Step 2: Identify Malicious Processes and Drivers
After an infected computer is disconnected from the network, the next step in the disinfection process is to identify any malicious processes. This involves looking for telltale signs such as:
- Processes without custom icons.
- Processes that have no description or company name associated with them.
- Files that represent themselves as being from Microsoft, but don't have digital signatures.
- Unfamiliar processes running from the Windows directory.
- Files that are packed, which means that they have been compressed or encrypted. Most malware files are packed by their distributors in an effort to make them more difficult for security software to identify.
- Strange URLs in strings embedded in files.
- Processes with open TCP/IP endpoints.
- Processes that host suspicious dynamic-link libraries (DLLs) or services.
By themselves, these signs do not conclusively indicate a malicious process; for example, many legitimate executables and other files are packed, and many legitimate processes run without custom icons. Additionally, not all malware files and processes exhibit all the signs listed here. Overall, though, these signs can serve as useful clues for tracking down malware on an infected computer. A Sysinternals tool called Process Explorer can help a troubleshooter spot them.
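As an added example that is not part of the original text, the following PowerShell script approximates several of the indicators above with built-in cmdlets, so a troubleshooter can produce a first-pass list before opening Process Explorer. The function name Get-ProcessTriage and the flag labels are my own. It assumes an elevated session on a current Windows host, so that process image paths are readable and Get-NetTCPConnection is available. Packing and embedded-URL checks are not scripted here; Process Explorer's image and strings views cover those. A signature result is a lead to verify, not a verdict: catalog-signed system files can report as unsigned on some configurations, and a valid signature alone does not prove a file is benign.

```powershell
function Get-ProcessTriage {
    # Build a set of PIDs that own TCP endpoints (listening or connected).
    # Keys are cast to [int] so they compare equal to Process.Id below.
    $tcpByPid = @{}
    Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object {
        $tcpByPid[[int]$_.OwningProcess] = $true
    }
    $windir = $env:WINDIR

    foreach ($p in Get-Process) {
        $path = $p.Path
        # No path usually means access denied (protected or system process);
        # re-run elevated if many processes are skipped here.
        if (-not $path) { continue }

        $flags  = @()
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signed = ($null -ne $sig -and $sig.Status -eq 'Valid')
        $signer = if ($signed) { $sig.SignerCertificate.Subject } else { '' }

        # Indicator: no description or company name in the version resource.
        if ([string]::IsNullOrWhiteSpace($p.Company) -or
            [string]::IsNullOrWhiteSpace($p.Description)) {
            $flags += 'NoCompanyOrDescription'
        }
        # Indicator: claims to be from Microsoft but carries no valid signature.
        if ($p.Company -like '*Microsoft*' -and -not $signed) {
            $flags += 'ClaimsMicrosoftButUnsigned'
        }
        # Indicator: runs from the Windows directory without a valid signature.
        # (Signed Windows binaries are the norm there; unsigned ones merit a look.)
        if ($path -like "$windir\*" -and -not $signed) {
            $flags += 'UnsignedInWindowsDir'
        }
        # Indicator: process has open TCP/IP endpoints.
        if ($tcpByPid.ContainsKey([int]$p.Id)) {
            $flags += 'OpenTcpEndpoint'
        }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                PID     = $p.Id
                Name    = $p.ProcessName
                Path    = $path
                Company = $p.Company
                Signer  = $signer
                Flags   = ($flags -join ',')
            }
        }
    }
}

# Processes matching the most indicators are listed first; each row is a lead
# to confirm in Process Explorer (signature verification, strings, DLLs), not a verdict.
Get-ProcessTriage |
    Sort-Object { ($_.Flags -split ',').Count } -Descending |
    Format-Table -AutoSize
```

The script flags only combinations the text calls out as suspicious on their own (for example, an unsigned image in the Windows directory rather than every image there), which keeps the output short enough to review by hand on a typical host. Expect some legitimate third-party software to appear because of a missing company name or an open TCP endpoint; that matches the caveat above that these signs are clues, not proof.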