Security Tips: Identify Malware Hiding in Windows' System Folders

Illustration by Stuart Bradford.

It's no fun to go into Task Manager and discover that a bunch of mysterious processes are running on your PC. Looking at the unknowns, you may ask yourself how much of this stuff you actually want and, more seriously, whether anything on your machine is actually doing harm.

Unfortunately, few of us have more than a passing familiarity with what's under Windows' hood: the programs that run it and that run alongside it. In this column, I'll explain how to identify most Windows system files (and to research an unknown file) so you can tell the good ones from the miscreants. I'll also show you how to trace every application running on your PC, including the newest menace to emerge--hidden rootkit files.

Of course, as with tremors on the San Andreas Fault, you can never know where or when the next security breach will open up and swallow your data whole. Even if you run a firewall, use up-to-date antivirus and anti-spyware scanners, and maintain strict download discipline, you can still end up with the latest and meanest infectious agents in your PC.

Antivirus and other security tools need frequent and detailed updates to work effectively; a signature-based scanner can't block a piece of malware it hasn't seen before. Consequently, these programs always suffer a period of vulnerability between the time a new worm is released on the Internet and the time the definitions that block or clean it are available for download. Whether that window lasts a few minutes or many days, it gapes open every time a new threat appears.

Fortunately, once identified, malware is usually fairly easy, albeit tedious, to clean up. The exception is a rootkit: because it alters what the operating system reports about its own files and processes, no tool run from inside the infected system can be fully trusted, so if you confirm one, a clean reinstall of Windows is safer than cleanup by hand. With that caveat, follow my detection procedures and your PC will be in good shape.

Safety First

First, and most important, remember that this is the operating system you're dealing with, so don't leap into your system files, deleting things willy-nilly as soon as you suspect trouble. If you blow it, you may render Windows unbootable.

Second, cover your behind at every step. System Restore (in Windows XP and Me) can roll your system files and Registry back to a restore point you made before a change went wrong. Click Start, Programs (All Programs in XP), Accessories, System Tools, System Restore, select Create a restore point, and step through the wizard. Make a new restore point before each change. Bear in mind that System Restore is not a backup: it doesn't cover your documents, and an infected file can be carried along inside a restore point, so keep a separate copy of anything you can't afford to lose.

You may also need to make your system files visible. Open Explorer or any folder window, and click Tools, Folder Options, View. Select Show hidden files and folders, and make sure that both 'Hide extensions for known file types' and 'Hide protected operating system files (Recommended)' are unchecked. Click Yes if you see any Windows warnings. (More on warnings later.) Showing extensions matters more than it sounds: with extensions hidden, a file named readme.txt.exe is displayed as readme.txt, which is exactly why malware uses such names. Run your up-to-date antivirus and anti-spyware apps. Finally, delete a file only if you strongly believe it's part of a malware infestation. For example, don't use the following techniques to remove old DLLs from your system folders.
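Because you should repeat both safety steps before every change, it helps to script them. The following is an added example, not part of the original column: it creates a restore point and switches on the three Explorer view settings above by writing the Registry values behind them. It uses PowerShell, which is what you would reach for on any Windows later than the XP/Me systems this column was written for (on XP itself PowerShell has to be installed separately); run it from an Administrator prompt. The description text, the function names Show-SystemFiles and Test-SystemFilesVisible and the variable $adv are my own choices.

```powershell
# Added example (not from the original column). Run from an elevated
# (Administrator) PowerShell prompt.

# --- Step 1: create a restore point before touching anything -----------------
$desc = "Before malware cleanup $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# The SystemRestore WMI class lives in root\default on XP through current
# Windows. Arguments: description, RestorePointType 12 = MODIFY_SETTINGS,
# EventType 100 = BEGIN_SYSTEM_CHANGE. ReturnValue 0 means success.
$sr = [wmiclass]"\\.\root\default:SystemRestore"
$rc = $sr.CreateRestorePoint($desc, 12, 100).ReturnValue
if ($rc -ne 0) {
    # Usual cause: System Restore is turned off for the system drive.
    Write-Warning "CreateRestorePoint returned $rc; turn System Restore on before continuing."
}

# Windows 8 and later skip creating a second restore point within 24 hours of
# the last one, so list what actually exists rather than trusting the call.
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Select-Object SequenceNumber, CreationTime, Description |
    Format-Table -AutoSize

# --- Step 2: show hidden files, file extensions and protected OS files -------
# These are the Registry values behind Tools, Folder Options, View.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-SystemFiles {
    # Hidden: 1 = show hidden files and folders (2 = hide them)
    # HideFileExt: 0 = show extensions for known file types
    # ShowSuperHidden: 1 = show protected operating system files
    Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
}

function Test-SystemFilesVisible {
    # Read the values back and return $true only if all three are as required.
    $v = Get-ItemProperty -Path $adv
    return ($v.Hidden -eq 1 -and $v.HideFileExt -eq 0 -and $v.ShowSuperHidden -eq 1)
}

Show-SystemFiles
if (-not (Test-SystemFilesVisible)) {
    throw "Explorer view settings were not applied; check the values under $adv"
}

# Explorer reads these values when a window opens, so restart it to make
# already-open windows pick them up. Windows normally relaunches the desktop
# shell by itself; the last line covers the case where it does not.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 3
if (-not (Get-Process explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
```

The WMI call is used instead of the newer Checkpoint-Computer cmdlet because it works on every Windows version that has System Restore, including XP with PowerShell installed; on Windows 7 and later the two are interchangeable. The read-back in Test-SystemFilesVisible is the check worth keeping: some malware resets exactly these values to stay out of sight, so a script that reports the settings have silently changed back is itself a useful early warning.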
