Windows – How to identify this thesterious Windows service

malwarewindows

The name of the service is a 32-digit hex number. It might be randomly generated, since a Google search on the number did not find anything. It points to an EXE file which also has a hex number as name, in a folder which also have a hex number as name.

I suspect this could some kind of malware, since the naming looks so strange, but a malware scan did not flag it. It might also be legitimate software which just have strange names for some reason.

The question is: How do I identify what program the service actually is, since the file names do not give any clue?

Best Answer

Did you try uploading the file to virustotal.com for a broader scan?
But in general I agree with Gerald Schneider. Take the server off the network, restore it and check other Servers / Clients for suspicious files / processes and activities.

Related Solutions

Windows – How to find what process is holding a file open in Windows

I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.

To find a specific file, use the menu option Find->Find Handle or DLL... Type in part of the path to the file. The list of processes will appear below.

If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.

Examples

c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\" (finds all files opened from drive e:\"
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"

Windows – Adding Dependency to a Service After Installation

This can also be done via an elevated command prompt using the sc command. The syntax is:

sc config [service name] depend= <Dependencies(separated by / (forward slash))>

Note: There is a space after the equals sign, and there is not one before it.

Warning: depend= parameter will overwrite existing dependencies list, not append. So for example, if ServiceA already depends on ServiceB and ServiceC, if you run depend= ServiceD, ServiceA will now depend only on ServiceD. (Thanks Matt!)

Examples

Dependency on one other service:

sc config ServiceA depend= ServiceB

Above means that ServiceA will not start until ServiceB has started. If you stop ServiceB, ServiceA will stop automatically.

Dependency on multiple other services:

sc config ServiceA depend= ServiceB/ServiceC/ServiceD/"Service Name With Spaces"

Above means that ServiceA will not start until ServiceB, ServiceC, and ServiceD have all started. If you stop any of ServiceB, ServiceC, or ServiceD, ServiceA will stop automatically.

To remove all dependencies:

sc config ServiceA depend= /

To list current dependencies:

sc qc ServiceA