Andrew Brandt
From the July 2005 issue of PC World magazine
It's no fun to go into Task Manager and discover that a bunch of mysterious
processes are running on your PC. In the case of the unknowns, you may ask
yourself how much of this stuff you actually want. Or more seriously, if
anything on your machine is actually doing harm.
Unfortunately, few of us have more than a passing
familiarity with what's under Windows' hood: the programs that run it and that
run alongside it. In this column, I'll explain how to identify most Windows
system files (and to research an unknown file) so you can tell the good ones
from the miscreants. I'll also show you how to trace every application running
on your PC, including the newest menace to emerge--hidden rootkit files.
Of course, as with tremors on the
Antivirus and other security tools need frequent and
detailed updates to work effectively; they can't block a piece of malware that
they haven't seen before. Consequently, these programs always suffer a period of
vulnerability between the time when source code for a new worm hits the
Internet, for example, and the time when the antivirus definitions to block or
clean the infection are available for download. Whether it's for a few minutes
or for many days, that window always gapes open when new threats appear.
Fortunately, once identified, malware is usually fairly
easy--albeit tedious--to clean up. So follow my detection procedures, and your
PC will be in good shape.
First, and most important, remember that this is the
operating system you're dealing with, so don't leap into your system files,
deleting things willy-nilly as soon as you suspect trouble. If you blow it, you
may render Windows unbootable.
Second, cover your behind at every step. System Restore
(in Windows XP and Me) can safely return you to the point just before you
crashed. Click Start, Programs (All Programs in XP), Accessories,
System Tools, System Restore, select Create a restore point, and step
through the wizard. Make a new restore point before each change.
You may also need to make your system files visible. Open
Explorer or any folder window, and click Tools, Folder Options, View.
Click Show hidden files and folders, and make sure that both 'Hide
extensions for known file types' and 'Hide protected operating system files
(Recommended)' are unchecked. Click Yes if you see any Windows warnings.
(More on warnings later.) Run your up-to-date antivirus and anti-spyware apps.
Finally, delete a file only if you strongly believe it's part of a malware
infestation. For example, don't use the following techniques to remove old DLLs
from your system folders.
Now you're ready to determine what programs and services
are currently running on your PC. Windows' Task Manager can't authenticate each
of your running apps, so download a copy of the free Process
Explorer from Sysinternals.
Unzip the procexpnt.zip file, and then double-click the
file named procexp.exe. Process Explorer is the sumo wrestler of Task Manager
replacements: It may not look pretty, but it's dependable and very effective.
And unlike the top sumo pros, it does its job for free.
Some of Process Explorer's most useful info is hidden by
default. To see it, right-click a column name and then choose Select Columns.
Both 'Process Name' and 'Description' should be checked already, but make sure
to check Company Name and Command Line as well. Click the DLL
tab, check Path, and click OK. Next, click View and make
sure that 'Show Lower Pane' is checked. Last of all, click View, Lower Pane
View, DLLs (see Figure 1).
With these Process Explorer options on, you can select
any process and see listed in the lower pane the DLLs that the program uses. The
Command Line column shows the hard-drive location of every running program,
or--in the case of services (which sometimes run under svchost.exe)--it
identifies which instance of svchost.exe invoked that service.
Any processes running from the
Temp folder should raise a red flag. Spyware tends to install itself in and run
from such out-of-the-way nooks as the Temp folder. Likewise, if a running
process points to a DLL in the Temp folder, be wary. The only
occasion when something should be running from the Temp folder is when you are
installing an application that uses an installer program such as InstallShield.
In addition to Explorer.exe, Windows XP users will likely find other processes
running, including smss.exe, winlogon.exe, services.exe, alg.exe, and lsass.exe.
All of these are critical Windows files. Don't nix any of them.
One legitimate Windows file that bears a little more
scrutiny when found in the running-processes list is rundll32.exe. Some forms of
malware, distributed as DLL files, hide themselves by using this program as a
launching pad. Task Manager indicates only that the rundll32 program is running,
but Process Explorer's Command Line field shows you which DLL rundll32 is
associated with. Still, keep in mind that some device drivers use rundll32 for
legitimate purposes, so before killing the process, make sure it's actually
doing damage. The folder name at the end of the file path should give you a clue
about the process's legitimacy.
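The two checks this column describes, a process running from a Temp folder and a rundll32.exe instance whose command line names the DLL it really loads, as an added PowerShell example (not part of the original column or of Process Explorer). It assumes Windows PowerShell 5.1 or later and reads the same Path, Company Name and Command Line data Process Explorer shows, but from WMI; run it elevated so every process's path is visible.

```powershell
# Added example, not from the PC World column: list running processes with the
# columns the column tells you to enable, and flag the two red flags it names.
# Assumes Windows PowerShell 5.1+; run elevated to see paths of all processes.

# Temp folders the column warns about: per-user and system Temp.
$tempRoots = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique

function Test-InTemp([string]$Path) {
    if (-not $Path) { return $false }
    foreach ($root in $tempRoots) {
        if ($Path.StartsWith($root + '\', [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    # Any other user's Temp folder, e.g. C:\Users\<name>\AppData\Local\Temp
    return $Path -match '\\AppData\\Local\\Temp\\'
}

Get-CimInstance Win32_Process | ForEach-Object {
    $proc    = $_
    $exePath = $proc.ExecutablePath
    $cmd     = $proc.CommandLine
    $company = $null
    if ($exePath -and (Test-Path -LiteralPath $exePath)) {
        # Same field Process Explorer's Company Name column reads from the file's version info
        $company = (Get-Item -LiteralPath $exePath).VersionInfo.CompanyName
    }
    $flags = @()
    if (Test-InTemp $exePath) { $flags += 'RUNS-FROM-TEMP' }
    if ($proc.Name -ieq 'rundll32.exe' -and $cmd) {
        # Command line form: rundll32.exe <dll>,<entrypoint> [args]; the DLL path may be quoted.
        if ($cmd -match 'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,') {
            $dll = $Matches[1]
            if (Test-InTemp $dll) { $flags += 'RUNDLL32-DLL-IN-TEMP' }
            $cmd = "loads $dll"
        }
    }
    if (-not $company) { $flags += 'NO-COMPANY-NAME' }   # needs a closer look, as the column says
    [PSCustomObject]@{
        PID     = $proc.ProcessId
        Name    = $proc.Name
        Company = $company
        Path    = $exePath
        Flags   = ($flags -join ',')
        Command = $cmd
    }
} | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Flagged rows come first; a flag is a reason to research the file, not by itself proof of malware, exactly as with Process Explorer's columns.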
You likely have several other Windows program files
running in addition to these OS files, including ones for applications and
services running in the background, and drivers for your hardware. These files
normally start along with Windows. Examine the Description, Company Name, and Command
Line information for each process. You should be able to identify most of the
programs associated with processes as software you installed or that was
preinstalled on your PC.
When a software maker has failed to include a Description
and/or Company Name for its program, you'll need to dig a little deeper.
Right-click its entry in Process Explorer's list, and choose Properties.
If the information under the Image tab leaves you scratching your head, click
the Services tab. Some legitimate services that are listed in the
indented column below 'services.exe' in Process Explorer's main window (without
text in their Description field) will appear under this tab.
For example, Process Explorer once showed two processes
running on my PC without Description or Company Name entries. One was
'slee81.exe' (see Figure 2); when I looked at the process's entry under the Services tab, it
identified the file as Steganos Live Encryption Engine. I had installed the
Steganos software myself, so I wasn't surprised to find its components running
in the background. This isn't a security threat, but unless I'm using Steganos
to encrypt and decrypt files, I can save some CPU cycles by turning the service
off until I need it.
The second file, 'WLTRYSVC.EXE', was even easier to
puzzle out from its Services entry. While the name of the process ('WLTRYSVC
service') isn't any more illuminating than its file name, a slightly indented
file sits just below it in Process Explorer's main window, which means that 'WLTRYSVC'
launched another app, called 'BCMWLTRY.EXE'. That file is identified as the 'Broadcom
Wireless Network Tray Applet,' which I installed to display Wi-Fi signal
strength. Since I'm likely to be using my Wi-Fi connection frequently, that's a
process I want to keep.
Follow these steps to identify all of your running
services and background apps. The tricky part comes when something you find
doesn't identify itself and doesn't seem to serve a purpose. That's when it's
time to look to the Internet for answers.
Online Vermin Trackers
If I suspect a DLL might be bogus, the first place I
check is Microsoft's DLL Help Database (see Figure 3), which lets me search for
information about a DLL by name. If I suspect a
file may be connected to spyware, I'll dig around in Computer Associates' Spyware
Information Center. Another great resource is the Pest
Encyclopedia at the
If I can't tell whether a file is legitimate, I check the
Task List Programs pages at AnswersThatWork.com
(see Figure 4) for info about legitimate software as well as spyware and viruses. Tools
such as WinPatrol
and Uniblue's WinTasks 5 Professional offer insight into whether a program or DLL is malware. Both
offer an online database containing information about thousands of DLLs and apps
you might encounter, though WinTasks also can "blacklist" specific
processes so that they can't run again.
If you hunt for malware on a regular basis, Neuber
Software's Security
Task Manager lets you evaluate every executable, driver, or DLL, whether or
not it's running.
Bottom Line: You can't always trust the first few
results when you research an unknown file on the Web. Even if a hundred small
sites post data about a suspected piece of malware, one page on a Microsoft site
that explains the legitimate use of the file can trump those analyses. The more
you find out about a file before you search online, the less likely it is that
you'll kill a legitimate program or DLL.
Security Toolbox: Hunting Hidden Files
The last stop on our processes tour concerns a new breed
of malware called kernel-level rootkits. These tools permit malicious hackers to
hide their tracks (and files) on an infected PC. Fortunately, several available
programs will help you spot, and in one case, remove, these dangerous rootkit
files.
For sheer analytical power, no competing rootkit remover
can outperform Sysinternals' RootkitRevealer,
which ferrets out files and Registry keys that might be associated with rootkits.
The program is far from foolproof, however: Not all of the items it uncovers are
malware. Learn
how RootkitRevealer works, and how to use it effectively.
For point-and-click ease, F-Secure's BlackLight
tool (free while it's in beta) puts the antivirus company's knowledge to use in
a rootkit scanner that finds and disarms rootkit files on your hard drive.
Though spartan in design, the tool won't leave a hidden Trojan horse in place.
Illustration by: Stuart Bradford