Monday, January 3, 2011

【Weak Current College】 Spotting viruses and Trojans through their processes



Any virus or Trojan present on a system cannot be fully separated from a process: it either runs as one or leaves traces in one. Even when it uses hiding techniques, clues remain in the process list, so reviewing the system's active processes is the most direct way to detect a virus or Trojan. But many processes run at the same time. Which are normal system processes and which belong to a Trojan? And when a virus impersonates a system process, what is it actually doing? Read on.

Three ways a virus hides its process

When we are certain a virus is present but see no unusual process in Task Manager, the virus is using some hiding measure. These measures come down to three methods:

1. Passing a fake off as the real thing

Normal system processes include svchost.exe, explorer.exe, winlogon.exe and iexplore.exe. Now look at these: svch0st.exe, explore.exe, iexplorer.exe, winlogin.exe. Can you spot the differences? This is a trick viruses use constantly, and its only purpose is to fool the eye. Typically they take a normal process name and change an o to a 0, an l to an I, or an i to a j, and use the result as their own process name: one character differs, and the meaning is entirely different. Or they add or drop a letter. explorer.exe and iexplore.exe are already easy to confuse, so an iexplorer.exe is more confusing still. A user who is not careful overlooks it, and the virus process lives on.

2. Same name, different directory

If the user is more observant, the trick above fails and the virus is exposed on the spot. So viruses have learned a subtler move: swapping themselves in under the real name. Suppose a process is named svchost.exe and looks no different from the normal system process. Is it safe? Not necessarily. It is exploiting the fact that Task Manager on its own does not show which executable file a process was started from. We know that the real svchost.exe lives in C:\WINDOWS\system32 (C:\WINNT\system32 on Windows 2000). If the virus copies itself to C:\WINDOWS\, renames itself svchost.exe and runs, Task Manager shows one more svchost.exe alongside the normal ones. Can you tell which one is the virus? Only by checking each process's image path. Task Manager on Windows XP has no column for it; on Vista and later you can add the Image Path Name column under View → Select Columns.

3. Hiding inside a legitimate process

Beyond these two methods, viruses have one ultimate technique: borrowing another process's body. This is process injection. The virus loads the DLL it needs to run into a normal system process. On the surface nothing looks suspicious, but in reality that system process is now under the virus's control. Without a dedicated process-inspection tool that can list the modules loaded in each process, finding a virus hidden this way is very difficult.
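Methods 1 and 3 above can both be checked mechanically: compare every process name against the genuine system names after collapsing look-alike characters, and list any DLL a core system process has loaded from outside the Windows system directories. The script below is an added example, not code from the original article; it runs over a constructed process snapshot (the PIDs, names and module paths are made up), and the list of known process names, the set of trusted directories and the edit-distance threshold are assumptions chosen for the example.

```python
"""Flag process names that imitate core Windows processes, and DLLs that a
core process has loaded from outside the Windows system directories.

Added example over a constructed process snapshot; it does not enumerate live
processes. On a real machine the same data comes from a tool that lists each
process's loaded modules.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Core Windows process names that malware most often imitates (assumed list).
KNOWN_SYSTEM_PROCESSES = {
    "svchost.exe", "explorer.exe", "winlogon.exe", "iexplore.exe",
    "lsass.exe", "csrss.exe", "services.exe", "smss.exe",
}

# Characters that stand in for letters of the genuine name: 0 for o, 1 or | for l, j for i.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "|": "l", "j": "i"})

# Only DLLs under these directories count as expected for a core process.
# Plain C:\WINDOWS\ is left out on purpose: dropping a file there is exactly
# the trick the article describes. (Assumption made for this example.)
TRUSTED_MODULE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


@dataclass
class Process:
    pid: int
    name: str
    modules: list[str] = field(default_factory=list)


def normalize(name: str) -> str:
    """Case-fold and collapse confusable characters, so svch0st.exe reads as svchost.exe."""
    return name.lower().translate(CONFUSABLE)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each costs 1 (the swap catches scvhost.exe)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name: str, max_distance: int = 2) -> Optional[str]:
    """Return the genuine process name this one imitates, or None.

    An exact match is genuine. Otherwise the name is normalized and compared
    with every known name; within max_distance edits it is reported as a
    look-alike. Hits at distance 2 are leads for manual review, not proof.
    """
    lowered = name.lower()
    if lowered in KNOWN_SYSTEM_PROCESSES:
        return None
    norm = normalize(lowered)
    best = min(KNOWN_SYSTEM_PROCESSES, key=lambda known: (osa_distance(norm, known), known))
    return best if osa_distance(norm, best) <= max_distance else None


def foreign_modules(proc: Process) -> list[str]:
    """DLLs a core system process has loaded from outside the trusted directories.

    Applied only to processes whose name is genuine; look-alike names are
    reported by lookalike_of. Legitimate shell extensions or antivirus hooks
    can show up here as well, so treat the results as leads.
    """
    if proc.name.lower() not in KNOWN_SYSTEM_PROCESSES:
        return []
    return [m for m in proc.modules if not m.lower().startswith(TRUSTED_MODULE_DIRS)]


def audit(snapshot: list[Process]) -> list[tuple[int, str, str]]:
    """Run both checks over a snapshot and return (pid, name, reason) findings."""
    findings: list[tuple[int, str, str]] = []
    for proc in snapshot:
        target = lookalike_of(proc.name)
        if target:
            findings.append((proc.pid, proc.name, f"name imitates {target}"))
        for module in foreign_modules(proc):
            findings.append((proc.pid, proc.name, f"module loaded from outside Windows system dirs: {module}"))
    return findings


# Constructed snapshot: PIDs, names and module lists are made up for the example.
SAMPLE_SNAPSHOT = [
    Process(1040, "svchost.exe", ["C:\\WINDOWS\\system32\\ntdll.dll", "C:\\WINDOWS\\system32\\rpcss.dll"]),
    Process(1552, "svch0st.exe", ["C:\\WINDOWS\\system32\\ntdll.dll"]),
    Process(1788, "explorer.exe", ["C:\\WINDOWS\\system32\\ntdll.dll", "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\ms32.dll"]),
    Process(2100, "iexplorer.exe", []),
    Process(2244, "notepad.exe", ["C:\\WINDOWS\\system32\\ntdll.dll"]),
]

if __name__ == "__main__":
    for pid, name, reason in audit(SAMPLE_SNAPSHOT):
        print(f"PID {pid:<5} {name:<14} {reason}")
```

On the constructed snapshot the audit reports svch0st.exe as imitating svchost.exe, iexplorer.exe as one edit away from both iexplore.exe and explorer.exe, and explorer.exe for a DLL loaded from a Temp directory; the genuine svchost.exe and notepad.exe produce nothing.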

System processes up close

We have mentioned a number of system processes. What do they do, and how do they work? Below we look at them in detail. Once you know these processes well, you can see through the "fake passed off as real" and "same name, different directory" tricks above.

svchost.exe

Names viruses often use to imitate it: svch0st.exe, schvost.exe, scvhost.exe. As the number of Windows services kept growing, Microsoft moved many of them into shared svchost.exe processes to save system resources. These services are implemented as dynamic-link libraries (DLLs); the executable they point to is svchost.exe, which loads the service's DLL and starts the service. Open Control Panel → Administrative Tools → Services and double-click the ClipBook service: its properties show the path to the executable as C:\WINDOWS\system32\clipsrv.exe. Double-click the Alerter service and the path is C:\WINDOWS\system32\svchost.exe -k LocalService, while the Server service shows C:\WINDOWS\system32\svchost.exe -k netsvcs. Hosting services this way saves a lot of resources, and it is why several svchost.exe processes appear: each is just a container for a group of system services.

On a normal Windows 2000 system there are two svchost.exe processes: one for the RPCSS (Remote Procedure Call) service and one shared by many other services. Windows XP usually has four or more. If an XP or earlier system shows more than five, be careful: one of them may be a fake. In the Vista and Windows 7 era, however, 8 to 12 svchost processes are normal. Checking whether an instance is genuine is simple: use a process management tool (for example the process manager in Vista optimization guru) to look at the executable path of each svchost.exe. If it is not in C:\WINDOWS\system32, you can be sure it is a virus (on 64-bit Windows the copy in C:\Windows\SysWOW64 is also legitimate). Two more checks are worth doing: run tasklist /svc at a command prompt to see which services each svchost.exe hosts, since a genuine instance always hosts at least one and an svchost.exe listed with N/A deserves a closer look; and on Vista or later add the Image Path Name column in Task Manager via View → Select Columns.
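The three svchost checks just described (instance count against what the version of Windows normally runs, image path in system32, and whether the instance hosts any services) can be automated over the output of tasklist /svc. The script below is an added example, not code from the article; the tasklist output is constructed for an XP machine with one extra svchost.exe copied to C:\WINDOWS\, and because tasklist does not print image paths, the path table is a made-up lookup keyed by PID standing in for what a process tool or wmic would report. The per-version ceilings are the article's rough figures, used here as assumptions.

```python
"""Sanity-check the svchost.exe instances on a machine: how many there are,
where each runs from, and whether each actually hosts services.

Added example over constructed data. The service list is in the format that
`tasklist /svc` prints; image paths are a made-up lookup table, since tasklist
does not print them (a process tool or wmic would supply them on a real host).
"""
from __future__ import annotations

import re

# Only these image paths are a genuine svchost.exe (C:\WINNT on Windows 2000).
GENUINE_SVCHOST_PATHS = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\syswow64\\svchost.exe",
    "c:\\winnt\\system32\\svchost.exe",
}

# Rough ceilings from the article: 2 on Windows 2000, about 5 on XP, up to 12 on Vista/7.
EXPECTED_MAX = {"2000": 2, "xp": 5, "vista": 12, "7": 12}

# Constructed `tasklist /svc` output for an XP machine with one extra svchost.exe.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       520 N/A
csrss.exe                      584 N/A
winlogon.exe                   608 N/A
services.exe                   652 Eventlog, PlugPlay
lsass.exe                      664 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    836 DcomLaunch, TermService
svchost.exe                    924 RpcSs
svchost.exe                   1024 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
                                   EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Netman, Nla, Schedule
svchost.exe                   1092 Dnscache
svchost.exe                   1140 Alerter, LmHosts, RemoteRegistry, SSDPSRV
svchost.exe                   1760 N/A
explorer.exe                  1828 N/A
"""

# Constructed image paths keyed by PID, as a process tool would report them.
IMAGE_PATHS = {
    836: "C:\\WINDOWS\\system32\\svchost.exe",
    924: "C:\\WINDOWS\\system32\\svchost.exe",
    1024: "C:\\WINDOWS\\system32\\svchost.exe",
    1092: "C:\\WINDOWS\\system32\\svchost.exe",
    1140: "C:\\WINDOWS\\system32\\svchost.exe",
    1760: "C:\\WINDOWS\\svchost.exe",  # copied one directory up, as the article describes
    1828: "C:\\WINDOWS\\explorer.exe",
}

# image name (may contain spaces), right-aligned PID, then the services column
ROW_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_tasklist_svc(text: str) -> list[dict]:
    """Parse tasklist /svc output into dicts with image, pid and a list of services."""
    rows: list[dict] = []
    for line in text.splitlines()[2:]:  # skip the header line and the ==== rule
        if not line.strip():
            continue
        if line[0] == " " and rows:  # wrapped continuation of the previous services list
            rows[-1]["services"] += " " + line.strip()
            continue
        match = ROW_RE.match(line)
        if match is None:
            raise ValueError(f"unparsable tasklist line: {line!r}")
        rows.append({"image": match["image"].strip(), "pid": int(match["pid"]),
                     "services": match["services"].strip()})
    for row in rows:
        raw = row["services"]
        row["services"] = [] if raw == "N/A" else [s.strip() for s in raw.split(",") if s.strip()]
    return rows


def audit_svchost(rows: list[dict], image_paths: dict[int, str], windows_version: str) -> list[tuple]:
    """Return (pid, reason) findings; pid is None for the instance-count finding."""
    findings: list[tuple] = []
    instances = [r for r in rows if r["image"].lower() == "svchost.exe"]
    ceiling = EXPECTED_MAX[windows_version]
    if len(instances) > ceiling:
        findings.append((None, f"{len(instances)} svchost.exe processes, more than the usual {ceiling} on Windows {windows_version}"))
    for row in instances:
        path = image_paths.get(row["pid"], "")
        if path.lower() not in GENUINE_SVCHOST_PATHS:
            findings.append((row["pid"], f"runs from {path or 'unknown path'}, not system32"))
        if not row["services"]:
            findings.append((row["pid"], "hosts no services (N/A); a genuine svchost always does"))
    return findings


if __name__ == "__main__":
    for pid, reason in audit_svchost(parse_tasklist_svc(TASKLIST_SVC), IMAGE_PATHS, "xp"):
        print(f"{'all' if pid is None else 'PID ' + str(pid):<9} {reason}")
```

On the constructed data the audit reports six svchost.exe instances on XP, and flags PID 1760 twice: it runs from C:\WINDOWS\ rather than system32, and it hosts no services. Run against the same rows with windows_version set to "7", the count finding disappears but the two findings for PID 1760 remain, which is the point: the count is only a rough hint, while the path and the hosted-service list are decisive.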
