Multiple instances of unknown icon appearing in taskbar

awwsomeim

New Member
For a couple of weeks now, I have been getting an unknown icon that appears in the taskbar (running apps). When I open the taskbar icon, I can see multiple instances, but after opening they close quickly. I am not sure what it is.

Any sort of help would be great.

Screenshot-1030-LI.jpg
 

Neemobeer

Cyber Security Engineer
Staff member
I would either export a list of running processes from PowerShell:
Get-Process | Select Name,Path | Export-Csv "$($env:userprofile)\Desktop\process.csv" -NoTypeInformation
and upload it to look at, or

Download Procexp, run it, and select Process > Check VirusTotal; if there's anything malicious, it should ID it for you. Alternatively, in Procexp, look at the process icons for those strange icons, and that will likely help you ID them too.
 

awwsomeim

New Member
I downloaded Procexp and ran it to see all the processes. However, it didn't show me the process icon that I attached earlier in the thread. To my surprise, when I opened the taskbar (running apps), there were around 20 instances running, and they all closed within a second, but I was able to capture a few.

I'll try to record a video next time. This has started to freak me out now.

Screenshot-1032.png
 

Neemobeer

Cyber Security Engineer
Staff member
Could be some kind of crypto miner malware.
In Procexp there should be an option to turn off the refresh, so it should capture the processes and not refresh when the processes close.
 

awwsomeim

New Member
I ran the following script to document all the processes that are running in the system each minute.

I got surprising results from my analysis. The multiple instances don't appear in the process list at all. However, two processes, "smartscreen.exe" and "SystemIdleCheck.exe", started immediately after the instances of this unknown process closed. Both "smartscreen.exe" and "SystemIdleCheck.exe" were purportedly closed by malware earlier. My analysis is that somehow this process is able to hide itself from the process managers.

Please suggest what I should do. This is driving me crazy.


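rem Write the output of tasklist to a numbered file once a minute
if not exist c:\process_dump mkdir c:\process_dump
:start
set /a var+=1
if %var% EQU 100000 goto end
echo %var%
tasklist > c:\process_dump\process_list_%var%.txt
timeout 60 > NUL
goto start

:end
echo var has reached %var%.
pause
exit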
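
A once-a-minute tasklist snapshot like the script above can miss processes that start and exit between two snapshots, which fits instances that close within a second. The following is an added example, not part of the original post or written by any poster in this thread: it subscribes to process-start events in PowerShell and logs each one as it happens. The log file name and the `ProcStartLog` identifier are assumptions chosen for illustration, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: log every process start, including ones that exit within a second.
# Win32_ProcessStartTrace events are only delivered to an elevated (administrator) session.
$logPath = Join-Path $env:USERPROFILE 'Desktop\process_starts.csv'   # assumed output location
$sourceId = 'ProcStartLog'                                           # assumed subscription name

$action = {
    $e = $Event.SourceEventArgs.NewEvent

    # Best effort: a short-lived process may already have exited, leaving these empty.
    $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)" -ErrorAction SilentlyContinue
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Time            = $Event.TimeGenerated.ToString('s')
        Name            = $e.ProcessName
        ProcessId       = $e.ProcessID
        ParentProcessId = $e.ParentProcessID
        ParentName      = $parent.Name
        Path            = $proc.ExecutablePath
        CommandLine     = $proc.CommandLine
    } | Export-Csv -Path $Event.MessageData -Append -NoTypeInformation
}

# The event itself always carries the name, PID and parent PID, even if the lookups above fail.
Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
    -SourceIdentifier $sourceId -Action $action -MessageData $logPath | Out-Null

Write-Host "Logging process starts to $logPath. Press Ctrl+C to stop."
try {
    # Keep the session alive; the action block runs each time a process starts.
    while ($true) { Wait-Event -Timeout 1 | Out-Null }
}
finally {
    # Remove the subscription so it does not linger in the session.
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
}
```

Leave it running until the icons appear again, then open the CSV and look at the rows around that time; the ParentName column shows which process launched each short-lived instance.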
 

Neemobeer

Cyber Security Engineer
Staff member
That is possible, typical of rootkits. Probably will need to boot into safe mode and scan or take it to a shop to get it cleaned up.
 