Ask Me Help Desk


  • Mar 24, 2009, 01:05 PM
    michaelmoran
    Processes good or bad
    Both svchost.exe and winlogon.exe are listed as being both good (Microsoft-ness) and bad (trojans). Which is it, and how do you tell which ones are the good ones?

    Thanks
  • Mar 24, 2009, 02:32 PM
    Scleros
    Quote:

    Originally Posted by michaelmoran
    Both svchost.exe and winlogon.exe are listed as being both good (Microsoft-ness) and bad (trojans). Which is it

    It can be both. For example, there could be the legit version in the Windows folder tree and a bogus one somewhere else in the file system.

    Quote:

    Originally Posted by michaelmoran
    and how do you tell which ones are the good ones?

    One clue is the file's date and time or location - is it where it shouldn't be if it was the legit Microsoft version? Another is the process ID (PID) visible in the Task Manager - legit processes tend to have lower value PIDs than non-legit. A third is how the process gets executed - non-legits tend to be launched by the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry keys. Generating a SHA or MD5 hash of the file with one of the freely available utilities and comparing to a hash made from a known good copy of the same file version from another system or extracted from the setup files on the Windows CD or last service pack can verify authenticity. Some files might have digital signatures.

    Resources:
    Wikipedia - Windows Resource Protection
    MSDN - Windows Resource Protection
    Wikipedia - System File Checker
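
The checks listed in the reply above (file location, digital signature, hash against a known-good copy, and the Run keys), as an added PowerShell example that is not part of the original thread. The hash values are placeholders to fill in, and the expected folders (System32, plus SysWOW64 on 64-bit Windows) are assumptions.

```powershell
# Added example. Assumption: legitimate copies live only in these folders.
$expectedDirs = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }

# SHA-256 of a known-good copy of the SAME file version (clean system or
# installation media). Placeholders: replace with values you computed yourself.
$knownGood = @{
    'svchost.exe'  = '<SHA256-OF-KNOWN-GOOD-COPY>'
    'winlogon.exe' = '<SHA256-OF-KNOWN-GOOD-COPY>'
}

# 1) Location, signature and hash of every running image with these names.
Get-Process -Name svchost, winlogon -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path    # null when the session cannot read the process
    if (-not $path) {
        [pscustomobject]@{ PID = $_.Id; Path = '(unreadable, run elevated)'; SHA256 = $null; Verdict = 'UNKNOWN' }
        return
    }
    $file = Split-Path $path -Leaf
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $ref  = $knownGood[$file]

    if ((Split-Path $path -Parent) -notin $expectedDirs) {
        $verdict = 'SUSPECT: unexpected location'
    } elseif ($sig.Status -ne 'Valid') {
        $verdict = "SUSPECT: signature status $($sig.Status)"
    } elseif ($ref -match '^[0-9A-Fa-f]{64}$' -and $ref -ine $hash) {
        $verdict = 'SUSPECT: hash differs from known-good copy'
    } else {
        $verdict = 'Consistent with the legitimate file'
    }
    [pscustomobject]@{ PID = $_.Id; Path = $path; SHA256 = $hash; Verdict = $verdict }
} | Format-Table -AutoSize -Wrap

# 2) Run-key entries that launch something named like these system files.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps -and $_.Value -match 'svchost|winlogon' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Entry = $_.Name; Command = $_.Value } }
}
```

The hash comparison is skipped for any entry still holding a placeholder, so the verdict then rests on location and signature alone.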

  • All times are GMT -7.