MalwareInfo.Org Boot Camp Tutorial (Part 1)

Written by ~MaliciousBrains~


 


Malicious software can easily be considered the greatest threat to Internet security today. Earlier, viruses were more or less the only form of malware. Nowadays the threat has grown to include a vast range of highly sophisticated programs: network-aware worms, Trojans, DDoS agents, IRC-controlled bots, spyware, rootkits and many more. Malicious agents now use many different infection mechanisms and technically advanced techniques.

 

Traditionally, malware analysis has been considered very complicated, and some of the techniques involved are indeed complicated and well beyond a normal user's reach or understanding. In today's scenario, however, there is a clear need for people to learn how to analyze malware themselves, and the most important requirement is that the analysis techniques be simplified enough for the average computer user to understand. Unfortunately, information on malware analysis techniques is either too complicated for average users or scattered in places beyond their reach.

 

Here at MalwareInfo.Org we try to fill this gap and make the subject easy and simplified enough for average users to understand. After going through this Boot Camp Tutorial, it is recommended that you join the Malware Analysis Forum for hands-on training.

 

Join the Malware Analysis Forum and help fight back against the menace of malware.

 

When should you suspect that malware activity is happening on your system?

 

A virus or other malware can turn your computer into a breeding ground for all kinds of unwanted activity. It may not reveal its presence, and the symptoms of an infection may be very limited, so you might not realize that your system is infected. Still, there are a few anomalies that can bring to your notice that something isn't quite right. Here are a few primary indicators that your computer might be infected:

· The computer runs noticeably slower than normal
· The computer stops responding or freezes up often
· Unusual network activity or traffic even when you are not doing anything
· The computer crashes and restarts suddenly
· Unusual error messages pop up every now and then
· Menus and dialog boxes suddenly appear distorted
· Features like Task Manager, Registry Editor and Folder Options get disabled
· Unknown toolbars appear in the browser
· The browser's title bar suddenly changes
· The browser is automatically redirected to unknown websites

These are common signs of infection, but some of them can also be caused by hardware or software problems, so the actual cause of such anomalies should be properly identified before you conclude that the system is infected.
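Several of the indicators above can be checked directly rather than waited for. The following PowerShell script is an added example for this tutorial (it is not part of the original page): it reads the standard Windows policy values that malware sets to disable Task Manager, Registry Editor and Folder Options, looks at the Internet Explorer title bar and start page values, and maps every TCP connection to its owning process. The registry locations are the real policy keys; the output layout and the loopback exclusion are choices made for this example, and it needs PowerShell 3.0 or later.

```powershell
# Added example for this tutorial (not from the original page). Checks the policy
# values behind "Task Manager / Registry Editor / Folder Options disabled", the IE
# title bar and start page, and the network connections with their owning process.
# Note: a corporate Group Policy can legitimately set these values, so confirm
# before concluding that a hit means infection.

$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       What = 'Task Manager disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; What = 'Registry Editor disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      What = 'Folder Options hidden' }
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       What = 'Task Manager disabled (machine-wide)' }
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; What = 'Registry Editor disabled (machine-wide)' }
)

foreach ($check in $policyChecks) {
    # Missing key or value simply yields $null, which is the "not set" case.
    $props = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
    if ($props -and $props.($check.Name) -eq 1) {
        Write-Warning ("{0}: {1}\{2} = 1" -f $check.What, $check.Path, $check.Name)
    }
}

# Browser title bar and start page hijacks (Internet Explorer keeps both here).
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain.'Window Title') { Write-Warning "IE title bar overridden: '$($ieMain.'Window Title')'" }
if ($ieMain.'Start Page')   { Write-Output  "IE start page: $($ieMain.'Start Page')" }

# TCP connections mapped to the owning process. netstat -ano exists on every
# Windows version this tutorial covers; its last column is the PID.
netstat -ano |
    Select-String -Pattern 'ESTABLISHED|LISTENING' |
    ForEach-Object {
        $fields = $_.Line.Trim() -split '\s+'
        $procId = [int]$fields[-1]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        $path   = ''
        if ($proc) { try { $path = $proc.Path } catch { $path = '<access denied>' } }
        [pscustomobject]@{
            Proto   = $fields[0]
            Local   = $fields[1]
            Remote  = $fields[2]
            State   = $fields[3]
            PID     = $procId
            Process = $name
            Path    = $path
        }
    } |
    Where-Object { $_.Remote -notmatch '^(127\.|\[::1\])' } |   # drop loopback chatter
    Sort-Object Process |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that the image path of every process is readable. An ESTABLISHED connection owned by a process whose path is in a temporary or profile directory, or a process that has already exited by the time you look it up, is exactly the kind of "unusual network activity" the list above refers to.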


What to do if your computer is infected?

 

It is recommended that you purchase a licensed copy of an antivirus (AV) client and keep it updated with the daily definition updates. If your computer shows symptoms of infection and your AV software is not reporting anything, follow these steps:

· Update the antivirus software on your computer
· Disable System Restore (on Windows XP), since restore points can hold copies of infected files that the scanner cannot clean
· Run a full system scan from Safe Mode
· Delete all the threats identified
· For a second opinion, you can also run a free online scan from normal mode with the Windows Live OneCare safety scanner:
  Windows Live OneCare Online Scanner link:
  http://www.microsoft.com/protect/products/computer/safetyscanner.mspx
· Restart the system
· Check whether the infection is still there
· If infected files are still present, repeat the steps above
· If the infection has been cleaned, re-enable System Restore (on Windows XP)

Keep in mind that a scanner can only remove what it detects. If the system still behaves suspiciously after repeated clean scans, the safest course is to back up your data and reinstall Windows.


How to identify the malicious binary? Part 1

 

Before we set out to identify a process that we suspect is running on our system undetected by the AV or anti-spyware software, we will take a look at some of the applications with which we can detect such processes and make sure that the problem is caused by them. But first I would like to discuss briefly a few details about this malware and the applications we will use to identify it.

 

Most malware these days gets detected by antivirus software, spyware removal applications and similar tools. However, this protection is not always enough, and there are times when a small, benign-looking binary sneaks through all these layers of protection and compromises the system and the user's data. Here we will try to analyze an executable, process or binary running on the system and determine whether it is harmful malware.

We will learn to do this by analyzing the sample in a controlled environment (a virtual machine or a spare PC that is isolated from your network, since you will be letting the sample run), without antivirus software, debuggers or any other sophisticated tools. We will, however, take the help of certain freely available tools and utilities to fulfill our requirements.

 

For ease of understanding, we will break this article on malware analysis into a few parts:

 

. Observing the symptoms and making a note of them

. Identifying the malicious process and deleting/archiving it for later analysis

. Static/dynamic analysis of the malware binary

. Documenting the findings in a detailed manner

 

Before I begin, I will introduce you to a few well-known and very handy applications.

 

. SysInternals Process Explorer: To find out what files, registry keys and other objects the running processes have opened, which DLLs they have loaded, and more.

 

. SysInternals AutoRuns: To see what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.

 

. SysInternals FileMon: This monitoring tool lets us see all file system activity in real-time.

 

. SysInternals RegMon: This monitoring tool lets you see all Registry activity in real-time.

 

. SysInternals Process Monitor: This is an advanced monitoring tool for Windows that shows real-time file system, Registry and Process/thread activity.

 

All the above mentioned applications can be downloaded from the url provided below:
 

Sysinternals Suite: http://technet.microsoft.com/hi-in/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683(en-us).aspx

These applications were created by Mark Russinovich. Thank you, Mark, for sharing these applications for free!

 

About Mark Russinovich:
Mark is a Technical Fellow at Microsoft and a member of the Windows Core Architecture team. As a sign of respect for his efforts and contribution, I recommend that everyone who reads this article visit Mark's blog and his webcasts.


Mark's Blog: http://technet.microsoft.com/hi-in/sysinternals/bb963890(en-us).aspx
Mark's Webcasts: http://technet.microsoft.com/hi-in/sysinternals/bb963887(en-us).aspx

 

The descriptions of these applications have been taken from the author's website to avoid ambiguity.

 

SysInternals Process Explorer: Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

 

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

Process Explorer works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, and 64-bit versions of Windows for x64 and IA64 processors, and Windows Vista.

SysInternals AutoRuns: This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP, and covers most of the auto-start locations listed at AutostartLocations.

 

Autoruns can also hide signed Microsoft entries, an option that helps you zoom in on third-party auto-starting images that have been added to your system, and it supports viewing the auto-starting images configured for other accounts on the system.

 

 

 

Autoruns works on all versions of Windows including 64-bit versions.
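The "hide signed Microsoft entries" idea can be turned into a repeatable triage step with the console version of the tool, autorunsc.exe. The script below is an added example and is not part of the original page or of Sysinternals: it exports every auto-start entry with hashes and signature verification, then keeps only the entries that are unsigned, that run from a user-writable directory, or whose binary no longer exists. The autorunsc switches are the documented ones (-a * for all entry types, -c for CSV, -h for hashes, -s to verify signatures, -nobanner); the output paths, the "suspicious directory" patterns and the CSV column names (taken from a recent Autoruns CSV header, and possibly different in older versions) are assumptions for this example.

```powershell
# Added example for this tutorial (not from the original page or from Sysinternals).
# Exports the Autoruns listing with autorunsc.exe and triages it in PowerShell.

$csv = 'C:\cases\autoruns.csv'          # assumed case directory

# autorunsc writes the CSV to standard output. Older builds emit UTF-16, so redirect
# through cmd.exe to keep the raw bytes and let Import-Csv detect the byte-order mark.
# If the columns come out garbled, add -Encoding Unicode to Import-Csv below.
cmd /c "autorunsc.exe -accepteula -a * -c -h -s -nobanner > `"$csv`""

$entries = Import-Csv -Path $csv

# Directories a legitimate auto-start entry rarely lives in (assumed list).
$userWritable = '\\(Temp|AppData|Users\\Public|ProgramData|Downloads)\\'

$suspects = $entries | Where-Object {
    $_.'Image Path' -and (
        $_.Signer -notlike '(Verified)*' -or          # unsigned, or the signature did not verify
        $_.'Image Path' -match $userWritable -or      # runs from a user-writable directory
        $_.'Image Path' -like 'File not found*'       # Autoruns' marker for a missing binary
    )
}

# What, where, and the hash you will want for the documentation step.
$suspects |
    Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'SHA-256' |
    Sort-Object 'Entry Location' |
    Format-Table -AutoSize -Wrap

# Keep the short list with the case.
$suspects | Export-Csv -Path 'C:\cases\autoruns-suspects.csv' -NoTypeInformation
```

Filtering on the Signer column yourself, rather than passing -m to hide Microsoft entries, keeps entries that claim to be from Microsoft but fail signature verification, which is exactly the kind of entry you want to see. A "File not found" entry is also worth a note: it usually means a binary was removed (by you or by the AV) but its auto-start hook was left behind.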

 

SysInternals FileMon: FileMon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's time stamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.

 

 

 

FileMon works on NT 4.0, Windows 2000, Windows XP, Windows XP 64-bit Edition and Windows Server 2003 64-bit Edition, Windows 2003 Server, Windows 95, Windows 98 and Windows ME.

 

SysInternals RegMon: RegMon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With RegMon you'll see how the values and keys changed.

 

 

 

RegMon works on Windows NT/2000/XP/2003, Windows 95/98/Me and Windows 64-bit for x64.

 

SysInternals Process Monitor: Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, FileMon and RegMon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

 

 

 

FileMon and RegMon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. FileMon and RegMon remain for legacy operating system support, including Windows 9x.

 

Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista.
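Process Monitor can be driven from the command line, which makes a capture of a suspect sample repeatable and keeps you out of the GUI while the sample runs. The script below is an added example and is not part of the original page or of Sysinternals: it records a trace to a backing file while the sample runs, converts the trace to CSV, and pulls out the successful operations that matter most for triage (writes to auto-start locations, writes into system directories, process creation and network activity). The Procmon switches are the documented ones (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs) and the CSV column names are Procmon's defaults; the sample name, the paths, the run time and the persistence-location patterns are assumptions for this example. Run it only inside the isolated analysis environment described earlier.

```powershell
# Added example for this tutorial (not from the original page or from Sysinternals).
# Captures a Process Monitor trace of a suspect sample and triages it from the CSV.
# Run in an isolated analysis VM only: the sample is actually executed.

$procmon = 'C:\Sysinternals\Procmon.exe'   # assumed tool location
$pml     = 'C:\cases\suspect.pml'          # assumed case directory
$csv     = 'C:\cases\suspect.csv'
$sample  = 'suspect.exe'                   # assumed sample name (the "Process Name" column)

# 1. Start capturing to a backing file with no GUI interaction.
Start-Process -FilePath $procmon -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Start-Sleep -Seconds 5          # let Procmon load its driver before the sample starts

# 2. Run the sample for a fixed window, then stop both it and the capture.
$run = Start-Process -FilePath "C:\cases\$sample" -PassThru
Start-Sleep -Seconds 60
Stop-Process -Id $run.Id -Force -ErrorAction SilentlyContinue
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait

# 3. Convert the trace to CSV (Procmon chooses the format from the extension).
Start-Process -FilePath $procmon -ArgumentList "/AcceptEula /OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# 4. Triage. Registry paths that give a program a way to start again after reboot (assumed list).
$persistence = '\\(CurrentVersion\\Run|CurrentVersion\\RunOnce|Winlogon|Start Menu\\Programs\\Startup|Services\\[^\\]+$)'

$events = Import-Csv -Path $csv

$interesting = $events |
    Where-Object { $_.'Process Name' -eq $sample -and $_.Result -eq 'SUCCESS' } |
    Where-Object {
        ($_.Operation -in 'RegSetValue', 'RegCreateKey' -and $_.Path -match $persistence) -or
        ($_.Operation -eq 'WriteFile' -and $_.Path -match '\\(Windows|Program Files|Startup)\\') -or
        ($_.Operation -in 'Process Create', 'TCP Connect', 'UDP Send')
    }

$interesting |
    Select-Object 'Time of Day', Operation, Path, Detail |
    Format-Table -AutoSize -Wrap

# Summary by operation type, useful for the documentation step.
$interesting | Group-Object Operation | Select-Object Count, Name | Sort-Object Count -Descending
```

The filter is keyed on the sample's own process name, so anything the sample does through a child process (a dropped second executable, a command shell, a service it installed) is not shown; add those names to the filter once the "Process Create" rows reveal them. A RegSetValue hit under a Run key or a WriteFile into the Startup folder is the cross-check for what Autoruns shows afterwards: the trace tells you which process planted the auto-start entry, and Autoruns tells you that it is still there.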

 

Read Part 2 here