Ran Kaspersky Rescue 10 overnight and the system came out clean, except for an obscure shortcut (one amongst hundreds). Kaspersky reports the trojan as:
trojan-downloader.win32.pif.xx
and according to this Microsoft link, Kaspersky could indeed have found a valid infection. I have carefully checked the .lnk file in a binary editor and in Notepad, with nothing obviously suspicious.
Virus scanners use various sophisticated heuristics (such as SHA256 hashes) to detect infections, but these are susceptible to false positives. Is there any manual way to determine definitively if the shortcut is infected or whether Kaspersky has just stumbled on a (rare) false positive?
UPDATE
I found this online scanner. After uploading my .lnk file, Kaspersky again found the above-mentioned trojan...but 55 other scanners found nothing. The shortcut was running this command:
%SystemRoot%\system32\cmd.exe /c start "Send USB" /min /low C:\Batch\SendToUSB.bat
After making one trivial change of removing /low from the above command, every scanner now shows the shortcut as clean, including Kaspersky. I also scanned cmd.exe, the batch file itself and a few other shortcuts with similar commands. Nothing detected.
With a high degree of confidence, this appears to be a false positive.