SoFunction
Updated on 2025-04-08

How to spot viruses and Trojans from the process list

No virus or Trojan that lives in a system can fully detach itself from a process. Even when it uses hiding techniques, traces of it remain in the process list, so inspecting the active processes is the most direct way to detect viruses and Trojans. The difficulty is that many processes run at once: which are normal system processes and which are Trojan processes? What do the system processes that viruses and Trojans so often impersonate actually do? This article answers those questions.

Three ways a virus hides its process

When we are sure a virus is present but see no unusual process in the "Task Manager", the virus has taken some hiding measure. These measures fall into three categories:

1. Passing off the fake as real

Compare the names of the normal system processes with the names a virus gives its own process: can you spot the difference? This is a trick viruses use all the time, and its only purpose is to fool the eye. Typically the virus takes a normal system process name and changes an o to a 0, an l to an i, or an i to a j, and uses the result as its own process name. The two names differ by a single character but refer to completely different programs. Alternatively the virus adds or drops one letter, which is just as easy to miss, and a name that combines both tricks is harder still to catch. A user who is not careful passes over it, and the virus process escapes.

2. Swapping the pillars: same name, different file

A careful user defeats the trick above on the spot, so viruses learned a second one: swapping the real file for a fake while keeping the name. Suppose a process name is identical, character for character, to that of a normal system process. Is the process safe? Not necessarily. The virus exploits a weakness of the Windows XP "Task Manager": it cannot show which executable file a process was loaded from. We know the executables of the system processes live in "C:\WINDOWS\system32" (on Windows 2000, "C:\WINNT\system32"). If the virus copies itself into "C:\WINDOWS\", renames itself after a system process and runs, what we see in the "Task Manager" is a name identical to the genuine system process. Can you tell which one is the virus?

3. Borrowing a corpse to bring back the soul: DLL injection

Beyond the two methods above, viruses have an ultimate method. The virus uses process injection to load the DLL files it needs into a normal system process. On the surface nothing looks suspicious, yet the system process is now under the virus's control. Without a professional process inspection tool it is very hard to discover the virus hiding inside.

Demystifying the system processes

Several system processes were mentioned above. What do they do, and how do they work? Below we go through them one by one. Once you are familiar with them, you can see through both the "fake passed off as real" and the "swapped pillars" tricks.

svchost.exe

This is the process name viruses impersonate most often. As the number of Windows system services has grown, Microsoft, to save system resources, implemented many services in a shared fashion and hands their startup to svchost.exe. Such services are implemented as dynamic link libraries (DLLs): the service's executable is svchost.exe, which loads the DLL of the corresponding service to start it. Open "Control Panel" → "Administrative Tools" → "Services" and double-click the "ClipBook" service: its properties panel shows the executable path "C:\WINDOWS\system32\clipsrv.exe", a service with its own executable. Double-click the "Alerter" service and its path is "C:\WINDOWS\system32\svchost.exe -k LocalService", while the "Server" service's path is "C:\WINDOWS\system32\svchost.exe -k netsvcs". This calling convention saves a great deal of system resources, which is why several svchost.exe processes appearing in the system are, in fact, just system services: one svchost.exe per "-k" service group.

Windows 2000 generally runs two svchost.exe processes, one for the RPCSS (Remote Procedure Call) service and one shared by many other services; Windows XP generally runs four or more. If you see more than five, be cautious: one of them may be a virus in disguise. The exact number depends on which services are running, so the count is only a hint, and the real test is simple. Use a process management tool such as the process manager in Windows Optimizer to view the executable file path: a genuine svchost.exe is always "C:\WINDOWS\system32\svchost.exe" and is always started by services.exe. If the path is outside the "C:\WINDOWS\system32" directory, it is a virus.
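Rather than relying on a fixed count of svchost.exe processes, the expected number can be derived from the service configuration described above: each distinct "-k" group that has a running service accounts for one svchost.exe. The following Python script is an added example and not code from the original article. The service table it works on is constructed for the demonstration, and expanding %SystemRoot% to C:\WINDOWS is an assumption; on a real machine the ImagePath values would be read from the Services snap-in or the registry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample service table: (service name, state, ImagePath as the
# registry or services.msc shows it). Not taken from a real machine.
SAMPLE_SERVICES: List[Tuple[str, str, str]] = [
    ("RpcSs",        "Running", r"%SystemRoot%\system32\svchost.exe -k rpcss"),
    ("Alerter",      "Running", r"C:\WINDOWS\system32\svchost.exe -k LocalService"),
    ("lanmanserver", "Running", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("Dhcp",         "Running", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("Browser",      "Stopped", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("ClipSrv",      "Stopped", r"C:\WINDOWS\system32\clipsrv.exe"),
    ("Spooler",      "Running", r"C:\WINDOWS\system32\spoolsv.exe"),
    # A service whose svchost.exe sits outside system32: the "swapped pillars"
    # trick applied to a service entry (constructed, hypothetical name).
    ("EvilSvc",      "Running", r"C:\WINDOWS\svchost.exe -k netsvcs"),
]

# Assumption for the example: a default Windows XP install on drive C.
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = (SYSTEM_ROOT + r"\system32").lower()

# Matches 'path\svchost.exe -k group', with or without quotes around the path.
SVCHOST_RE = re.compile(r'^"?(?P<path>.+?svchost\.exe)"?\s+-k\s+(?P<group>\S+)',
                        re.IGNORECASE)


def expand_image_path(image: str) -> str:
    """Expand %SystemRoot% the way the service control manager would."""
    return re.sub(r"%systemroot%", lambda _m: SYSTEM_ROOT, image, flags=re.IGNORECASE)


def svchost_groups(services):
    """Group running svchost-hosted services by their -k group.

    Returns (groups, suspicious): groups maps each -k group name (lower-cased)
    to the services it hosts; suspicious lists (service, path) pairs whose
    svchost.exe does not live in system32 and therefore cannot be the real one.
    """
    groups: Dict[str, List[str]] = {}
    suspicious: List[Tuple[str, str]] = []
    for name, state, image in services:
        m = SVCHOST_RE.match(expand_image_path(image))
        if m is None or state != "Running":
            continue
        path, group = m.group("path"), m.group("group").lower()
        if not path.lower().startswith(SYSTEM32 + "\\"):
            suspicious.append((name, path))
            continue
        groups.setdefault(group, []).append(name)
    return groups, suspicious


def expected_svchost_count(services) -> int:
    """One svchost.exe process per distinct -k group that has a running service."""
    groups, _ = svchost_groups(services)
    return len(groups)


if __name__ == "__main__":
    groups, bad = svchost_groups(SAMPLE_SERVICES)
    for group, members in sorted(groups.items()):
        print(f"svchost.exe -k {group}: {', '.join(members)}")
    print("expected svchost.exe instances:", expected_svchost_count(SAMPLE_SERVICES))
    for name, path in bad:
        print(f"SUSPICIOUS service {name}: svchost image at {path}")
```

With the sample table the script expects three svchost.exe processes (rpcss, LocalService and netsvcs), ignores the stopped Browser service, and reports the service whose svchost.exe path is outside system32. The same idea applies to the live process list: compare the number of svchost.exe processes against the number of groups, and investigate any surplus by its path.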

explorer.exe

Viruses frequently impersonate this process name too. It is the "Explorer" we use every day. If you end the explorer.exe process in the "Task Manager", the taskbar, the desktop icons and every open folder window disappear. Click "Task Manager" → "File" → "New Task", enter "explorer.exe", and everything comes back. The job of the explorer.exe process is to let us manage the resources on our computer.

explorer.exe starts with the system by default, and its executable lives in the "C:\Windows" directory; an explorer.exe running from anywhere else is a virus.

iexplore.exe

Viruses often impersonate this process name as well, and because it closely resembles explorer.exe, the two are easily confused. iexplore.exe is the process created by Microsoft Internet Explorer, the IE browser we normally use. Knowing its function makes it easier to recognise: the process name begins with "ie", meaning IE browser.

The executable corresponding to iexplore.exe lives in the "C:\Program Files\Internet Explorer" directory; unless you moved that folder yourself, an iexplore.exe in any other directory is a virus. Sometimes you will also find an iexplore.exe process in the system without having opened the IE browser. There are two possibilities: 1. a virus is impersonating the process name; 2. a virus is using the real browser to do its dirty work in the background. In either case, run an antivirus scan.

rundll32.exe

Another process name viruses like to impersonate. Its role in the system is to execute functions exported by a DLL file, so the number of rundll32.exe processes tells you how many DLLs have been launched this way. We actually use it often, since it can drive DLLs in the system directly. For example, enter "rundll32.exe user32.dll,LockWorkStation" at the "Command Prompt" and press Enter: the system immediately switches to the logon screen. The genuine rundll32.exe lives in "C:\Windows\system32" and one found in any other directory is a virus. One caveat: because rundll32.exe runs whatever DLL is named on its command line, a genuine rundll32.exe from system32 can still be executing a malicious DLL, so check the command line as well as the path.

spoolsv.exe

Also frequently impersonated. spoolsv.exe is the executable behind the "Print Spooler" system service. It manages all local and network print queues and controls every print job. If the service is disabled, printing on the computer becomes unavailable and the process disappears. If you have no printer, you can turn the service off to save system resources. After stopping and disabling the service, any spoolsv.exe still present in the system must be a virus in disguise.

Space does not allow a longer tour of common processes. When something looks suspicious while checking the process list, judge it on two points: 1. check the process's file name carefully, character by character; 2. check its path. These two checks expose the ordinary virus process.
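The two checks the article settles on, exact file name and path, can be applied mechanically to a process snapshot, together with the parent check for svchost.exe mentioned earlier. The Python script below is an added example, not code from the original article. The process snapshot is constructed for the demonstration, the expected directories assume a default Windows XP install on drive C, and the name comparison catches both the character swaps described under "passing off the fake as real" (o/0, l/1, i/j) and names that are one edit away from a system process name, including two adjacent letters swapped.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Known Windows XP system images and the directory each must be loaded from
# (lower-cased; assumes a default install on drive C).
KNOWN: Dict[str, str] = {
    "svchost.exe":  r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "rundll32.exe": r"c:\windows\system32",
    "spoolsv.exe":  r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}

# Character swaps the article describes (o->0, l->1, i->j), mapped back to the
# genuine character so that a swapped name normalizes to the real one.
CONFUSABLE = {"0": "o", "1": "l", "j": "i"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed process snapshot for the demonstration (not from a real machine).
SNAPSHOT: List[Proc] = [
    Proc(600, 500, "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1500, 1400, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    Proc(2100, 1500, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(1900, 1500, "svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),         # o -> 0
    Proc(1950, 1500, "scvhost.exe", r"C:\Documents and Settings\u\scvhost.exe"),  # letters swapped
    Proc(2000, 1500, "svchost.exe", r"C:\WINDOWS\svchost.exe"),                   # same name, wrong dir
    Proc(2200, 1500, "iexplorer.exe", r"C:\WINDOWS\system32\iexplorer.exe"),      # one extra letter
]


def normalize(name: str) -> str:
    """Lower-case the name and undo the confusable character swaps."""
    return "".join(CONFUSABLE.get(c, c) for c in name.lower())


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_processes(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for lookalike names, wrong paths and, for
    svchost.exe, a parent process other than services.exe."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        name = p.name.lower()
        directory = p.path.lower().rsplit("\\", 1)[0]
        if name in KNOWN:
            # Exact system name: the only remaining question is the path
            # ("swapped pillars"), plus who started it in the svchost case.
            if directory != KNOWN[name]:
                findings.append((p.pid, f"{p.name} runs from {p.path}, expected {KNOWN[name]}"))
            if name == "svchost.exe":
                parent = by_pid.get(p.ppid)
                if parent is None or parent.name.lower() != "services.exe":
                    findings.append((p.pid, "svchost.exe was not started by services.exe"))
            continue
        # Unknown name: flag it if it is a system name with characters swapped
        # or is within one edit of a system name ("fake passed off as real").
        norm = normalize(name)
        for real in KNOWN:
            if norm == real or osa_distance(norm, real) == 1:
                findings.append((p.pid, f"{p.name} looks like {real} but is not it"))
                break
    return findings


if __name__ == "__main__":
    for pid, reason in check_processes(SNAPSHOT):
        print(f"PID {pid}: {reason}")
```

On the sample snapshot the genuine services.exe, svchost.exe, explorer.exe and iexplore.exe pass, while svch0st.exe, scvhost.exe and iexplorer.exe are flagged as lookalikes and the second svchost.exe is flagged twice: wrong directory and wrong parent. The normalization table is deliberately small and is a heuristic; a real deployment would carry the full list of system images for the Windows version in use.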

Find a good helper for managing processes

The system's built-in "Task Manager" is far too weak to be of any use in detecting viruses. Use a professional process management tool instead, such as Procexp (Sysinternals Process Explorer). Process Explorer distinguishes system processes from ordinary processes and highlights the different categories (services, your own processes, packed images) in different colours, leaving a virus that impersonates a system process nowhere to hide.

After Process Explorer starts, the process tree is split into two main branches. Processes beneath "System Idle Process" are system processes.

Processes beneath "explorer.exe" are ordinary user processes. The service processes introduced above, svchost.exe and spoolsv.exe among them, all sit under the "System Idle Process" branch; if you find one of them under "explorer.exe", it is a virus in disguise, no question. The reverse does not hold: a virus installed as a service is started by services.exe and appears in the system branch, so the image path and file signature still need checking.

As for the virus's "borrowing a corpse" method, DLL injection, the counter is the same as we described: check the signatures of the DLL files loaded into the process. Process Explorer can do this too (show the lower pane in DLL view and turn on signature verification), so it is not covered further here.

Tip: the main window may not show the process name or the executable file behind each process by default. Open the "View" menu → "Select Columns", tick "Process Name" and "Image Path", and confirm to save.

Recommend a good site

System Process Network