
The name of the service is a 32-digit hex number. It might be randomly generated, since a Google search on the number did not find anything. It points to an EXE file which also has a hex number as its name, in a folder which also has a hex number as its name.

I suspect this could be some kind of malware, since the naming looks so strange, but a malware scan did not flag it. It might also be legitimate software which just has strange names for some reason.

In the Details tab of the EXE file properties, the file description is blank, but there is a product version ("3.13.11.3") and a copyright ("Copyright (C) 2014"), which doesn't help me a lot.

The question is: How do I identify what program the service actually is, since the file names do not give any clue?

Peter Mortensen
JacquesB
  • The properties of the .exe file should show some information about the author, name, version etc. in the Details tab ... at least for legitimate applications. – Gerald Schneider Apr 26 '17 at 08:35
  • Maybe try this https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx and see which process is using that .exe? – Mugurel Apr 26 '17 at 08:36
  • @Mugurel: Thank you for the suggestion, but I have stopped and disabled the service until I am sure it is legitimate software. – JacquesB Apr 26 '17 at 08:52
  • @GeraldSchneider: File description is blank, but there is a product version and copyright which doesn't tell me a lot. – JacquesB Apr 26 '17 at 08:57
  • If it's a CLSID, you can search for it in the registry. A CLSID looks like this: ED7BA470-8E54-465E-825C-99712043E01C – Diogenes deLight Apr 26 '17 at 08:59
  • It sounds very suspicious ... if I were you I'd [nuke the server from orbit](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) and restore backups. – Gerald Schneider Apr 26 '17 at 09:25
  • Did you try uploading the file to virustotal.com for a broader scan? But in general I agree with Gerald Schneider. Take the server off the network, restore it and check other Servers / Clients for suspicious files / processes and activities. – adiuva Apr 26 '17 at 09:54
  • @adiuva: Thanks, this helped me identify the software - it was a well-known adware. If you write this as an answer I will accept. – JacquesB Apr 26 '17 at 10:14
  • I suggest trying to decompile the EXE to search for more details using something like Resource Hacker http://www.angusj.com/resourcehacker/ – mrTomahawk May 03 '17 at 14:51

1 Answer


Did you try uploading the file to virustotal.com for a broader scan?
But in general I agree with Gerald Schneider. Take the server off the network, restore it and check other Servers / Clients for suspicious files / processes and activities.

adiuva
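One way to triage a service like this on the host itself before sending anything to VirusTotal, as an added example that is not part of the question or the answer: list every service whose name or binary path contains a 32-character hex string, then collect the executable's SHA256 hash, Authenticode signature status and version resource fields. The hash alone can be searched on virustotal.com without uploading the file; the function name `Get-HexNamedService` is an assumption of this example.

```powershell
# Added example (not from the thread). Finds services whose name or image path
# looks like a 32-character hex string and reports identifying data about the
# backing executable without running it. Function name is hypothetical.
function Get-HexNamedService {
    $hex32 = '[0-9A-Fa-f]{32}'

    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.Name -match $hex32 -or $_.PathName -match $hex32
    } | ForEach-Object {
        # Reduce "C:\path\file.exe" -args / C:\path\file.exe -args to the path
        $exe = $_.PathName -replace '^"([^"]+)".*$', '$1'
        $exe = $exe -replace '^(\S+\.exe).*$', '$1'

        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Warning "Service $($_.Name): binary not found at $exe"
            return
        }

        $sig = Get-AuthenticodeSignature -FilePath $exe
        $ver = (Get-Item -LiteralPath $exe).VersionInfo

        [pscustomobject]@{
            Service     = $_.Name
            State       = $_.State
            StartMode   = $_.StartMode
            Path        = $exe
            # Hash is enough for a VirusTotal search; no upload needed
            SHA256      = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            Signature   = $sig.Status           # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject
            Description = $ver.FileDescription  # blank in the question's case
            Product     = $ver.ProductName
            Company     = $ver.CompanyName
            Version     = $ver.ProductVersion   # e.g. 3.13.11.3 as seen by the asker
        }
    }
}

# Run from an elevated PowerShell prompt on the affected server
Get-HexNamedService | Format-List
```

A blank FileDescription together with NotSigned (or a signer you do not recognise) on a hex-named binary is the combination that warrants isolating the host, as the answer recommends, rather than simply re-enabling the service.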