Back to list
Nov 15 2004 01:48PM
Jim McBurnett (jim tgasolutions com)
Nov 16 2004 09:59PM
Jeff Bryner (jbryner1 yahoo com)
Nov 17 2004 12:07AM
Jon O. (jono networkcommand com)
Nov 16 2004 08:30PM
KC Ferguson (4g-forensics 5834 net)
Nov 16 2004 01:39PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
On 2004-11-15 Jim McBurnett wrote:
> Ok, I have a machine that has this program running under any user that
> logs into the machine.
> This process spawns anywhere from 1- 10 times, and uses up to 60% of the
> Antivirus found nothing(on the machine and from a web version), Spybot
> found nothing,
> And all web searches prove useless.
The filename may be chosen randomly.
> I cannot terminate it as it spawns and vanishes constantly changing the
> process ID..
> It is listed in the registry
By "listed in the registry" you mean one of the "run" keys?
> as Microsoft Update machine.
There's no such thing.
> BUT there is nothing on the Microsoft website about it.
> And is is located in the windows\system32 folder as an EXE file and a
> folder called c:\windows\prefetch as a .pf file.
Submit it to the AV vendors. Nick FitzGerald more or less regularly
posts a list of e-mail addresseses the AV vendors provide for this
purpose. Have a look at the archive of the Incidents list.
> It sounds like it may be a Microsoft component, but I just do not know..
> It is not on 3 other Windows XP machines in the office..
> The system is running SP1
Have a look at the file's properties. Run strings  against it. Maybe
that will give you some clues.
Also have a look at Harlan Carvey's page .
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[ reply ]
Nov 16 2004 01:23PM
Robert J. Wright (bwrig zdgt com)
Copyright 2010, SecurityFocus