Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Amlafvc.exe?

from [Robert J. Wright] Network Security [Permanent Link]
Subject: RE: Amlafvc.exe?
Date: Tue, 16 Nov 2004 08:23:52 -0500 
Hi Jim,

I haven't heard of this file before, but that doesn't mean its legit... In
this case I would obtain something towards the effect of the program "Open
Ports" to see if its accepting outside connections... I would also use my
firewall and capture the traffic to and from that box, (you can also use
tcpdump)... The reason im focusing my thoughts towards the network, is that
it sounds like its probably a bot or worm of some sort and would be easily
detected via one of the above methods.

Robert J. Wright
Network Administrator
Zollinger, D'Atri, Gruber, Thomas & Co.

-----Original Message-----
From: Jim McBurnett [mailto:jim@tgasolutions.com] 
Sent: Monday, November 15, 2004 8:49 AM
To: forensics@securityfocus.com
Subject: Amlafvc.exe?

Ok, I have a machine that has this program running under any user that
logs into the machine.
This process spawns anywhere from 1- 10 times, and uses up to 60% of the
Processor...
Antivirus found nothing(on the machine and from a web version), Spybot
found nothing,
And all web searches prove useless.

I cannot terminate it as it spawns and vanishes constantly changing the
process ID..
It is listed in the registry as Microsoft Update machine.
BUT there is nothing on the Microsoft website about it.

And is is located in the windows\system32 folder as an EXE file and a
folder called c:\windows\prefetch as a .pf file.


It sounds like it may be a Microsoft component, but I just do not know..
It is not on 3 other Windows XP machines in the office..
The system is running SP1


IDEAS?


Thanks,
Jim

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: MD5 Collisions and Evidence Integrity, Gary Kessler
Next by Date:  Re: Amlafvc.exe?, Ansgar -59cobalt- Wiechers
Previous by Thread:  Amlafvc.exe?, Jim McBurnett
Next by Thread:  Re: Amlafvc.exe?, Ansgar -59cobalt- Wiechers
Indexes:  [Date] [Thread] [Top] [All Lists]