Security >> Unknown process running

Moore's
Posted: Fri Nov 12 05:59:15 CST 2004

I have a process running that I have never seen before called HOKHIDK.EXE.
Can anyone tell me what it is?
Windows OS321

Dave
Posted: Fri Nov 12 05:59:15 CST 2004

Not even Google knows this one. That means it is likely a randomly
generated virus file name. Make sure your virus scanner is up to date
(today's date, not yesterday or last week) and then scan with everything
else you can find if that doesn't work.

Tim
Posted: Fri Nov 12 07:32:54 CST 2004

Done everything: virus scan, Ad-Aware scan, Spybot scan, CWShredder scan.
Cannot find anything wrong.

Dave
Posted: Fri Nov 12 11:22:25 CST 2004

Then search your HD for it and see what folder it's in; maybe that will tell
you what it is for. Also try to right-click and check Properties and see if
the revision info says what it's for. If it's nothing that you recognize or
have installed recently, try stopping the process and see what breaks.

Karl
Posted: Fri Nov 12 22:44:21 CST 2004

Then do a second opinion scan by going to http://housecall.antivirus.com
and/or submit the file to your anti-virus vendor using the instructions on
their site or the anti-virus vendor submission email addresses given here in
a previous post. Most likely either your anti-virus vendor needs to add a
new signature by inspecting a copy of the file, or something has caused your
anti-virus to fail to work correctly, possibly a virus that carefully
cripples anti-virus. You can also go to www.eicar.com and download the safe
eicar anti-virus test file and see if your anti-virus detects that.

Tim
Posted: Sat Nov 13 05:04:53 CST 2004

Hi Karl,
It wouldn't allow me to run the housecall, it said applet crashed, so how do I
check?
I have also tried running a search for the file but it doesn't appear to be
there.
It seems to have mysteriously disappeared.

Karl
Posted: Sat Nov 13 08:12:11 CST 2004

> Hi Karl,
> It wouldn't allow me to run the housecall it said applet crashed so how do I
> check?

There are also on-line virus scanners here:

http://security2.norton.com
http://www.kasperskylabs.com/remoteviruschk.html

> I have also tried running a search for the file but it doesn't appear to be
> there
> It seems to have mysteriously disappeared

Is it still listed in the list of running processes?

It could be that the file was actually removed by something you did, or it
is using ADS to conceal itself from the completely inadequate utilities
Microsoft gave you with Windows like Windows Explorer that as recently as
Windows 2003 still hides ADS from you due to poor planning and lack of
foresight. You may be able to see ADS files starting up in the Registry by
using something like MSCONFIG [which doesn't exist in Windows 2000] or
better yet, use both Silent Runners from www.silentrunners.org and
Autostart Explorer from www.trojanhunter.com/products. ADS is usually
shown in the Registry as c:\folder\filename1:filename2

ADS can also be seen by using a tool like LADS, although note that Windows
uses ADS to hide files relating to image thumbnails and XP SP2 AES security
settings, even though hiding files from the user has proven to be a
monumentally bad security problem.

http://www.heysoft.de/nt/ep-lads.htm or another similar tool is from
www.foundstone.com/knowledge

It could also be that a Windows root kit like Hacker Defender is being used
to hide the file from you. Such root kits can be seen if you download and
run RKDETECT [which can be found by searching www.google.com]. You can also
see root kits if you boot to another OS such as the Linux rescue disk from
www.bitdefender.com, or if you scan the computer from another computer via
Windows networking, or if you take the hard drive and slave it in another
Windows computer, though these are generally more difficult than running
RKDETECT.
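
Added example, not part of Karl's post or any tool he names: a Python check that looks for the `c:\folder\filename1:filename2` form he describes inside autostart command lines. The sample Run values and all function names are constructed for illustration; only the first token rule (drive or UNC path) decides what counts as a path, so URLs with ports are not misread as streams.

```python
import re

# Constructed sample: autostart value name -> command line, in the shape a
# Run-key export would give. Not data from the thread.
SAMPLE_RUN_VALUES = {
    "Updater": r'"C:\Program Files\Vendor\update.exe" /background',
    "Helper": r"c:\folder\filename1:filename2",
    "Quoted": r'"C:\WINNT\system32:svc.exe" -k',
    "UrlArg": r"C:\tools\fetch.exe http://example.test:8080/x",
    "Rundll": r"rundll32.exe C:\WINNT\shell.dll,Control_RunDLL",
}

TOKEN = re.compile(r'"([^"]*)"|(\S+)')           # quoted string or bare word
PATHLIKE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive path or UNC path


def ads_stream(path):
    """Return (host_file, stream_name) if path names an ADS, else None."""
    # Skip the drive-letter colon so only a later colon counts.
    rest = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    if ":" not in rest:
        return None
    host_rest, stream = rest.split(":", 1)
    stream = stream.split(":", 1)[0]   # drop a type suffix such as ":$DATA"
    if not stream:                     # "file::$DATA" is the default stream
        return None
    return path[: len(path) - len(rest)] + host_rest, stream


def find_ads_autostarts(run_values):
    """List (value_name, host_file, stream_name) for every ADS path found."""
    findings = []
    for name, command in sorted(run_values.items()):
        for quoted, bare in TOKEN.findall(command):
            token = quoted or bare
            if PATHLIKE.match(token):
                hit = ads_stream(token)
                if hit:
                    findings.append((name, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for name, host, stream in find_ads_autostarts(SAMPLE_RUN_VALUES):
        print("%s: stream %r attached to %s" % (name, stream, host))
```

The "Quoted" sample shows a stream attached to a directory rather than a file, which the same colon rule catches.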

Tim
Posted: Sat Nov 13 16:44:21 CST 2004

Karl, this is ridiculous, it is back again. I haven't installed anything new
except Opera browser 7.6. I asked them on the Opera chat if they knew what
HOKHIDK.EXE was and they have no idea. I have just cancelled the process but
it appears when I restart the system.
Something is stopping AV scanners doing their job. I could only install
Norton online virus scan after I had ended the process; trouble is I cannot
find it to stop whatever it does.

Tim
Posted: Sat Nov 13 17:04:56 CST 2004

I have now run every scanner here and it shows no infection, but the process
still keeps coming back. What the hell is it?

Dave
Posted: Sun Nov 14 06:26:53 CST 2004

It's one of many infections that disables virus scanners. Try rebooting to
safe mode, kill any unknown process you may find there, and then run a scan.
Some of these things install a service that looks like a normal Windows
service, like scvhost instead of svchost, or other similar masquerades in
addition to the one you are noticing... kill one and the other restarts
it... sometimes with a randomly generated file name... or sometimes with a
real Windows name but out of the wrong folder... svchost from the c:\winnt
instead of c:\winnt\system32... very sneaky and very tough to get rid of.
Some of them are even more fun: they close down Task Manager, regedit,
msconfig and other tools as fast as you open them. You may want to ask in
a virus-specific group; they may have more direct fixes.
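
Added example, not part of Dave's post: a Python check for the two masquerades he names, a lookalike name (scvhost for svchost) and a real Windows name running from the wrong folder (svchost from c:\winnt instead of c:\winnt\system32). The baseline table, sample paths and function names are assumptions made for illustration.

```python
import ntpath

# Assumed baseline for illustration: system binary -> folder it should run
# from, using the C:\WINNT layout named in the post. Extend per host.
EXPECTED = {
    "svchost.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}

# Constructed process image paths, not taken from the thread.
SAMPLE_PATHS = [
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\svchost.exe",
    r"C:\WINNT\system32\scvhost.exe",
    r"C:\WINNT\explorer.exe",
]


def osa_distance(a, b):
    """Edit distance that counts one adjacent swap as a single edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Transposition: the last two characters of each prefix swapped.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(image_path):
    """Return (kind, name, reference) for a suspicious path, else None."""
    folder, name = ntpath.split(image_path.lower())
    if name in EXPECTED:
        if folder != EXPECTED[name]:
            return ("wrong-folder", name, EXPECTED[name])
        return None
    for known in EXPECTED:
        if osa_distance(name, known) == 1:
            return ("lookalike", name, known)
    return None


def review(paths):
    """Return the findings for every path that classify() flags."""
    return [hit for hit in map(classify, paths) if hit]
```

A randomly generated file name matches neither rule, so this check complements an autostart review rather than replacing it.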

Karl
Posted: Sun Nov 14 11:23:06 CST 2004

> it's one of many infections that disables virus scanners. try rebooting to
> safe mode, kill any unknown process you may find there, and then run a scan.
> some of these things install a service that looks like a normal window
> service like scvhost instead of svchost or other similar masquerades in
> addition to the one you are noticing... kill one and the other restarts
> it...

Agreed. Often there are two or more services. I'm surprised the web-based
scanners didn't detect anything. If you can find that file [it might now
have a new random file name], submit it to one or more anti-virus vendors.

If you can't find that file, try running RKDETECT and Silent Runners [the
latter can be gotten from www.silentrunners.org].

If there is a root kit, you may be able to find the file by making a new
copy of CMD.EXE or COMMAND.COM or EXPLORER.EXE in the root of your C:\
drive, then rename it to the name of the hidden file with a 1 after it [such
as HOKHIDK1.EXE or also try HXDEF1.EXE] then press the F5 key to refresh
the window. If the file disappears, you probably have a root kit. You can
still run the file by clicking Start, Run, typing C:\HOKHIDK1.EXE or
whatever and clicking OK. You should then get a black DOS command prompt
where the root kit files will not be hidden from you or from any command or
program you start from this window. You should then be able to copy the
file to a floppy, run anti-virus, stop the service using the NET START and
then NET STOP [servicename] commands, use MSCONFIG to disable the services
in question from re-starting at startup, etc. etc.