mastermind007

Unknown process executing beneath everything....


Hello

 

For my own program debugging needs, I rely on a software utility named CurrPorts that provides a complete GUI view of all ports opened on a machine. Usually, the entire path of the executable is also shown.

 

For the past two weeks, I have been noticing that CurrPorts consistently reports a process that has no PID and shows the word "Unknown" as its name. Needless to say, the path of the executable is missing and the Process ID is either 0 or blank.

 

The remote IP address that this Unknown process is accessing keeps shifting all the time. If another PC connects to the same wireless network, the Unknown process attempts to open a port on that new computer, so it is definitely monitoring the network very closely.

 

Running the AVZ utility (sent by Kaspersky support) revealed that Microsoft functions with names such as NtCreateProcess and NtCreateProcessEx were hooked and intercepted. A few functions such as NtTraceEvent and NtRequestPort had their instructions substituted with jmp <somehexaddress>.

 

Even after breaking the hooks, the unknown process continues to execute and continues to open and close the ports. The only difference is that I can see the names of more remote machines more often than before.

 

P.S.: The default Task Manager (Ctrl-Alt-Delete) does not show this Unknown process, but more powerful task managers usually show it.

 

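The following is an added example, not part of either post in this thread and not code from CurrPorts, TCPView or Kaspersky. It reproduces what a CurrPorts-style port viewer does in PowerShell: list every TCP endpoint together with its owning process and executable path, and flag the entries such a tool would label "Unknown". It assumes Windows 8 / Server 2012 or later (for the NetTCPIP module's Get-NetTCPConnection) and an elevated session so that executable paths are readable for all processes. The function name Get-PortOwner and the status labels are this example's own.

```powershell
# Added example (not from the original thread): enumerate TCP endpoints with
# their owning process, as CurrPorts or TCPView do, and flag endpoints whose
# owner cannot be resolved. Assumes Windows 8 / Server 2012 or later and an
# elevated PowerShell session.

function Get-PortOwner {
    [CmdletBinding()]
    param()

    # Snapshot the process list once. Win32_Process exposes ExecutablePath,
    # which Get-Process leaves empty for processes we cannot open.
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $procs[[int]$_.ProcessId] = $_
    }

    Get-NetTCPConnection | ForEach-Object {
        $conn  = $_
        $owner = [int]$conn.OwningProcess      # not $PID, which is read-only
        $proc  = $procs[$owner]

        # PID 0 is what the stack reports when no user-mode process owns the
        # endpoint any more (typically TIME_WAIT leftovers) or when a kernel
        # component created it. A non-zero PID with no matching process means
        # the owner exited between the two snapshots.
        if ($owner -eq 0) {
            $status = 'NoOwner(PID 0)'
        } elseif ($null -eq $proc) {
            $status = 'Unresolved'
        } elseif ([string]::IsNullOrEmpty($proc.ExecutablePath)) {
            $status = 'PathHidden'
        } else {
            $status = 'Resolved'
        }

        if ($owner -eq 0 -or $null -eq $proc) {
            $name = 'Unknown'
            $path = $null
        } else {
            $name = $proc.Name
            $path = $proc.ExecutablePath
        }

        [pscustomobject]@{
            Local  = '{0}:{1}' -f $conn.LocalAddress,  $conn.LocalPort
            Remote = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
            State  = $conn.State
            PID    = $owner
            Name   = $name
            Path   = $path
            Status = $status
        }
    }
}

# Show only what a CurrPorts-style tool would label "Unknown". TIME_WAIT
# entries are excluded because they are expected to have no owner; anything
# left in an Established or Listen state with no resolvable owner is the
# interesting case.
Get-PortOwner |
    Where-Object { $_.Status -ne 'Resolved' -and $_.State -ne 'TimeWait' } |
    Sort-Object Remote |
    Format-Table -AutoSize
```

Run it twice a few seconds apart: an endpoint that stays in Established or Listen state with Status of NoOwner or Unresolved across both runs is not a transient socket from a process that has already exited, and is the kind of entry worth examining further with TCPView or through the support channel.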

Try TCPView from Sysinternals. Now, this is really not a Kaspersky issue, and since you are working with support it's probably best to carry on through that channel.
