what is it... a rootkit or wrong process information

xp sp3 pro
recently made change to computer

installed MSE instead of CIS AV and CIS firewall only, no D+( disabled permanently)

Please look at screen shot you can see two process with window operating system iname, with disticnt PID
shown in network connection window of CIS

below is output of netstat -ano 2

-you will not find PID of two windows operating system process shown above.

similarly in taskmanager and process explorer you can find these PID

question : is it internal hook by CIS or MSE to redirect network traffic or either of two is installing a rootkit which accidentally has been revealed…

and these process are persistent they are showing for whole session with two PID for WOSystem name

Help. please



[attachment deleted by admin]

of what I see it seems normal and nothing wrong. if i am not mistaking you used netstat - something as commando. it is normal that you see dublicates. if this would happen with an application that is not OS related then there would be a bug within firewall. use ipvoid to check ip addresses. robtex is another useful tool.

Valentin N

valentin N
you got me wrong
I am not concerned about Ip address, or two instance of a program.

what is my concern is ,if you look closely at images you will see that there are two process with same name and diffrent PID.

however on examining with task manager and process manager and tasklist.exe, I could not locate/find thse PID

It means two things
1; either CIS does not correctly shows PID
2 or It correctly shows the PID and this Process is hidden from normal windows tool.

the tools that you mention ipvoid and robtex they are websites giving extra information on IP address.

as far as i know( i am casual user) that WOS name is given to ntkrnlpa.exe

I posted these shots so that some body can help


I will look for some info okey? You can meanwhile have some fun with malware bytes and Hitmanpro

I am sorry if I misunderstood you

Valentin N

What you’re seeing is quite unusual.

As you probably know, the ‘Windows Operating System’ process doesn’t actually exist, it’s a pseudo-process used by CIS. The nearest analog in the OS is ‘System Idle Process’, which invariably has a PID of 0 (zero)

As far as I’m aware a single process cannot have more than a single PID. Even in multi-threaded applications, the parent process has a single PID and child processes, with the exception of the first, spawn with a different TIDs. The fact that your WOS process has two PIDs, neither of which is zero, would, in my opinion, warrant a little investigation.

how to proceed further …?
any idea…


It’s difficult to know what to tell you. Unfortunately, WOS is a Comodo construct, so you won’t find it listed in any other process viewer.

I’ve never personally seen anything like the screen shot you’ve posted, but I never use the connections viewer in CIS, either. That said, I can’t understand how a single process, other than svchost, can have two PIDs, unless CIS is doing something odd. Do these entries still appear?

I assume you’ve done all the usual checks for anything malicious?