Author Topic: Unidentified Process  (Read 18863 times)


Offline King_Yoshi

  • Full Member
  • ***
  • Posts: 76
Unidentified Process
« on: September 22, 2009, 11:16:08 PM »
I noticed that my firewall (Online Armor) was displaying internet usage, but it didn't show any process that was using the internet. So I went and downloaded a program that my friend had told me about called Netbalancer. (From: http://seriousbit.com/netbalancer/) I found an unidentified process that was using bandwidth. The odd thing, though, is that that process does not show up on my process list.
When I tried pulling up more information on it, the only thing I got was that its parent was "System Idle Process".

I had run my usual virus scans and found nothing unusual, so I wanted to post this here. Maybe one of you has seen this before, or could explain to me what this is.

Below is the screenshot I took of the "Unidentified" Process I saw in Netbalancer.


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
Re: Unidentified Process
« Reply #1 on: September 23, 2009, 01:05:29 AM »
Hi, King_Yoshi.  This Wiki writeup should be helpful: System Idle Process.  Does Task Manager show similar information to the image shown there?  If you show processes from all users in Task Manager, what does it indicate for System Idle Process?


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline King_Yoshi

  • Full Member
  • ***
  • Posts: 76
Re: Unidentified Process
« Reply #2 on: September 23, 2009, 02:55:59 AM »
It shows the System Idle Process; however, it does not show the "unknown" process.

Offline King_Yoshi

  • Full Member
  • ***
  • Posts: 76
Re: Unidentified Process
« Reply #3 on: September 23, 2009, 04:34:54 PM »
The "System Idle" Process does NOT show a child process named "unknown".

Offline Aaron Hulett

  • Administrator
  • Hero Member
  • *****
  • Posts: 1450
  • Schrödinger's cat walks into a bar... and doesn't.
Re: Unidentified Process
« Reply #4 on: September 23, 2009, 08:03:14 PM »
I'll jump in with some comments and questions to help the thread along and then disappear back into the fog.

Given there's no Process ID, the parent is System Idle Process and there's no image (the path), we're chasing a ghost.

How much confidence is there that this unidentified process A) actually is or was a process and B) has System Idle Process as its parent?  In other words, how much confidence is there that this program is reporting correctly?  Or, what is this program's default behavior if it identifies traffic but cannot tie it to the associated process - does it ignore the traffic, or does it place it in this "unidentified" bucket?

Very very hard to diagnose remotely.  Even then, the only real way to dive into this that immediately comes to mind would be to shut down absolutely every other program that talks across the LAN/WAN and start sniffing packets from a separate machine.

Did Online Armor have any details on the communication, such as what remote IP address this involved?

//A

Offline King_Yoshi

  • Full Member
  • ***
  • Posts: 76
Re: Unidentified Process
« Reply #5 on: September 23, 2009, 08:22:07 PM »
The "unidentified" process does not even come up in Online Armor or Process Guard. But I have noticed that when I have no programs connected to the internet (I shut down all programs that connect to the internet, that I know of), Online Armor will still show that something is using the internet bandwidth, even though none of the programs displayed in Online Armor show any activity. It was not until I installed Netbalancer that this "unknown" factor appeared.

I had noticed in the past that my internet seemed a bit slower, but nothing drastic.

I also am unsure of how to trace where the packets are coming from or going to, since Netbalancer was the first program to ever pick up the anomaly.


However, I noticed something strange when I start up the computer. I usually get an Internet Explorer popup that asks if I want to view "secure" material. My first guess was that I had some spyware, but after scanning with the usual Malwarebytes etc. nothing came up.

Offline Temmu

  • The Assimilator
  • Hero Member
  • *****
  • Posts: 5404
Re: Unidentified Process
« Reply #6 on: September 23, 2009, 09:02:52 PM »
simplest first.

buy a router that comes with nat / firewall.  most do these days.
yours may already have that.  prolly does.  log onto it and see.
that said,
most home users should not have a software firewall.
it's too much to keep up with & they end up allowing stuff they shouldn't, anyway.

hosts file.
read about and get yours from the microsoft mvps - google mvp hosts file.

msconfig.
disable most of that garbage that starts up.
you'll end up with 1 to 3 items you want to leave selected.

uninstall programs you don't ever use anyway.
stuff that begins with hp this or that, dell this or that, gateway this or that
are prime suspects.  it's crapware, malware, and sucks-up-cpu-cycle ware.  did i say worthless?

disable useless services.  google them and decide.

ram, anyone?  buy as much as you can afford.

ok, now your pc is 50 times faster than it was.

still wanna know what packets are coming and going? 


===========================

wireshark.

load it on the offended pc.

on the capture item, choose your network card.
unselect "capture packets in promiscuous mode"
you want a capture filter:
not  src net 192.168.1.0 mask 255.255.255.0 and not dst net 192.168.1.0 mask 255.255.255.0

(i assume that your network is 192.168.1.0, like 99.95% of all home users...)

if you don't see your trouble,
run again with no capture filter.

you can "capture files" to a file on your hard drive.

when done capturing - say 15 minutes,
you can go to capture, stop.

statistics, conversations
statistics, endpoints

may be a good place to start.

google wireshark + your questions.
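Added example (mine, not Temmu's): a small Python model of that capture filter's semantics, run over constructed packets for a host assumed to sit at 192.168.1.10 (the remote addresses are documentation-range placeholders). In pcap filter syntax `not` binds tighter than `and`, so the filter as written drops every packet that has either end inside the LAN, which for a host inside 192.168.1.0/24 is all of its own traffic; the parenthesised form drops only LAN-to-LAN packets and keeps the internet-bound traffic the thread is trying to see.

```python
import ipaddress

# Constructed (src, dst) pairs as seen on the NIC of a host at 192.168.1.10 (assumed).
PACKETS = [
    ("192.168.1.10", "93.184.216.34"),   # host -> internet
    ("93.184.216.34", "192.168.1.10"),   # internet -> host
    ("192.168.1.10", "192.168.1.1"),     # host -> router (LAN-local)
    ("192.168.1.1", "192.168.1.10"),     # router -> host (LAN-local)
    ("192.168.1.10", "198.51.100.7"),    # host -> another internet address
]

# "net 192.168.1.0 mask 255.255.255.0" from the capture filter.
LAN = ipaddress.ip_network("192.168.1.0/255.255.255.0")


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def filter_as_posted(src, dst, net=LAN):
    # "not src net N and not dst net N" parses as (not src net N) and (not dst net N):
    # a packet survives only if NEITHER end is on the LAN.
    return (not in_net(src, net)) and (not in_net(dst, net))


def filter_exclude_lan_only(src, dst, net=LAN):
    # "not (src net N and dst net N)": a packet is dropped only if BOTH ends are on
    # the LAN, so host<->internet traffic is kept and router chatter is dropped.
    return not (in_net(src, net) and in_net(dst, net))


def apply_filter(filt, packets=PACKETS):
    """Return the packets that a capture filter would let through."""
    return [p for p in packets if filt(*p)]


if __name__ == "__main__":
    print("as posted   :", apply_filter(filter_as_posted))        # []
    print("exclude LAN :", apply_filter(filter_exclude_lan_only))  # 3 packets
```

Running it shows the as-posted filter keeps nothing, because every packet a host on the LAN sends or receives has its own LAN address at one end.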
Offline King_Yoshi

  • Full Member
  • ***
  • Posts: 76
Re: Unidentified Process
« Reply #7 on: September 23, 2009, 10:00:09 PM »
Within the last month I have moved into a college dorm room, and am running off of the school's internet. Would I still legally be allowed to do packet capturing, as I technically do not own the internet here?

Offline Aaron Hulett

  • Administrator
  • Hero Member
  • *****
  • Posts: 1450
  • Schrödinger's cat walks into a bar... and doesn't.
Re: Unidentified Process
« Reply #8 on: September 24, 2009, 12:26:15 AM »
Probably, but it might not hurt to check.

Given Internet Explorer is launching like that, it might help to know what causes that.  I see you have Process Explorer.  Are you familiar with Process Monitor?  If so, use that to monitor your startup.  Under Options, make sure Enable Boot Logging is on and then reboot.  After you get the Internet Explorer window, launch Process Monitor again and go through the log to see what may have started it.

Only other comment I have is on this:

Quote
The "unidentified" process does not even come up on "online Armor" or process guard.
We don't know that.  Given this tool marks it as unidentified and provides no PID, it may or may not be seen in other tools.  To put it another way, if another tool correctly identified the process and logs the traffic accordingly, there's no way to easily map that to this unidentified one.  Make sense?

//A

Offline Eric the Red

  • ISO/IEC 27001:2013
  • Administrator
  • Hero Member
  • *****
  • Posts: 1618
  • Would somebody please pass me a beer!
Re: Unidentified Process
« Reply #9 on: September 24, 2009, 09:18:06 PM »
Quote
Within the last month I have moved into a college dorm room, and am running off of the school's internet. Would I still legally be allowed to do packet capturing, as I technically do not own the internet here?

You could be skating on thin ice, as it is most likely that your internet traffic will be passing through the school's proxy gateway. If I were you I'd seek authority from the IT/IS department first, or you may find yourself having to defend a charge of hacking (have you read the school's acceptable use policy?).
"The time to start running is around about the 'e' in 'Hey, you!'"

The information I provide is provided "AS IS" without warranty, and confers no rights.

Offline King_Yoshi

  • Full Member
  • ***
  • Posts: 76
Re: Unidentified Process
« Reply #10 on: September 27, 2009, 11:34:43 PM »
I asked them about it, and they said I was not allowed to do packet sniffing... Is there another way of trying to figure out what is causing the discrepancy (if there even is one)?


Additionally, I installed Process Monitor, but am a bit overwhelmed by the amount of information it gives.
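Added example, not from anyone in the thread: with sniffing off the table, one host-side way to tie traffic to a process on Windows is to join the socket table with the process list. The Python below (mine) parses constructed `netstat -ano` and `tasklist /fo csv /nh` output and joins them on PID, flagging sockets Windows attributes to PID 0 (System Idle Process), which is the same "no real owner" attribution the thread is puzzling over; the addresses and process names are made up.

```python
import csv
import io

# Constructed sample of `netstat -ano` output: Proto, Local Address, Foreign Address, State, PID.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     93.184.216.34:80       ESTABLISHED     1234
  TCP    192.168.1.10:49153     198.51.100.7:443       TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output: "Image Name","PID","Session Name",...
TASKLIST_SAMPLE = '''\
"firefox.exe","1234","Console","1","120,000 K"
"System","4","Console","0","300 K"
'''


def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        conns.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                      "state": state, "pid": int(parts[-1])})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def correlate(netstat_text, tasklist_text):
    """Join sockets to owning processes; PID 0 and unknown PIDs are labelled, not dropped."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for c in parse_netstat(netstat_text):
        if c["pid"] == 0:
            # PID 0 is System Idle Process: Windows could not tie the socket to a live
            # process (typical for half-closed connections), so it merits a second look.
            owner = "<unattributed: PID 0>"
        else:
            owner = procs.get(c["pid"], "<PID not in tasklist>")
        rows.append((c["proto"], c["local"], c["remote"], c["state"], c["pid"], owner))
    return rows


if __name__ == "__main__":
    for row in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(*row)
```

On a real machine, feed it the live output of the two commands; `netstat -b` can print the owning executable directly but needs an elevated prompt, whereas this join works from unprivileged output.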

Offline King_Yoshi

  • Full Member
  • ***
  • Posts: 76
Re: Unidentified Process
« Reply #11 on: September 30, 2009, 06:28:11 PM »
Usually I don't do this but....  *BUMP*

Offline Temmu

  • The Assimilator
  • Hero Member
  • *****
  • Posts: 5404
Re: Unidentified Process
« Reply #12 on: September 30, 2009, 11:17:45 PM »
you have malware.

in ie, go to tools, manage add-ons, enable or disable add-ons.
show:  add-ons currently loaded in internet explorer.
you can select everything and click (o) disable.
(you have not removed anything, just prevented it from running.)

ok, close ie, reboot.
upon boot does ie open of its own accord?

if so, do what you just did, but choose show: add-ons that run without requiring permission
select everything, disable.

ok, close ie, reboot.
upon boot does ie open of its own accord?

if so, again, but show: downloaded active x controls (32-bit)
ok, close ie, reboot.
upon boot does ie open of its own accord?

if so, again, but show: add-ons that have been used by internet explorer

let us know.

failing that,
http://images.malwareremoval.com/random/RSIT.exe
use it and post.


Offline Temmu

  • The Assimilator
  • Hero Member
  • *****
  • Posts: 5404
Re: Unidentified Process
« Reply #13 on: September 30, 2009, 11:19:08 PM »
ensure you select everything, then select disable, then ok, then exit ie. 

Offline King_Yoshi

  • Full Member
  • ***
  • Posts: 76
Re: Unidentified Process
« Reply #14 on: October 12, 2009, 06:10:45 PM »
I use Firefox, and NEVER use Internet Explorer.

I am considering running ComboFix... Because I know if it does not pick anything up, I am dealing with an unknown malware/virus/trojan, OR it was just a false positive.