Most of the processes in Task Manager
will be legitimate as shown in these links.
Determining whether a file is malware or a legitimate process usually depends on the location
(path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another techinique is for the process to alter the registry and add itself as a Startup program
so that it can run automatically each time the computer is booted. Keep in mind that a legitmate file can also be infected by some types of malware such as Virut
which is a dangerous polymorphic file infector
. A file's properties may give a clue to identifying it. Right-click
on the file, choose Properties
and examine the General and Version tabs.
It is not uncommon to have a lot of running processes showing in Task Manager and utilzing system resources. I have 35 showing in my system at the moment including five instances of svchost.exe which are using over 550 MB.
For instance, Svchost.exe
is a generic host
process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe running at the same time
in Task Manager
in order to optimize the running of the various services. The process ID's (PID's) must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. System Idle process
is used for measuring how much idle time the CPU is having at any particular time (100% minus the sum of all tasks CPU usage). It accounts for processor time when the system is not processing other threads and will display how much CPU resources, as a percentage are 'idle' and available for use. One instance of this process operates per CPU, and runs to occupy the processor when other threads are not running. System Idle process also issues HLT commands which put unused parts of the CPU into a suspend mode, thereby cooling the processor. Normally this process should take up at least 90%+
of processor time on average (this is the value in the CPU column). In non-technical terms, this figure represents how much CPU time has not been requested by anything else on your system. System
is a process in NT "kernel mode" that contains most of the system threads and handles various basic system functions. When Windows loads, the Windows kernel
starts and runs in kernel mode to set up paging and virtual memory. It then creates some system processes and allows them to run in "user mode" but restricts their access to critical areas of the operation system. The User mode processes must request use of the kernel by means of a system call
in order to perform privileged operations on their behalf. Kernel mode has full access to system resources and controls scheduling, thread prioritization, interrupt handlers, memory management and the interaction with hardware. The system process cannot be terminated. For more detailed information, refer to:
Tools to investigate running processes and gather additional information to identify them and resolve problems:These tools will provide information about each process, CPU usage, file description and its path location.
Anytime you come across a suspicious file or one that you do not recognize, search the name using Google <- click here for an example
Or search the following databases:
If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan
. In the "File to upload & scan
" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Edited by quietman7, 25 February 2010 - 01:06 PM.