Process Explorer highlights packed processes with purple (violet) color.
Note: very often the packed processes are malicious.

procexp-purple

Check for file/process signature.

Process Explorer has an option called “Verify Image Signatures“. This option automatically checks the CRL (Certificate Revocation List) of the file’s signature. It allows verifying whether that file is valid and if it has not been tampered since being signed.

Note: Almost all verified, signed files can be likely considered as trusted and excluded from the list during the research. The option “View > Select Columns …> Verified Signer” is required to show the result of signature verification.

Check AutoStart Location

Malicious processes very often mimic the names of legitimate processes, which can make them difficult to identify just by the filename. There is an option called “AutoStart Location” in View > Select Columns menu. It allows displaying a registry location from which that process has been executed.

Note: In that case a process can have the same name as valid svchst.exe; however its AutoStart location pointing to different folder than system32 may indicate that this file is likely malicious etc.

Check DLL View

View > Show Lower Pane (This option must be selected)
View > Lower Pane View > DLLs.

This option allows seeing the list of .DLLs loaded by a particular process. If you know the purpose of these DLLs you may guess what given application can potentially do.

Find Handle or DLL

If we know the name of malicious .dll file, we may check which process or processes have loaded that dll. (These processes can lock this file and prevent the deletion)

Check Process Strings

Process’s properties > Strings

This option allow to check the strings … example, you may like to search for “http” string within given application in order to check whether it will potentially connect trough that protocol to a server … and then get the server name from there in order to block it on the firewall.

Additionally you may compare Strings from memory with application Strings, they should be pretty much the same. Huge difference may indicate that the execute version got tampered.

Find Window’s process (drag over a window)

If you have a joke window popping-up; however you are not sure which process is responsible for displaying that window … you may use the option “Find Window’s process” by dragging it over the joke window. Process explorer will automatically highlight associated process name on the list

Suspend malicious processes in order to stop them.

Some processes cannot be simply stopped as there are other processes which are looking after themselves and restring them automatically once one of them gets stopped. You must identify all of them and then suspend them before killing.

Once all of them are suspended, they think that they are still working; however they cannot monitor other processes state as they are suspended. This gives you the possibility to kill them all.

Search Online

Process’s properties > Search Online

You may search for the name of the process on the internet in order to get more information (This is risky; however might be useful in some cases)

Ref:

http://www.microsoft.com/security/sir/strategy/default.aspx#!malwarecleaning_explorer
http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-2-Process-Explorer

Kind Regards,
Witold Lawacz (Ławacz)