Security Incidents mailing list archives

Anyone seen this before?


From: "Michael B. Morell" <MMorell () vdat com>
Date: Tue, 2 Jul 2002 18:04:55 -0400

I found an odd application running on a 2k server box that I have not seen before, or that is at least not obvious to me.

In Task Manager, the application 'address' (w/o quotes) is running and is linked to the explorer.exe proc.

<!--begin the obvious-->
I verified that the explorer.exe was the correct size. There was only 1 running, with a normal thread count.

I checked hklm...\currentversion\run (RunOnce, RunServices) and nothing was in it. Startup, same, nothing.

I ran fport and fscan and nothing out of the ordinary popped up; netstat -a also did not show anything out of the ordinary. I also ran several other scanners against the machine and no known vulns that were unexpected popped up.

IIS, Index service, etc. are not running. All mappings removed, services disabled. SP2, all app hotfixes installed. Pretty secure machine when run against normal audits. It is facing the public, so the standard extra precautions have been taken.
<!--end the obvious-->

If anyone has seen this before please let me know. A search on Google did not provide any solid leads. I did follow through on checking for known Code Red/Nimda/things that were close but not really leads.

I appreciate any insight from the list.

Oh, and please don't bother to tell me to blow away the OS and start from scratch. While I appreciate the suggestion, I'm looking for leads, not the obvious.

Thanks,

Mike

--------------------------------------------------------
\Your mission is to destroy users' will to use bandwidth/
--------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
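The checks the post walks through by hand (who launched the process and from where, the Run-style registry keys, and which processes own listening sockets) can be gathered in one pass. The script below is an added example written for this archive page; it is not from the original post or from any tool the poster used. It assumes a current Windows host with PowerShell 5 or later and the Get-NetTCPConnection cmdlet (Windows 8 / Server 2012 or newer), so it would not run on the Windows 2000 box described in the thread; the process name is taken from the post as a placeholder parameter.

```powershell
# Added example, not from the original post. Triage an unexplained process name
# the way the post did by hand: origin and parent, Run-style persistence keys,
# and listening sockets. Assumes PowerShell 5+ and Get-NetTCPConnection
# (Windows 8 / Server 2012 or later). Run from an elevated prompt so that
# ExecutablePath and OwningProcess are populated for every process.
param(
    [string]$ProcessName = 'address'   # placeholder: the name shown in Task Manager, without ".exe"
)

# 1. Origin: on-disk path, command line, hash, signature and parent process.
$filter = "Name = '$($ProcessName).exe' OR Name = '$($ProcessName)'"
$procs  = Get-CimInstance Win32_Process -Filter $filter
if (-not $procs) { Write-Host "No running process named '$ProcessName' found." }
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $onDisk = $p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)
    $hash   = if ($onDisk) { (Get-FileHash -Algorithm SHA256 -LiteralPath $p.ExecutablePath).Hash } else { '<path unavailable>' }
    $signed = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $p.ExecutablePath).Status } else { 'n/a' }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Path        = $p.ExecutablePath      # empty for protected/system processes or without elevation
        CommandLine = $p.CommandLine
        Parent      = "$($parent.Name) (PID $($p.ParentProcessId))"
        SHA256      = $hash
        Signature   = $signed
    } | Format-List
}

# 2. Persistence: the Run-style keys the post checked, for the machine and the current user.
$runKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce' | ForEach-Object {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\$_"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Drop the PS* provider properties so only the registry values remain.
    $values = Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS*
    foreach ($v in $values.PSObject.Properties) {
        '{0}  {1} = {2}' -f $key, $v.Name, $v.Value
    }
}

# 3. Exposure: every listening TCP port mapped to its owning process (the fport / netstat -a step).
Get-NetTCPConnection -State Listen | ForEach-Object {
    $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = $owner.ProcessName
        Path         = $owner.Path
    }
} | Sort-Object LocalPort | Format-Table -AutoSize
```

Save it as a .ps1 and invoke it with `-ProcessName <name>` for any other unexplained entry. An empty Path with a populated CommandLine, a parent that is not the expected launcher, an unsigned binary in a user-writable directory, or a listener owned by a process that has no business listening are the findings worth following up; a Run key that is empty does not rule out the other autostart locations (services, scheduled tasks, Winlogon keys), which this script does not enumerate.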
