Proccesses Ip Ports & Bd

mihai_romanian

I recently found out that some serious threaths can install themselfs and run as proccesses with names of other well known proccesses like the svchost.exe proccesses which are ussually more then 1.Since there are some that even BD can't find i was wondering how can i find out which are actually viruses worms or trojans and which proccesses are actually legit?I am currently using WinTasks Pro 5 but even with this tool,which shows the patch of the proccess among other things,i still don't know if i should trust a proccess or another.Anyways the majority of trojans try to use the net so i was wondering how can i stop attacks by carefully choosing which ports to open and which ones to close for a aplication?

An example of proccess which i don't trust:C:\Windowse\system32\svchost.exe or C:\Windowse\System32\svchost.exe(i don't know which one is legit).About ip ports i know that worm blaster for example uses some specific ports to take over your net.All my concern is dat although i have BD AV vs 10 Plus my net lately started degrading more and more giving me ping values i never experienced before.

My OS is Windowse XP Pro,with net framework 2(and net framework 3 installed at the same time,btw is dat normal?),and i have cable connection and i'm using a PPPOE(protocol???) firewalled.Any advice on how to make my system more safe and make the net go back as it was a month ago?

Niels

Hello mihai_romanian

svchost.exe is a legit windows file but scvhost.exe is related to a worm.

That is a trick that most malware uses to let people think that it's a legit operating system file.

But some malware can inject svchost.exe so you must see what services are loaded.

To see what services are currently loaded under svchost do this go to start,run,type cmd press enter,type

TaskList /SVC and press enter.

The best way is entering the process name on this website: It is normal that you see so many entries of svchost running take a look here:

To check the items that automatically start with windows you can enter them on this website First you have to navigate to start,run,type msconfig press enter. Enter the name that you find under item for start up (boot) on the website if you see an X or ? then it mostly malware and you should uncheck the item. Do that also for the other locations start,all programs,startup delete the malicious entry. Finally check the registry: start,run,type regedit press on the +-icon before hkey_local_machine,open the following folders and subfolders: software,microsoft,windows,currentversion,run at you rightside you find startup items enter the also on the website so you can determine if the process is malicious or not.

Regards

Niels

mihai_romanian

Thanks for the advice,i shall try it.

AndreiASM

Almost every "modern" worms or trojans either inject their code under critical processes like explorer.exe or winlogon.exe, either they load themself with the name of other OS files. WIN32.Sohanad is such an example. It replaces lsass.exe, and other worms create files like "C:\windows\svchost.exe" or "C:\windows\system32\svhost32.exe", which are not legit files, but a user may believe they are belonging to Windows.

Injecting code intro other programs makes some trojans tough to eliminate. Special procedures must be taken. Many times, only killing the related process won't help.

All you have to do is make sure that you have updated av, and anytime you find a suspect process, which's .exe file is located elsewhere that the original location, to take measures.

Andrei

Niels

Hello mihai_romanian

Glad that I could help you.

Regards

Niels