Friday, August 29, 2008

Windows: Hunt Down a Malicious Program/Virus

Computer viruses have existed for ages, and they persist because they have learned to adapt. They give sleepless nights to anyone who owns a personal computer. Computer viruses come in several forms, and each has its own strategy for attacking a user's personal data. In its elementary form a virus is just a block of code written in one of several programming languages. For a virus to do its dirty work it needs to be active; that is the 'Virus Law' I will exploit to hunt down a malicious program or a virus. Remember that not every malicious program is a virus, and it is not only viruses we need to be concerned about: trojans, worms, malware, adware, bots and what not. Hence I use the term 'malicious program'. Microsoft's Windows is the most widely used operating system in the world, and as a result it attracts the most viruses. Users are left at the mercy of antivirus programs. I highly recommend that anyone using Windows keep a well set up and regularly updated antivirus program running at all times; we have no other choice, and thankfully these programs do detect viruses much of the time. But what if a virus attacks your antivirus program itself (many these days do)? The thought is scary enough to send shivers down your spine. In this article I present my way of dealing with malicious programs and viruses.

This article assumes you have intermediate to advanced experience with the Windows environment and a little knowledge of Windows processes. Now, enough talk; let's get our hands dirty. To begin with, we need weapons, and they are as follows:

  • Process Explorer, a tiny utility which can be downloaded from Sysinternals.
  • Zone Alarm Pro, a firewall which you can purchase if you are a gentleman, or... you get the idea :-)

Surprisingly, we are not using any antivirus program at all. Trust me, we don't need one. Start Process Explorer and have a look at its output; here is what mine looked like:



The reason I asked for a little knowledge of Windows processes becomes clear once you go through each process and its description. Process Explorer is a great tool in a Windows admin's hands and is far more powerful and helpful than the one available by default in Windows, Task Manager.

Most malicious programs have one rule to obey: they need to be active to be able to cause destruction. Every active program (a virus included) has its process running, so when a virus is active its name is listed in the process list in Process Explorer. We can pick it out if we can tell system processes and application processes apart. Examples of system processes are svchost.exe, smss.exe, winlogon.exe etc. These are the processes that always run on your Windows machine, so to be smart you must know the names of the ones that run on your PC. All the remaining processes that show up in Process Explorer belong to the applications you have installed. For example, if you've installed Yahoo Messenger, a process called Ymsgr_tray.exe always runs on your PC. This way you should be able to identify every process as either a system process or an application-specific one.
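To make the system-versus-application sorting above concrete, here is an added example script (my own code for this article, not part of the original post and not a Sysinternals or Zone Alarm tool) that triages a process listing against a baseline of known system process names with their expected image directories, plus the application processes the owner recognises. The baseline, the known-application set and the sample listing are all constructed assumptions for the example; the listing imitates the Process, PID and Path columns Process Explorer shows, not its actual save format.

```python
"""Baseline triage of a Windows process listing.

Added example, not from the original post. Mirrors the manual Process
Explorer check: is each process a known system process (from the right
place), a known application, or something that needs a closer look?
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Assumed baseline: well-known Windows system processes and the directory
# their image normally lives in. Tune this per machine, as the post advises.
SYSTEM_BASELINE = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Assumed set of application processes the owner has installed and recognises.
KNOWN_APPS = {"ymsgr_tray.exe", "procexp.exe", "zlclient.exe"}

# Constructed sample listing (not a capture from a real machine): two clean
# system processes, one known app, a system name running from a temp folder,
# a look-alike name, and one process nobody can account for.
SAMPLE_EXPORT = """\
Process,PID,Path
smss.exe,372,C:\\Windows\\System32\\smss.exe
svchost.exe,904,C:\\Windows\\System32\\svchost.exe
Ymsgr_tray.exe,2210,C:\\Program Files\\Yahoo!\\Messenger\\Ymsgr_tray.exe
svchost.exe,3120,C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe
svch0st.exe,3188,C:\\WINDOWS\\system32\\svch0st.exe
hlp32.exe,3300,E:\\hlp32.exe
"""


@dataclass(frozen=True)
class Finding:
    name: str
    pid: int
    path: str
    verdict: str  # "ok", "masquerade", "lookalike" or "unknown"
    reason: str


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, path: str) -> tuple[str, str]:
    """Return (verdict, reason) for one process name and image path."""
    lname = name.lower()
    lpath = path.lower()
    directory = lpath.rsplit("\\", 1)[0] if "\\" in lpath else ""
    if lname in SYSTEM_BASELINE:
        expected = SYSTEM_BASELINE[lname]
        if directory == expected:
            return "ok", "system process running from its expected directory"
        return "masquerade", f"system process name but image in {directory!r}, expected {expected!r}"
    if lname in KNOWN_APPS:
        return "ok", "known application process"
    for known in SYSTEM_BASELINE:
        if _edit_distance(lname, known) <= 1:  # e.g. svch0st.exe vs svchost.exe
            return "lookalike", f"name differs from {known!r} by one character"
    return "unknown", "neither a system process nor a known application"


def triage(export_text: str) -> list[Finding]:
    """Classify every row of a Process,PID,Path listing."""
    reader = csv.DictReader(io.StringIO(export_text))
    return [
        Finding(row["Process"], int(row["PID"]), row["Path"], *classify(row["Process"], row["Path"]))
        for row in reader
    ]


def suspicious(export_text: str) -> list[Finding]:
    """Only the rows that deserve a manual look."""
    return [f for f in triage(export_text) if f.verdict != "ok"]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_EXPORT):
        print(f"[{f.verdict:10}] pid {f.pid:<5} {f.name:15} {f.path}\n             {f.reason}")
```

The point of the two extra verdicts is the caveat a name-only check misses: a malicious program can call itself svchost.exe and run from a temp folder, or use a near look-alike such as svch0st.exe, so the image path (Process Explorer's Path column) must be compared as well as the name.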

If your PC is infected with a malicious program, the process associated with it (often the malicious file itself) will appear in the Process Explorer list. You can identify it as malicious by its suspicious activity and by the fact that it is neither a system process nor a process belonging to any application you've installed. With a process identified as a virus, our job is half done. Now open Zone Alarm Pro, click the Program Control tab and select the Programs sub-tab. Here is what this looks like on my machine:


The screenshot is self-explanatory. Zone Alarm can grant or deny internet access to every process running on the PC, and it can also assign a trust level to every process. The trust level is what we will use to nab the malicious process. For the sake of this article I have deliberately run a process called AutoHotKey. Some antivirus programs identify AutoHotKey as a virus, but it is actually a script that most of us don't need. So if you find it in your startup and process lists, go ahead and do what I do here.

AutoHotKey is a nasty script that has no business irritating us. If you are infected with AutoHotKey, you will see it in Process Explorer. To nail the malicious process, simply select it in the Programs list in Zone Alarm, click on it under the Trust Level column and select Kill. The screen below shows this:


Once that is done, no matter what virus it is, it has been nailed for ever!

In my experience of dealing with all sorts of viruses, especially those that arrive on USB drives, this method of hunting a virus or any malicious program works like a charm. Always remember that most viruses disable your antivirus system once your PC is infected, so this method should save your ass in any such tricky situation. And boy, did I patent this method ;-)

Rule of thumb: if you've got internet on your PC, you must have a firewall and a properly configured, regularly updated antivirus system running.

1 comment:

David Wakelin said...

In your article, you specifically mention AutoHotkey as malicious.
I would like to point out that AutoHotkey is NOT malicious. It is a binary that allows users to program in AutoHotkey (www.autohotkey.com), an open-source, free programming language.