It's no fun to go into Task Manager and discover a load of mysterious processes running on your PC. In the case of the unknowns, you may ask yourself how much of this stuff you want. Or, more pertinently, if anything on your machine is doing harm.
Unfortunately, few of us have more than a passing familiarity with what's under Windows' hood: the programs that run it and those that run alongside it. In this section, we'll tell you how to identify most Windows system files and research an unknown file, so you can tell the good ones from the miscreants. And we'll show you how to trace every application running on your PC.
You never know where or when the next security breach will open up and swallow your data whole. Even if you run a firewall, up-to-date antivirus and antispyware scanners and maintain strict download discipline, you can still end up with the latest and meanest infectious agents on your PC. Here's how to see if malware is lurking on your system.
1. Cover your back at every step. System Restore can return you to the point just before you crashed. Click Start-All Programs-Accessories-System Tools-System Restore, select 'Create a restore point' and go through the wizard. Create a restore point before each change outlined in this walkthrough.
2. You need to make your system files visible. Open Explorer and click Tools-Folder Options-View. Click Show hidden files and folders, then ensure Hide extensions for known file types and Hide protected operating system files are unchecked. Click Yes to any warnings and delete only files you strongly believe to be malware.
3. Use Process Explorer (www.sysinternals.com/utilities/processexplorer.html). Right-click a column and choose Select Columns, ticking Company Name and Command Line. Click the DLL tab, check Path and click OK. Choose View and ensure Show Lower Pane is checked. Finally, click View-Lower Pane View-DLLs.
4. Any processes running from the Temp folder should raise a red flag. If a running process points to a DLL (dynamic link library) in the Temp folder, be wary. In addition to Explorer.exe, XP users will find processes such as smss.exe, winlogon.exe, services.exe, alg.exe and lsass.exe. These are all critical files - don't touch any of them.
5. You will have several Windows program files running as well as these OS files. These normally start with 'Windows'. Examine the Description, Company Name and Command Line information for each process. You should be able to identify most of the programs associated with processes as software installed on your PC.
6. If you suspect a DLL might be bogus, the first place to check is Microsoft's DLL Help Database (support.microsoft.com/dllhelp), which lets you search for information about a DLL by name - handy if you suspect a file to be malware related. Another great resource is the Pest Encyclopedia at http://research.pestpatrol.com.
TIPS & TRICKSHELD AT RANSOM
Ransomware attacks are still very uncommon, but more are starting to appear, particularly from Russia and Asia.
If you're unlucky enough to fall victim to this type of cybercrime, do not pay the kidnappers and be sure to contact the police straight away. Make a note of the details of the ransom note and any other messages you've received. From an uninfected PC, run a Web search using these details. It's possible you could even find the password online. Finally, you could use an undelete program such as PC Inspector File Recovery (free; www.pcinspector.de/file_recovery/uk/welcome.htm) to recover some files, although it is very likely that you will find not everything can be restored.
HELPFUL DOWNLOADSROOTKITS REVEALED, PART I
Rootkit Revealer is a free alternative to programs such as F-Secure's BlackLight. It scans for Registry discrepancies that may suggest the presence of a rootkit. However, if rootkit makers do nothing to hide their malware, it doesn't always pick them up. www.sysinternals.com/utilities/rootkitrevealer.html
ROOTKITS REVEALED, PART II
With all due respect to Rootkit Revealer, IceSword is considered the toughest rootkit scanner. In fact, the creators of the Hacker Defender rootkit made it their goal to defeat the program; so far, they've failed. It comes in the .rar format, so you may need to download WinRAR from http://www.rarlabs.com. www.xfocus.org
FIND HIDDEN FILES
Hook Explorer can tell if a file has hidden itself behind legitimate programs. A file hooked into the Windows program winlogon.exe could record your keystrokes as you type your system password - if you tried to kill such a program, you'd crash your system. http://labs.idefense.com/releases/previews/HookExplorer
SiteAdvisor is a free plug-in for IE and Firefox that colour-codes search results and sponsored links in Google, MSN and Yahoo. A red icon indicates spam, malware and links to other malicious sites. Yellow means the site is questionable; green means it's clean. And if there's a grey symbol, it's unknown. www.siteadvisor.com