
Re: Amlafvc.exe?

Subject: Re: Amlafvc.exe?
Date: 17 Nov 2004 11:34:59 -0000
In-Reply-To: <5432D045DAFD8040BCE549749263BD0023AB69@testsystem2.tga.local>

> Ok, I have a machine that has this program running under any user that
> logs into the machine.

I think you need to be more specific...and yes, you can.  ;-)  I know you're 
probably shaking your head, but here's the distinction...are you saying that 
this program runs regardless of which user is logged in, be it a user or an 
admin?  Once you answer that question, try to look at the 'how'...is there an 
entry in the HKLM\..\Run key, or in the "All Users" startup directory?

> This process spawns anywhere from 1-10 times, and uses up to 60% of the
> Processor...
> Antivirus found nothing (on the machine and from a web version), Spybot
> found nothing,

Not surprising.  However, is your A/V (which product??) up to date?  When was 
it last updated (engine *and* signatures)?  I went to the SARC site and found 
several entries (including GAOBot) for worms that create a "Microsoft Update" 
entry in the Run key (below).

> And all web searches prove useless.

Again, not surprising.  The filename doesn't look regular...I wouldn't think 
that you'd find anything, but it was worth a shot.

> I cannot terminate it as it spawns and vanishes constantly changing the
> process ID..

I'm guessing that you're doing this via the Task Manager.  There may be some 
other process that is responsible for maintaining this one, or it may be part 
of the code itself...when it receives the command to terminate, it launches 
itself again.

> It is listed in the registry as Microsoft Update machine.

Where in the Registry?  

> BUT there is nothing on the Microsoft website about it.

Ok.

> And it is located in the windows\system32 folder as an EXE file and a
> folder called c:\windows\prefetch as a .pf file.

I'd be more concerned with the EXE file.

> It sounds like it may be a Microsoft component, but I just do not know..

What makes you say that?  Have you tried to get file version information from 
it, and found that it says it's a Microsoft file?  

Here's what I recommend that you do...get a copy of tlist.exe from the 
Microsoft Debugging Tools (*not* the Resource Kit).  Run it with the "-c", "-t" 
and "-s" switches, redirecting the output to different files.  Then get a copy 
of autorunsc.exe from SysInternals and run it, saving the output to a file with 
the .csv extension.  Do the same thing with listdlls.exe and handle.exe (also 
from SysInternals). Then go to DiamondCS (http://www.diamondcs.com.au) and get 
a copy of openports.exe and run it, redirecting the output to a file.  Then go 
to NTSecurity.nu and get a copy of pmdump.exe, and use it to dump the contents 
of the process memory to a file.  Save all of this information, as well as a 
copy of the EXE itself, off to another system (or CD, thumb drive, etc), and 
shut the system down.

Analyze the data to determine the issue, as well as your next course of action. 
If you'd like some assistance, let me know.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
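The two technical pieces of this reply, the "how" check for the Run keys and the "All Users" Startup folder, and the volatile-data collection sequence (tlist, autorunsc, listdlls, handle, openports, pmdump, then copying off the EXE), are gathered below into a single cmd batch file. This is an added example, not part of Carvey's message or of any of the tools' own documentation. It assumes the tool binaries sit in a TOOLS directory on removable media, that output goes to an OUT directory on that same media rather than the suspect disk, that the process name is the one from the thread, and that the current Sysinternals switches (-accepteula, autorunsc -c for CSV, handle -a) and the pmdump calling convention pmdump <pid> <file> apply; the openports.exe invocation is left as a bare run with redirection, exactly as the message describes.

```batch
@echo off
rem Added example (not from the original post): volatile-data collection
rem following the steps recommended in the reply above.
rem Assumptions: TOOLS holds the Debugging Tools, Sysinternals, DiamondCS and
rem NTSecurity.nu binaries; OUT is on removable media, not the suspect disk.
setlocal EnableExtensions

set "TARGET=amlafvc.exe"
set "TOOLS=E:\tools"
set "OUT=E:\evidence\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"

echo Collection started %DATE% %TIME% on %COMPUTERNAME% > "%OUT%\collection.log"

rem --- The "how": persistence locations named in the thread -------------------
rem Machine-wide and per-user Run keys, plus the "All Users" Startup folder
rem (both the XP-era path and the Vista-and-later path are tried).
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" > "%OUT%\run_hklm.txt"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" > "%OUT%\run_hkcu.txt"
dir /a "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" > "%OUT%\startup_allusers.txt" 2>nul
dir /a "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup" >> "%OUT%\startup_allusers.txt" 2>nul

rem --- Process list, process tree, services (tlist.exe from the Debugging Tools,
rem not the Resource Kit), each switch to its own file as the reply suggests.
"%TOOLS%\tlist.exe" -c > "%OUT%\tlist_c.txt"
"%TOOLS%\tlist.exe" -t > "%OUT%\tlist_t.txt"
"%TOOLS%\tlist.exe" -s > "%OUT%\tlist_s.txt"

rem --- Autostart entries (CSV), loaded DLLs and open handles (Sysinternals).
rem -accepteula stops the licence dialog from blocking an unattended run.
"%TOOLS%\autorunsc.exe" -accepteula -c > "%OUT%\autoruns.csv"
"%TOOLS%\listdlls.exe" -accepteula > "%OUT%\listdlls.txt"
"%TOOLS%\handle.exe" -accepteula -a > "%OUT%\handle.txt"

rem --- Listening and connected ports (DiamondCS openports.exe)
"%TOOLS%\openports.exe" > "%OUT%\openports.txt"

rem --- File version information: the evidence behind any "Microsoft component" claim
wmic datafile where "name='C:\\WINDOWS\\system32\\%TARGET%'" get Manufacturer,Version,FileSize /format:list > "%OUT%\fileversion.txt"

rem --- Process memory (pmdump <pid> <file>, assumed calling convention).
rem The process relaunches under a new PID, so every instance present at this
rem moment is dumped; lines without a PID token are skipped by for /f.
for /f "tokens=2 delims=," %%P in ('tasklist /FI "IMAGENAME eq %TARGET%" /FO CSV /NH') do (
    echo Dumping PID %%~P >> "%OUT%\collection.log"
    "%TOOLS%\pmdump.exe" %%~P "%OUT%\pmdump_%%~P.dmp"
)

rem --- Copy the binary and its prefetch file(s) to the evidence store
copy /Y "%SystemRoot%\system32\%TARGET%" "%OUT%\" >> "%OUT%\collection.log"
copy /Y "%SystemRoot%\Prefetch\%TARGET%-*.pf" "%OUT%\" >> "%OUT%\collection.log" 2>nul

rem --- Hash everything collected, written outside OUT so the list is stable
rem (certutil -hashfile exists on Vista and later; older hosts need another tool).
for %%F in ("%OUT%\*") do certutil -hashfile "%%~F" SHA256 >> "%OUT%_hashes.txt" 2>nul

echo Collection finished %DATE% %TIME% >> "%OUT%\collection.log"
echo Evidence is in %OUT%. Confirm it reads from another system before
echo shutting this machine down as the final step.
rem shutdown /s /t 0   (left commented: run only after the evidence is verified off-box)
endlocal
```

Run it from an elevated prompt with the removable media mounted as E:, adjusting TOOLS and OUT as needed. Ordering matters: the registry and process snapshots come first because they are the most volatile, the memory dump is taken before the EXE is touched so the running image is captured as-is, and the shutdown is deliberately not automated so that nothing destroys the evidence before it has been checked from a second machine.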

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
