Security Tips: Identify Malware Hiding in Windows' System Folders

Identify rogue files hiding in Windows' system folders.

Andrew Brandt

Find Out What's Running

Now you're ready to determine what programs and services are currently running on your PC. Windows' Task Manager can't authenticate each of your running apps, so download a copy of the free Process Explorer from Sysinternals.

Unzip the procexpnt.zip file, and then double-click the file named procexp.exe. Process Explorer is the sumo wrestler of Task Manager replacements: It may not look pretty, but it's dependable and very effective. And unlike the top sumo pros, it does its job for free.

Some of Process Explorer's most useful info is hidden by default. To see it, right-click a column name and then choose Select Columns. Both 'Process Name' and 'Description' should be checked already, but make sure to check Company Name and Command Line as well. Click the DLL tab, check Path, and click OK. Next, click View and make sure that 'Show Lower Pane' is checked. Last of all, click View, Lower Pane View, DLLs (see Figure 1).

With these Process Explorer options on, you can select any process and see listed in the lower pane the DLLs that the program uses. The Command Line column shows the hard-drive location of every running program, or--in the case of services (which sometimes run under svchost.exe)--it identifies which instance of svchost.exe invoked that service.

Any processes running from the Temp folder should raise a red flag. Spyware tends to install itself in and run from such out-of-the-way nooks as the Temp folder. Likewise, if a running process points to a DLL in the Temp folder, be wary. The only occasion when something should be running from the Temp folder is when you are installing an application that uses an installer program such as InstallShield. In addition to Explorer.exe, Windows XP users will likely find other processes running, including smss.exe, winlogon.exe, services.exe, alg.exe, and lsass.exe. All of these are critical Windows files. Don't nix any of them.

One legitimate Windows file that bears a little more scrutiny when found in the running-processes list is rundll32.exe. Some forms of malware, distributed as DLL files, hide themselves by using this program as a launching pad. Task Manager indicates only that the rundll32 program is running, but Process Explorer's Command Line field shows you which DLL rundll32 is associated with. Still, keep in mind that some device drivers use rundll32 for legitimate purposes, so before killing the process, make sure it's actually doing damage. The folder name at the end of the file path should give you a clue about the process's legitimacy.
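The same triage the article performs by hand in Process Explorer (image path in a Temp folder, loaded DLLs in a Temp folder, which DLL a rundll32.exe instance was launched with, and which service group an svchost.exe instance hosts) can be scripted. This is an added example for a modern PowerShell prompt, not code from the article or from Sysinternals; it assumes the `Win32_Process` CIM class and `Get-Process` are available and is best run elevated so other users' module lists are readable.

```powershell
# Added example (not from the article): flag running processes the way the
# article's Process Explorer checklist does. Run from an elevated prompt.

# Folders the article treats as suspicious places for a program or DLL to live
$tempDirs = @($env:TEMP, $env:TMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() } | Select-Object -Unique

function Test-TempPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $p = $Path.ToLower()
    foreach ($d in $tempDirs) { if ($p.StartsWith($d + '\')) { return $true } }
    return ($p -like '*\temp\*')   # any other folder literally named Temp
}

$procs = Get-CimInstance Win32_Process
$byPid = @{}; foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

foreach ($p in $procs) {
    $flags = @()
    # Process Explorer's Command Line column: where the image really lives
    if (Test-TempPath $p.ExecutablePath) { $flags += 'IMAGE-IN-TEMP' }

    # Task Manager only says "rundll32 is running"; the DLL it loads is the first
    # argument on the command line, up to the comma before the entry-point name
    if ($p.Name -ieq 'rundll32.exe' -and
        $p.CommandLine -match '^\s*"?[^"]*rundll32\.exe"?\s+"?([^",]+)') {
        $dll = $Matches[1].Trim()
        $flags += "RUNDLL32-LOADS=$dll"
        if (Test-TempPath $dll) { $flags += 'RUNDLL32-DLL-IN-TEMP' }
    }

    # Services hosted in svchost.exe: record which service group (-k) this instance runs
    if ($p.Name -ieq 'svchost.exe' -and $p.CommandLine -match '-k\s+(\S+)') {
        $flags += "SVCHOST-GROUP=$($Matches[1])"
    }

    # Lower pane, DLL view: any loaded module that lives in a Temp folder
    try {
        $mods = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules
        foreach ($m in $mods) { if (Test-TempPath $m.FileName) { $flags += "DLL-IN-TEMP=$($m.FileName)" } }
    } catch { }   # access denied for protected processes, or the process already exited

    if ($flags.Count -gt 0) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '?' }
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Parent = $parentName
                           Path = $p.ExecutablePath; Flags = ($flags -join '; ') }
    }
}
```

A flag is a prompt to investigate, not a verdict: an InstallShield setup running from Temp, or a driver applet launched through rundll32, will be listed alongside anything genuinely rogue, so check the Description, Company Name and Services details the article describes before killing anything.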

Identify Mystery Processes

You likely have several other Windows program files running in addition to these OS files, including ones for applications and services running in the background, and drivers for your hardware. These programs normally start automatically when Windows starts. Examine the Description, Company Name, and Command Line information for each process. You should be able to identify most of the programs associated with processes as software you installed or that was preinstalled on your PC.

When a software maker has failed to include a Description and/or Company Name for its program, you'll need to dig a little deeper. Right-click its entry in Process Explorer's list, and choose Properties. If the information under the Image tab leaves you scratching your head, click the Services tab. Some legitimate services that are listed in the indented column below 'services.exe' in Process Explorer's main window (without text in their Description field) will appear under this tab.

For example, Process Explorer once showed two processes running on my PC without Description or Company Name entries. One was 'slee81.exe' (see Figure 2); when I looked at the process's entry under the Services tab, it identified the file as Steganos Live Encryption Engine. I had installed the Steganos software myself, so I wasn't surprised to find its components running in the background. This isn't a security threat, but unless I'm using Steganos to encrypt and decrypt files, I can save some CPU cycles by turning the service off until I need it.

The second file, 'WLTRYSVC.EXE', was even easier to puzzle out from its Services entry. While the name of the process ('WLTRYSVC service') isn't any more illuminating than its file name, a slightly indented file sits just below it in Process Explorer's main window, which means that 'WLTRYSVC' launched another app, called 'BCMWLTRY.EXE'. That file is identified as the 'Broadcom Wireless Network Tray Applet,' which I installed to display Wi-Fi signal strength. Since I'm likely to be using my Wi-Fi connection frequently, that's a process I want to keep.

Follow these steps to identify all of your running services and background apps. The tricky part comes when something you find doesn't identify itself and doesn't seem to serve a purpose. That's when it's time to look to the Internet for answers.

Online Vermin Trackers

If I suspect a DLL might be bogus, the first place I check is Microsoft's DLL Help Database (see Figure 3), which lets me search for information about a DLL by name. If I suspect a file may be connected to spyware, I'll dig around in Computer Associates' Spyware Information Center. Another great resource is the Pest Encyclopedia at the PestPatrol Center for Pest Research, which provides information about more than 27,000 forms of malware.

If I can't tell whether a file is legitimate, I check the Task List Programs pages at AnswersThatWork.com (see Figure 4) for info about legitimate software as well as spyware and viruses. Tools such as WinPatrol and Uniblue's WinTasks 5 Professional offer insight into whether a program or DLL is malware. Both offer an online database containing information about thousands of DLLs and apps you might encounter, though WinTasks also can "blacklist" specific processes so that they can't run again.

If you hunt for malware on a regular basis, Neuber Software's Security Task Manager lets you evaluate every executable, driver, or DLL, whether or not it's running.

Bottom Line: You can't always trust the first few results when you research an unknown file on the Web. Even if a hundred small sites post data about a suspected piece of malware, one page on a Microsoft site that explains the legitimate use of the file can trump those analyses. The more you find out about a file before you search online, the less likely it is that you'll kill a legitimate program or DLL.
