Strange process running on XP SP3

Hey guys,

We found a strange process yesterday on one of our corporate machines (mine).  Being the usual process-ID nut (I wanna know what's running and why), I found a strange 2500 KB process with a 5-6 character random alphanumeric name that is completely benign.  I did a walk-around and found that a similar process is running on all our machines in our area (meaning it's probably corporate-wide).

Symptoms:
1. Process can be killed by a regular 'user' (non-admin) account.
2. Logging out and in again, the process doesn't return.
3. Rebooting restarts the process.
4. Process changes name every reboot, using a 5 or 6 character random alphanumeric password, all UPPERCASE (e.g. AWB1AF.EXE).
5. Using Process Monitor, it shows up nothing.

We're scanning it right now with our network comms team; so far, it's doing nothing.
We're using Trend Micro 6.2.1016/1076 engine, 9.100.1001/6.951.00 dat file. Nothing is being reported from our infrastructure and network monitoring or detection/intrusion systems (it's very extensive).

Anyone else have this issue?
[Attachment: weirdprocess.JPG]
PengrowthAsked:
jmcilhargeyCommented:
May be a spyware program of sorts. You can run Startup Control Panel found at site below, this will tell you what is starting when the machine boots up.

http://www.mlin.net/StartupCPL.shtml
0
johnb6767Commented:
Process Monitor
http://live.sysinternals.com/procexp.exe

Since the TM can see it, Process Explorer will as well. Double click it to find the source, and in the lower pane you might be able to see what reg keys/files have open handles to it.....

Also Autoruns
http://live.sysinternals.com/autoruns.exe

Look through there with a fine toothed comb.....
0
xmachineCommented:
1) Submit the file to (virustotal.com) and see if it's detected by any AV product

2) Submit the file to TrendMicro (http://subwiz.trendmicro.com/SubWiz/Default.asp)

3) Submit the file to the following online Sandbox services:

- http://www.threatexpert.com/submit.aspx
- http://www.sunbeltsecurity.com/sandbox/
- http://anubis.iseclab.org/

Once you collect all logs/reports, attach them here for analysis/recommendations.

Good luck
0
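The two comments above amount to one triage procedure: find the image behind the randomly named process, see who launched it, and get a hash you can submit. The following PowerShell script is an added example and is not code from the thread or from Trend Micro. It uses only WMI (`Win32_Process`) and `Get-AuthenticodeSignature`, so it also runs under PowerShell 2.0 on XP SP3; the name pattern `^[A-Z0-9]{5,6}\.exe$` is taken from the asker's description (e.g. AWB1AF.EXE) and is an assumption about what counts as "random".

```powershell
# Added example (not from the thread): triage every running process whose image name
# is 5-6 uppercase alphanumerics plus .exe, reporting path, signer, SHA-256, parent and
# command line. Run elevated where possible; otherwise other users' processes show no path.

$pattern = '^[A-Z0-9]{5,6}\.exe$'   # e.g. AWB1AF.EXE; -match is case-insensitive

function Get-Sha256Hex {
    # SHA-256 of a file as lowercase hex (Get-FileHash does not exist on PowerShell 2.0)
    param([string]$FilePath)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($FilePath)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# Snapshot all processes once so parent PIDs can be resolved from the same list
$procs = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    if ($p.Name -notmatch $pattern) { continue }

    $path   = $p.ExecutablePath
    $parent = $byPid[[int]$p.ParentProcessId]
    # A name that changes every reboot means the launcher is elsewhere: the parent is the lead.
    $parentDesc = '<exited> (' + $p.ParentProcessId + ')'
    if ($parent) { $parentDesc = $parent.Name + ' (' + $parent.ProcessId + ')' }

    $sigStatus = 'NoPath'; $signer = ''; $hash = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig       = Get-AuthenticodeSignature -FilePath $path   # embedded signature only
        $sigStatus = $sig.Status.ToString()                      # Valid / NotSigned / HashMismatch ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $hash = Get-Sha256Hex -FilePath $path                    # what you submit to VirusTotal etc.
    }

    New-Object PSObject -Property @{
        PID       = $p.ProcessId
        Name      = $p.Name
        Path      = $path
        Parent    = $parentDesc
        Signature = $sigStatus
        Signer    = $signer
        SHA256    = $hash
        CmdLine   = $p.CommandLine
    }
}

if (-not $findings) { 'No processes matched the random-name pattern.' }
else { $findings | Format-List PID, Name, Path, Parent, Signature, Signer, SHA256, CmdLine }
```

Read the output the way the answers above suggest: a `Valid` signature, a signer subject naming the AV vendor and a path under the AV installation directory point to a product component; an unsigned image in a temp or profile directory, or a parent that has already exited, is what you hash and submit to the sandbox and vendor services listed. `Get-AuthenticodeSignature` only checks an embedded signature, so a `NotSigned` result on a file that Process Explorer's Verify column reports as signed usually means a catalog signature and is not by itself suspicious.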
PengrowthAuthor Commented:
Thanks for the tips guys.  Found what was causing it.  It seems there is a 'watchdog' process TRENDMICRO runs that in case a virus/bot kills or goes after the main anti-virus engine, the watchdog (which changes its name every reboot) process will report its activities.

Good tips though on the other ideas. We were headed that route.
0
PengrowthAuthor Commented:
Solution found.
0
jameso99Commented:
You said you have Trend; this is the scanning process and it is OK to leave it running, otherwise you will not be protected.

It starts as a randomly-named process; I have seen it before.  It is probably running on all your machines as a differently-named process.  You can't kill it unless you remove Trend Micro.
0
jameso99Commented:
Shoot, I was just a few mins too late :)
0
rpggamergirlCommented:
Glad to know you've found the solution.

There are a few of these solutions in EE's database; here are two.
2006 - Strange process names:
http://www.experts-exchange.com/OS/Microsoft_Operating_S/Q_22061121.html 

2006 - random filenames in window\temp folder:
http://www.experts-exchange.com/Applications/Viruses/Q_21893162.html
0