How to tell whether a virus or Trojan is present by looking at processes

Source: Internet
Author: User

Every virus or Trojan that lives in a system is tied to a process. Even when it uses hiding techniques it leaves traces among the running processes, so looking at which processes are active is the most direct way to detect a virus or Trojan. But of the processes running at the same time, which are normal system processes, which belong to a Trojan, and what do the system processes that viruses and Trojans commonly impersonate actually do? Read on.

Three methods of virus process hiding

When we are sure the system is infected but cannot find any unfamiliar process in Task Manager, the virus has taken measures to hide itself. Broadly, there are three methods:

1. The Genuine: look-alike names

The normal system processes include Svchost.exe, Explorer.exe, iexplore.exe and Winlogon.exe. You may have noticed processes such as Svch0st.exe, Explore.exe, Iexplorer.exe or Winlogin.exe on a system. Compare them: can you see the difference? This is a trick viruses often use to fool the eye. Typically they take a normal process name and change an o to 0, an l to I, or an i to j, and use the result as their own process name; the names differ by a single character but mean something completely different. Or they add or drop one letter: Explorer.exe and Iexplore.exe are easy to confuse already, and an iexplorer.exe makes it worse. If the user is not careful these are usually overlooked, and the virus process gets away.

2. Rescue: same name, wrong directory

If the user is careful, the trick above fails and the virus is dealt with on the spot. So the virus learns and refines the trick. Suppose a process is named svchost.exe, exactly like the normal system process. Is it safe? No. It is exploiting the fact that Task Manager does not show which executable file a process was started from. We know that the executable for the Svchost.exe process lives in the "C:\WINDOWS\system32" directory (on Windows 2000, C:\WINNT\system32). If the virus copies itself into "C:\WINDOWS\" under the name Svchost.exe and runs, what we see in Task Manager is also svchost.exe, identical to the normal system process. Can you tell which one is the virus?

3. Reincarnated: hiding inside a system process

Besides the two methods above, the virus has an ultimate trick: reincarnation. The virus uses process injection to load the DLL files it needs into a normal system process. On the surface nothing looks suspicious, but in reality the system process is under the virus's control, and without a professional process inspection tool it is very hard to find the virus hiding inside it.
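The first two tricks can be checked mechanically. The following script is an added example, not code from the original article: it folds the character swaps described above (0 for o, l for I, and so on), measures how far each process name is from the well-known system names, and for a genuine name checks that the executable comes from the expected directory. The process list and the expected directories (Windows XP layout, with a Windows 2000 C:\WINNT prefix folded to C:\WINDOWS) are constructed assumptions; in practice the list would come from a process tool that shows executable paths. The third trick, DLL injection, is not visible in a name-and-path listing and needs the process inspection tools the text mentions.

```python
import ntpath

# Well-known system process names and the directory each normally runs from
# (assumed Windows XP layout; a Windows 2000 C:\WINNT prefix is folded to C:\WINDOWS).
EXPECTED_DIR = {
    "svchost.exe":  r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Character swaps used to fool the eye: 0 for o, 1 or l for i/I, a bar for l.
# Both the candidate and the known names are folded so the swap is ignored.
FOLD = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i"})


def fold(name: str) -> str:
    return name.lower().translate(FOLD)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters, each costing 1 (so 'scvhost' vs 'svchost' is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_name(name: str) -> tuple[str, list[str]]:
    """'genuine' for an exact known name, 'lookalike' when the folded name is
    within one edit of a known name (listing the names it imitates), else 'unknown'."""
    lowered = name.lower()
    if lowered in EXPECTED_DIR:
        return "genuine", [lowered]
    stem = fold(lowered).removesuffix(".exe")
    hits = sorted(known for known in EXPECTED_DIR
                  if osa_distance(stem, fold(known).removesuffix(".exe")) <= 1)
    return ("lookalike", hits) if hits else ("unknown", [])


def check_process(name: str, path: str) -> tuple[str, list[str]]:
    """Name check first; a genuine name is then checked against its expected directory."""
    verdict, hits = classify_name(name)
    if verdict == "genuine":
        actual_dir = ntpath.dirname(path).lower().replace(r"c:\winnt", r"c:\windows")
        if actual_dir != EXPECTED_DIR[hits[0]]:
            return "wrong-directory", hits
    return verdict, hits


# Constructed sample process list: (name, executable path) as a process manager
# would show them. The first four are legitimate, the rest imitate them.
SAMPLE_PROCESSES = [
    ("svchost.exe",  r"C:\WINDOWS\system32\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    ("Svch0st.exe",  r"C:\WINDOWS\system32\Svch0st.exe"),   # 0 in place of o
    ("Winlogin.exe", r"C:\WINDOWS\system32\Winlogin.exe"),  # one letter changed
    ("Scvhost.exe",  r"C:\WINDOWS\Scvhost.exe"),            # two letters swapped
    ("svchost.exe",  r"C:\WINDOWS\svchost.exe"),            # right name, wrong directory
]


def audit(processes) -> list[tuple[str, str, str, list[str]]]:
    """Return the suspicious entries as (name, path, verdict, imitated names)."""
    findings = []
    for name, path in processes:
        verdict, hits = check_process(name, path)
        if verdict in ("lookalike", "wrong-directory"):
            findings.append((name, path, verdict, hits))
    return findings


if __name__ == "__main__":
    for name, path, verdict, hits in audit(SAMPLE_PROCESSES):
        print(f"{verdict:16} {name:14} {path}  (imitates {', '.join(hits)})")
```

The distance threshold of one edit deliberately includes adjacent swaps such as Scvhost.exe; a name like Explore.exe is reported against both Explorer.exe and Iexplore.exe because it is one edit from each, which is exactly why the text calls that pair confusing. Anything the script reports is a lead to verify with a process tool, not a verdict on its own.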

System process doubts

Many system processes were mentioned above. What do they do, and how do they work? We explain them below; once you are familiar with them you will be able to see through the virus's "genuine" and "rescue" tricks.

Svchost.exe

Process names viruses often use to impersonate it: Svch0st.exe, Schvost.exe, Scvhost.exe. As the number of Windows system services grew, Microsoft made many of them run in a shared way to save system resources: they are started by the Svchost.exe process. Such a system service is implemented as a dynamic-link library (DLL); its executable path points at Svchost, and Svchost loads the service's DLL. Open "Control Panel" → "Administrative Tools" → "Services" and double-click the "ClipBook" service: its properties panel shows the executable path "C:\WINDOWS\system32\clipsrv.exe". Double-click the "Alerter" service and its executable path is "C:\WINDOWS\system32\svchost.exe -k LocalService"; the executable path of the "Server" service is "C:\WINDOWS\System32\svchost.exe -k Netsvcs". Calling services this way saves a lot of system resources, so the multiple svchost.exe processes on a system are really just the system services.

On Windows 2000 svchost.exe normally runs twice: one instance hosts the RPCSS (Remote Procedure Call) service and the other is shared by many services. On Windows XP there are usually more than 4 svchost.exe service processes. If XP or an earlier system has more than 5 svchost.exe processes, be careful: one may be a virus impersonating it. On Vista and Windows 7, however, 8 to 12 svchost processes are normal. Telling the normal system process apart is simple: use a process management tool, such as the process management function of Vista Optimizer, to view the executable path of each Svchost.exe; if it lies outside the "C:\WINDOWS\system32" directory, it can be taken to be a virus.
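The "-k group" part of a service's executable path is what makes the svchost.exe count explainable: each distinct group normally runs as one svchost.exe instance. The following script is an added example, not code from the original article. It reads a constructed service table of the kind shown in the Services console, derives the set of declared groups, and then checks a constructed list of running svchost command lines for instances outside system32, instances with no -k group, instances whose group no installed service declares, and a total above the article's rule-of-thumb maximum for the given Windows version. Real executable paths often begin with %SystemRoot%, which would need expanding before this check.

```python
import ntpath
import re

# Constructed service table: service name -> executable path as the Services
# console shows it. ClipBook runs its own clipsrv.exe; the rest are svchost groups.
SERVICES = {
    "ClipBook":    r"C:\WINDOWS\system32\clipsrv.exe",
    "Alerter":     r"C:\WINDOWS\system32\svchost.exe -k LocalService",
    "Server":      r"C:\WINDOWS\System32\svchost.exe -k Netsvcs",
    "Workstation": r"C:\WINDOWS\System32\svchost.exe -k Netsvcs",
    "RpcSs":       r"C:\WINDOWS\system32\svchost.exe -k rpcss",
    "Dhcp":        r"C:\WINDOWS\system32\svchost.exe -k NetworkService",
}

# Constructed list of running svchost command lines as a process tool would show them.
RUNNING = [
    r"C:\WINDOWS\system32\svchost.exe -k rpcss",
    r"C:\WINDOWS\system32\svchost.exe -k Netsvcs",
    r"C:\WINDOWS\system32\svchost.exe -k NetworkService",
    r"C:\WINDOWS\system32\svchost.exe -k LocalService",
    r"C:\WINDOWS\svchost.exe",                        # no group, outside system32
    r"C:\WINDOWS\system32\svchost.exe -k UpdateSvc",  # group no installed service declares
]

# Upper end of the article's rules of thumb for how many svchost.exe are normal.
MAX_NORMAL = {"2000": 2, "xp": 5, "vista": 12, "7": 12}

# Matches an optionally quoted path ending in svchost or svchost.exe, then an optional -k group.
SVCHOST_RE = re.compile(
    r'^\s*"?(?P<path>[^"]*?svchost(?:\.exe)?)"?\s*(?:-k\s+(?P<group>\S+))?\s*$', re.I)


def parse_svchost(cmdline: str):
    """Return (path, lower-cased -k group or None) for an svchost launch, else None."""
    m = SVCHOST_RE.match(cmdline)
    if not m:
        return None
    group = m.group("group")
    return m.group("path"), (group.lower() if group else None)


def expected_groups(services: dict) -> set:
    """The distinct -k groups the installed services declare; each normally
    corresponds to exactly one running svchost.exe instance."""
    groups = set()
    for image_path in services.values():
        parsed = parse_svchost(image_path)
        if parsed and parsed[1]:
            groups.add(parsed[1])
    return groups


def audit_svchost(running, services, windows_version: str):
    """Flag svchost instances outside system32, without a -k group, or with a
    group no service declares, plus a total above the article's threshold."""
    groups = expected_groups(services)
    findings = []
    count = 0
    for cmd in running:
        parsed = parse_svchost(cmd)
        if not parsed:
            continue
        count += 1
        path, group = parsed
        directory = ntpath.dirname(path).lower().replace(r"c:\winnt", r"c:\windows")
        if directory != r"c:\windows\system32":
            findings.append((cmd, "runs outside C:\\WINDOWS\\system32"))
        elif group is None:
            findings.append((cmd, "no -k group: not started as a service host"))
        elif group not in groups:
            findings.append((cmd, f"group '{group}' is declared by no installed service"))
    limit = MAX_NORMAL[windows_version.lower()]
    if count > limit:
        findings.append((f"{count} svchost.exe instances",
                         f"more than the usual maximum of {limit} on Windows {windows_version}"))
    return findings


if __name__ == "__main__":
    for subject, reason in audit_svchost(RUNNING, SERVICES, "xp"):
        print(f"{subject}: {reason}")
```

Comparing running instances against the declared groups is more robust than a fixed count, because the number of groups differs between Windows 2000, XP and Vista/7 exactly as the text describes; a service can also be configured to get its own svchost process, so a count mismatch is a lead to investigate rather than proof by itself.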
