Windows Security Tips
Finding malware in system folders.
By Andrew Brandt
Andrew Brandt is a PC World senior associate editor and author of the monthly Privacy Watch column.
It's no fun to go into the Windows Task Manager (Ctrl-Alt-Delete) and discover that a bunch of mysterious processes are running on your PC. You may ask yourself how much of this stuff you actually want running. Or more seriously, if anything running on your machine is doing harm.
Unfortunately, few of us have more than a passing familiarity with what's under Windows' hood. I'll explain how to identify most Windows system files (and to research an unknown file) so you can tell the good ones from the miscreants.
Even if you run a firewall, use up-to-date antivirus and anti-spyware scanners, and maintain strict download discipline, you can still end up with the latest and meanest infectious agents in your PC. Antivirus and other security tools need frequent and detailed updates to work effectively; they can't block a piece of malware that they haven't seen before.
Fortunately, once identified, malware is usually fairly easy--albeit tedious--to clean up. So follow some detection procedures, and your PC will be in good shape.
Safety First
First, and most important, remember this is your PC's operating system you're dealing with, so don't leap into your system files, deleting things willy-nilly as soon as you suspect trouble. If you blow it, you may render Windows unbootable.
Second, cover your behind at every step. System Restore (in Windows XP and Me) can safely return you to the point just before you crashed. Click Start, Programs (All Programs in XP), Accessories, System Tools, System Restore, select "Create a restore point," and step through the wizard. Make a new restore point before each change.
You may also need to make your system files visible. Open Explorer or any folder window, and click Tools, Folder Options, View. Click "Show hidden files and folders," and make sure that both "Hide extensions for known file types" and "Hide protected operating system files (Recommended)" are unchecked. Click Yes if you see any Windows warnings. (More on warnings later.) Run your up-to-date antivirus and anti-spyware apps. Delete a file only if you strongly believe it's part of a malware infestation.
Find Out What's Running
Now you're ready to determine what programs and services are currently running on your PC. Windows' Task Manager can't authenticate each of your running apps, so download and install a copy of the free Process Explorer from Sysinternals. Process Explorer is the sumo wrestler of Task Manager replacements: It may not look pretty, but it's dependable and very effective. And it does its job for free.
With Process Explorer, you can select any process and see the dynamic link libraries that the program uses. DLLs are executable functions or data used by Windows programs--including malware. You can also find out the hard-drive location of every running program.
Any processes running from the Temp folder should raise a red flag. Spyware tends to install itself in and run from such out-of-the-way nooks as the Temp folder. Likewise, if a running process points to a DLL in the Temp folder, be wary. The only occasion when something should be running from the Temp folder is when you are installing an application that uses an installer program such as InstallShield. In addition to Explorer.exe, Windows XP users will likely find other processes running, including smss.exe, winlogon.exe, services.exe, alg.exe, and lsass.exe. All of these are critical Windows files. Don't delete any of them.
Identify Mystery Processes
You likely have several other Windows program files running in addition to these OS files, including ones for applications and services running in the background, and drivers for your hardware. These files normally start up when Windows does. Examine the Description, Company Name, and Command Line information for each process. You should be able to identify most of the programs associated with processes as software you installed or that was preinstalled on your PC.
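The checks described above (where each process runs from, whether any of its DLLs live in a Temp folder, and what its Description and Company Name fields say) can also be run from a shell. The following PowerShell script is an added example, not code from the article or from Sysinternals; it assumes a current Windows with Windows PowerShell 5.1 or PowerShell 7, and it takes the user and system Temp folders from the environment. Processes it cannot inspect (protected or higher-privilege ones) are reported rather than skipped, because "could not inspect" is itself worth noting.

```powershell
# Added example (not from the article): inventory running processes and flag
# any whose image or loaded DLLs live under a Temp folder, then list the
# processes with no version information at all (the "mystery processes").

# Scratch folders the article singles out as suspicious launch locations.
$suspiciousRoots = @(
    $env:TEMP,
    (Join-Path $env:windir 'Temp')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-UnderSuspiciousRoot {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $suspiciousRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$report = foreach ($proc in Get-Process) {
    # Path, Company and Description come from the image's version resource.
    $imagePath = $null
    try { $imagePath = $proc.Path } catch { }

    # Loaded modules; access is denied for protected processes, so catch it.
    $tempModules = @()
    try {
        $tempModules = @($proc.Modules |
            Where-Object { Test-UnderSuspiciousRoot $_.FileName } |
            ForEach-Object { $_.FileName })
    } catch { }

    [pscustomobject]@{
        PID           = $proc.Id
        Name          = $proc.ProcessName
        Path          = $imagePath
        Company       = $proc.Company
        Description   = $proc.Description
        ImageFromTemp = Test-UnderSuspiciousRoot $imagePath
        TempDllCount  = $tempModules.Count
        TempDlls      = ($tempModules -join '; ')
        Inspectable   = [bool]$imagePath
    }
}

# Full inventory, with the items worth a second look sorted to the top.
$report | Sort-Object -Property @{Expression='ImageFromTemp'; Descending=$true},
                               @{Expression='TempDllCount'; Descending=$true},
                               Name |
    Format-Table PID, Name, ImageFromTemp, TempDllCount, Company, Description -AutoSize

# Flagged processes only, with full detail for follow-up research.
$report | Where-Object { $_.ImageFromTemp -or $_.TempDllCount -gt 0 } |
    Format-List PID, Name, Path, Company, Description, TempDlls

# Inspectable processes that carry no Company or Description at all.
$report | Where-Object { $_.Inspectable -and -not $_.Company -and -not $_.Description } |
    Format-Table PID, Name, Path -AutoSize

# Processes that could not be inspected from this session (run elevated to see them).
$report | Where-Object { -not $_.Inspectable } | Format-Table PID, Name -AutoSize
```

Run it from an elevated prompt to reduce the "not inspectable" list. A process running from Temp during an installer's execution is expected, as the article notes; anything in that list outside an install is what to research next.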
Follow these steps to identify all of your running services and background apps. The tricky part comes when something you find doesn't identify itself and doesn't seem to serve a purpose. That's when it's time to look to the Internet for answers.
If I suspect a DLL might be bogus, the first place I check is Microsoft's DLL Help Database, which lets me search for information about a DLL by name. If I suspect a file may be connected to spyware, I'll dig around in Computer Associates' Spyware Information Center. Another great resource is the Pest Encyclopedia at the PestPatrol Center for Pest Research, which provides information about more than 27,000 forms of malware.
If I can't tell whether a file is legitimate, I check the Task List Programs pages at AnswersThatWork.com for info about legitimate software as well as spyware and viruses. Tools such as WinPatrol and Uniblue's WinTasks 5 Professional offer insight into whether a program or DLL is malware. Both offer an online database containing information about thousands of DLLs and apps you might encounter, though WinTasks also can "blacklist" specific processes so that they can't run again.
If you hunt for malware on a regular basis, Neuber Software's Security Task Manager lets you evaluate every executable, driver, or DLL, whether or not it's running.
You can't always trust the first few results when you research an unknown file on the Web. Even if a hundred small sites post data about a suspected piece of malware, one page on a Microsoft site that explains the legitimate use of the file can trump those analyses. The more you find out about a file before you search online, the less likely it is that you'll kill a legitimate program or DLL.
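Before searching for a file online, it helps to collect everything the file itself can tell you: its hash, its version resource, whether it carries a valid Authenticode signature, and whether its on-disk name matches the name it was built with. The function below is an added example, not from the article; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and the path in the usage line is a placeholder to be replaced with the location Process Explorer reported.

```powershell
# Added example (not from the article): gather local facts about a suspect
# file before researching it online. None of these fields alone proves the
# file is malicious; together they narrow the search considerably.
function Get-FileDossier {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force      # -Force finds hidden/system files
    $ver  = $item.VersionInfo                        # same data Process Explorer shows
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        Modified        = $item.LastWriteTime
        Hidden          = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Company         = $ver.CompanyName
        Description     = $ver.FileDescription
        Product         = $ver.ProductName
        OriginalName    = $ver.OriginalFilename
        # A renamed binary is a hint, not proof; compare case-insensitively (-ne is).
        NameMismatch    = [bool]($ver.OriginalFilename -and ($ver.OriginalFilename -ne $item.Name))
        SignatureStatus = $sig.Status                # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
        InWindowsDir    = $item.FullName.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Usage: placeholder path; substitute the one shown in Process Explorer.
Get-FileDossier -Path 'C:\Path\To\suspect.exe' | Format-List
```

The SHA256 value is the most useful thing to search for, since it identifies the exact file rather than a filename that many unrelated programs may share; a Valid signature from a known publisher is the quickest way to rule a file out, and NotSigned or HashMismatch on something claiming to be a Microsoft component is the quickest way to rule it in for closer attention.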
