List of Processes to flag potential dangers

My OS is Win 10 Pro 64-bit and I recently underwent a hacking, and I am uncertain whether the hacker left any malware that comes to life whenever the PC is booted. I hope the Experts will please take a look at the list of processes that are running and flag for me any potential threat that is still running. Thank you. Regards
3-List-of-Processes-running.JPG
4-List-of-Processes-runniing.JPG
1-List-of-processes-running.JPG
2---List-of-Prtocesses-running.JPG
jegajothyretiredAsked:

JohnBusiness Consultant (Owner)Commented:
1. svchost is normal
2. WinZip and other Windows programs are normal
3. I see most of these on my own / client machines.

A bad process can take a good name, but what you posted looks normal.
1
HackooCommented:
You can run this batch file to check and find all instances and paths of svchost.exe:
@echo off
REM ProcessName must be set before the Title line uses it
Set "ProcessName=SVCHOST"
Title Finding all instances and paths of "%ProcessName%" by Hackoo 2017
Set "Tmp_Services=%Tmp%\%~n0.txt"
If Exist "%Tmp_Services%" Del "%Tmp_Services%"
Set "ProcessLog=%Tmp%\%ProcessName%.log"
If Exist "%ProcessLog%" Del "%ProcessLog%"
Set "Legits_Services_SVCHOST=%~dp0Legits_Services_%ProcessName%.txt"
REM The only place a genuine svchost.exe lives on a 64-bit Windows 10 install
Set "Legit_Location=%windir%\system32\svchost.exe"
Set "LogFile=%~dp0%ProcessName%_ProcessList.txt"
Set "Suspicious_LogFile=%~dp0%ComputerName%_%ProcessName%_Suspicious_Paths.txt"
If Exist "%LogFile%" Del "%LogFile%"
Set /A Counter=0
REM SMSvcHost.exe (.NET Net.Tcp Port Sharing) also matches the WMIC name filter below;
REM the script kills it so it is not reported. It is restarted with its service.
Taskkill /IM "SMSvcHost.exe" /F >nul 2>&1
Setlocal EnableDelayedExpansion
REM "delims=" keeps the whole command line; the default delimiters would cut it at the first space
for /F "skip=1 delims=" %%a in ('WMIC Path win32_process where "name like '%%%ProcessName%%%'" get commandline') do (
    REM The inner loop strips the trailing CR that WMIC leaves on every output line
    for /F "delims=" %%b in ("%%a") do (
        Color 0A
        set /A Counter+=1
        set "p=%%b"
        REM Print to the console only the instances running from the legitimate path
        for /f %%f in ('echo !p! ^|Findstr /LI "%Legit_Location%"') do (
            echo [!Counter!] : !p!
        )
        REM Every instance, legitimate or not, goes to the full list
        ( echo "!p!" )>>"%LogFile%"
    )
)
 
REM -Width 500 keeps Out-File from truncating the CommandLine and ExecutablePath columns
Powershell.exe Get-WmiObject Win32_Process ^| select ProcessID,ProcessName,Handle,commandline,ExecutablePath ^| Out-File -Append "%ProcessLog%" -Encoding ascii -Width 500
Type "%ProcessLog%" | find /i "%Legit_Location%" > "%Tmp_Services%"
 
(
    echo(
    echo These are the legitimate services of "%ProcessName%.exe":
    Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
)>con
 
(
    echo(
    echo These are the legitimate services of "%ProcessName%.exe":
    Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
)>> "%Tmp_Services%"
CMD /U /C Type "%Tmp_Services%" > "%Legits_Services_SVCHOST%"
echo(
Echo All instances of "%ProcessName%" in this path "%Legit_Location%" are legitimate services
echo(
echo Hit any key to look for suspicious "%ProcessName%" paths
REM Every recorded instance whose command line does NOT contain the legitimate path is reported
Findstr /LVI "%Legit_Location%" "%LogFile%" > "%Suspicious_LogFile%"
pause>nul
Start "" "%Suspicious_LogFile%"
Start "" "%Legits_Services_SVCHOST%"


0
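As an added example (not Hackoo's script), the same svchost.exe path check in PowerShell, extended with two checks a triage would want: that the parent process is services.exe and that the binary's Authenticode signature is valid. An elevated PowerShell 5.1 prompt on Windows 10 and the CSV output path are assumptions.

```powershell
# Added example, not Hackoo's script: list every svchost.exe and flag the ones whose image
# path, parent process or Authenticode signature is not what a genuine instance shows.
# Assumes Windows 10 with PowerShell 5.1, run from an elevated prompt so every process is visible.
$legitPath = Join-Path $env:windir 'System32\svchost.exe'
$procs = Get-CimInstance Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

$report = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $reasons = @()
    $path    = $p.ExecutablePath
    if (-not $path) {
        $reasons += 'executable path not readable (prompt not elevated?)'
    } elseif ($path -ine $legitPath) {
        $reasons += "image path is $path"
    } else {
        # A genuine svchost.exe is Microsoft-signed; a patched or replaced binary is not.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    }
    # The Service Control Manager (services.exe) starts every real svchost host process.
    # A parent PID that was recycled after the parent exited must not be trusted either.
    $parent     = $byId[[int]$p.ParentProcessId]
    $parentName = if (-not $parent) { '<exited>' }
                  elseif ($parent.CreationDate -gt $p.CreationDate) { '<pid reused>' }
                  else { $parent.Name }
    if ($parentName -ine 'services.exe') {
        $reasons += "parent is $parentName (PID $($p.ParentProcessId))"
    }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Parent      = $parentName
        Verdict     = if ($reasons.Count) { 'SUSPICIOUS' } else { 'expected' }
        Reasons     = $reasons -join '; '
        CommandLine = $p.CommandLine
    }
}
# Suspicious instances sort to the top; the CSV keeps the full command lines for later review.
$report | Sort-Object Verdict -Descending | Format-Table PID, Parent, Verdict, Reasons, CommandLine -AutoSize -Wrap
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\svchost_check.csv"
```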

Andrew LeniartSenior EditorCommented:
jegajothy,

My OS is Win 10 Pro 64-bit and I recently underwent a hacking, and I am uncertain whether the hacker left any malware that comes to life whenever the PC is booted.

By "hacking", do you mean a hacker gained control of your computer?

If so, then you are wise to be suspicious and should consider restoring from a known good backup image, or if you don't have a backup available, back up your data and consider wiping and reinstalling Windows 10.

The problem with cleaning up after a take-over-control hack has happened is that you can never be certain that a rootkit or time-activated malware hasn't been left behind, which won't necessarily show up in your running processes.

I'm not a big fan of recommending re-installs, but in cases like a hacker gaining access to your system, it really is the only way to be "certain" that you are safe. With that said:

I hope the Experts will please take a look at the list of processes that are running and flag for me any potential threat that is still running.

I see nothing of concern in any of your posted screenshots, and I concur with John: all the running processes look normal to me.

Hope that's helpful.
0
dbruntonQuid, Me Anxius Sum?  Illegitimi non carborundum.Commented:
SmileBoxTray could be malware.  Some Google links flag it as such.

Will do more research on this.
0
HackooCommented:
Scan_Registry_Run_Keys.bat is a batch file to get information about the Run keys in your registry and to check all your startup items that start with Windows, all running processes with their command lines, and all connections (established and listening):
  • Startup items
  • Process list
  • Services list
  • Scheduled task list
  • Hosts file contents
  • All network connections
  • DNS cache
So you should copy and paste this code into Notepad, save it as Scan_Registry_Run_Keys.bat and execute it as administrator to generate a text report that you can put on http://pastebin.com and post its link here in your next reply!
0
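Hackoo's batch file itself is not reproduced in the thread; the following PowerShell script, added here and not his code, collects the seven artefacts his post lists into one text report. An elevated PowerShell 5.1 prompt on Windows 10 and the output path on the Desktop are assumptions.

```powershell
# Added example, not Hackoo's Scan_Registry_Run_Keys.bat: collect the seven artefacts his post
# lists into one report. Assumes Windows 10 with PowerShell 5.1, run elevated; $out is an assumption.
$out = "$env:USERPROFILE\Desktop\$env:COMPUTERNAME-triage.txt"
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

# Each section is a script block so that one failing collector does not abort the whole report.
$sections = [ordered]@{
    'Startup items (Run/RunOnce keys and Startup folders)' = {
        foreach ($k in $runKeys) {
            if (Test-Path $k) {
                "[$k]"
                (Get-ItemProperty $k).PSObject.Properties | Where-Object Name -notlike 'PS*' |
                    ForEach-Object { "  $($_.Name) = $($_.Value)" }
            }
        }
        Get-ChildItem $startupDirs -ErrorAction SilentlyContinue | ForEach-Object { "  $($_.FullName)" }
    }
    'Process list' = { Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
        Format-Table -AutoSize -Wrap | Out-String -Width 300 }
    'Services' = { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName |
        Format-Table -AutoSize -Wrap | Out-String -Width 300 }
    'Scheduled tasks' = { Get-ScheduledTask | Where-Object State -ne 'Disabled' |
        Select-Object TaskPath, TaskName, State,
            @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
        Format-Table -AutoSize -Wrap | Out-String -Width 300 }
    'Hosts file' = { Get-Content "$env:windir\System32\drivers\etc\hosts" }
    'Network connections' = { Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
        Sort-Object State | Format-Table -AutoSize | Out-String -Width 300 }
    'DNS cache' = { Get-DnsClientCache | Select-Object Entry, RecordType, Data |
        Format-Table -AutoSize | Out-String -Width 300 }
}

"Triage report for $env:COMPUTERNAME, generated $(Get-Date -Format s)" | Set-Content -Path $out
foreach ($name in $sections.Keys) {
    "`n===== $name =====" | Add-Content -Path $out
    try   { & $sections[$name] | Out-String -Width 300 | Add-Content -Path $out }
    catch { "ERROR collecting ${name}: $_" | Add-Content -Path $out }
}
Write-Host "Report written to $out"
```

Review the report for user names, internal host names and addresses before pasting it on a public site.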
dbruntonQuid, Me Anxius Sum?  Illegitimi non carborundum.Commented:
Have a read of https://www.file.net/process/smileboxtray.exe.html and https://www.cnet.com/forums/discussions/smilebox-tray-exe-591706/ to help you decide whether SmileBoxTray is malware or not. You can submit the executable to any of the online virus scanners to check.

Now there are about 3 anti-virus scanners running on your machine: Avast, Hitman and MalwareBytes. You normally only use one, as more than one slows the whole system down.
0
serialbandCommented:
If you've been hacked previously, you really should reinstall your OS and restore your data from backup.  If you have to ask about running processes, then you don't really know enough to figure out which ones are bad and which ones are good.  If you are still infected, then you're just wasting time while the hacker is grabbing more data from you.

If you somewhat know what you're doing, you'd have already taken the system offline and started a scan of the disk from another known good working system first. Once it's cleaned, you would still boot up disconnected from any network and then start your diagnosis completely offline. These are just the first steps. Unless you're doing forensics, this is a waste of time and you should really reinstall the system.

While the processes may look normal, you can't know without checking more deeply. Microsoft's built-in Task Manager is inadequate for this. If you don't know how to do that already, it's time to reinstall and restore your data from backup. A reinstall is the only way to be certain that whatever was on there is no longer there.
0
JohnBusiness Consultant (Owner)Commented:
Yes, and this question is a follow-on from the author's first question on this, where we did suggest reinstalling the OS.
0
jegajothyretiredAuthor Commented:
Thank you.
0