Odd processes & MS firewall may be disabled

Okay, here goes. I noticed yesterday that my laptop has an odd process running on it. The name is very suspicious, a mix of letters and numbers. It doesn’t appear to consume process time; the task manager reports little in the way of IO occurring (very low IO read/writes … and the values have been steady since boot time, not increasing). As an example, right now, the process “FN83C9.exe” is running. I can kill it. Sometimes another one with a different name appears; sometimes not. I’ve seen F27F0C, CEA8A0, and a few others.

I’ve run Avast, and it reports no infections. I’ve run Adaware and Spybot Search & Destroy — all report that the system is clean. I even broke down and downloaded/ran the Microsoft malware removal tool and that reported a clean system, too. I’ve run HiJackThis and looked at the logs, and I don’t see anything odd. Same for StartupList … it doesn’t look like there’s anything suspicious running. I am getting these in the Windows/Prefetch area … but I can’t tell anything about them that would confirm that they are the result of something malicious.

As a side-effect, I think the MS Firewall has become disabled. The control panel reports that it is enabled, but … I don’t think it’s having any effect. When I first received the laptop a few months ago, I received popups indicating that some of my apps were attempting to communicate over the net. I added those as exceptions to the list. Now, however, I’ve disabled the exceptions (indeed, indicated that no exceptions are to be allowed), and yet I don’t get any of the dialog indicators, and the software connects and works just fine.

What could this be? And why would the firewall appear to be disabled? How can I find out what is spawning these processes?

Thanks!

j

Hi dr_j,

It’s most likely a Trojan or worm if it is malware. You’ve done a lot of checks for spyware; you can do online scans for Trojans and worms, and these scanners even remove some infections!

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

http://support.f-secure.com/enu/home/ols.shtml

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

http://housecall.trendmicro.com/housecall/start_corp.asp

Another app I use to check processes is Process Explorer (freeware), which can be found here:

http://www.sysinternals.com/Utilities/ProcessExplorer.html#top

I’m running a Panda scan now. Currently says it found/cleaned 2 infected files, and has 48 suspicious ones. It’s still scanning; we’ll see what the log says when it’s done.

In the meantime, I killed one of the suspicious exes, and eventually another one showed up: RY1EC2.EXE. I’m looking at it with Process Explorer. If I’m right, it was spawned by NTRtScan, the Trend Micro antivirus software. Looking at the files it has open, it’s mostly the OfficeScan Client files, and the Windows/System32 directory. It has an “Event” value of “\BaseNamedObject\OFCDOGUNLOCKDONE”. It also says under the type of “Mutant”, “\BaseNamedObject\<There is an ofcdog instance exist. Don’t create another.>”. The “Thread” type is “RY1EC2.EXE(1532):2896”.

Could this really be a part of OfficeScan? I’m considering dumping OfficeScan in favor of Avast … OfficeScan was provided by my company, and I’m just not that happy with it.

Thanks!

j
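The check described in the post above (find the oddly named process, then see which process spawned it and what binary it runs) can be scripted. This is an added example, not code from the thread or from any of the tools mentioned in it. It assumes the names follow the pattern seen so far (six letters or digits followed by .exe) and uses only built-in Windows PowerShell cmdlets; the code signer and parent process it reports are what let you decide whether a process such as RY1EC2.EXE belongs to an installed product or needs a closer look.

```powershell
# Added example (not from the thread): list processes whose image name looks like
# a random six-character string, and show who spawned them and who signed them.
# Tested idea: Windows PowerShell 5.1; run from an elevated prompt for full detail.

# Assumption: names in the thread (FN83C9, F27F0C, CEA8A0, RY1EC2) are six
# alphanumeric characters plus .exe. -match is case-insensitive in PowerShell.
$pattern = '^[0-9A-Z]{6}\.exe$'

# One snapshot of all processes, indexed by PID so parents can be looked up.
$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[$p.ProcessId] = $p }

$report = $procs |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $parent = $byId[$_.ParentProcessId]

        # Authenticode check tells you whether the binary is signed and by whom.
        $sig = $null
        if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath
        }

        [PSCustomObject]@{
            Name        = $_.Name
            PID         = $_.ProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Started     = $_.CreationDate
            Parent      = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" } else { '<parent already exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            SigStatus   = if ($sig) { $sig.Status } else { '<no readable image path>' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }

$report | Format-List

# The poster also saw these names under Windows\Prefetch. Listing the matching
# .pf files with their timestamps shows how often such processes have been run.
Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9A-Z]{6}\.EXE-[0-9A-F]{8}\.pf$' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime, Length |
    Format-Table -AutoSize
```

A process whose parent is a known product component and whose image carries a valid signature from that vendor (as the thread later concludes for OfficeScan) is the benign case; an unsigned image under a user-writable path, or a parent that has already exited, is what would justify submitting the file to a multi-engine scanner as suggested further down.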

Panda finished scanning; found a trojan and a few viruses in some old emails, but that appears to be about it.

I’m going to check with some friends tomorrow to see if they have that same type of process running on their machines. Maybe even uninstall the Trend Micro OfficeScan in favor of Avast.

Thanks, all. I’ll let you know what I find out.

j

Well, I found this: http://dotnetjunkies.com/WebLog/anoras/archive/2004/11/19/32676.aspx

Looks like the odd process I found really is a part of OfficeScan.

Ah, well. Still glad I went through everything I did … I’ve bookmarked the site you guys provided, and ProcessExplorer will be very handy in the future.

j

Running two anti-virus programs is not advisable: they may conflict and cause problems. If it’s a company laptop, you should perhaps consult your network administrator or IT department; they may require you to comply with their chosen anti-virus solution.

Submit the file to JOTTI and let several av-softwares scan it in one go. :wink: