Mar 26, 2010


How To Identify Computer Virus Process


So how do you know if a process is a virus? If your anti-virus software identifies some .exe as a virus, then you know. If your anti-virus software identifies the DLL the virus is using, then you can find the .exe using it from the command line (see the FAQ). If not, then there must be something else that leads you to believe you have a virus running. In Process Explorer (if you don't have it yet, search for it and download it!) you can see a Company Name column. A virus generally doesn't have a value there. Also, its process name sounds odd, unlike notepad.exe or iexplore.exe. However, many odd-sounding names belong to core system processes that must be running, so unless you are an expert you cannot easily tell which process is the virus. Here is a list of legitimate processes you shouldn't mess with:

* svchost.exe
* lsass.exe
* taskmgr.exe
* smss.exe
* csrss.exe
* winlogon.exe
* TCPSVCS.EXE
* mdm.exe
* wdfmgr.exe
* usnsvc.exe
* explorer.exe
* iexplore.exe

In Process Explorer, you can see the icon next to the .exe, and you should recognise whether it's a program you are using right now (e.g. Notepad, Acrobat Reader, Internet Explorer). Keep in mind that you can stop any process you want, even a critical system process, because if something bad happens you can reboot your PC and all critical processes will be running again.

You should be able to find the absolute path of the virus .exe by looking at the Command Line column in Process Explorer (e.g. C:\WINDOWS\system32\iAmAVirus.exe). However, it is not necessarily the virus .exe; it could very well be a legitimate .exe that the virus DLL is hiding inside. If that's the case, go to the section Stop And Kill.

If by now you have identified only the .exe, you may feel bummed that you found out which .exe is the virus and nothing more, but don't be. If you kill the .exe successfully, your computer will never run the virus process again, and therefore even if there are bad DLLs lying around, they won't hurt. If you identified the .exe as well as the DLLs it depends on, then you can remove them all. You can try to delete them now, but chances are you will see the following error message:

Error Deleting File

This is because the file you are trying to delete is in use by some running process. If this process is the virus process, you can stop it. If this process is actually a legitimate process like explorer.exe or winlogon.exe, then you need to handle it with some finesse. You may find it surprising, but a tricky virus DLL can hide behind any legitimate process. If that's the case, go to the section Stop And Kill.
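The same triage the text does by eye in Process Explorer (empty Company Name, odd image path, and finding which process holds a DLL) can be scripted with built-in PowerShell. This is an added example, not from the original page; it assumes it is run from an elevated (Administrator) 64-bit PowerShell on Windows, and `$SuspectDll` is a constructed placeholder name, not a real indicator.

```powershell
# Added example: triage running processes the way the text describes for Process Explorer.
# Assumes an elevated 64-bit PowerShell; protected processes still report $null Path/Modules.
$SuspectDll = 'iAmAVirus.dll'   # constructed placeholder; use the DLL name your AV reported

# 1. Company Name / image path check. Flags processes with no CompanyName in their file
#    version info, an image outside the Windows or Program Files trees, or an invalid signature.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
function Get-SuspiciousProcess {
    Get-Process | ForEach-Object {
        $p = $_
        $path = $p.Path                                   # $null when access is denied
        $company = $null; $sig = 'Unknown'; $inTrusted = $false
        if ($path) {
            try { $company = (Get-Item $path).VersionInfo.CompanyName } catch { }
            try { $sig = (Get-AuthenticodeSignature $path).Status } catch { }
            foreach ($dir in $trusted) {
                if ($path.StartsWith($dir, 'OrdinalIgnoreCase')) { $inTrusted = $true }
            }
        }
        [pscustomobject]@{
            PID        = $p.Id
            Name       = $p.ProcessName
            Path       = $path
            Company    = $company
            Signature  = $sig
            Suspicious = (-not $company) -or (-not $inTrusted) -or ($sig -ne 'Valid')
        }
    } | Where-Object Suspicious
}

# 2. DLL -> process. Finds every running process that has the named DLL loaded, which is
#    the situation behind "Error Deleting File": a process (possibly a legitimate one such
#    as explorer.exe) holds the file open. Module access can throw, so each process is wrapped.
function Find-ProcessWithModule([string]$ModuleName) {
    Get-Process | Where-Object {
        try { @($_.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }).Count -gt 0 }
        catch { $false }
    } | Select-Object Id, ProcessName, Path
}

Get-SuspiciousProcess | Sort-Object Name | Format-Table -AutoSize
Find-ProcessWithModule $SuspectDll | Format-Table -AutoSize
```

An empty Company Name is only a triage hint, since version info is freely editable by whoever builds the executable; the signature status and the image path are the stronger signals in the output.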

One Minute Information - by Michael Wen