On 2004-11-15 Jim McBurnett wrote:
> Ok, I have a machine that has this program running under any user that
> logs into the machine.
> This process spawns anywhere from 1-10 times, and uses up to 60% of the
> Processor...
> Antivirus found nothing (on the machine and from a web version), Spybot
> found nothing,
> And all web searches prove useless.
The filename may be chosen randomly.
> I cannot terminate it as it spawns and vanishes constantly changing the
> process ID..
> It is listed in the registry
By "listed in the registry" you mean one of the "run" keys?
> as Microsoft Update machine.
There's no such thing.
> BUT there is nothing on the Microsoft website about it.
>
> And it is located in the windows\system32 folder as an EXE file and a
> folder called c:\windows\prefetch as a .pf file.
Submit it to the AV vendors. Nick FitzGerald more or less regularly
posts a list of e-mail addresses the AV vendors provide for this
purpose. Have a look at the archive of the Incidents list.
> It sounds like it may be a Microsoft component, but I just do not know..
> It is not on 3 other Windows XP machines in the office..
> The system is running SP1
Have a look at the file's properties. Run strings [1] against it. Maybe
that will give you some clues.
Also have a look at Harlan Carvey's page [2].
HTH
[1] http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
[2] http://www.windows-ir.com/
Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
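The two concrete checks in the reply above, running strings against the unknown EXE and asking whether it sits in one of the "Run" keys, as an added example that is not part of the original message and is not the Sysinternals tool: a small Python strings scanner run over a constructed stand-in for the file. It goes a step beyond a plain ASCII scan by also pulling UTF-16LE runs, because Windows executables keep registry paths, URLs and filenames in UTF-16LE and an ASCII-only pass (GNU strings without `-e l`) silently drops them. `SAMPLE_BINARY`, `triage()` and its bucket names are assumptions made for the example; the minimum length of 4 follows the usual strings default.

```python
"""Minimal `strings`-style scanner for a suspicious Windows executable.

Finds runs of printable ASCII and of UTF-16LE text, then buckets the hits
by the questions asked in the thread: an autostart (Run) key path, a URL,
or Windows API import names. Added example; not the original tool.
"""
import re
import sys
from typing import Dict, List, Tuple

MIN_LEN = 4  # usual minimum string length for strings-type tools

# Printable ASCII (0x20-0x7e) runs of MIN_LEN or more.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE runs: each printable ASCII byte followed by a NUL byte.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed sample blob standing in for the unknown EXE: a PE-style stub,
# a UTF-16LE registry path, a UTF-16LE URL and two ASCII import names, with
# binary filler in between. Hypothetical data, not a real file.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$"
    b"\x00\x01\x02\x03"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\xff\xfe\x00\x00ab\x7f\x80"
    + "http://example.invalid/update".encode("utf-16-le")
    + b"\x00\x00kernel32.dll\x00CreateProcessA\x00"
)


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII or UTF-16LE run,
    ordered by file offset so the two encodings interleave as in the file."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def triage(data: bytes) -> Dict[str, List[str]]:
    """Rough first-pass classification of the extracted strings.

    run_keys: anything naming a CurrentVersion\\Run path (persistence hint)
    urls:     http/https strings worth checking against proxy/firewall logs
    imports:  DLL names and CamelCase Win32 API names ending in A/W
    other:    everything else, for manual review
    """
    buckets: Dict[str, List[str]] = {
        "run_keys": [], "urls": [], "imports": [], "other": []
    }
    for _, _, text in extract_strings(data):
        lowered = text.lower()
        if "currentversion\\run" in lowered:
            buckets["run_keys"].append(text)
        elif lowered.startswith(("http://", "https://")):
            buckets["urls"].append(text)
        elif lowered.endswith(".dll") or re.fullmatch(r"(?:[A-Z][a-z0-9]+)+[AW]", text):
            buckets["imports"].append(text)
        else:
            buckets["other"].append(text)
    return buckets


if __name__ == "__main__":
    # Usage: python strings_triage.py <file.exe>; without an argument the
    # constructed sample is scanned instead.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for off, enc, text in extract_strings(blob):
        print(f"{off:08x} {enc:8} {text}")
    for bucket, items in triage(blob).items():
        print(f"{bucket}: {items}")
```

On the sample this lists the DOS stub text, the Run-key path and the URL (both only visible via the UTF-16LE pass), and the two import names. A Run-key string inside the binary is not proof that the file registered itself there; it is the pointer that tells you which key to inspect on the host, and a URL string is what you take to the proxy logs to see whether the machine has been talking to it.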