• Status: Solved
  • Priority: Medium
  • Security: Public

Task Manager>Processes>End Process>Program keeps coming back renamed

I have a pc which I am positive has spyware and perhaps more.  I have the usual arsenal of tools to do scans, etc.  The issue is that when I boot into safe mode and look at the processes running, there is one exe running that has random letters followed by .exe.  When I highlight and end process, another exe pops up to replace the previous one with a new random set of characters.  This happens over and over.

What is this an indication of, and how can I stop this exe from reappearing?
0
Asked by: lloydr1l
3 Solutions
 
Will Szymkowski, Senior Solution Architect, Commented:
Hello there,

Download Adaware SE Personal
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1

Download Spybot S&D
http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Also download HijackThis
http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=lst-0-1

When you have done a scan on your computer with this program, go to this site and post your results:
www.hijackthis.de

Also download Ewido: http://www.ewido.net/en/download/

Hope this helps
0
 
Will Szymkowski, Senior Solution Architect, Commented:
Also you might want to turn off system restore when you are doing this.

Hope this helps
0
 
lloydr1l (Author) Commented:
Thanks for the reply speco1.  I have and use as part of my spycleaning routine every single one of those programs.  But it concerns me that there is a program running in memory, in safe mode, that might interfere with these scans.
0
 
abujanan Commented:
This is often indicative of a program running from "services", which you may (or may not) want to turn off.
Download this utility from http://www.sysinternals.com/Utilities/ProcessExplorer.html and you'll be able to identify the source.
0
 
lloydr1l (Author) Commented:
Hey abujanan,
I have it.  I run it about half the time, and will use it on this pc.
0
 
yurisk Commented:
Checking with Autoruns whether it is being loaded on startup through
common places would be a good idea as well:
http://www.sysinternals.com/Utilities/Autoruns.html

Have you checked for open ports? This tool will do
http://www.foundstone.com/knowledge/proddesc/fport.html
or at least >netstat -an

What version of Windows do you have (98/Me/2000/XP/2003)?
0
 
rpggamergirl Commented:
If you still have a problem with the unknown exe popping up:
A HijackThis log is a good diagnostic tool where bad entries/processes normally show up.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Do a system scan and save a logfile". Don't fix anything yet, just upload the logfile created: go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at:
http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
0
 
alexisv Commented:

In safe mode, get the name of the program from the Task Manager and leave it running.

If the program name is ABCDE.exe:

1) From the root drive, do the following:
Dir c:\ABCDE.exe /S

2) If this does not show the program, do this:
Dir c:\ABCDE.exe /S  /AH /AS

This will probably tell you where the file is located.
3) Go into the registry, do a FIND for the directory in which the file was located, and delete that key.
4) If it is not in the registry, go into C:\windows
and type FINDSTR "<name of the directory>" *.ini
0
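
The search in alexisv's post above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later in an elevated session, only reports what it finds, and also lists the parent process and matching services, which the post does not cover.

```powershell
# Added example, read-only: nothing is deleted or terminated.
# 'ABCDE.exe' is the placeholder from the post; pass the name shown in Task Manager.
param([string]$ImageName = 'ABCDE.exe')

# Running instances, each with the parent process that launched it.
$procs = @(Get-CimInstance Win32_Process -Filter "Name='$ImageName'")
$procs | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    [pscustomobject]@{ ProcessId = $_.ProcessId; Path = $_.ExecutablePath
                       ParentId = $_.ParentProcessId; ParentPath = $parent.ExecutablePath }
} | Format-List

# Steps 1-2: -Force also returns hidden and system files (the dir /S /AH /AS case).
$files = @(Get-ChildItem -Path C:\ -Filter $ImageName -Recurse -Force -File -ErrorAction SilentlyContinue)
$files | Format-List FullName, Attributes, CreationTime

# Directories holding the image: the search term for steps 3 and 4.
$dirs = @(@($procs.ExecutablePath) + @($files.FullName) | Where-Object { $_ } |
          Split-Path -Parent | Sort-Object -Unique)
if (-not $dirs) { Write-Warning "No file found for $ImageName"; return }

function Test-RefersTo([string]$Text) {
    foreach ($d in $dirs) {
        if ($Text.IndexOf($d, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    $false
}

# Step 3, narrowed to the Run/RunOnce keys and to service image paths.
$skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce') {
        $key  = "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $item.PSObject.Properties |
            Where-Object { $_.Name -notin $skip -and (Test-RefersTo $_.Value) } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Value = $_.Name; Data = $_.Value } } |
            Format-List
    }
}
Get-CimInstance Win32_Service | Where-Object { Test-RefersTo $_.PathName } |
    Format-List Name, State, StartMode, PathName

# Step 4: .ini files in the Windows directory that mention the same directories.
Select-String -Path "$env:windir\*.ini" -Pattern $dirs -SimpleMatch |
    Format-List Path, LineNumber, Line
```

If the image sits directly in C:\, the directory match hits almost every entry; search for the full file path instead.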
 
lloydr1l (Author) Commented:
Thought I better give out some points before they get spread too thin.  I ended up solving my own problem by doing what I normally would do, which is what spec01 suggested.  So I gave him the bulk of the points because that turned out to be the solution.

I also split some points between yurisk and alexisv for information that I did not know, and that is much appreciated.

yurisk...thanks for the link to the fport program and web site.
alexisv...thanks for the instructions.  I would like to have tried that out before running the above scans to see how it worked out, but I'll try next time (sure there will be one).

Thanks to all.
0
 
rpggamergirl Commented:
>>I also split some points between yurisk and alexisv for information that I did not know, and that is much appreciated.<<

I'm afraid you clicked on my name by mistake and the points didn't go to yurisk. Can you please come back and we'll re-open this thread?
0
 
lloydr1l (Author) Commented:
Thank you for pointing this out.  How do I re-open?
0
 
rpggamergirl Commented:
No problem, glad it's all sorted out, :)

Best wishes!
0
