Process called "system:8" is listening on all kinds of ports on GFI Mail Essentials for Exchange box on my DMZ. What is this process?

I need to know what this process is.  Found it after running Sysinternals TCPView.

NOTE:

1)  Recently had a virus storm on the network which has been handled now.

2) Queue folder on the GFI Mail Essentials for Exchange box is overflowing with items.  Averaging about 20,000 items at any given time on a 200 computer network.  Seems like the items are being created about 1-5 every minute.  Having to stop and start the SMTP service once in a while or mail seems to stop or come back undeliverable.

3) I think this machine (or another) may have a mass mailer of some kind, but Norton Corporate Edition is not detecting anything on the network machines.


Is the process "system:8" related to the overflowing queue folder?

JUST A HEADS UP: I didn't install the Mail Essentials or the Exchange and I am no expert on either of them.
NCSO Asked:
 
NetExpert Commented:
Sysinternals has another product named Process Explorer, which I am using. Try that and you will see all hidden processes listed (with provider name, explanation, etc.). Sorry, but your screenshot is insufficient and I can't say anything about it except that your system looks suspicious (lots of outgoing connections to SMTP).

System is your system process, and 8 is its PID; that's how you get system:8. There is no such thing as system:8.exe.
System is a parent process which includes lots of child processes underneath, including things like svchost.exe, lsass.exe, etc. You can't find it on Google anyway.

Port Explorer is for finding viruses by examining ports, but since you have a mail server, looking at your processes and trying to scan for viruses is a better way.

My conclusion is: you have a virus on your mailing system and it's using the system process to send mail out. Norton is not a very reliable tool when it comes to fixing viruses. Try something else (McAfee) and the Windows repair feature, or re-install the mail server.

0
 
DVation191 Commented:
Download Port Explorer.
http://www.diamondcs.com.au/portexplorer/index.php?page=download

It will tell you which process is opening ports on your PC.

Screenshots...
http://www.diamondcs.com.au/portexplorer/index.php?page=screenshots
0
 
NCSO (Author) Commented:
I already know what process is opening ports. That is what TCPView told me. A process called system:8 is using a large number of ports. They actually vary from Listening to Established to Time_Wait.
0

 
DVation191 Commented:
"I need to know what this process is." ... "I already know what process is opening ports." ... okay, I'm confused =)

system:8.exe is not a valid file name in Windows. Are you trying to say there is a process called system using port 8 that you suspect is sending out all these emails?
0
 
tomv011397 Commented:
Can you cut a screenshot of the Netstat output? It should look like this (but bigger):

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    darlington:echo        darlington.USA411.com:0  LISTENING
  TCP    darlington:discard     darlington.USA411.com:0  LISTENING
  TCP    darlington:daytime     darlington.USA411.com:0  LISTENING
  TCP    darlington:qotd        darlington.USA411.com:0  LISTENING
  TCP    darlington:chargen     darlington.USA411.com:0  LISTENING
  TCP    darlington:ftp         darlington.USA411.com:0  LISTENING
  TCP    darlington:smtp        darlington.USA411.com:0  LISTENING
  TCP    darlington:http        darlington.USA411.com:0  LISTENING

Tom
0
 
NCSO (Author) Commented:
OK.... I installed and ran Sysinternals' program called TCPView. This program gives a real-time view of all open ports on a PC. When I run it, there is an item called "system:8" in the column called "process" that is opening, using and/or listening on a large number of ports. I should have said that I need to know what program, virus or exploit this "process" is related to. Please note that this "process" called "system:8" does not appear anywhere in Task Manager or the registry or as a file on the hard drive.

I suspect that "system:8" is possibly part of a mass mailer, but I cannot find any info on it on any search engine.

I will be happy to post a screen shot if someone will tell me how.  I am new to EE.
0
 
DVation191 Commented:
If you could, can you download Port Explorer (posted above) and see if it reports that same process file name?
0
 
NCSO (Author) Commented:
If you go here you can at least look at the interface I am seeing. "system:8" is showing up in the left-most column, labeled "process". http://www.sysinternals.com/ntw2k/source/tcpview.shtml
0
 
NCSO (Author) Commented:
Yes, I will try to get Port Explorer.
0
 
NCSO (Author) Commented:
I downloaded and installed Port Explorer Demo, but it requires a reboot and I am not comfortable with that at this point.  The last time it was rebooted, I think it had an issue coming back up.
0
 
NCSO (Author) Commented:
[URL=http://www.imagevenue.com/my.php?loc=web2/&image=55d42_TCPView.JPG][IMG]http://www.imagevenue.com/host/web2/th_55d42_TCPView.JPG[/IMG][/URL]

Hope this works. This is a screenshot of the "process" in question.
0
 
NCSO (Author) Commented:
Didn't work.
0
 
NCSO (Author) Commented:
0
 
NCSO (Author) Commented:
OK, that worked. The list is a lot longer than the screenshot will allow.
0
 
NCSO (Author) Commented:
Port Explorer did run without a reboot, and after running it, I too determined that "system:8" was a misnomer. Port Explorer just shows it as "system" with a process ID of 8.
0
 
DVation191 Commented:
Well, that only kind of clears things up, hehe. Where is system.exe located on your box?
I would be skeptical of this process. Put system.exe into Google and you'll see nothing but pages and pages of references to viruses. If you run Process Explorer... do you have any System.exe processes running? Or is there only one, called System, with no .exe extension?
To my knowledge there is no system.exe installed with 2000 Server. I just searched my Exchange box and found nothing. Even searched a 2000 Pro and an XP Pro machine... no system.exe.

So does Process Explorer show a system.exe or just system?
0
 
NCSO (Author) Commented:
Don't have PE, but the only "system" process running in Task Manager is "system" with no extension. I too was aware of the system.exe virus issue due to a recent infection. I have become pretty familiar with what is normal for processes running in Task Manager. As a matter of fact, one of the first steps I took was to either rule out or look up every process running on the machine. I will get PE just to be sure though.
0
 
DVation191 Commented:
Free Sysinternals Download (Process Explorer)
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml (download at the bottom)
0
 
NCSO (Author) Commented:
I got it.  PE also only shows "system" with no extension.
0
 
DVation191 Commented:
The system process contains system threads, which are kernel mode threads. Windows and various device drivers create system process threads for various reasons. For example, the memory manager creates system threads for performing virtual memory tasks, the cache manager uses system threads for managing cache memory, and the floppy disk driver uses a system thread to monitor the floppy drives. I don't know how this will help figure out why there are so many instances of System. If I think of anything else I'll post back again.
0
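As an added illustration of two points made earlier in the thread (tomv011397's netstat listing, and NetExpert's and DVation191's explanation that "system:8" is the System process, PID 8, whose threads run in kernel mode), the following Python script is not code from anyone in the thread. It parses a Windows `netstat -ano` dump (Windows XP and later append a PID column; the Windows 2000 output quoted above has none), groups sockets by owning PID, and reports which PID holds the outbound SMTP sockets. The sample dump is constructed; its addresses, PIDs and the threshold of 3 are assumptions.

```python
"""Group a Windows ``netstat -ano`` dump by owning process ID.

Added example, not code from the thread.  Assumptions: the dump comes
from Windows XP or later, where ``netstat -ano`` appends a PID column
(the Windows 2000 output quoted in the thread has none), and PID 8 is
the System process, as it is on Windows NT 4/2000 (PID 4 on XP and later).
"""
from collections import defaultdict

# System process PIDs: 8 on Windows NT 4/2000, 4 on XP and later.
SYSTEM_PIDS = {4, 8}

# Constructed sample, laid out like netstat -ano; addresses and PIDs are
# made up.  PID 8 (System) holds several sockets to remote port 25.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       8
  TCP    192.168.1.10:1431      203.0.113.5:25         ESTABLISHED     8
  TCP    192.168.1.10:1432      203.0.113.9:25         SYN_SENT        8
  TCP    192.168.1.10:1433      198.51.100.2:25        TIME_WAIT       8
  TCP    192.168.1.10:1434      198.51.100.7:25        ESTABLISHED     8
  TCP    192.168.1.10:3389      192.168.1.50:51000     ESTABLISHED     996
  UDP    0.0.0.0:161            *:*                                    1560
"""


def remote_port(addr):
    """Port number of 'host:port', or None for wildcards such as '*:*'."""
    _host, _sep, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Return one dict per TCP/UDP line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":          # TCP lines carry a State column
            state, pid = parts[3], int(parts[4])
        else:                       # UDP lines have no State column
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid,
                     "rport": remote_port(foreign)})
    return rows


def summarise_by_pid(rows):
    """Per PID: socket count, listening sockets, and sockets to remote port 25."""
    summary = defaultdict(lambda: {"sockets": 0, "listening": 0, "smtp_out": 0})
    for r in rows:
        s = summary[r["pid"]]
        s["sockets"] += 1
        if r["state"] == "LISTENING":
            s["listening"] += 1
        elif r["rport"] == 25:      # established, half-open or closing SMTP peers
            s["smtp_out"] += 1
    return dict(summary)


def flag_smtp_owners(summary, threshold=3):
    """PIDs with at least `threshold` outbound SMTP sockets, with a triage note.

    The threshold is an assumption: a real mail server legitimately keeps many
    outbound SMTP sockets, so the useful signal is *which* PID owns them.
    """
    findings = []
    for pid, s in sorted(summary.items()):
        if s["smtp_out"] < threshold:
            continue
        if pid in SYSTEM_PIDS:
            note = ("System process: these sockets were opened by a kernel-mode "
                    "component, so there is no system.exe to find; review loaded "
                    "drivers and the System process's handles instead")
        else:
            note = "user-mode process: check its image path and signature"
        findings.append((pid, s["smtp_out"], note))
    return findings


if __name__ == "__main__":
    summary = summarise_by_pid(parse_netstat(SAMPLE_NETSTAT))
    for pid, s in sorted(summary.items()):
        print(f"PID {pid:>5}: {s['sockets']} sockets, "
              f"{s['listening']} listening, {s['smtp_out']} to port 25")
    for pid, count, note in flag_smtp_owners(summary):
        print(f"-> PID {pid} has {count} outbound SMTP sockets; {note}")
```

On a live host, replace `SAMPLE_NETSTAT` with the saved output of `netstat -ano`. Windows 2000's netstat has no `-o` switch, which is why the thread relies on TCPView and Port Explorer for the owning PID; the grouping logic is the same once a PID column is available. A mail server is expected to have many outbound port-25 sockets, so the finding worth acting on is not the count but an owner that should not be speaking SMTP at all, which is what made "system:8" look odd in the thread.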
 
NetExpert Commented:
That's OK.
First, there should be a '+' sign to the left of the 'system' process (when using PE to view it). Click it and PE will list all child processes under system control. See if anything is odd, and try to kill unknown processes to see if you still have the problem with mail (there will be an explanation next to each process).

Or click on the 'system' process. There will be a small frame below the navigation window showing things used by 'system', with type and name (such as Directory, Event, File, Key, Thread, Process, etc.). Have a close look at that (especially at the File references), and you may find something that is not yours (quite hard to see, but it's time to get used to your system :) ). For anything suspicious, search Google for a virus reference.

Anyway, I think you'd better try another virus scanner, and a malware and trojan scanner. Even verify the integrity of your system and mail server. As far as I know, Norton is no use against trojans and mass mailers.

Good luck again.
0
 
NCSO (Author) Commented:
Running two spyware scanners against it now.  Don't know why I didn't think to do that before.
0
 
DVation191 Commented:
Which two are you running? Might want to give it another virus scan... just in case...
http://housecall.antivirus.com/housecall/start_frame.asp
0
 
NCSO (Author) Commented:
AdAware and Spysweeper, and also ran another virus scan. Only found the Alexa Toolbar and the usual cookies. I think I am going to start from scratch on this box. After talking to GFI, I need to update the ME software anyway, which will require a scratch load. Thanks for all the help, everyone!
0
 
DVation191 Commented:
You accepted an answer but you gave no solution. What was causing the email flood?
0
 
NCSO (Author) Commented:
Everyone helped, but NetExpert got the points because he picked up on the fact that system:8 was not actually a "process".
0