• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 495

Strange process running on XP SP3

Hey guys,

We found a strange process yesterday on one of our corporate machines (mine).  Being the usual process-id nut (I wanna know what's running and why), I found a strange 2500kb 5-6 random alpha-numeric process that is completely benign.  I did a walk-around and found that a similar process is running on all our machines in our area (meaning it’s probably corporate wide).

1. Process can be killed by a regular 'user' (non-admin) account.
2. Logging out and in again, the process doesn't return.
3. Rebooting restarts the process.
4. Process changes name every reboot, using a 5 or 6 random alpha-numeric password, all UPPERCASE (i.e. AWB1AF.EXE).
5. Using Process Monitor, it shows up nothing.

We're scanning it right now with our network comms team; so far, it's doing nothing.
We’re using Trend Micro 6.2.1016/1076 engine, 9.100.1001/6.951.00 dat file. Nothing is being reported from our infrastructure and network monitoring or detection/intrusion systems (it’s very extensive).

Anyone else have this issue?
5 Solutions
It may be a spyware program of sorts. You can run Startup Control Panel, found at the site below; this will tell you what is starting when the machine boots up.

Process Monitor

Since the TM can see it, Process Explorer will as well. Double-click it to find the source, and in the lower pane you might be able to see what reg keys/files have open handles to it...

Also Autoruns

Look through there with a fine-toothed comb...

1) Submit the file to (virustotal.com) and see if it's detected by any AV product

2) Submit the file to TrendMicro (http://subwiz.trendmicro.com/SubWiz/Default.asp)

3) Submit the file to the following online Sandbox services:

- http://www.threatexpert.com/submit.aspx
- http://www.sunbeltsecurity.com/sandbox/
- http://anubis.iseclab.org/

Once you collect all logs/reports, attach them here for analysis/recommendations.

Good luck
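The triage the answers above describe (find the binary on disk, its parent process, who signed it, and hash it for submission) as an added PowerShell script; this is not code from the thread or from Trend Micro. It assumes PowerShell 2.0 (Windows Management Framework on XP SP3) and keys on the naming pattern the poster reported. A valid Authenticode signature from the AV vendor is the quickest way to tell a legitimate randomly-named watchdog from malware imitating one; anything unsigned in a temp or profile folder is what you submit.

```powershell
# Added triage script (not from the thread). Flags running processes whose image
# name matches the pattern the poster described (5-6 uppercase alphanumerics + .EXE),
# then records path, parent, Authenticode status/signer and SHA-256 for each.
# Assumes PowerShell 2.0 and an account allowed to query Win32_Process via WMI.
$pattern = '^[A-Z0-9]{5,6}\.EXE$'
$sha256  = [System.Security.Cryptography.SHA256]::Create()

function Get-FileSha256([string]$path) {
    # Returns the hex SHA-256 of a file, or $null when the file is missing/unreadable.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return $null }
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $bytes = $sha256.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } finally { $stream.Close() }
}

$procs = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Match case-insensitively: the poster saw all-uppercase names, but do not rely on it.
$suspects = $procs | Where-Object { $_.Name.ToUpper() -match $pattern }
foreach ($p in $suspects) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '(exited)' }
    $path       = $p.ExecutablePath
    $sig        = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Authenticode check: Valid + a vendor subject (e.g. Trend Micro) is what a
        # legitimate self-protecting AV component looks like; NotSigned is the red flag.
        $sig = Get-AuthenticodeSignature -FilePath $path
    }
    $status = if ($sig) { $sig.Status } else { 'NoFile' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned / unreadable)' }
    New-Object PSObject -Property @{
        Name        = $p.Name
        Pid         = $p.ProcessId
        Path        = $path
        Parent      = $parentName
        SigStatus   = $status
        Signer      = $signer
        Sha256      = Get-FileSha256 $path
        CommandLine = $p.CommandLine
    }
}
```

Pipe the output to Format-List or Export-Csv; the Sha256 column is what you look up on VirusTotal before uploading the file itself.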
Pengrowth (Author) commented:
Thanks for the tips guys. Found what was causing it. It seems there is a 'watchdog' process that TRENDMICRO runs: in case a virus/bot kills or goes after the main anti-virus engine, the watchdog process (which changes its name every reboot) will report its activities.

Good tips though on the other ideas. We were headed that route.
Pengrowth (Author) commented:
Solution found.
You said you have Trend; this is the scanning process, and it is OK to leave it running, otherwise you will not be protected.

It starts as a randomly-named process. I have seen it before. It is probably running on all your machines as a differently-named process. You can't kill it unless you remove Trend Micro.
Shoot, I was just a few mins too late :)
Glad to know you've found the solution..

A few of these solutions are in EE's database; here are 2.
2006 - Strange process names:

2006 - random filenames in window\temp folder: