Peek-a-Boo, I See You

 

David Shamah, The Jerusalem Post, October 1, 2004

 

The paths I tread as I traverse my computer are twisted and gnarly. Like in California, there is no "there" there. I can't begin to tell you how many times I started out writing about A and ended up with a story about Q.

 

Like today. I was all set to write about a lovely tool that can make your life a bit easier, the Microsoft Keyboard Layout Creator, which can be used to create custom keyboards out of characters or icons.

 

I installed it and tried to run it, but I got an error relating to the Microsoft .Net environment, which it requires in order to work. I've been trying to avoid .Net, but finally having no choice – after all, this is a Microsoft product – I broke down and installed it, necessitating a restart of my XP laptop.

 

So, I watched as the .Net stuff downloaded and installed itself, and kept looking at the screen as the computer restarted. And then I saw something I wasn't supposed to see.

 

What I wasn't supposed to see was a bar that displayed itself for a few seconds and displayed a graphic showing a process that was trying to finish itself off, in preparation for the reboot. Not an unusual thing, I thought to myself, until I saw the name of the process. It was called, believe it or not, "Should Not See Me."

 

Huh? "Should Not See Me?!" What kind of name is that for a program? I never installed anything that even remotely had such a name; and what software author would name his or her program that, anyway? This sounded bad; it must be some kind of hacker/virus type of joke, with some "luzer" script kiddie guffawing over his clever conundrum.

 

Google is my friend, so I asked him what he thought, and he helped me discover hundreds – nay, thousands – of others like me with the same scary problem! Where did it come from? Who put it there? How come all the vaunted spyware and virus programs I've been using didn't detect "Should Not See Me" if it really was a threat?

 

Fortunately, the consensus among users seems to be that this program is not a virus or spyware; it is a Microsoft program that has to do with installing third-party software, and can be gotten rid of by updating some DLLs. Apparently, the name "Should Not See Me" is some clever Microsoft in-joke for a process that is supposed to be completely transparent, but apparently isn't.

 

So, it turned out to be a false alarm. But then I got to wondering: what about all those other processes and background programs running on my computer? Just what do they do? Is there any way to differentiate between "good" processes and "bad" processes – bad ones being processes associated with spyware, viruses, etc.?

 

So, that keyboard utility story is just going to have to wait. Processes, while more techno-babbly than keyboards, are part of the guts of your operating system, and in order to protect yourself, you need to understand what they do – and how to defend yourself against processes that are not supposed to be in your system.

 

A process is a task that your computer is carrying out. Processes could be initiated by an application you are running, or they could be part of the operating system, running in the background, keeping things running smoothly. They are managed by the operating system, which ensures that each one runs for the amount of time it is needed and is able to use the computer's resources effectively. In a sense, processes are little "programs" running in your PC, and they keep whole applications and other services going.

 

All this is very interesting, I'm sure, but most people take a "don't tell, don't ask" attitude to processes. They do their thing and leave us alone, and we don’t bother them when they are running. At least, that's the way it's supposed to be.

 

Until your computer starts "acting up": the mouse makes funny, jerky movements, the PC takes a long time to do simple tasks, and ominous-looking messages and dialog boxes fleetingly display themselves. First, you think your hard drive needs defragmenting; when that doesn't help, you begin to suspect a virus. But which virus? How do you figure out what you've contracted? You could try running your antivirus program, but that doesn't always do the job.

 

So, what's next? Reformatting your drive? No; the thing to do is check the processes that are running on your computer, by pressing the control-alt-delete key combination and looking at the Process Manager. Note the names of the processes and then check them against the very complete process list at a site like the Answers That Work Process List (http://www.answersthatwork.com/Tasklist_pages/tasklist.htm), which has a very thorough list of processes and recommendations on how to handle them.

 

For example, you might look at your list and see a process called carpserv.exe (sounds fishy!). A check on the ATW list told me that this process is managed by 56K Conexant chip-based modems. However, the site said, "We are not sure as to what this task does, so can only recommend to leave it alone." In some cases, such as RuLaunch.exe, the site recommends that you disable the process (and tells you how); it is part of McAfee VirusScan v6.x, with which there are "so many problems that the last thing you want is a VirusScan background task doing badly in the background what you can do manually yourself." And the list also contains rogue processes: if you have Rundil16.exe, you have the W32.Gaobot.ZX / Backdoor.Agobot.IQ virus. One thing to watch out for is virus processes whose names are similar to legitimate ones, to fool you into leaving them alone – for example, there are real Windows processes called Rundll and Rundll32.exe.

 

Many of the processes in your system are better left alone, as they are sometimes needed by applications, even if Answers That Work lists them as annoying. If you've got a virus or Trojan, though, you'll want to get rid of it post-haste.

 

But many viruses are survivors and take steps to defend themselves. If you don't know the name of the virus process that is running, you can't take steps to deal with it, like searching for removal instructions at the Trend Micro virus encyclopedia (http://www.trendmicro.com/vinfo/virusencyclo). Many times, these rogue processes will shut down the Process Manager seconds after you open it – essentially "killing" the process responsible for displaying the process list, so you can't identify the process responsible for your woes.

 

Now what? There are several ways to deal with this, but I recommend you download and install a great tool called CurrProcess (http://www.nirsoft.net/utils/cprocess.html), which will show you detailed information on all processes and related activity (like which system files and DLLs are running along with the process). Because it's a different process than the Windows process list tool (taskmgr.exe), viruses should leave it alone.

 

One problem with getting rid of a virus is that you have to disable it in order to remove the offending executable file, which the virus guys usually put in a Windows system folder, like C:\Windows\System32. Once you've figured out which .exe is guilty, you have to stop it from running before you can dump it – and since these viruses are usually configured to run on startup, you usually have to start the computer in safe mode and then get rid of it.

 

Or, you could use CurrProcess' Kill Process function, which will stop the process in place, freeing up the executable for disposal. In addition, you can get details about each process, including the name of the manufacturer, a description of what it does, and the amount of memory it uses. Excessive memory use could indicate a problem with the application and might be responsible for slow system performance, as well. CurrProcess can also beep when a new process starts up, and will highlight "secret" processes that contain no contact or description information. "Secret processes" – it almost sounds like someone is organizing a conspiracy against your computer! I still don't know what to make of "Should Not See Me," but with CurrProcess, I can see him or her if I want to.
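The two warning signs the column describes, a name that imitates a genuine Windows process (Rundil16.exe posing as Rundll32.exe) and a "secret" process with no manufacturer or description, can be checked mechanically. The following is an added Python example written for this page, not code from the column or from CurrProcess; the process records and the short list of genuine names are constructed assumptions.

```python
import re

# Constructed sample records, modelled on what a process viewer such as
# CurrProcess shows (name, company, description); not real system data.
SAMPLE_PROCESSES = [
    {"name": "rundll32.exe", "company": "Microsoft Corporation", "description": "Run a DLL as an App"},
    {"name": "Rundil16.exe", "company": "", "description": ""},   # the look-alike named in the column
    {"name": "carpserv.exe", "company": "Conexant", "description": "Modem helper"},
    {"name": "taskmgr.exe", "company": "Microsoft Corporation", "description": "Windows Task Manager"},
]

# Assumed short list of genuine Windows process names to compare against.
KNOWN_GOOD = {"rundll32.exe", "taskmgr.exe", "explorer.exe", "svchost.exe", "lsass.exe"}

# Glyphs that are easy to confuse at a glance: 1 and i for l, 0 for o.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(name):
    """Reduce a file name to the shape a reader perceives: lower-case, fold
    confusable glyphs, drop digits and collapse repeated letters, so that
    'Rundil16.exe' and 'rundll32.exe' both become 'rundl.exe'."""
    folded = name.lower().translate(CONFUSABLE)
    no_digits = re.sub(r"\d", "", folded)
    return re.sub(r"(.)\1+", r"\1", no_digits)


def lookalike_of(name):
    """Return the genuine name this one imitates, or None if it is itself
    genuine or simply unrelated to anything in KNOWN_GOOD."""
    if name.lower() in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if skeleton(good) == skeleton(name):
            return good
    return None


def flag_process(proc):
    """List the reasons a record deserves a closer look (empty if none)."""
    reasons = []
    good = lookalike_of(proc["name"])
    if good:
        reasons.append(f"name imitates {good}")
    if not proc["company"] and not proc["description"]:
        reasons.append("no company or description (a 'secret' process)")
    return reasons


def review(procs):
    """Map each suspicious process name to its reasons; clean ones are omitted."""
    findings = {}
    for proc in procs:
        reasons = flag_process(proc)
        if reasons:
            findings[proc["name"]] = reasons
    return findings
```

A flagged name is a reason to look the process up, not proof of infection: a genuine process with missing version information will also be reported.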

 

ds@newzgeek.com