Sunday, February 24, 2013

Virus Hunting

Where do you look for viruses? Simple: you look in computer memory (RAM). A computer program of any kind has to be loaded into memory to run at all. Windows uses the name "process" for each piece of programming loaded into RAM. Process Explorer is a freeware program that lists all the processes loaded into memory. It can be downloaded from the web; just Google "Process Explorer" to find a site to download it from.
When running, Process Explorer displays a list of all programs loaded in memory, and thus runnable. A typical computer will have about 30 processes loaded. Most of these processes are parts of Windows and are supposed to be there. But if you have a virus, it will show up in Process Explorer too.
So how does one tell the harmless and necessary parts of Windows from viruses? Just right-click on the process name and Process Explorer will search the internet with Bing (Microsoft's Google competitor) for information on that program name. Cool. You will get dozens of hits on every process name.
You want to read a number of them. Many of the hits are from websites offering magical Windows Washing programs. I don't trust magical Windows Washers; they can be viruses themselves, or they can break your computer. But postings from Microsoft.com, Da Tech Guy, Bleeping Computer, CNET and many others are reliable. Go by the preponderance of evidence. If all the posts say it's part of Windows, or all the posts say it's a virus, you know where you stand. If most of the posts are wishy-washy, and the single post that calls it a virus sounds like a rant, then it means no one really knows what it is.
So what do you do when you find a virus lurking in RAM? It only gets into RAM by loading itself off disk at boot time. You have to use Windows Explorer to find it on disk and zap it. In fact, just to make sure it's really gone, I'd empty the Recycle Bin after deleting the file.
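The same triage, scripted. This is an added example and not code from the original post or from Process Explorer: it lists every running process with its on-disk path, Authenticode signature status and SHA-256 hash, so the web search described above can start from the image path and hash rather than the process name alone (a name can be borrowed; a hash cannot). It assumes Windows PowerShell 5.1 or later in an elevated session, so the paths of system-owned processes are readable.

```powershell
# Added example (not from the original post): triage running processes by path,
# signature and hash, and flag the ones that deserve a closer look.
# Assumes an elevated Windows PowerShell 5.1+ session.

# Locations a legitimate image is normally launched from (assumption of this script).
$expectedRoots = @(
    [Environment]::GetFolderPath('Windows'),
    [Environment]::GetFolderPath('ProgramFiles'),
    [Environment]::GetFolderPath('ProgramFilesX86')
) | Where-Object { $_ }

function Get-ProcessTriage {
    Get-Process | ForEach-Object {
        $path = $_.Path          # $null for System/Idle and when access is denied
        $status = 'NoPath'; $signer = ''; $hash = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        # Review if the image is unsigned or tampered, or runs from outside the
        # Windows and Program Files trees (trailing backslash avoids prefix tricks
        # such as C:\WindowsFake matching C:\Windows).
        $inExpectedRoot = $false
        foreach ($root in $expectedRoots) {
            if ($path -and $path.StartsWith("$root\", 'OrdinalIgnoreCase')) {
                $inExpectedRoot = $true
            }
        }
        [PSCustomObject]@{
            Pid    = $_.Id
            Name   = $_.ProcessName
            Path   = $path
            Signed = $status
            Signer = $signer
            SHA256 = $hash
            Review = ($status -ne 'Valid') -or (-not $inExpectedRoot)
        }
    }
}

# Flagged processes first; the SHA256 column is the value to search for, since a
# renamed file keeps the same hash.
Get-ProcessTriage | Sort-Object -Property Review -Descending |
    Format-Table Pid, Name, Review, Signed, Path -AutoSize
```

Some Windows components are signed only through catalog files and may show as NotSigned on older PowerShell versions, so treat a NotSigned entry under the Windows directory as a prompt for the web search the post describes, not as a verdict.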
This is hand-to-hand virus fighting. You only need to get into this sort of thing after your antivirus program(s) have failed to kill it.
