Explain Running Process

Frankster

I have a number of XP Pro boxes (some original load, some upgraded from W2K
Pro). All of them exhibit this same thing. This was not happening with
W2K.

Each box almost always has ONE process running that I cannot account for. It
is a process that ALWAYS has an ALL CAPS name, 6 characters, mixture of
Alpha numeric and is an EXE.

Eg. of filenames... seemingly random.
BOE3D6.EXE
APE4DC.EXE
BO4TYC.EXE
HID4CH.EXE

etc, etc...

The physical file is in the %systemroot%\temp directory. I can delete it
and a new one, of different name, will be auto-generated on next boot.

Occasionally, after reboots or shutdowns, upon restart I get an error saying
this file cannot write to memory (or similar). It always shows mem
locations such as "0000000x".

This seemingly has NEVER caused any problem. I just click on OK and say
"geeze"!

Does anyone know what could be causing this?

-Frank
 
John John

Sounds like a virus or spyware. About:blank has a similar behaviour.
Look in the start locations to see what seems out of place. Autoruns by
Sysinternals might reveal the parent source.

John
 
Frankster

Okay, I will check this out. I run an always updated AV. This file scans
fine. Ad Aware does not pick it up.

However, one thing you said has me curious. About:blank. I purposely
choose about:blank for my home page. I don't want IE searching for a
website every time I open IE. Adaware always warns that is a possible
hijacking attempt. I always override Adaware and do not delete this home
page setting. You have me a little confused about about:blank.

Can you expound a little on that?

-Frank
 
Frankster

Concerned about the about:blank virus/spyware, I changed my home page to
msn.net. It holds fine. Rebooted, still fine. My home page settings
operate as designed. No popups, no changing of home page settings, nothing
unusual.

However, I STILL have that 6 character executable running (different name
after reboot). I just don't see any ill effects. Not sure what the
about:blank virus/spyware does, but my home page setting operates normally,
I think.

-Frank
 
Jud

SNIP
It is spyware. Adaware won't get rid of it, but Spyhunter has better luck. I
had a similar one and found that starting in safe mode and deleting the program
file worked.
It was something like Webadvertising or similar.

Jud
 
Rick

Jud said:
It is spyware. Adaware won't get rid of it, but Spyhunter has better luck. I
had a similar one and found that starting in safe mode and deleting the program
file worked.
It was something like Webadvertising or similar.

It should also be noted that AdAware is not a trojan/worm/
virus remover. This executable could just as easily be one of
these and not spyware.
 
John John

Well then that is (most likely) exactly it! It's an insidious thing to
get rid of! People are pulling their hair out trying to rid themselves
of this pest, some go to the extreme of reinstalling their OS. Being
that you intentionally set it as your homepage I hope you like it.
Tools and removal techniques are constantly evolving to help in its
removal but about:blank always seems to be one step ahead of the tools.
The naming pattern that you have described seems to be a new one.
Simply put it's a Browser Helper Object. Others call it a hijacker,
spyware or that cursed !@@#%! thing. Now go stand in the corner with
that pointy hat on your head... (just kidding).

I don't understand what you mean when you say "...I don't want IE
searching for a website every time I open IE." What website? If you
set IE to a friendly website it shouldn't go looking for another
website, unless it got hijacked by a BHO, like About:blank. If you're
worried about browser security and BHOs there are other browsers that
are way more secure than IE.

John
 
John John

Keep your fingers crossed. Jud has suggested that it may be another
spyware of some kind. It could be, because the naming pattern doesn't
seem to follow the about:blank method. But this thing reincarnates
itself quite often, that's why you don't get any hits when you do a net
search for the executable. Good luck.

John
 
John John

By the way, these BHO hijackers & spyware don't usually go about
changing your homepage, that would be too obvious. They lurk in the
background waiting to pounce. In the case of true spyware they keep
track of your surfing habits then "call home" and report their findings.
Some people only notice that their web surfing seems slower than
normal as the spyware is using a "pipe" to its home while you surf.
Others notice that there seems to be activity when none should be going
on. Good firewalls can usually detect this. In the case of BHO
hijackers just try doing a search and see what happens. They redirect
you to their search engine or spew out their search results, not the
results you would expect from legit search engines like MSN, Yahoo or
Google etc.

John
 
Keith W

Rick said:
It should also be noted that AdAware is not a trojan/worm/
virus remover. This executable could just as easily be one of
these and not spyware.

Might I suggest that CWShredder and/or HijackThis might be worth
downloading and running (both free for personal use). It is never safe to
rely on a single safety net 'cos the writers of the virus/worm/whatever will
try to get around the ones they know about.

Keith
 
Frankster

I have an enterprise firewall at the Internet connection and a personal
firewall on each computer. I don't think this is an about:blank issue. I
watch my firewall logs and don't see any undesired outbound or inbound
connections. I really think this may be "normal". It wouldn't surprise me
if this is some kind of auto-update thingy from some legit app. What
bothers me is that I cannot track it down to any app!

One thing I would like someone to confirm for me. I am SUPPOSED to have the
option of setting my homepage in IE6 to "blank", right? And when you do
that, it is SUPPOSED to result in text saying about:blank in the URL window,
right? Everybody is acting as if that is a problem. I think it is by
design. Right?

-Frank
 
Gary H

Frankster said:
I have an enterprise firewall at the Internet connection and a personal
firewall on each computer. I don't think this is an about:blank issue. I
watch my firewall logs and don't see any undesired outbound or inbound
connections. I really think this may be "normal". It wouldn't surprise me
if this is some kind of auto-update thingy from some legit app. What
bothers me is that I cannot track it down to any app!

One thing I would like someone to confirm for me. I am SUPPOSED to have the
option of setting my homepage in IE6 to "blank", right? And when you do
that, it is SUPPOSED to result in text saying about:blank in the URL window,
right? Everybody is acting as if that is a problem. I think it is by
design. Right?

-Frank

Windows does have a file called "blank.html".

--
23 days until the winter solstice celebration

"In all affairs it's a healthy thing now and then to
hang a question mark on the things you have long taken
for granted." -- Bertrand Russell
 
Frankster

I don't want it searching for ANY website. So when I disconnect it from the
internet I don't have to wait for a timeout to use the web browser.

Are you telling me that your system does not allow you to:

IE/Tools/Internet Options/Homepage=Use Blank? That's not available on your
system? If it is available, what's wrong with using it?

-Frank
 
Frankster

Okay group. Thanks for all the suggestions. Turns out it is not really a
problem and has nothing to do with any about:blank page.

It is a routine function of my AV program (Trend Micro OfficeScan - I love
it, BTW).

Anyway, it is the "watchdog service", designed to foil malicious attempts to
stop the AV program. Specifically, the random filename comes from the
"anti-hacking" setting. The idea is that if the watchdog service uses a
random filename, it will prevent viruses from identifying it by the service
name. Of course, it also prevented me from identifying it by the service
name too... for a long while :)

From the docs...

-----------------------------
Reserved Disk Space and Watchdog Settings

Trend Micro recommends enabling the client watchdog service to help ensure
that OfficeScan client is protecting your client computers. If OfficeScan
client unexpectedly terminates, which could happen if the client is under
attack from a hacker, the watchdog service restarts OfficeScan client.

Enable the OfficeScan client watchdog service: Select this check box to have
the watchdog service attempt to restart the client program. Specify the
number of times it will check the client status and try to restart the
client program.

Enable anti-hacking mode: Select this check box to give the Watchdog service
a random name. This helps prevent any virus or other type of threat from
identifying the service and terminating it.

Reserve { } MB of disk space for updates: Select this check box to allot a
certain amount of space on clients' hard disks for hot fixes, pattern files,
scan engines, and program updates. OfficeScan reserves 20MB of space by
default.
 
Gary Smith

Frankster said:
I have an enterprise firewall at the Internet connection and a personal
firewall on each computer. I don't think this is an about:blank issue. I
watch my firewall logs and don't see any undesired outbound or inbound
connections. I really think this may be "normal". It wouldn't surprise me
if this is some kind of auto-update thingy from some legit app. What
bothers me is that I cannot track it down to any app!

Yes, yes, and yes. Confusion arises because some malware uses the name
"about:blank" for the fake home page it displays. About:blank isn't the
problem, it's the hijacking of about:blank that's the problem.
 
John John

Yes, you can set your browser page to about:blank, that is perfectly fine,
it just displays a blank page, no voodoo about that. You'll have to
investigate deeper to find out what causes the random exe's. I suggest
Autoruns and Process Explorer by Sysinternals, very good tools for this
kind of troubleshooting. Let us know what you find out, I for one am
curious as to what the parent is.

John
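As an added example (not code from the thread or from any of the tools named in it), here is a PowerShell triage script that does what John and Luke describe by hand: list running processes whose image lives in %systemroot%\temp with the six-character upper-case .EXE name pattern Frank reported, then show each one's parent process, Authenticode signer and any Run-key reference. If the signer turns out to be the AV vendor, the owner is identified without a web search for a name that changes on every boot. It assumes a modern PowerShell host (Get-CimInstance), not the XP-era tools; the Temp path and name pattern come from the thread, and the Run keys are the standard per-machine and per-user autostart locations.

```powershell
# Added triage script, not from the thread. Finds running processes whose
# image sits under %SystemRoot%\Temp with a six-character upper-case
# alphanumeric name ending in .EXE (the pattern Frank described), then
# reports parent process, Authenticode signer and any Run-key reference.
# Assumes a modern PowerShell host (Get-CimInstance), not XP-era tooling.
$tempDir     = Join-Path $env:SystemRoot 'Temp'
$namePattern = '^[A-Z0-9]{6}\.EXE$'      # enforced case-sensitively via -cmatch
$runKeys     = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Look for the image name in the classic autostart keys (John's "start
# locations"); Luke's registry search for the process name is the same idea.
function Get-AutostartRefs([string]$imageName) {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            if ("$($prop.Value)" -match [regex]::Escape($imageName)) {
                "$key\$($prop.Name) = $($prop.Value)"
            }
        }
    }
}

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$suspects = $procs | Where-Object {
    $_.ExecutablePath -and
    $_.ExecutablePath.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase) -and
    $_.Name -cmatch $namePattern
}

foreach ($s in $suspects) {
    # The parent may already have exited (a short-lived launcher), so look it up defensively.
    $parent = $byPid[[int]$s.ParentProcessId]
    $sig    = Get-AuthenticodeSignature -FilePath $s.ExecutablePath
    [pscustomobject]@{
        PID          = $s.ProcessId
        Image        = $s.ExecutablePath
        ParentPID    = $s.ParentProcessId
        ParentImage  = if ($parent) { $parent.ExecutablePath } else { '<exited>' }
        Signature    = $sig.Status
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        AutostartRef = (Get-AutostartRefs $s.Name) -join '; '
    }
}
```

Run it from an elevated prompt so that processes owned by other accounts and the HKLM Run key are readable; a `<exited>` parent combined with a valid vendor signature is the fingerprint of a watchdog-style launcher like the one Frank eventually found.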
 
John John

Thank you for telling us what it was, now when others post with the
same problem we can point them to a possible cause. I guess we got
mixed up with about:blank thrown in there. As I had mentioned earlier
it behaves in the same manner, but from the start I thought the .exe
names were out of character for the malware version of about:blank.

John
 
Luke MacNeil

I've had good luck lately by searching the registry for the process
name to find where it's called from. It's almost always set with -rerun
so it respawns. Then under safe mode I go in and blast the files. Has
worked on a few machines so far. The executables were waveplay.exe and
runsrv32.exe