Honing Computer Forensics Skills with Process Explorer

Need to cleanse a malware infected Windows system? Learning to use a free and handy tool called Process Explorer is an essential first step.

Posted December 24, 2008

Lyne Bourque

(Page 1 of 2)

So how do you actually go about removing malware?

The reality is that most detection software, even after all this time, is still in the growing stage. Depending on whom you ask, the proactive success rate is potentially as low as 40 percent (or a detection failure rate as high as 60 percent), which means detection primarily happens after a system has been infected.

The challenge is how to deal with systems that have been infected and remove those nasties when the virus or malware prevents antivirus software from actively quarantining or removing it, or when it prevents the operating system from getting security fixes to address it.

The only way to ensure a clean system is a fresh install of the operating system. This isn't always an option and should only be a last resort. As with any system, you should have valid and working backups to minimize any data loss when this option is the last recourse on a system.

Process Explorer

Last month I talked about some of the tools that you can use for forensic purposes on an infected or compromised system. One of those tools is very helpful for removing nasties: Process Explorer. I've used Process Explorer for at least the last five years to troubleshoot Windows processes.

One of the first things you should have is an idea of what is normal in your list of processes. Looking at the screenshot below, I can see that my system is running fine.

[Screenshot: Process Explorer - Forensics]

This happens to be my virtual machine as identified by the processes listed near the 1. All other processes are normal running processes. If anything appears out of the ordinary, then I can be concerned. So when I look at it again, oh no!

[Screenshot: Process Explorer - Forensics]

I see three new processes running: dc.exe, Fun.exe and SVIQ.EXE. As it turns out, an application called Spyware Terminator, a rogue version of the malware protection suite, infected my system.
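As an added example that is not part of the article, the script below does mechanically what the two screenshots show being done by eye: it compares a process snapshot against an analyst-maintained baseline of what is normal and flags names that are not in it. It goes one step further than the text by also flagging a known name whose image loaded from an unexpected directory, a check Process Explorer's path column makes easy. The baseline directories and the snapshot are constructed for illustration.

```python
"""Baseline-diff a process snapshot, the way a Process Explorer user does by eye."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str   # image name as shown in the process list
    pid: int
    path: str   # full path of the executable image ("" if not applicable)


# Constructed baseline (hypothetical values, not from the article): process
# names considered normal on this box and the directory each image should
# load from. An empty directory means "do not check the path".
BASELINE = {
    "system": "",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "procexp.exe": r"c:\tools",
}


def audit(current, baseline=BASELINE):
    """Return (unknown, misplaced): processes whose name is absent from the
    baseline, and baseline names whose image sits in an unexpected directory.
    Names are compared case-insensitively, so SVIQ.EXE and sviq.exe match."""
    unknown, misplaced = [], []
    for p in current:
        name = p.name.lower()
        if name not in baseline:
            unknown.append(p)
            continue
        expected_dir = baseline[name]
        actual_dir = p.path.lower().rsplit("\\", 1)[0] if "\\" in p.path else ""
        if expected_dir and actual_dir != expected_dir:
            misplaced.append(p)
    return unknown, misplaced


# Constructed snapshot modelled on the article's second screenshot, plus one
# masquerading entry to exercise the path check.
SNAPSHOT = [
    Proc("System", 4, ""),
    Proc("smss.exe", 400, r"C:\Windows\System32\smss.exe"),
    Proc("svchost.exe", 900, r"C:\Windows\System32\svchost.exe"),
    Proc("explorer.exe", 1500, r"C:\Windows\explorer.exe"),
    Proc("dc.exe", 2100, r"C:\Windows\System32\dc.exe"),
    Proc("Fun.exe", 2104, r"C:\Documents and Settings\user\Fun.exe"),
    Proc("SVIQ.EXE", 2110, r"C:\Windows\SVIQ.EXE"),
    Proc("svchost.exe", 2120, r"C:\Windows\Temp\svchost.exe"),  # wrong directory
]

if __name__ == "__main__":
    unk, mis = audit(SNAPSHOT)
    print("not in baseline:", [f"{p.name} (pid {p.pid})" for p in unk])
    print("unexpected path:", [f"{p.name} (pid {p.pid}) {p.path}" for p in mis])
```

On a real system the snapshot would be built from Process Explorer's saved process list or from a `tasklist`/WMI query, and the baseline captured from the same machine while it was known to be clean.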

Well, time to remove them.
