that hosts no service at all (shown as “N/A”), is worth a closer look.
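Here is an added example, not from the original article, that automates the two tasklist checks above in PowerShell (which ships with every supported version of Windows). It calls the same tasklist.exe, asks for CSV output so the columns can be parsed reliably, and assumes English column headers plus the baseline list of system binaries it defines itself:

```powershell
# Added example (not part of the original article): triage tasklist output for
# look-alike process names and odd svchost.exe instances. Run from an elevated
# PowerShell prompt on the suspect machine. Assumptions: English column headers
# and the baseline list of well-known binaries below.

# Windows binaries that malware commonly imitates (assumed baseline, extend as needed).
$knownNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe',
                'explorer.exe', 'smss.exe', 'wininit.exe', 'spoolsv.exe', 'taskhostw.exe')

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance: catches svchostt.exe, lsasss.exe, scvhost.exe and friends
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# /fo csv gives parseable output; /v adds "User Name", /svc adds the "Services" column.
$procs    = tasklist /v /fo csv   | ConvertFrom-Csv
$services = tasklist /svc /fo csv | ConvertFrom-Csv
$svcByPid = @{}
foreach ($s in $services) { $svcByPid[$s.PID] = $s.Services }

foreach ($p in $procs) {
    $name = $p.'Image Name'.ToLower()
    $user = $p.'User Name'

    # 1. Names within two edits of a well-known system binary. This is a heuristic:
    #    legitimate names such as sihost.exe also land within two edits of svchost.exe,
    #    so every hit still needs its on-disk path checked by hand.
    if ($knownNames -notcontains $name) {
        foreach ($k in $knownNames) {
            $dist = Get-EditDistance $name $k
            if ($dist -le 2) {
                "[look-alike] PID $($p.PID) '$($p.'Image Name')' resembles '$k' (distance $dist), user=$user"
            }
        }
    }

    # 2. svchost.exe exists only to host services; an instance hosting nothing
    #    (tasklist prints N/A) is suspect. The user name is printed for context only:
    #    Windows 10 runs a few per-user services in svchost under the logged-on account.
    if ($name -eq 'svchost.exe' -and $svcByPid[$p.PID] -eq 'N/A') {
        "[empty svchost] PID $($p.PID) user=$user hosts no services"
    }
}
```

The edit-distance threshold is deliberately loose; tightening it to 1 removes most benign hits but also misses transpositions such as “scvhost.exe”, so treat the output as a worklist rather than a verdict.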
Netstat will display your current network connections as well as open ports. The “-n” option displays addresses and port numbers numerically, which saves the time netstat would otherwise spend on reverse DNS lookups. The “-a” option is necessary because without it netstat shows only established TCP connections, not the listening TCP and UDP ports. Finally, the -o option displays the process ID that owns each connection. This is important because you can now correlate an open connection with a process in the tasklist output, which can help you track down backdoors or remote access tools implanted on your computer. The usual invocation is “netstat -ano”; adding “-b” makes netstat print the executable for each connection directly, but that option requires administrative rights and is slow.
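The correlation described above, as an added PowerShell example that is not part of the original article: it parses “netstat -ano”, joins each row to the tasklist output by PID, lists every listening port with its owner, and flags established connections to addresses outside the private and loopback ranges. The private-range regex is an assumption of the example (it covers RFC 1918, loopback and link-local only):

```powershell
# Added example (not part of the original article): label netstat rows with the
# owning process and flag sessions to non-private addresses. Run from an
# elevated PowerShell prompt; assumes English netstat/tasklist output.

# PID -> image name, from tasklist's CSV output
$imageByPid = @{}
foreach ($t in (tasklist /fo csv | ConvertFrom-Csv)) { $imageByPid[$t.PID] = $t.'Image Name' }

# Parse netstat -ano. TCP rows have five columns (proto, local, remote, state, pid);
# UDP rows have no state column and therefore four. Header and blank lines are skipped.
$rows = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -eq 5) {
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = $f[4] }
    } elseif ($f[0] -eq 'UDP' -and $f.Count -eq 4) {
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = '';    PID = $f[3] }
    }
}

function Get-EndpointIp([string]$endpoint) {
    # IPv6 endpoints look like [2001:db8::1]:443, IPv4 like 10.0.0.5:443
    if ($endpoint -match '^\[(.*)\]:\d+$') { return $Matches[1] }
    return ($endpoint -replace ':\d+$', '')
}

function Test-PrivateIp([string]$ip) {
    # Assumed "internal" ranges: RFC 1918, loopback, link-local, unspecified (v4 and v6)
    return $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$|::1?$|fe80:)'
}

foreach ($r in $rows) {
    $image = $imageByPid[$r.PID]
    if (-not $image) { $image = '<no such PID in tasklist>' }   # process exited, or PID 0 (kernel)

    if ($r.State -eq 'LISTENING' -or $r.Proto -eq 'UDP') {
        "[listen]   $($r.Proto) $($r.Local) PID $($r.PID) $image"
    } elseif ($r.State -eq 'ESTABLISHED' -and -not (Test-PrivateIp (Get-EndpointIp $r.Remote))) {
        # An outbound session to a public address from a process you do not recognise
        # is the classic sign of a backdoor or remote-access tool phoning home.
        "[external] $($r.Local) -> $($r.Remote) PID $($r.PID) $image"
    }
}
```

Because the netstat and tasklist snapshots are taken a moment apart, a short-lived process can show up with a PID that tasklist no longer knows; re-run the script if you see that for a connection you care about.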
Driverquery will display all drivers installed on your computer. The “-v” option shows you verbose information including module name, display name, the driver’s description, driver type, start mode, current state and the path of the driver file on disk. This information is incredibly helpful when tracking down sophisticated malware such as keyloggers and kernel-mode rootkits, because a malicious driver usually stands out in one of a few ways: it has no meaningful description, its file lives outside the Windows directory, or it carries no valid digital signature. Bear in mind that a rootkit that unlinks itself from the kernel’s list of loaded modules will not appear in this output at all, so a clean-looking list is not proof of a clean system.
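As an added example (not from the original article), the following PowerShell runs “driverquery -v” with CSV output and applies those three checks to every kernel-mode driver that is currently running. It uses the built-in Get-AuthenticodeSignature cmdlet for the signature check and assumes English column headers:

```powershell
# Added example (not part of the original article): flag running kernel-mode
# drivers whose image is missing, unsigned, or outside %SystemRoot%.
# Run from an elevated PowerShell prompt; driverquery /v needs admin rights
# for its full column set. Assumes English column headers.

$drivers = driverquery /v /fo csv | ConvertFrom-Csv

$findings = foreach ($d in $drivers) {
    # Only "Kernel" and "File System" drivers execute in kernel mode
    if ($d.'Driver Type' -notmatch 'Kernel|File System') { continue }
    if ($d.State -ne 'Running') { continue }

    $path = $d.Path
    if (-not $path) { continue }                               # no image path reported
    $path = $path -replace '^\\\?\?\\', ''                     # strip NT "\??\" prefix
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot    # NT-style root to DOS path
    $path = [Environment]::ExpandEnvironmentVariables($path)

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Module = $d.'Module Name'; Issue = 'image missing on disk'; Path = $path }
        continue
    }

    $issues = @()
    # Inbox drivers are catalog-signed and report Valid on Windows 8 and later;
    # anything running in ring 0 with status NotSigned deserves scrutiny.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') { $issues += "signature $($sig.Status)" }
    if ($path -notlike "$env:SystemRoot\*") { $issues += 'outside %SystemRoot%' }
    if (-not $d.Description -or $d.Description -eq $d.'Module Name') { $issues += 'no description' }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Module = $d.'Module Name'; Issue = ($issues -join ', '); Path = $path }
    }
}

$findings | Sort-Object Module | Format-Table -AutoSize
```

Third-party drivers for antivirus, VPN or virtualisation software legitimately live under Program Files, so “outside %SystemRoot%” alone is a prompt to check the publisher on the signature, not a finding in itself.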
Net user will display the user accounts currently on your computer, and “net user <name>” shows the details of a single account, such as whether it is active and when it last logged on; “net localgroup administrators” shows which accounts have administrative rights. These commands are helpful when you are trying to track down a rogue user account a hacker has created. Some remote access tools create an account on the infected PC as an alternate way back in, in case the malware itself gets deleted.
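The account check described above, as an added PowerShell example that is not part of the original article. It parses the column layout of “net user” and “net localgroup administrators”, pulls the per-account details, and reports every enabled local administrator that is missing from a baseline list; the baseline and the English output format are assumptions of the example:

```powershell
# Added example (not part of the original article): find enabled accounts with
# local admin rights that are not in an expected baseline. Assumes English
# net.exe output and the baseline list below.

$expected = @('Administrator', 'alice')   # assumed: accounts you know should exist

function Get-NetListing([string[]]$netOutput) {
    # net.exe prints names in columns between a dashed rule and the
    # "The command completed successfully." footer; split on runs of two+ spaces.
    $inList = $false
    foreach ($line in $netOutput) {
        if ($line -match '^-{10,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) {
            ($line -split '\s{2,}') | Where-Object { $_ } | ForEach-Object { $_.Trim() }
        }
    }
}

function Get-NetField([string[]]$detail, [string]$label) {
    # Return the value of a "Label    value" line from "net user <name>"
    foreach ($line in $detail) {
        if ($line -match "^$label\s+(.*)$") { return $Matches[1].Trim() }
    }
}

$users  = Get-NetListing (net user)
$admins = Get-NetListing (net localgroup administrators)   # domain members appear as DOMAIN\name

foreach ($u in $users) {
    $detail    = net user $u
    $active    = Get-NetField $detail 'Account active'
    $lastLogon = Get-NetField $detail 'Last logon'
    $pwdSet    = Get-NetField $detail 'Password last set'
    $isAdmin   = $admins -contains $u

    if ($active -eq 'Yes' -and $isAdmin -and $expected -notcontains $u) {
        "[rogue?] '$u' is an enabled local administrator not in the baseline " +
        "(last logon: $lastLogon, password last set: $pwdSet)"
    }
}
```

“net user” does not record when an account was created, so “Password last set” is the closest thing to a creation timestamp it offers; a brand-new admin account whose password was set minutes before the suspected infection is exactly what you are looking for.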
Malware usually finds a way to survive reboots, so that you can’t get rid of it by pulling the plug. One of the most common ways it does this is by embedding itself in certain registry keys. There are a handful of keys in the registry that Windows checks when a user logs on, called the “Run keys”. Windows will fire up any program listed in the Run keys at every logon: the HKLM keys apply to everyone who logs on to the machine, and the HKCU keys only to the user who is logging on. A couple of the run keys are below:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
These are just a couple of the more popular keys malware uses to stay alive on your computer; the RunOnce keys next to them, and the WOW6432Node copy of Run on 64-bit Windows, are worth checking too. You can inspect these keys with the reg query command followed by the registry key path in quotes, for example reg query “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”. This displays every value stored under the key, which lets you inspect it for suspicious programs. Each value’s data is the command line Windows will run, so you also get the path of the program and can navigate to its location on disk and inspect it further. Since reg query reads HKCU for the account that runs it, check the HKCU keys while logged on as the user you believe is infected.
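To take that one step further, here is an added PowerShell example (not from the original article) that dumps the Run and RunOnce keys with reg query, extracts the executable from each value’s command line, and checks that the file exists and carries a valid Authenticode signature. The rule for pulling the image path out of a command line (quoted path, or the first token ending in .exe) is an assumption of the example:

```powershell
# Added example (not part of the original article): inspect the Run keys with
# reg query and verify each autostart image on disk. Run from PowerShell as the
# user whose HKCU keys you want to inspect; HKLM keys are visible to any user.

$runKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$commandLine) {
    # Value data is a command line: "C:\quoted path\x.exe" args, or C:\path\x.exe args.
    # Assumed heuristic: a quoted first token, else the first token ending in .exe.
    $cl = [Environment]::ExpandEnvironmentVariables($commandLine.Trim())
    if ($cl -match '^"([^"]+)"') { return $Matches[1] }
    if ($cl -match '^(\S+?\.exe)\b') { return $Matches[1] }
    return ($cl -split '\s+')[0]
}

foreach ($key in $runKeys) {
    $out = reg query $key 2>$null
    if ($LASTEXITCODE -ne 0) { continue }          # key does not exist (RunOnce is often absent)

    foreach ($line in $out) {
        # reg query prints "    <name>    <REG_type>    <data>" with four-space separators
        if ($line -notmatch '^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$') { continue }
        $name, $type, $data = $Matches[1], $Matches[2], $Matches[3]
        $image = Get-ImagePath $data

        if (-not (Test-Path -LiteralPath $image)) {
            "[$key] '$name' -> $data  (image not found: $image)"
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $image
        if ($sig.Status -ne 'Valid') {
            "[$key] '$name' -> $image  [UNSIGNED: $($sig.Status)]"
        } else {
            "[$key] '$name' -> $image  [signed: $($sig.SignerCertificate.Subject)]"
        }
    }
}
```

A value whose image does not exist is not automatically benign: the file may be one that malware drops only at logon and deletes afterwards, or a leftover from an earlier infection, so note the name and the path either way. An unsigned image in a user-writable folder such as %APPDATA% or %TEMP% is the most common shape of a malicious Run entry.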
By including the commands above in your toolkit, you can manually uncover malware infections that slipped past your antivirus scanner. Happy hunting!