Task Manager>Processes>End Process>Program keeps coming back renamed

I have a pc which I am positive has spyware and perhaps more.  I have the usual arsenal of tools to do scans, etc.  The issue is that when I boot into safe mode and look at the processes running, there is one exe running that has random letters followed by .exe.  When I highlight and end process, another exe pops up to replace the previous one with a new random set of characters.  This happens over and over.

What is this an indication of, and how can I stop this exe from reappearing?
lloydr1l Asked:

Will Szymkowski, Senior Solution Architect, Commented:
Hello there,

Download Adaware SE Personal
http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1

Download Spybot S&D
http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Also download hijackthis
http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=lst-0-1

When you have done a scan on your computer with this program go to this site and post your results
www.hijackthis.de

Also Download Ewido, http://www.ewido.net/en/download/

Hope this helps

Will Szymkowski, Senior Solution Architect, Commented:
Also you might want to turn off system restore when you are doing this.

Hope this helps
lloydr1l (Author) Commented:
Thanks for the reply speco1.  I have and use as part of my spycleaning routine every single one of those programs.  But it concerns me that there is a program running in memory, in safe mode, that might interfere with these scans.
abujanan Commented:
This is often indicative of a program running from "services", which you may (or may not) want to turn off.
Download this utility from http://www.sysinternals.com/Utilities/ProcessExplorer.html and you'll be able to identify the source.
lloydr1l (Author) Commented:
Hey abujanan,
I have it.  I run it about half the time, and will use it on this pc.
yurisk Commented:
Checking with Autoruns whether it is being loaded on startup through common places would be a good idea as well:
http://www.sysinternals.com/Utilities/Autoruns.html

Have you checked for open ports? This tool will do
http://www.foundstone.com/knowledge/proddesc/fport.html
or at least >netstat -an

What version of Windows do you have (98/Me/2000/XP/2003)?
rpggamergirl Commented:
If you still have a problem with the unknown exe popping up, a HijackThis log is a good diagnostic tool where bad entries/processes normally show up.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Do a system scan and save a logfile". Don't fix anything yet, just upload the logfile created: go here and paste your HijackThis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

Or copy and paste the log at
http://www.hijackthis.de/
and click "Analyse", then click "Save". Post the link to the saved list here.
alexisv Commented:

In safe mode, get the name of the program from the Task Manager and leave it running.

If the program name is ABCDE.exe:

1) From the root drive do the following:
Dir c:\ABCDE.exe /S

2) If this does not show the program, do this:
Dir c:\ABCDE.exe /S  /AH /AS

This will probably tell you where the file is located.
3) Go into the registry and do a FIND for the directory in which the file was located and delete that key.
4) If not in the registry, go into C:\windows
and type FINDSTR "<name of the directory>" *.ini
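
The steps in the post above, scripted as an added example that is not part of the original thread: it locates the running image, shows which process launched it, and reports (without deleting anything) where the image's directory is referenced. It assumes a Windows version with PowerShell 3.0 or later; checking the Run/RunOnce keys and service paths instead of a whole-registry FIND is a narrowing made here, and `Test-RefersTo` is a hypothetical helper name.

```powershell
# Added example (not from the thread). 'ABCDE' is the post's placeholder name;
# pass the name Task Manager shows, without ".exe".
param([string]$ProcessName = 'ABCDE')

# Steps 1-2: locate the image while the process is still running.
$proc = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName.exe'" |
        Select-Object -First 1
if (-not $proc) { Write-Warning "$ProcessName.exe is not running"; return }

# The parent is what keeps relaunching it (name is blank if the parent has exited).
$parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
"Parent : $($parent.Name) (PID $($proc.ParentProcessId))"

$path = $proc.ExecutablePath
if (-not $path) {
    # Fallback disk search; -Force includes hidden and system files (dir /S /AH /AS).
    $path = Get-ChildItem -Path 'C:\' -Filter "$ProcessName.exe" -Recurse -Force `
                -ErrorAction SilentlyContinue |
            Select-Object -First 1 -ExpandProperty FullName
}
if (-not $path) { Write-Warning 'Image file not found'; return }
$dir = Split-Path -Parent $path
"Image  : $path"

# Match on the directory, as the post does: the file name changes on every respawn.
function Test-RefersTo([string]$Text) {
    $Text -and $Text.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

# Step 3 (narrowed): autostart values and service image paths that mention $dir.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if (Test-RefersTo $value) { "Autorun: $key -> $name = $value" }
    }
}
Get-CimInstance Win32_Service | Where-Object { Test-RefersTo $_.PathName } |
    ForEach-Object { "Service: $($_.Name) -> $($_.PathName)" }

# Step 4: .ini files in the Windows directory (FINDSTR "<dir>" *.ini).
Select-String -Path "$env:windir\*.ini" -Pattern $dir -SimpleMatch -ErrorAction SilentlyContinue |
    ForEach-Object { "INI    : $($_.Path):$($_.LineNumber) $($_.Line)" }
```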
lloydr1l (Author) Commented:
Thought I better give out some points before they get spread too thin.  I ended up solving my own problem by doing what I normally would do, which is what spec01 suggested.  So I gave him the bulk of the points because that turned out to be the solution.

I also split some points between yurisk and alexisv for information that I did not know, and that is much appreciated.

yurisk...thanks for the link to the fport program and web site.
alexisv...thanks for the instructions.  I would like to have tried that out before running the above scans to see how it worked out, but I'll try next time (sure there will be one).

Thanks to all.
rpggamergirl Commented:
>>I also split some points between yurisk and alexisv for information that I did not know, and that is much appreciated.<<

I'm afraid you clicked on my name by mistake and the points didn't go to yurisk, can you please come back and we'll re-open this thread.
lloydr1l (Author) Commented:
Thank you for pointing this out.  How do I re-open?
rpggamergirl Commented:
No problem, glad it's all sorted out, :)

Best wishes!