Identifying viruses hidden among processes

  

A system runs a great many processes, and their file names are long and ugly, so a virus can hide among them without our noticing.

Viruses often pretend to be system files so that you cannot guard against them. To defend ourselves, we need to know which process names are commonly imitated to confuse everyone. The examples below are common system files that several viruses like to impersonate. Whatever the symptom, if you find that the computer is behaving abnormally, first check the running processes for problems. This article teaches you how to tell from the processes whether the computer is infected, and you should get something out of it.

svchost.exe

Names that viruses often use to impersonate this process: svch0st.exe, schvost.exe, scvhost.exe. As the number of Windows system services has grown, Microsoft has, in order to save system resources, made many services run in a shared mode in which they are started by the svchost.exe process. These system services are implemented as dynamic link libraries (DLLs): the service's executable path points to svchost.exe, and svchost.exe calls the dynamic link library of the corresponding service to start it. Open "Control Panel" → "Administrative Tools" → "Services" and double-click the "ClipBook" service; its properties panel shows the executable file path "C:\WINDOWS\System32\clipsrv.exe". Double-click the "Alerter" service and the executable file path is "C:\WINDOWS\system32\svchost.exe -k LocalService", while the executable path of the "Server" service is "C:\WINDOWS\system32\svchost.exe -k netsvcs". Calling services this way saves a lot of system resources, which is why there are multiple svchost.exe processes in the system; they are really just system services.

There are two svchost.exe processes in Windows 2000: one is the RPCSS (Remote Procedure Call) service process, and the other is a svchost.exe shared by many services. In Windows XP there are generally more than 4 svchost.exe service processes. If there are more than 5 svchost.exe processes, be careful: it is likely that a virus is faking one of them. The detection method is very simple. Use a process management tool, such as the process optimization function of Windows Optimizer, to view the executable file path of each svchost.exe. If the path is outside the directory "C:\WINDOWS\system32", it can be determined that it is a virus.

explorer.exe

Names that viruses often use to impersonate this process: iexplorer.exe, expiorer.exe, explore.exe. Explorer.exe is the "resource manager" we often use. If you end the explorer.exe process in "Task Manager", the taskbar, desktop, and open files disappear; click "Task Manager" → "File" → "New task" and enter "explorer.exe", and the things that disappeared come back. The role of the explorer.exe process is to let us manage the resources in the computer.

The explorer.exe process is started by default with the system. The path to the executable file is "C:\Windows"; otherwise, it is a virus.

iexplore.exe

Names that viruses often use to impersonate this process: iexplorer.exe, iexploer.exe. The name of the iexplore.exe process is very similar to that of the explorer.exe process above, so the two are easy to mix up. In fact, iexplore.exe is the process generated by Microsoft Internet Explorer, the IE browser we usually use. Once you know what it does, it is easier to identify: the name of the iexplore.exe process starts with "ie", which stands for IE browser.

The executable program for the iexplore.exe process is located in the C:\Program Files\Internet Explorer directory; a copy in any other directory is a virus, unless you have moved the folder yourself. In addition, we sometimes find that the iexplore.exe process exists in the system even though the IE browser has not been opened. There are two possible cases: 1. The virus is faking the iexplore.exe process name. 2. The virus is quietly using iexplore.exe in the background to do bad things. If this happens, check the machine with anti-virus software.

rundll32.exe

Names that viruses often use to impersonate this process: rundl132.exe, rundl32.exe. The role of rundll32.exe in the system is to execute the internal functions in a DLL file. The number of rundll32.exe processes in the system indicates how many DLL files are being run through rundll32.exe. We actually use rundll32.exe quite often, since it can call some of the DLL files in the system. For example, enter "rundll32.exe user32.dll,LockWorkStation" in the "Command Prompt" and the system quickly switches to the login screen. The path to rundll32.exe is "C:\Windows\system32"; in any other directory, it can be determined to be a virus.

spoolsv.exe

Names that viruses often use to impersonate this process: spoo1sv.exe, spolsv.exe. Spoolsv.exe is the executable program for the system service "Print Spooler", which manages all local and network print queues and controls all print jobs. If this service is disabled, printing on the computer will not be available and the spoolsv.exe process will also disappear from the computer. If you don't have a printer, turn the service off and save system resources. If the spoolsv.exe process still exists in the system after the service has been stopped and disabled, it must be a virus masquerading.

Those are some of the processes that viruses commonly like to imitate. When something looks suspicious while checking the processes, we usually judge it like this: first check the process file name carefully; then check its path. With these two checks, the ordinary virus process will definitely give itself away.

The final judgment rests on these two checks, and with them you can easily deal with a virus hiding among the processes.
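The two checks above (file name first, then path), written as an added example that is not part of the original article. It goes slightly beyond the names listed by flagging any name within a small edit distance of a known process; the threshold of 2, the function names and the sample paths are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Expected directory per process, taken from the article (lower-cased).
# The article states no path for spoolsv.exe, so only its name is checked.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "rundll32.exe": r"c:\windows\system32",
    "spoolsv.exe": None,
}

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_process(image_path, max_distance=2):
    """Apply the two checks: file name first, then path."""
    directory, name = ntpath.split(image_path.lower())
    if name in EXPECTED_DIR:
        expected = EXPECTED_DIR[name]
        if expected is None or directory == expected:
            return "ok", name
        return "wrong-path", f"{name} should run from {expected}"
    closest = min(EXPECTED_DIR, key=lambda known: edit_distance(name, known))
    if edit_distance(name, closest) <= max_distance:
        return "look-alike", f"{name} imitates {closest}"
    return "unknown", name

SAMPLE = [  # constructed process image paths, not real telemetry
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svch0st.exe",
    r"C:\WINDOWS\Temp\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\iexplorer.exe",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\system32\rundl132.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

def scan(paths):
    """Return the suspicious entries as (path, verdict, detail)."""
    results = [(p, *check_process(p)) for p in paths]
    return [r for r in results if r[1] in ("wrong-path", "look-alike")]
```

A verdict of "ok" only means the name and path match; it does not cover the second iexplore.exe case above, where a virus uses the genuine program in the background. "unknown" means the name is not one of the five processes covered here, not that the file is clean.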
