With the rise in cyber threats, learning to recognize the signs of a hacked computer has become essential for everyone, from everyday users to IT professionals. Here’s an in-depth guide on spotting indicators of compromise (IOCs) and using effective tools to investigate. By following these steps, you can gain insight into whether your system has been compromised and what actions to take next.

1. Identify Initial Signs of Compromise

Spotting suspicious behavior on your computer is the first step in detecting potential threats. Here are some key red flags to watch for:

• Unexpected pop-ups and ads: If your screen is flooded with intrusive ads, especially when you aren’t browsing the web, it’s a warning sign.
• Slow system performance: A significant slowdown in your computer’s performance, including lagging or crashing applications, can indicate malicious processes.
• Unauthorized changes: Look out for unrecognized software installations, modified browser settings, or new desktop icons.
• Abnormal data usage: Unexplained data usage spikes or frequent data transfers may be a sign of unauthorized access.
• Disabled antivirus software: Some malware types will disable your security software, leaving your system vulnerable.

If you experience one or more of these symptoms, proceed with the investigative steps below to verify if your system has been compromised.

2. Check Running Processes with Task Manager

The Task Manager provides a snapshot of your system’s performance and active processes. Identifying unknown or suspicious processes can reveal malware.

• Steps:
  1. Open Task Manager by pressing Ctrl + Shift + Esc.
  2. Navigate to the Processes tab.
  3. Check CPU, Memory, and Disk columns to spot processes using high resources.
• Analyzing Processes:
  • Research unfamiliar processes: Right-click each process and select Properties to view the location and description.
  • Use VirusTotal: If you suspect a process, upload the file to VirusTotal to check if it’s recognized as malware.

VirusTotal: VirusTotal Website
Upload suspicious files for a multi-engine scan and threat analysis.

3. Examine Startup Programs with Task Manager and Autoruns

Malicious software often configures itself to launch at startup to ensure persistence. Identifying and disabling unrecognized startup entries can prevent malware from reinitializing.

• Using Task Manager:
  1. Go to Task Manager’s Startup tab.
  2. Review each program and disable anything that looks suspicious or unneeded.
• Using Autoruns for Advanced Analysis:
  • Autoruns by Sysinternals offers a comprehensive view of all startup entries.
  • Download Autoruns here: Autoruns Download
  • How to Use:
    • Look through entries under Logon, Scheduled Tasks, and Services.
    • Right-click entries to research them online or check on VirusTotal.

Autoruns provides a powerful way to dig into startup programs and detect hidden malware. Be cautious when disabling startup programs, as some may be essential to your system’s operation.

4. Inspect Active Services Using Autoruns

Services running in the background can include unauthorized programs designed to go unnoticed. Using Autoruns, you can analyze these services more effectively than through Task Manager alone.

• Steps:
  • In Autoruns, go to the Services tab.
  • Look for services with vague or unfamiliar names, right-click on them, and select Properties to investigate further.
  • Submit suspicious files to VirusTotal for a second opinion.

5. Analyze Network Connections with Command Prompt and Wireshark

Malware often communicates with external servers, transferring stolen data or receiving commands from the attacker. Use netstat and Wireshark to monitor network activity.

• Using Command Prompt:
  1. Open Command Prompt.
  2. Type netstat -an to list all active network connections.
  3. Look for unusual IP addresses or ports, particularly for connections you didn’t initiate.
• Using Wireshark for Advanced Network Analysis:
  • Download Wireshark here: Wireshark Download
  • How to Use: Start capturing network traffic and look for unusual data flows, unfamiliar IPs, or large transfers when your system should be idle.

Wireshark is powerful but can be complex for beginners. It allows you to apply filters to narrow down traffic, making it easier to spot anomalies in your network connections.

6. Review Scheduled Tasks for Malicious Activity

Cybercriminals often set up scheduled tasks to run malicious scripts periodically, gaining access and collecting data over time. Checking these scheduled tasks can reveal ongoing threats.

• Steps:
  1. Open Task Scheduler.
  2. Check for tasks with names you don’t recognize or didn’t create.
  3. Disable suspicious tasks and research their origins.

Regularly reviewing scheduled tasks can prevent malware from repeatedly launching at specified intervals. For a more detailed overview, Autoruns can also list scheduled tasks.

7. Advanced Tools for Comprehensive Analysis

Several tools provide in-depth inspection capabilities, including checking files, memory dumps, and sandboxing unknown software.

• VirusTotal: Submit files for a multi-engine antivirus scan. VirusTotal Website
• Intezer Analyze: Uses genetic code analysis to detect malware by comparing your files against known threats.
  • Access Intezer here: Intezer Analyze
• Sandboxing with Any.Run: Sandboxing tools allow you to test files in isolated environments. Upload files to Any.Run to observe their behavior without risking your system.
  • Try Any.Run here: Any.Run

For deeper analysis, consider Volatility for memory forensics, allowing you to capture a memory dump and look for anomalies. Volatility offers detailed analysis for advanced users with experience in digital forensics.

8. Use System Monitors to Detect Unauthorized Activity

System monitoring tools like Process Hacker and GlassWire offer real-time insights into active processes, network connections, and resource usage.

• Process Hacker: Provides detailed control over system processes and services.
  • Download here: Process Hacker
• GlassWire: Monitors your network activity and alerts you to unusual activity.
  • Download here: GlassWire

These tools are user-friendly and provide additional details beyond Task Manager, making it easier to spot suspicious activity.

9. Check Your Security Software for Disablement or Compromise

Some malware disables or bypasses antivirus software to evade detection. Confirm that your security tools, including antivirus and firewalls, are enabled and functioning.

• Steps:
  1. Check your antivirus software’s status and update it if necessary.
  2. Open Windows Security > Virus & Threat Protection to review recent scans and ensure that real-time protection is active.
  3. Run a full system scan.

If you notice your antivirus turning off automatically or being unresponsive, this could indicate malware. Consider using a second-opinion scanner, like Malwarebytes or HitmanPro, for an additional layer of security.

10. Perform a System Backup and Secure Sensitive Data

If you detect signs of compromise, consider backing up your files before taking further action to protect your data. In severe cases, a full system reinstallation may be the most effective way to eliminate malware and start fresh.

• Backup Tips:
  • Use an external drive or a secure cloud storage provider.
  • Disconnect the backup drive from the system after transferring data to prevent malware from spreading to the backup.

Regular backups are a preventive measure that ensures you can restore your data in case of a severe attack.