Prefetch (also called Scenario) File:
Prefetch files are essentially a resource list. Any time a program is executed,
Windows XP will attempt to find a pre-existing prefetch file, and if it's
available, it will use it to make the application load up faster. The file will
also be updated after it is accessed, so that the more an application is used,
the bigger the drop in loading time (to a point). If the application doesn't
already have an associated prefetch file, Windows XP will create one. Those
files are stored in the \%windir%\prefetch directory. One important note is
that the process depends on the Task Scheduler service. If the Task Scheduler
service isn't running, the prefetch mechanism isn't used and the files won't be
read or updated.
Load fport and check if the process is tied to a port communicating somewhere,
and you'll have to do all the basic forensic details to find more information
about this rogue process.
Eduardo
-----Original Message-----
From: Jim McBurnett [mailto:jim@tgasolutions.com]
Sent: Monday, November 15, 2004 7:49 AM
To: forensics@securityfocus.com
Subject: Amlafvc.exe?
Ok, I have a machine that has this program running under any user that
logs into the machine.
This process spawns anywhere from 1- 10 times, and uses up to 60% of the
Processor...
Antivirus found nothing(on the machine and from a web version), Spybot
found nothing,
And all web searches prove useless.
I cannot terminate it as it spawns and vanishes constantly changing the
process ID..
It is listed in the registry as Microsoft Update machine.
BUT there is nothing on the Microsoft website about it.
And is is located in the windows\system32 folder as an EXE file and a
folder called c:\windows\prefetch as a .pf file.
It sounds like it may be a Microsoft component, but I just do not know..
It is not on 3 other Windows XP machines in the office..
The system is running SP1
IDEAS?
Thanks,
Jim
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
***************************************************************************************************
The information in this email is confidential and may be legally privileged.
Access to this email by anyone other than the intended addressee is
unauthorized. If you are not the intended recipient of this message, any
review, disclosure, copying, distribution, retention, or any action taken or
omitted to be taken in reliance on it is prohibited and may be unlawful. If
you are not the intended recipient, please reply to or forward a copy of this
message to the sender and delete the message, any attachments, and any copies
thereof from your system.
***************************************************************************************************
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
