How to find viruses and Trojans from the process list

Source: Internet
Author: User

  Any virus or Trojan present on a system has some relationship to a process. Even when it uses hiding techniques, clues remain in the process list, so examining the processes active on the system is the most direct way to detect a virus or Trojan. But the system runs many processes at the same time: which are normal system processes, which belong to a Trojan, how do viruses and Trojans impersonate system processes, and what do those system processes actually do? Read on.

  I. Three ways a virus process hides

When we are sure there is a virus on the system but cannot find any unfamiliar process in Task Manager, the virus has taken some measure to hide itself. These measures come down to three methods:

  1.1 Look-alike names

The normal system processes include Svchost.exe, Explorer.exe, Iexplore.exe, Winlogon.exe, and so on. You may have seen processes like these on your system: Svch0st.exe, Explore.exe, Iexplorer.exe, Winlogin.exe. Do you see the difference? This is a trick viruses often use to fool the eye. They take the name of a normal system process and swap a character for a look-alike (o for 0, l for I, i for j), or add or drop a letter, and use the result as their own process name: a one-character difference with a completely different meaning. Explorer.exe and Iexplore.exe are already easy to confuse; an Iexplorer.exe sitting between them is even more so. If the user is not paying attention, the entry is ignored and the virus process escapes.

  1.2 Right name, wrong directory

If the user is more alert, the trick above is useless and the virus is caught on the spot. So viruses learned a smarter trick. If a process is named exactly svchost.exe, it looks no different from the normal system process. Is the process therefore safe? No. It is exploiting the fact that Task Manager on Windows 2000/XP does not show the path of the executable file behind a process. We know that the executable for the Svchost.exe process is located in C:\Windows\System32 (C:\WINNT\system32 on Windows 2000). If the virus copies itself to C:\Windows under the name Svchost.exe and runs, what we see in Task Manager is also svchost.exe, indistinguishable from the normal system process. Can you tell which one is the virus?

  1.3 Hiding inside a system process

Besides the two methods above, the virus has an ultimate move: hiding inside a system process. The virus uses process injection to insert the DLL it needs into a normal system process. On the surface nothing looks suspicious, but the system process is now under the virus's control, and without a dedicated process inspection tool that lists the modules loaded into each process, it is hard to find the virus hidden there.
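The three checks described in sections 1.1 to 1.3 can be run mechanically over a process listing. The following is an added example, not code from the original article: it audits a constructed process table (the PIDs, paths and DLL names are made up for the example) for look-alike names, genuine names running from the wrong directory, and system processes that have loaded a DLL from outside the Windows and Program Files directories. The canonical paths and the set of known system processes are assumptions for a Windows XP-style layout; on Windows 2000 the root would be C:\WINNT.

```python
"""Audit a Windows process table for the three hiding tricks described above.

Added example, not code from the original article. It runs offline over a
constructed process table so the logic can be read and tested without a
Windows host; on a real host the table would come from a process tool that
shows image paths and loaded modules.
"""
import ntpath
from dataclasses import dataclass, field
from typing import List, Tuple

# Where the genuine binaries live (assumed XP layout; Windows 2000 uses C:\WINNT).
SYSTEM_ROOT = r"C:\Windows"
KNOWN_SYSTEM_PROCESSES = {
    "svchost.exe": ntpath.join(SYSTEM_ROOT, "System32"),
    "winlogon.exe": ntpath.join(SYSTEM_ROOT, "System32"),
    "explorer.exe": SYSTEM_ROOT,
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
}
# Directories a DLL loaded into a system process is expected to come from.
TRUSTED_DLL_ROOTS = (SYSTEM_ROOT, r"C:\Program Files")
# Characters the article says get swapped to fake a name: o/0 and l/1/I/i/j.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "j": "l"})


@dataclass
class Process:
    pid: int
    path: str                                         # full image path
    modules: List[str] = field(default_factory=list)  # full paths of loaded DLLs

    @property
    def name(self) -> str:
        return ntpath.basename(self.path)


def canon(name: str) -> str:
    """Lower-case and collapse confusable characters, so Svch0st.exe reads as svchost.exe."""
    return name.lower().translate(CONFUSABLE)


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap (scvhost vs svchost) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def same_dir(path: str, expected_dir: str) -> bool:
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(expected_dir)


def under(path: str, root: str) -> bool:
    return ntpath.normcase(path).startswith(ntpath.normcase(root).rstrip("\\") + "\\")


def audit(processes: List[Process]) -> List[Tuple[int, str, str]]:
    """Return (pid, check, detail) for every process that trips one of the three checks."""
    findings = []
    for proc in processes:
        name = proc.name.lower()
        if name in KNOWN_SYSTEM_PROCESSES:
            # 1.2: genuine name, so the directory must be the genuine one too.
            if not same_dir(proc.path, KNOWN_SYSTEM_PROCESSES[name]):
                findings.append((proc.pid, "wrong-directory", proc.path))
            # 1.3: a system process carrying a DLL from outside the trusted roots.
            for dll in proc.modules:
                if not any(under(dll, root) for root in TRUSTED_DLL_ROOTS):
                    findings.append((proc.pid, "foreign-dll", dll))
            continue
        # 1.1: not a genuine name, but one swap or one edit away from one.
        for genuine in KNOWN_SYSTEM_PROCESSES:
            if osa_distance(canon(name), canon(genuine)) <= 1:
                findings.append((proc.pid, "look-alike", f"{proc.name} ~ {genuine}"))
                break
    return findings


# Constructed sample table: two clean processes plus the article's examples.
SAMPLE = [
    Process(624, r"C:\Windows\System32\svchost.exe", [r"C:\Windows\System32\rpcss.dll"]),
    Process(1520, r"C:\Windows\explorer.exe", [r"C:\Windows\System32\shell32.dll"]),
    Process(1900, r"C:\Windows\System32\Svch0st.exe"),                    # o -> 0
    Process(1912, r"C:\Windows\System32\Scvhost.exe"),                    # swapped letters
    Process(1950, r"C:\Program Files\Internet Explorer\Iexplorer.exe"),   # extra letter
    Process(2004, r"C:\Windows\Svchost.exe"),                             # right name, wrong dir
    Process(2100, r"C:\Windows\System32\svchost.exe",
            [r"C:\Windows\System32\netman.dll",
             r"C:\Documents and Settings\user\Local Settings\Temp\hook.dll"]),  # injected DLL
]

if __name__ == "__main__":
    for pid, check, detail in audit(SAMPLE):
        print(f"PID {pid:>5}  {check:<16} {detail}")
```

The look-alike check deliberately normalizes confusable characters before measuring edit distance, so a pure o/0 or l/I swap scores as distance 0 and a transposition such as Scvhost scores as 1; names that exactly match a known system process skip that check and are judged by their directory and loaded modules instead.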

  II. System process FAQ

Several system processes were mentioned above. What are their functions and how do they work? We explain them one by one. Once you are familiar with these system processes, you will be able to see through the name-spoofing and directory-spoofing tricks described in sections 1.1 and 1.2.

  2.1 Svchost.exe

Process names viruses often use to impersonate it: Svch0st.exe, Schvost.exe, Scvhost.exe. As the number of Windows system services grew, Microsoft made many of them shared services started through the Svchost.exe process, to save system resources. These services are implemented as dynamic-link libraries (DLLs): the service's executable is set to svchost.exe, and svchost.exe loads the service's DLL to start it. Open Control Panel → Administrative Tools → Services and double-click the "ClipBook" service: its properties panel shows the executable path C:\Windows\System32\clipsrv.exe. Double-click the "Alerter" service and its executable path is C:\Windows\System32\svchost.exe -k LocalService, while the "Server" service has the executable path C:\Windows\System32\svchost.exe -k netsvcs. Hosting services this way saves a lot of system resources, and it is why several svchost.exe processes appear on the system: each is just a group of system services (one instance per -k group).

There are generally two svchost.exe processes on Windows 2000: one is the RPCSS (Remote Procedure Call) service, the other is shared by many services. On Windows XP there are generally four or more Svchost.exe service processes. If there are more than five, be careful, as one of them may be a virus in disguise; but the count on its own is weak evidence, because it depends on how many -k service groups are in use on that machine. The reliable check is simple: use a process management tool that shows image paths (the article suggests the process manager in Windows Optimizer Master) to view the executable path of each Svchost.exe, and if it is not in the C:\WINDOWS\system32 directory, it is not the genuine system binary and can be judged to be a virus.
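Rather than trusting a fixed count, the expected number of svchost.exe instances can be derived from the service configuration itself: Windows starts one svchost.exe per distinct -k group that has a running service. The following is an added example, not code from the original article; its service table is constructed for the example (the names resemble Windows XP services but are not taken from a real host), and on a real machine the ImagePath values would come from each service's properties panel or from `sc qc <service>`.

```python
"""Work out how many svchost.exe instances the service configuration explains,
and spot services that point at a svchost.exe outside System32.

Added example, not code from the original article. The service table is
constructed for the example; the genuine path is an assumed XP layout.
"""
import ntpath
import re
from typing import Dict, List, Set, Tuple

GENUINE_SVCHOST = r"C:\Windows\System32\svchost.exe"   # C:\WINNT\system32 on Windows 2000
_KGROUP = re.compile(r'\s-k\s+"?([^\s"]+)', re.IGNORECASE)


def parse_image_path(image_path: str) -> Tuple[str, str]:
    """Split an ImagePath such as '...\\svchost.exe -k netsvcs' into (executable, group).
    The group is '' for a service with its own executable."""
    m = _KGROUP.search(image_path)
    exe = image_path[: m.start()] if m else image_path
    return exe.strip().strip('"'), (m.group(1) if m else "")


def svchost_groups(services: Dict[str, str], running: Set[str]) -> Dict[str, List[str]]:
    """Map each -k group that has at least one running service to those services.
    One svchost.exe is started per group, so len(result) is the expected instance count."""
    groups: Dict[str, List[str]] = {}
    for name, image in services.items():
        if name not in running:
            continue
        exe, group = parse_image_path(image)
        if group and ntpath.normcase(exe) == ntpath.normcase(GENUINE_SVCHOST):
            groups.setdefault(group.lower(), []).append(name)
    return groups


def misplaced_svchost(services: Dict[str, str]) -> List[Tuple[str, str]]:
    """Services whose executable is called svchost.exe but is not the System32 binary."""
    bad = []
    for name, image in services.items():
        exe, _ = parse_image_path(image)
        if (ntpath.normcase(ntpath.basename(exe)) == "svchost.exe"
                and ntpath.normcase(exe) != ntpath.normcase(GENUINE_SVCHOST)):
            bad.append((name, exe))
    return bad


def excess_instances(observed: int, services: Dict[str, str], running: Set[str]) -> int:
    """svchost.exe processes seen in the process list beyond what the service groups explain."""
    return observed - len(svchost_groups(services, running))


# Constructed sample service table (ImagePath values as the Services console shows them).
SERVICES = {
    "RpcSs":        r"C:\Windows\System32\svchost.exe -k rpcss",
    "Alerter":      r"C:\Windows\System32\svchost.exe -k LocalService",
    "LanmanServer": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Dhcp":         r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Dnscache":     r"C:\Windows\System32\svchost.exe -k NetworkService",
    "ClipSrv":      r"C:\Windows\System32\clipsrv.exe",
    "Spooler":      r"C:\Windows\System32\spoolsv.exe",
    "SysUpdateSvc": r"C:\Windows\svchost.exe -k netsvcs",   # constructed rogue service
}
RUNNING = {"RpcSs", "Alerter", "LanmanServer", "Dhcp", "Dnscache", "Spooler", "SysUpdateSvc"}

if __name__ == "__main__":
    groups = svchost_groups(SERVICES, RUNNING)
    print(f"{len(groups)} svchost.exe instances explained by service groups: {sorted(groups)}")
    for svc, exe in misplaced_svchost(SERVICES):
        print(f"service {svc} runs a svchost.exe from the wrong place: {exe}")
    print("unexplained instances if 5 are observed:", excess_instances(5, SERVICES, RUNNING))
```

With the sample table, four groups are in use (rpcss, LocalService, netsvcs, NetworkService), so four svchost.exe processes are expected; a fifth one is unexplained, and the rogue SysUpdateSvc entry is caught directly by its path even before the process list is consulted.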

  2.2 Explorer.exe

Process names viruses often use to impersonate it: Iexplorer.exe, Expiorer.exe, Explore.exe. Explorer.exe is the Windows Explorer we use all the time. If you end the Explorer.exe process in Task Manager, the taskbar, the desktop, and the open Explorer windows all disappear; click Task Manager → File → New Task, enter "explorer.exe", and they come back. The role of the Explorer.exe process is to let us manage the resources on the computer.

The Explorer.exe process starts with the system by default, and its executable lives in the C:\Windows directory; an Explorer.exe running from any other location is a virus.
