Posted by Volodymyr Shcherbyna on January 25, 2008, 10:49 am
You can download a more advanced tool which shows the path for processes
here: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Regarding the svchost.exe problem, read about the Task Manager limitation in
Windows XP:
http://msmvps.com/blogs/v_scherbina/archive/2007/12/20/the-case-of-task-manager-that-does-not-kill.aspx
--
V
This posting is provided "AS IS" with no warranties, and confers no
rights.
> Hi David, after reading your answer to this post I went to Task Manager
> and found five (5) svchost.exe services running - 3 Network Services,
> and 2 System. Now after seeing your answer and checking
> Process Library and finding out this svchost.exe could be used by a
> Trojan, how can I find out the paths of these services in Task Manager
> like in your example? Thanks Ron (Defender)
>
> "David H. Lipman" wrote:
>
>>
>> | Hi,
>> | my question is how to know that a trojan is communicating with its
>> | owner?
>> | I'm using TCP view. Which files are present on an infected PC and are they
>> | visible through TCP view?
>> | Can a trojan use legitimate files like firefox.exe and send data
>> | through different ports? Please give me an example of a typical trojan
>> | connection?
>> |
>> | Thanks.
>>
>> TCPView helps but not completely.
>>
>> Individual files by themselves may show communication "home" or to peers.
>> However, some malware can hook directly into the OS such that a particular
>> EXE file will not be indicated; it will appear the OS is communicating to
>> the malicious third-party web sites.
>>
>>
>> Trojans can use legit files by patching the legit files with malicious
>> code. Additionally, malware often uses the EXE name of legit files such as
>> firefox.exe; however, what is important is the Fully Qualified Name (FQN)
>> and path to the EXE file.
>>
>> For example:
>> c:\windows\system32\svchost.exe is legit
>> C:\Program Files\Common Files\System\svchost.exe is NOT legit !
>>
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>>
>>
>>
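Ron's question (which path each svchost.exe runs from, since Task Manager on XP does not show it) and Dave's System32 rule can be answered from a PowerShell prompt. This is an added example, not code from either poster; it assumes PowerShell 3.0 or later for Get-CimInstance and a 32-bit install like the XP box in the thread (on 64-bit Windows, SysWOW64\svchost.exe is also a legitimate location).

```powershell
# Added example: list every svchost.exe with its full path and flag any copy
# that is not running from %SystemRoot%\System32 (Dave's rule above).
# Win32_Process exposes ExecutablePath and CommandLine, which the XP Task
# Manager hides. Run from an elevated prompt to see paths for all processes.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostReport {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
        ForEach-Object {
            $path = $_.ExecutablePath
            # ExecutablePath is $null when the caller lacks rights to the
            # process; report that as unknown rather than silently passing it.
            $verdict = if (-not $path) { 'UNKNOWN (access denied?)' }
                       elseif ($path -ieq $expected) { 'expected location' }
                       else { 'SUSPICIOUS: not in System32' }
            [pscustomobject]@{
                PID         = $_.ProcessId
                Path        = $path
                # The -k <group> argument shows which service group it hosts,
                # which explains why several svchost.exe instances are normal.
                CommandLine = $_.CommandLine
                Verdict     = $verdict
            }
        }
}

Get-SvchostReport | Format-Table -AutoSize -Wrap
```

Any row marked SUSPICIOUS (for instance a path under Program Files, as in Dave's example) deserves a closer look with Process Explorer; the count of instances by itself is not a symptom.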