Spotting viruses and Trojans among system processes

Source: Internet
Author: User

Suspect there is a Trojan on your computer? Can you spot it from the process list? Of course you can, as long as you have some basic computer knowledge. Press Ctrl+Alt+Del to open your computer's process list and follow along.

1. Same name, different path

If the user is at all vigilant, the crude trick above is useless and the virus is caught on the spot. So viruses have learned to be cleverer and use impersonation. If a process is named svchost.exe, it looks no different from the normal system process. So is that process safe? Not necessarily: the virus is exploiting the fact that Task Manager cannot show which executable file a process corresponds to. We know the executable for the svchost.exe process is in the "C:\windows\system32" directory (on Windows 2000, the C:\winnt\system32 directory). If the virus copies itself to "C:\windows" and renames itself to svchost.exe, then after it runs what we see in Task Manager is also svchost.exe, indistinguishable from the normal system process. Can you tell which one is the virus?

2. Look-alike names

The normal processes in the system include svchost.exe, Explorer.exe, iexplore.exe, winlogon.exe and so on, but you may have found processes such as svch0st.exe, explore.exe, iexplorer.exe or winlogin.exe on your system. Can you see the difference? This is a trick viruses often use to confuse the user's eyes. They usually take a normal process name and change o to 0, l to I, or i to j, and use the result as their own process name: a single character's difference, but a completely different thing. Or they add or drop one letter. Explorer.exe and iexplore.exe are already easy to confuse, and when an iexplorer.exe appears as well it is even more confusing. If the user is not careful it is usually overlooked, and the virus process escapes.

3. Hiding inside a real process

Besides the two methods above, viruses have one ultimate trick: hiding inside a real process. The virus uses process injection to insert the DLL files it needs into a normal system process. On the surface nothing looks suspicious, but in reality the system process is now controlled by the virus, and unless we use professional process detection tools it is hard to find the virus hidden inside.

Several system processes were mentioned above. What do these system processes do, and how do they work? We will explain them one by one; once you are familiar with these system processes, you will be able to see through the impersonation tricks described above.

svchost.exe

Process names viruses often impersonate: svch0st.exe, schvost.exe, scvhost.exe. As the number of Windows system services keeps growing, Microsoft has, to save system resources, made many services run in a shared way, started by the svchost.exe process. These system services are implemented as dynamic-link libraries (DLLs); their executable program points to svchost.exe, and svchost.exe loads the corresponding service's DLL to start the service. Open "Control Panel" → "Administrative Tools" → "Services" and double-click the "ClipBook" service: in its properties panel the executable path is "C:\windows\system32\clipsrv.exe". Double-click the "Alerter" service and its executable path is "C:\windows\system32\svchost.exe -k LocalService", while the "Server" service has the executable path "C:\windows\system32\svchost.exe -k netsvcs". Starting services this way saves a lot of system resources, so the several svchost.exe processes that appear in the system are in fact just system services.

A Windows 2000 system generally has 2 svchost.exe processes: one is the RPCSS (Remote Procedure Call) service process, the other is an svchost.exe shared by many services. Windows XP generally has more than 4 svchost.exe service processes. If there are more than 5 svchost.exe processes, be careful: most likely a virus is impersonating one. The detection method is simple: use a process management tool, such as the process management function of Windows Optimizer Master, to view the executable path of each svchost.exe; if it is not in the "C:\WINDOWS\system32" directory, it can be judged to be a virus.

Explorer.exe

Process names viruses often impersonate: iexplorer.exe, expiorer.exe, explore.exe. Explorer.exe is the "Explorer" we use all the time. If the Explorer.exe process is ended in Task Manager, the taskbar, the desktop and the open windows all disappear; click Task Manager → File → New Task, type "explorer.exe", and everything that disappeared comes back. The role of the Explorer.exe process is to let us manage the resources on our computer.

The Explorer.exe process starts with the system by default, and the path of its executable file is the "C:\windows" directory, in addition to the virus

Iexplore.exe

Process names viruses often impersonate: iexplorer.exe, iexploer.exe. The iexplorer.exe name resembles the Explorer.exe process name above, so it is easy to confuse. In fact, iexplore.exe is the process created by Microsoft Internet Explorer, the IE browser we normally use. Knowing its role makes identification easier: the iexplore.exe process name begins with "ie", meaning the IE browser.

The executable program for the iexplore.exe process is located in the "C:\program files\internet explorer" directory; in any other directory it is a virus, unless you have moved the folder yourself. In addition, sometimes we find that the iexplore.exe process still exists in the system even when Internet Explorer is not open. There are two possible cases: 1. A virus is impersonating the iexplore.exe process name. 2. A virus is secretly doing bad things in the background through iexplore.exe. Either way, use anti-virus software to kill it quickly.

rundll32.exe

Process names viruses often impersonate: rundl132.exe, rundl32.exe. The role of rundll32.exe in the system is to execute internal functions of DLL files; the number of rundll32.exe processes in the system indicates how many DLL files rundll32.exe has started. In fact we use rundll32.exe quite often, since it can control some of the system's DLL files. For example, type "rundll32.exe user32.dll,LockWorkStation" at the command prompt and press Enter, and the system quickly switches to the logon screen. The rundll32.exe path is "C:\windows\system32"; in any other directory it can be determined to be a virus.

spoolsv.exe

Process names viruses often impersonate: spoo1sv.exe, spolsv.exe. Spoolsv.exe is the executable program of the "Print Spooler" system service, which manages all local and network print queues and controls all print jobs. If this service is disabled, printing on your computer will be unavailable and the spoolsv.exe process will disappear from the system. If you do not have a printer, turn the service off to save system resources. After stopping and disabling the service, if the spoolsv.exe process still exists in the system, it must be a virus in disguise.

Limited by space, only the common processes are introduced here. When inspecting processes, if we find something suspicious we only need to judge on two points:

1. Carefully check the filename of the process;

2. Check its path.

On these two points, an ordinary virus process will certainly give itself away.
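As an added example that is not part of the original article, the two checks above applied in Python to a constructed process snapshot: for a known name the directory must match, and for an unknown name its spelling is compared to the known names. It generalizes the o/0, l/1, i/j swaps of section 2 into an edit-distance comparison (threshold of 2 is an assumption for this demonstration), and assumes a C:\Windows install and a process list given as (image name, full path) pairs, as read off Task Manager or Procexp.

```python
# Constructed example: the article's name-and-path checks over a process snapshot.
EXPECTED_DIR = {  # assumes a C:\Windows install (C:\WINNT on Windows 2000)
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "spoolsv.exe": r"c:\windows\system32",
}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "j": "i"})  # swaps the article lists

def osa_distance(a, b):
    """Edit distance where an adjacent swap (scvhost vs svchost) costs one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def inspect(processes):
    """processes: list of (image name, full path). Returns (name, reason, detail) findings."""
    findings = []
    for name, path in processes:
        lname = name.lower()
        directory = path.lower().rpartition("\\")[0]
        if lname in EXPECTED_DIR:  # check 2: right name, so the path must match
            if directory != EXPECTED_DIR[lname]:
                findings.append((name, "unexpected path", path))
            continue
        norm = lname.translate(HOMOGLYPHS)  # check 1: look-alike spellings
        near = [r for r in EXPECTED_DIR if norm == r or osa_distance(lname, r) <= 2]
        if near:
            findings.append((name, "lookalike of " + ", ".join(near), path))
    count = sum(1 for n, _ in processes if n.lower() == "svchost.exe")
    if count > 5:  # the article's rule of thumb for Windows XP
        findings.append(("svchost.exe", "more than 5 instances", str(count)))
    return findings

SAMPLE = [  # constructed snapshot, not taken from a real machine
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),           # right name, wrong directory
    ("svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),  # zero in place of 'o'
    ("scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),  # transposed letters
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("iexplorer.exe", r"C:\Program Files\Internet Explorer\iexplorer.exe"),
]
```

Calling `inspect(SAMPLE)` flags the misplaced svchost.exe and the three look-alike names while leaving the four genuine entries alone.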

Finding a good helper for managing processes

The task manager built into the system is too weak to serve as a virus-killing tool, so we can use a professional process management tool such as Procexp (Process Explorer). Procexp distinguishes system processes from ordinary processes and shows them in different colours, leaving virus processes that counterfeit system processes nowhere to hide.

After Procexp runs, the processes are split into two large blocks: the processes under "System Idle Process" are system processes, and the processes under Explorer.exe are ordinary processes. The system processes we introduced, svchost.exe, winlogon.exe and so on, belong under "System Idle Process"; if you find an svchost.exe under "explorer.exe", then without question it is a virus impersonation. With the introduction above, I believe you now have a good understanding of virus and Trojan processes and can put it to use killing Trojans.
