
Msconfig Processes

9 replies to this topic

#1 ajetrumpet
  • Members
  • 26 posts
  • Location: Iowa City, IA

Posted 02 June 2007 - 06:53 PM

Most files under processes are listed in your database as an "X". Is it possible that Trojan or spyware programs have a list of legitimate system files (DLLs and such) and create unwanted files with those same names with the purpose of downloading on remote computers undetected?

#2 Grinler (Lawrence Abrams)
  • Admin
  • 43,716 posts
  • Location: USA

Posted 03 June 2007 - 02:17 PM

Absolutely, but these files are typically located in different folders than the legitimate files. Due to this you should be able to spot them. For example, a lot of malware uses the name svchost.exe, which is a legitimate file found in the %System% folder. If you see a file of the same name found elsewhere, there is a good chance it is malware.

#3 ajetrumpet (Topic Starter)
  • Members
  • 26 posts
  • Location: Iowa City, IA

Posted 04 June 2007 - 02:45 PM

I'm assuming the best way to detect any malware files is to search the disks for each one of them and identify the corresponding folders?
Is there any chance that these files could download themselves from, say, the internet into any one of the system folders (like system32)? If so, it might be difficult to tell the difference! =)

#4 Grinler (Lawrence Abrams)
  • Admin
  • 43,716 posts
  • Location: USA

Posted 04 June 2007 - 03:07 PM

When using any startup database it is imperative that you match any "suspicious" files with their locations. There are tons of malware svchost.exe and explorer.exe files, and deleting the wrong one will make your computer inoperable.

Yes, it is also not unheard of for malware to replace a system file in the %System% folder. In situations like this you won't know that unless:

1. You have an antivirus software that can detect it.
2. Symptoms allow you to research that a problem exists.

#5 ajetrumpet (Topic Starter)
  • Members
  • 26 posts
  • Location: Iowa City, IA

Posted 05 June 2007 - 09:13 PM

Say, for example, I have bad files called svchost.exe and explorer.exe.

If I run a search for these files and accidentally delete the wrong ones, will I even be able to access a system backup file if I make one beforehand?

You say that the system will become inoperable. Isn't IE a program that is built into XP (unlike programs like Word or Excel)?
If so, I understand your comment. If I can't boot a windows OS without these sensitive files, what's the point in trying to search suspicious system files if there is too much risk in deleting them?

#6 Grinler (Lawrence Abrams)
  • Admin
  • 43,716 posts
  • Location: USA

Posted 06 June 2007 - 11:04 AM

Yes, if you delete those files, you will not be able to boot into Windows, or have it function properly to repair it. Instead you will need to use the Windows Recovery Console, or a boot disk, to replace the files.

There is only risk if you rush into it. The rule is:

If a malware file is located in C:\Windows\Help and the same filename is found in C:\Windows, don't delete the one in C:\Windows just because it's the same name.
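The checks in posts #4 and #6 (match a suspicious name against where the real binary lives, and never delete the copy in the legitimate directory just because the name matches) can be written down as a small triage script. The following is an added example, not code from the thread or from BleepingComputer; the allowlist of expected directories and the process listing are constructed and deliberately small, so a "suspect" result is a lead to investigate, not a verdict.

```python
"""Flag process images whose name matches a well-known Windows system
binary but whose on-disk directory is not where that binary lives.

Added example. EXPECTED_DIRS is a constructed, simplified table; real
systems carry more legitimate copies (for example under WinSxX/WinSxS),
so a 'suspect' hit means 'look closer', not 'delete'.
"""
from pathlib import PureWindowsPath

# Constructed allowlist: image name -> directories holding the real binary.
EXPECTED_DIRS = {
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "explorer.exe": {r"C:\Windows"},
}

# Constructed sample listing (name, full path) as a startup database or a
# process viewer export might show it; mixed case and slashes on purpose.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Windows\Help\svchost.exe"),      # wrong folder
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("explorer.exe", r"C:\Windows\System32\explorer.exe"), # wrong folder
    ("Svchost.exe", r"c:/windows/system32/svchost.exe"),
    ("notepad.exe", r"C:\Windows\notepad.exe"),            # not in table
]


def _norm_dir(path):
    """Normalise a Windows directory for comparison: backslashes, lowercase."""
    return str(PureWindowsPath(path)).lower()


def classify(name, path):
    """Return 'ok', 'suspect' or 'unknown' for one (name, path) entry.

    'unknown' means the name is not in the allowlist, so the location rule
    says nothing about it either way.
    """
    key = name.lower()
    if key not in EXPECTED_DIRS:
        return "unknown"
    p = PureWindowsPath(path)
    if p.name.lower() != key:
        return "suspect"  # claimed name and on-disk basename disagree
    parent = _norm_dir(p.parent)
    allowed = {_norm_dir(d) for d in EXPECTED_DIRS[key]}
    # Exact parent match: a copy in a *subfolder* of System32 is still off.
    return "ok" if parent in allowed else "suspect"


def find_suspects(processes):
    """Return the entries worth a second look, in input order."""
    return [(n, p) for n, p in processes if classify(n, p) == "suspect"]


if __name__ == "__main__":
    for name, path in SAMPLE_PROCESSES:
        print(f"{classify(name, path):8} {path}")
```

Only the parent directory is compared, never the name alone: C:\Windows\System32\svchost.exe passes, while the same name under C:\Windows\Help or in a subfolder of System32 is reported, which is exactly the rule in post #6.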

#7 ajetrumpet (Topic Starter)
  • Members
  • 26 posts
  • Location: Iowa City, IA

Posted 07 June 2007 - 02:24 PM

Are there any certainties when it comes to deleting suspicious files?
Example: if there is a recognizable system file name in a folder other than, say, system32 or even simply C:\Windows, is there ever a certainty that the file is really malware?

#8 Grinler (Lawrence Abrams)
  • Admin
  • 43,716 posts
  • Location: USA

Posted 07 June 2007 - 02:46 PM

The only way is to submit it to something like:

http://virusscan.jotti.org/

or

http://www.virustotal.com/en/indexx.html
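Before uploading a suspect file to a multi-engine scanner, it is worth computing its SHA-256 locally: the digest identifies the exact bytes, and most scanners let you look a hash up without sending the file at all. The script below is an added example (not from the thread); it hashes a file in fixed-size chunks so large binaries do not have to fit in memory, and includes a helper that writes constructed bytes to a temporary file so the routine can be exercised offline.

```python
"""Compute the SHA-256 of a file for lookup on a multi-engine scanner.

Added example. sha256_file() is the reusable part; hash_bytes_via_file()
exists only so constructed data can be pushed through the same code path.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read in 64 KiB pieces; fine for multi-GB files


def sha256_file(path):
    """Return the lowercase hex SHA-256 of the file at `path`."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_bytes_via_file(data):
    """Write constructed bytes to a temp file, hash it, remove the file."""
    fd, path = tempfile.mkstemp(prefix="suspect-", suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return sha256_file(path)
    finally:
        os.remove(path)


def chunking_matches(data):
    """True if the chunked file hash equals the one-shot in-memory hash.

    Used to confirm the read loop handles inputs larger than CHUNK_SIZE.
    """
    return hash_bytes_via_file(data) == hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed input; the real use is sha256_file(r"C:\path\to\suspect.exe")
    print(hash_bytes_via_file(b"abc"))
```

Paste the printed digest into the scanner's hash search; if the file has already been seen, the verdicts come back without an upload. Hash the file before touching it, because renaming or quarantining does not change the digest but deleting it does remove your only copy.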

#9 ajetrumpet (Topic Starter)
  • Members
  • 26 posts
  • Location: Iowa City, IA

Posted 08 June 2007 - 08:29 PM

Maybe I can simplify this...

Can you give me a definite answer as to where (directory wise) necessary system files are always stored? Or, do they shift around? Or, would malware shift these things around? If these questions can be answered, I wouldn't be nervous about looking for malware files and deleting them based on the location.

#10 Grinler (Lawrence Abrams)
  • Admin
  • 43,716 posts
  • Location: USA

Posted 09 June 2007 - 10:18 PM

System files are typically stored under C:\Windows. Sometimes they are also stored in certain directories under C:\Program Files, like C:\Program Files\Internet Explorer or C:\Program Files\Common Files\.

For the most part it is rare for malware to replace system files because Windows will notice this and replace them automatically. I hope this helps answer you a bit, but there really is no definitive answer to this. We are, though, always willing to help you make sure that you are not deleting something that you are concerned about.
