Peek-a-Boo, I See You
David Shamah, The Jerusalem
Post, October 1, 2004
The paths I tread as I traverse my computer are
twisted and gnarly. Like today. I was all set to write about a lovely tool
that can make your life a bit easier, the Microsoft Keyboard Layout Creator,
which can be used to create custom keyboards out of characters or icons.
I installed it and tried to run it, but I got an
error relating to the Microsoft .Net environment, which it requires in order to
work. I've been trying to avoid .Net, but finally having no choice – after all,
this is a Microsoft product – I broke down and installed it, necessitating a
restart of my XP laptop.
So, I watched as the .Net stuff downloaded and
installed itself, and kept looking at the screen as the computer restarted. And
then I saw something I wasn't supposed to see.
What I wasn't supposed to see was a bar that
displayed itself for a few seconds and displayed a graphic showing a process
that was trying to finish itself off, in preparation for the reboot. Not an
unusual thing, I thought to myself, until I saw the name of the process. It was
called, believe it or not, "Should Not See Me."
Huh? "Should Not See Me?!" What kind of
name is that for a program? I never installed anything that even remotely had
such a name; and what software author would name his or her program that,
anyway? This sounded bad; it must be some kind of hacker/virus type of joke,
with some "luzer" script kiddie guffawing over his clever conundrum.
Google is my friend, so I asked him what he
thought, and he helped me discover hundreds – nay, thousands – of others like
me with the same scary problem! Where did it come from? Who put it there? How
come all the vaunted spyware and virus programs I've been using didn't detect
"Should Not See Me" if it really was a threat?
Fortunately, the consensus among users seems to be
that this program is not a virus or spyware; it is a Microsoft program that
has to do with installing third-party software, and can be gotten rid of by
updating some DLLs. Apparently, the name "Should Not See Me" is some
clever Microsoft in-joke for a process that is
supposed to be completely transparent, but apparently isn't.
So, it turned out to be a false alarm. But then I got
to wondering; What about all those other processes and
background programs running on my computer? Just what do they do? Is there any
way to differentiate between "good" processes and "bad"
processes – bad ones being processes associated with spyware, viruses, etc.?
So, that keyboard utility story is just going to have
to wait. Processes, while more techno-babbly than keyboards, are part of the
guts of your operating system, and in order to protect yourself, you need to
understand what they do – and how to defend yourself against processes that are
not supposed to be in your system.
A process is a task that your computer is
carrying out. Processes could be initiated by an application you are running,
or they could be part of the operating system, running in the background,
keeping things running smoothly. They are managed by the operating system,
which ensures that each one runs for the amount of time it is needed and is
able to use the computer's resources effectively. In a sense, processes are
little "programs" running in your PC, and they keep whole
applications and other services going.
All this is very interesting, I'm sure, but most people
take a "don't tell, don't ask" attitude to processes. They do their
thing and leave us alone, and we don't bother them when they are running. At
least, that's the way it's supposed to be.
Until your computer starts "acting up;" the
mouse makes funny, jerking movements, the PC takes a long time to do simple
tasks, and ominous looking messages and dialog boxes fleetingly display
themselves. First, you think your hard drive needs defragmenting;
when that doesn't help, you begin to suspect a virus. But
which virus? How do you figure out what you've contracted? You could try
running your antivirus program, but that doesn't always do the job.
So, what's next? Reformatting your drive? No;
the thing to do is check the processes that are running on your computer, by
clicking the control-alt-delete key combination and looking at the
Process Manager. Note the names of the processes and then check them against the
very complete process list at a site like the Answers That Work Process List
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm, which has a very
thorough list of processes and recommendations on how to handle them.
For example, you might look at your list and
see a process called carpserv.exe (sounds fishy!). A check on the ATW list told
me that this process is managed by 56K Conexant
</gml_replace>
<gr_replace lines="80-81" cat="clarify" orig="(and tells you how to)">
(and tells you how to) disable the process, which is part of McAfee VirusScan v6.x, with which
there are "so many problems that the last thing you want is a VirusScan background task doing badly in the background
chip-based modems. However, the site said, "We are not sure as to what
this task does, so can only recommend to leave it alone." In some cases,
such as RuLaunch.exe, the site recommends that you
(and tells you how to) disable the process, which is part of Mcafee VirusScan v6.x, with which
there "so many problems that the last thing you want is a VirusScan background task doing badly in the background
what you can do manually yourself." And, the list also contains rogue processes:
If you have Rundil16.exe, you have the W32.Gaobot.ZX / Backdoor.Agobot.IQ virus. One thing to watch out for
are virus processes that have similar names to legitimate ones, to fool you
into leaving them alone – for example, there is a real Windows process called Rundll and Rundll32.exe.
Many of the processes in your system are
better left alone, as they are sometimes needed for applications, even if
Answers That Work lists them as annoying. If you've got a virus or Trojan,
though, you'll want to get rid of it post-haste.
But many viruses are survivors and take steps
to defend themselves. If you don't know the name of the virus process running,
you can't take steps to deal with it, like searching for removal instructions
at http://www.trendmicro.com/vinfo/virusencyclo, the Trend Micro virus
encyclopedia. Many times, these rogue processes will shut down the Process
Manager seconds after you open it – essentially "killing" the process
responsible for displaying the process list, so you can't identify the process
responsible for your woes.
Now what? There are several ways to deal with
this, but I recommend you download and install a great tool called CurrProcess (http://www.nirsoft.net/utils/cprocess.html),
which will show you detailed information on all processes and related activity
(like which system files and DLLs are running along with the process). Because
it's a different process than the Windows process list tool (taskmgr.exe),
viruses should leave it alone.
One problem with getting rid of a virus is
that you have to disable it in order to remove the offending executable file,
which the virus guys usually put in a Windows system folder, like
C:\Windows\System32. Once you've figured out which .exe is guilty, you have to
stop it from running to dump it – and since these viruses are usually
configured to run on startup, you usually have to start the computer in safe
mode and then get rid of it.
Or, you could use CurrProcess'
Kill Process function, which will stop the process in place, freeing up the
executable for disposal. In addition, you can get details about each process,
including the name of the manufacturer, a description of what it does, and the
amount of memory it uses. Excessive memory use could indicate a problem with
the application and might be responsible for slow system performance, as well. CurrProcess can also beep when a new process starts up, and
will highlight "secret" processes that contain no contact or
description information. "Secret processes" – it almost sounds like
someone is organizing a conspiracy against your computer! I still don't know
what to make of "Should Not See Me," but with CurrProcess,
I can see him or her if I want to.
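The two checks the column leans on – a process name that merely looks like a legitimate Windows one (Rundil16.exe next to Rundll32.exe), and a "secret" process that ships no company or description text – can be automated over a process snapshot. The script below is an added example written for this page; it is not code from the column, from CurrProcess or from Answers That Work. The process table, the tiny "known good" reference list and the folder each known binary is expected to live in are all constructed for the illustration, and the table of confusable characters is a hand-picked assumption rather than an exhaustive one.

```python
"""Triage a process snapshot: flag look-alike names, known names running
from the wrong folder, unlisted names, and entries with no vendor text."""

from dataclasses import dataclass


@dataclass
class ProcessInfo:
    name: str         # executable name as shown in the process list
    company: str      # vendor string from the file's version info ("" if none)
    description: str  # description from the version info ("" if none)
    path: str         # folder the executable was loaded from


# Constructed stand-in for a reference list such as Answers That Work:
# lowercase executable name -> folder it is expected to run from.
KNOWN_GOOD = {
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
}

# Assumption: characters commonly swapped to make a name look familiar.
# 'i', '1' and 'l' are folded together, as are '0' and 'o'.
CANON = str.maketrans({"i": "l", "1": "l", "0": "o"})


def normalise(name: str) -> str:
    """Lowercase the name and fold confusable characters together."""
    return name.lower().translate(CANON)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def triage(snapshot):
    """Return [(process name, [reasons])] for every entry worth a look."""
    findings = []
    for proc in snapshot:
        lname = proc.name.lower()
        reasons = []
        if lname in KNOWN_GOOD:
            # A legitimate name is not enough: it must also come from the
            # folder the real binary lives in.
            if proc.path.lower().rstrip("\\") != KNOWN_GOOD[lname]:
                reasons.append(f"known name running from unexpected folder {proc.path}")
        else:
            norm = normalise(lname)
            for good in KNOWN_GOOD:
                dist = edit_distance(norm, normalise(good))
                if dist <= 2:
                    reasons.append(f"name looks like {good} "
                                   f"(distance {dist} after folding confusable characters)")
                    break
            else:
                reasons.append("not on the reference list; look it up before acting")
        if not proc.company and not proc.description:
            reasons.append("no company or description information (a 'secret' process)")
        if reasons:
            findings.append((proc.name, reasons))
    return findings


# Constructed snapshot, modelled on the names the column mentions.
SAMPLE_SNAPSHOT = [
    ProcessInfo("explorer.exe", "Microsoft Corporation", "Windows Explorer", r"C:\Windows"),
    ProcessInfo("rundll32.exe", "Microsoft Corporation", "Run a DLL as an App", r"C:\Windows\System32"),
    ProcessInfo("Rundil16.exe", "", "", r"C:\Windows\System32"),
    ProcessInfo("svch0st.exe", "", "", r"C:\Windows\System32"),
    ProcessInfo("svchost.exe", "Microsoft Corporation", "Generic Host Process", r"C:\Windows\Temp"),
    ProcessInfo("carpserv.exe", "Conexant Systems", "", r"C:\Program Files\Modem"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SNAPSHOT):
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run as-is, the script reports nothing for explorer.exe and rundll32.exe, flags Rundil16.exe and svch0st.exe both as look-alikes and as "secret" processes, flags svchost.exe for running from a folder the real one never uses, and marks carpserv.exe as simply unlisted, which is the "look it up, then leave it alone" case the column describes. On a live machine the snapshot would come from the process list rather than the constructed table.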
ds@newzgeek.com