How the pros sniff out a malware infection

You can't be certain your system is malware-free unless you reformat and reinstall -- and you'll get a superclean PC in the process

In my last column, I talked about making online shopping safer, starting with ensuring your computer isn't already infected with some devious malware. But I didn't tell readers how to confirm that their computer wasn't maliciously compromised from the start.

Let me give it a shot. First, the reality is that without extreme measures (such as comparing every file on your computer to the vendor's known, legitimate checksum), you can't have absolute assurance that your computer is malware-free. If you want that, format your computer's hard drive and reinstall everything from vendor-distributed media and content -- then disable the network card and never connect to the Internet.


Unreasonable advice aside, here's how to determine with some degree of assurance that your computer is malware-free, even after you've surfed the Internet. This column contains the steps I take when I try to verify my own computers (or those of my friends or neighbors) aren't infected.

Prime suspect: Suspicious autostarting programs
The first thing I do is to look for suspicious autostarting programs. Several programs are available to aid in your search, including Silent Runners and HijackThis. I prefer Autoruns, which has an excellent and easy-to-use GUI, allows you to make (and undo) modifications very quickly, and offers a range of choices to verify found executables.

Usually I look first for any entries without a verified publisher. Malware sometimes has a verified publisher, but it often doesn't. Next, I search out executables with extremely random names (for example, xy3Wfi9sh~.exe) located in Windows/System32. Then I single out executables I don't recognize, or executables from publishers I don't recognize. Finally, I research every last unknown executable and publisher. If I can't confirm there's a need for an executable, I prevent it from autostarting and reboot.
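As an added example that is not part of the column (and not Autoruns' own code), the PowerShell script below applies the first two filters described above to the Run/RunOnce registry keys only: it checks each autostart executable's Authenticode signature and flags random-looking file names under System32. The random-name regex is my own heuristic, and the script assumes an elevated Windows PowerShell 5.1 or later session; it is read-only and changes nothing.

```powershell
# Constructed example: triage Run/RunOnce autostart entries (a subset of what
# Autoruns covers) for unverified publishers and random-looking System32 names.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds that are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Heuristic (assumption, not from the column): names like xy3Wfi9sh~.exe tend to
# contain a tilde, three or more digits, or no vowels at all in a long name.
function Test-RandomName {
    param([string]$Path)
    $base = [IO.Path]::GetFileNameWithoutExtension($Path)
    return ($base -match '~' -or $base -match '\d{3,}' -or
            ($base.Length -ge 8 -and $base -notmatch '[aeiou]'))
}

# Reduce a Run value such as "C:\dir\app.exe" /tray  to the bare executable path.
function Get-ExePath {
    param([string]$Command)
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$p.Value)))
        $status = 'FileNotFound'; $publisher = ''
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
        }
        [PSCustomObject]@{
            Entry      = $p.Name; Key = $key; Path = $exe
            Signature  = $status; Publisher = $publisher
            InSystem32 = ($exe -like "$env:SystemRoot\System32\*")
            RandomName = (Test-RandomName $exe)
        }
    }
}

# Research these first: unsigned or invalid signature, missing file, or a
# random-looking name living in System32. Everything else still deserves a look.
$report | Where-Object { $_.Signature -ne 'Valid' -or ($_.InSystem32 -and $_.RandomName) } |
    Format-Table Entry, Signature, Publisher, Path -AutoSize
```

A valid signature only tells you who signed the file, so an entry from a publisher you do not recognize still needs the research step the column describes.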

Look for unneeded browser add-ons
Using the autostart searching tools mentioned in the previous section or the browser's own management menus, I review installed browser add-ons and remove any I don't recognize or don't need.

Target unexplained network connections
From there, I close all software that might possibly connect to the Internet, starting with the browser, social network tools, and any other memory-resident tools that may reach out to the Internet on their own.

Then I start a program that will show me all the active network connections to the Internet and what programs, services, and processes are involved. With Microsoft Windows, you can use the built-in command-line program netstat.exe -ano if you don't have anything else. I prefer Microsoft's TCPView, but any tool that does the same thing can be used.
