Identify Malware Process Manually

Windows Security Tutorials - Herong's Tutorial Examples

∟Malware (Adware, Spyware, Trojan, Worm, and Virus)

∟Identify Malware Process Manually

This section provides a summary of advices on how to identify malware process when malware symptom appears on a Windows system.

If you have to remove malware manually, the first thing you should do is to identify the malware process. Here are some advices you can follow.

When you see the malware symptom appearing on your Windows system, record as much as you can about the current state of the system, including:

If the symptom is visible, like a popup windows, take screenshots.
If you see any Web addresses in the browser address area, or in the browser status area when you mouse over some clickable links to images, record those Web addresses.
Record all application programs that are currently running.
Record all processes that are currently running on the system using the "Task Manager" tool.

Try to find out processes that are possibly related to the malware symptom from the process list, using various techniques:

Record all processes that uses more than 0% CPU time while malware symptom appearing on the system as suspicious processes.
If you see multiple processes with the same name, record them as suspicious processes.
If you see any deceptive process names like kerne132.exe, record them as suspicious processes.
Start to close all application programs. Record what processes are gone in "Task Manager", when you close each program. If the malware symptom disappears when an application is closed, record processes related to this application as suspicious processes.
Start to stop all system services using the system admin tool called "Services". This may cause your system to lose some functionalities, like Wi-Fi connections. Record what processes are gone in "Task Manager", when you stop each Service. If the malware symptom disappears when an application is closed, record processes related to this service as suspicious processes.
Start to review all startup programs using the system admin tool called "msconfig". Terminate the process that matches each startup program executable file. If the malware symptom disappears when a process is terminated, record this process as a suspicious process.

Review each of those recorded suspicious processes to identify which is truly related to the malware. Review detailed properties of the executable file of the suspicious process in the following areas:

If the file has no copyright information, it's likely a malware process.
If the file name consists of random letters, it's likely a malware process.
If the file create time was very recent, it's likely a malware process.
If the file is located in a folder with not many other files, it's likely a malware process.