Malware uses many tricks to hide its process, and one of the most common is known as RunPE. Essentially this involves starting a known and trusted process - Explorer.exe, say - then replacing its code with the malware's own.

Phrozen RunPE Detector is a free tool which scans the headers of your processes in memory, and compares them to their disk images. If a process has been exploited by RunPE then there should be a difference, and you'll see an alert.
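The memory-versus-disk header comparison described above can be sketched as follows. This is an added example, not Phrozen RunPE Detector's own code: the choice of header fields, the function names and the sample headers are all assumptions made for illustration, and it handles 32-bit (PE32) headers only.

```python
import struct

# Compared fields are this example's choice; ImageBase is left out because
# the loader may relocate the image, changing it in memory.
FIELDS = ("machine", "sections", "timestamp", "entry_point", "size_of_image")

def parse_pe32(buf):
    """Parse selected PE32 header fields from bytes starting at the DOS header."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]   # e_lfanew: offset of "PE\0\0"
    opt = pe + 24                                 # signature (4) + COFF header (20)
    if opt + 60 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    machine, sections, timestamp = struct.unpack_from("<HHI", buf, pe + 4)
    entry_point = struct.unpack_from("<I", buf, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    return dict(zip(FIELDS, (machine, sections, timestamp, entry_point, size_of_image)))

def header_mismatches(disk, memory):
    """Return {field: (disk_value, memory_value)} for every field that differs."""
    d, m = parse_pe32(disk), parse_pe32(memory)
    return {f: (d[f], m[f]) for f in FIELDS if d[f] != m[f]}

def build_header(sections, timestamp, entry_point, size_of_image):
    """Construct a minimal PE32 header for the demo (not a loadable file)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, sections, timestamp, 0, 0, 0xE0, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<I", opt, 56, size_of_image)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed sample data: the header as read from the file on disk, and two
# header pages as they might be read from running processes.
DISK = build_header(4, 0x5A000000, 0x1000, 0x20000)
MEM_CLEAN = build_header(4, 0x5A000000, 0x1000, 0x20000)
MEM_ALTERED = build_header(3, 0x4F000000, 0x2340, 0x9000)

if __name__ == "__main__":
    for name, mem in (("clean", MEM_CLEAN), ("altered", MEM_ALTERED)):
        diff = header_mismatches(DISK, mem)
        print(name, "ALERT" if diff else "ok", diff)
```

A non-empty result is a reason to investigate the process further, not proof of infection on its own.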

Phrozen RunPE Detector can even try to remove whatever malware it detects, although we wouldn't rely on it being successful: if you find something, then we'd recommend using a full-strength antivirus engine to investigate further.

The other small bonus here is that Phrozen RunPE Detector allows you to close multiple processes in a single operation (right-click, Kill...).

Note also that the program can't yet scan 64-bit processes (though it can check 32-bit processes on 64-bit Windows).


Phrozen RunPE Detector doesn't do very much, but it really can identify RunPE-based malware, and as it's both a) quick and b) no-strings free we'd recommend grabbing a copy for your security toolkit.