Saturday 22 September 2007

How to find out if a .exe process is spyware or virus

Windows XP has thousands and thousands of .exe files, and usually a lot of those executables are running at any given time. But are all of those .exe files legit or are they spyware/malware/viruses that are bad for your computer... I recommend you follow these instructions

First get the usual spyware finding stuff (if you don't have it already - DOWNLOAD IT!) like:
  1. Spybot Search and Destroy
  2. AdAware (the free version works fine...)
  3. Windows Defender

Any one or more (more = better) of the programs listed below should be downloaded and run in order to search for any viruses. If the programs above find something then bingo! You've found the culprit! If not you'll have to do more digging....

Download Process Explorer from Microsoft's website and unzip the stuff and open up procexp.exe. There look for the .EXE file that you had your doubts about and click on the entry corresponding that bears the name of the executable. If you don't know what that entry means just right click on it and click on 'Search Online...'

Now it's time time to see if there are any suspicious DLLs associated with it. So just press Ctrl+L and then Ctrl + D to take a look at all the DLLs that don't have 'Microsoft Corporation' under the company name. If you aren't sure about the DLL then you'll have to search for it online and see what you get.

You'll also want to double click on the process, go to the 'Performance Graph tab' and see how much memory it takes up. It its taking too much memory or hogging up all the resources in your computer, then its probably a virus and should be dealt with accordingly.

If it doesn't show any of the symptoms mentioned above then it's probably supposed to be there, so just let it be there. Remember to run AntiVirus and spyware checks all the time though, because only those checks will tell you if something is bad or not.

Another tip that I can offer is to use your AntiVirus scanner to scan the specific .exe file you are suspicious about. To figure out where the .exe file is stored on your computer - double click the process in Process Explorer > Under the 'Image' tab you should see the 'Path:' box which is going to tell you where the .exe file is stored. Just point your AntiVirus to that location so that it can figure out if the file is a virus or not.

If you find anything suspicious using the methods above (yes, using the methods above is a requirement) then please post about it in the comments. If you need help in figuring out if a process is malicious, feel free to email me, and I'll try to help.

Got a question, tip or comment? Send them to and we'll try to answer it in a blog post!


  1. Excellent Article. Any attempt to educate online users about the dangers of being online ranks high on my list.
    Well done.

  2. Thanks! I'm planning to write a lot more articles like this in order to help new users get rid of spyware and viruses in their Windows XP and Windows Vista Machines.

  3. Thanks much for the amazingly helpful information! I like to do all repairs and updates myself but i know nothing about computer programing or the tech lingo. So, after trying to download a file with a .exe extension, my computer suddenly got extremely slow. And, upon shutdown, received the 'sysfader' in the way message. So, i found your blog and downloaded the virus muck - they didn't find anything. So, i downloaded the Windows Defender. I saw that explorer.exe was gobbling 90% + of my cpu even when it was shut down!? So, i started pressing buttons - one was putting the curser over the explorer.exe line and right clicking - an option showed up that said 'debug' - why not try that? Immediately the cpu usage dropped to 0% - very groovy. So, my question is, did 'debug' actually see a problem and fix it? I know that that probably sounds stupid. But, like i said, i can infer what 'debug' means but in studying foreign languages, things that look like they should mean something often do not. : ) Thanks much!