On 2004-11-15 Jim McBurnett wrote:
Ok, I have a machine that has this program running under any user that
logs into the machine.
This process spawns anywhere from 1- 10 times, and uses up to 60% of the
Processor...
Antivirus found nothing(on the machine and from a web version), Spybot
found nothing,
And all web searches prove useless.
The filename may be chosen randomly.
I cannot terminate it as it spawns and vanishes constantly changing the
process ID..
It is listed in the registry
By "listed in the registry" you mean one of the "run" keys?
as Microsoft Update machine.
There's no such thing.
BUT there is nothing on the Microsoft website about it.
And is is located in the windows\system32 folder as an EXE file and a
folder called c:\windows\prefetch as a .pf file.
Submit it to the AV vendors. Nick FitzGerald more or less regularly
posts a list of e-mail addresseses the AV vendors provide for this
purpose. Have a look at the archive of the Incidents list.
It sounds like it may be a Microsoft component, but I just do not know..
It is not on 3 other Windows XP machines in the office..
The system is running SP1
Have a look at the file's properties. Run strings [1] against it. Maybe
that will give you some clues.
Also have a look at Harlan Carvey's page [2].
HTH
[1] http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
[2] http://www.windows-ir.com/
Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
