Showing posts with label malicious. Show all posts

Friday, September 30, 2011

How to determine whether a program is malicious


Download and install System Explorer.
Run it and open the Processes tab.
Right-click a suspicious process and choose File Check - Virustotal.com from the context menu, as shown below.



The file is uploaded to Virustotal.com and a browser window opens with information about it. Keep in mind that uploading shares the file with VirusTotal and the antivirus vendors behind it, so do not submit documents that contain confidential data; for those, search VirusTotal by the file's hash instead.






On this page you will see a list of antivirus engines and, next to each one, its verdict on the file.
If most engines classify it as malicious, you can safely delete it. A handful of detections out of many can be a false positive, and zero detections only mean that nobody has a signature yet, not that the file is clean.
Remember that removing a trojan or other malware means removing it not only from memory but also from the disk location where it keeps its copy, and from startup.

General information about viruses and trojans


Most malware shares the following characteristics.
First, it leaves a copy of itself on your computer.
Second, it adds itself to startup.
Third, it stays resident as a process and at first glance does not bother you. But it is spying on you and sending useful information to its owner: passwords, credit card numbers, mail and much more.


Here I will list the locations on disk where most malware leaves its copy.
At the root of the C:\ drive
In the system and profile folders:
C:\Windows\
C:\Windows\System\
C:\Windows\System32\
C:\Windows\System32\drivers\
C:\Program Files\
C:\Documents and Settings\All Users\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\<UserName>\Application Data\
C:\Documents and Settings\<UserName>\Local Settings\Application Data\
C:\Documents and Settings\<UserName>\Local Settings\Application Data\Temp\
C:\Documents and Settings\<UserName>\Local Settings\Temp\
C:\Documents and Settings\<UserName>\Local Settings\Temporary Internet Files\


They can also create shortcuts on the desktop, in the Start menu, in Start menu - Programs, and in Start menu - Programs - Startup.


Next I will list how programs get added to autostart.
Some worms copy themselves to every drive and add an autorun.inf file in the root of each one. That file makes the malicious program run when the drive is opened. Autorun.inf drives the AutoRun feature for all drives, not only CD and DVD but also hard drives and flash drives; this is exactly why Windows 7 (and a later update for earlier versions) stopped honouring autorun.inf on non-optical drives. So if you find such a file in the root of a hard drive or flash drive, delete it immediately.
The second way is adding a file or shortcut to Start menu - Programs - Startup.
The third, and most popular, method is adding an entry to the registry.


Now I will list the registry keys where viruses and trojans can register themselves so that they run automatically when the operating system boots.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce


Under these keys are values whose data is the path to the program.
It looks like this:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
lsssass = "%AppData%\Install\lsssass.exe"
Here lsssass is the value name and the data is the path to the program. The name is chosen to look like the legitimate lsass.exe, a common trick.
%AppData% is an environment variable that expands to C:\Documents and Settings\<UserName>\Application Data\ on Windows XP (C:\Users\<UserName>\AppData\Roaming\ on Vista and later), not to the Local Settings\Application Data\ folder. A program that starts from a user profile folder rather than from C:\Windows\ or C:\Program Files\ deserves a closer look.


WARNING! Be careful when editing the registry so as not to harm your computer. If you are not confident in your abilities, ask someone who is more versed in operating systems.

Wednesday, September 28, 2011

How to kill malicious processes

Typically, antivirus and anti-malware applications (like Trojan-Killer) kill malicious processes automatically once they are detected. That is the preferred way, as these tools know how to recognize bad processes precisely. However, under certain circumstances processes need to be killed before running a scan:
You want to delete the malware manually
Malware processes block removers from running or from updating their databases
You cannot download anti-malware tools
Anti-malware tools do not have that particular version of the parasite in their database yet and cannot detect it
Keep in mind that this first step only stops the symptoms until the next reboot; you will need to proceed with the removal steps to clean the PC completely.

If you fail to launch Spyware Doctor or any other program, first try right-clicking it and choosing Run as administrator (on Windows 7 or Vista).


Using safe mode
Most malicious processes are not started when the PC runs in Safe Mode with Networking. To reach Safe Mode with Networking, do the following:
  1. Reboot
  2. Press F8 early on (you can press F8 a couple of times)
  3. Choose Safe Mode with Networking (preferably) or Safe Mode from the menu
  4. If it worked, you should not see any of the alerts that bother you in normal mode; continue to the next steps of malware removal.
This will not work if the malicious process is started by a driver, from the master boot record, or (in Safe Mode with Networking) together with the browser. Malware that registers itself under the SafeBoot\Minimal or SafeBoot\Network keys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control also starts in safe mode. Also, Safe Mode itself might be disabled by the malware.

Killing processes using Task Manager
The benefit of using Task Manager is that you do not need to download anything. Task Manager is present on all Windows computers, though it might be disabled, and it provides little control.

  1. Open Task Manager by pressing Ctrl+Shift+Esc, or press Ctrl+Alt+Del and choose it from the menu. For best results, do so just after Windows login, while other processes are still loading
  2. If that fails, go to Start->Run and type taskmgr
  3. If that fails too, go to C:\Windows\System32, copy taskmgr.exe and rename the copy to 1.scr, 1.com or another random name. Launch that file. You can also try right-clicking it and choosing Run as administrator on Windows Vista or Windows 7
  4. Open the Processes tab and choose to show processes from all users (optional)
  5. Select the malicious process in the list and right-click it
  6. Press End Process
Once the malicious processes are stopped the alerts should disappear and you can continue to the next steps of malware removal.

Sometimes Task Manager is blocked by malware. A workaround is to go to C:\Windows\System32, make a copy of taskmgr.exe, rename it to 1.exe or iexplore.exe and launch that file. This helps when the malware blocks or kills tools by executable name, as it often does. If instead you see the message that Task Manager has been disabled by your administrator, the malware has set the DisableTaskMgr policy value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System; renaming does not bypass that, but deleting the value (or using Process Explorer) does.

Killing processes using Process Explorer
Process Explorer provides more information on how processes were launched, and it is not blocked together with Task Manager. If it is blocked from running, try saving it as 1.scr, 1.com or iexplore.exe before launching it.
  1. Download Process Explorer from http://download.sysinternals.com/Files/ProcessExplorer.zip and unzip it.
  2. Launch Process Explorer (procexp.exe)
  3. Select the malicious process and press Del (Kill Process). If the malware runs as two processes that restart each other, right-click each one and choose Suspend first, then kill them; Shift+Del (Kill Process Tree) removes a process together with everything it spawned.
Once the malicious processes are stopped the alerts should disappear and you can continue to the next steps of malware removal.
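As an added example covering both the Task Manager and Process Explorer steps above (it is not code from the original post or from Sysinternals), the Python script below does the one thing the GUI does not make easy: it suspends every process in the malware's tree before terminating any of them, so a watchdog pair cannot restart each other in between. The image name lsssass.exe reuses the example from the earlier post, the snapshot rows used to exercise the tree logic are constructed, and the Win32 part (ctypes, a Toolhelp snapshot, the undocumented ntdll export NtSuspendProcess, TerminateProcess) only runs on Windows with rights over the target processes.

```python
"""Suspend-then-kill a malicious process tree on Windows.

Malware often runs as two processes that restart each other, so ending them
one at a time never sticks. The robust order is: collect every process with
the suspect image name plus all of their descendants, suspend all of them
first (nothing can respawn a sibling any more), then terminate them all.
The tree logic is plain Python and runs anywhere; the Win32 part runs only
on Windows, as the owner of the processes or as administrator.
"lsssass.exe" is the post's example name; the test rows are constructed."""
import ctypes
import sys
from collections import defaultdict


def children_map(rows):
    """rows: (pid, ppid, image name) tuples as a Toolhelp snapshot reports them."""
    kids = defaultdict(list)
    for pid, ppid, _name in rows:
        kids[ppid].append(pid)
    return kids


def process_tree(rows, root):
    """root plus all descendants, breadth-first (parents before children).
    'seen' stops loops: a reused PID can make a child look like an ancestor."""
    kids, order, queue, seen = children_map(rows), [], [root], {root}
    while queue:
        pid = queue.pop(0)
        order.append(pid)
        for child in kids.get(pid, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return order


def targets(rows, image_name):
    """Every process whose image name matches (case-insensitive), with its whole
    subtree; duplicates removed, first-seen order kept."""
    out = []
    for pid, _ppid, name in rows:
        if name.lower() == image_name.lower():
            for p in process_tree(rows, pid):
                if p not in out:
                    out.append(p)
    return out


if sys.platform == "win32":
    from ctypes import wintypes
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    TH32CS_SNAPPROCESS = 0x00000002
    PROCESS_TERMINATE, PROCESS_SUSPEND_RESUME = 0x0001, 0x0800

    class PROCESSENTRY32(ctypes.Structure):   # ANSI layout, matches Process32First
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD),
                    ("th32DefaultHeapID", ctypes.c_void_p),        # ULONG_PTR
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD),
                    ("pcPriClassBase", wintypes.LONG), ("dwFlags", wintypes.DWORD),
                    ("szExeFile", ctypes.c_char * 260)]

    k32.CreateToolhelp32Snapshot.restype = wintypes.HANDLE
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    for fn in (k32.Process32First, k32.Process32Next):
        fn.argtypes = [wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.TerminateProcess.argtypes = [wintypes.HANDLE, wintypes.UINT]
    ntdll.NtSuspendProcess.argtypes = [wintypes.HANDLE]

    def snapshot():
        """Live (pid, ppid, name) rows from CreateToolhelp32Snapshot."""
        rows, snap = [], k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        entry = PROCESSENTRY32()
        entry.dwSize = ctypes.sizeof(entry)
        more = k32.Process32First(snap, ctypes.byref(entry))
        while more:
            rows.append((entry.th32ProcessID, entry.th32ParentProcessID,
                         entry.szExeFile.decode("mbcs", "replace")))
            more = k32.Process32Next(snap, ctypes.byref(entry))
        k32.CloseHandle(snap)
        return rows

    def suspend_then_kill(pids):
        """Open all handles, suspend every process, only then terminate them.
        Returns the PIDs that could be opened (the rest need more privilege)."""
        handles = [k32.OpenProcess(PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME, False, pid)
                   for pid in pids]
        for h in handles:
            if h:
                ntdll.NtSuspendProcess(h)
        for h in handles:
            if h:
                k32.TerminateProcess(h, 1)
                k32.CloseHandle(h)
        return [pid for pid, h in zip(pids, handles) if h]

    if __name__ == "__main__":
        name = sys.argv[1] if len(sys.argv) > 1 else "lsssass.exe"
        victims = targets(snapshot(), name)
        print("suspending and terminating", name, "tree:", victims)
        print("handled:", suspend_then_kill(victims))
```

Run it from an elevated prompt as `python kill_tree.py lsssass.exe`. Process Explorer does the same by hand: right-click each suspect process and choose Suspend, then Kill Process Tree (Shift+Del) on each; the script just guarantees that every member is frozen before the first one dies.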