Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Amlafvc.exe?

from [dave_mikesch] Network Security [Permanent Link]
Subject: Re: Amlafvc.exe?
Date: Wed, 17 Nov 2004 08:15:56 -0600 
I'd be willing to bet you have a virus that creates it's own random file
name. I run into this more often than I care to!

My quickest solution:
1) Take the hard drive out and connect as a slave to another computer.
2) Go to Trendmicro.com and run their free virus scan.

When you hook the drive up as a slave, it won't load the infecting file so
you can safely delete it.



Best Regards,

Dave Mikesch
Sr. Technical Analyst, Desktop Support



                                                                                
                                                       
                      "Ansgar -59                                               
                                                       
                      cobalt- Wiechers"        To:       
forensics@securityfocus.com                                                   
                      <bugtraq@planetco        cc:                              
                                                       
                      balt.net>                Subject:  Re: Amlafvc.exe?       
                                                       
                                                                                
                                                       
                      11/16/2004 07:39                                          
                                                       
                      AM                                                        
                                                       
                                                                                
                                                       
                                                                                
                                                       




On 2004-11-15 Jim McBurnett wrote:

Ok, I have a machine that has this program running under any user that
logs into the machine.
This process spawns anywhere from 1- 10 times, and uses up to 60% of the
Processor...
Antivirus found nothing(on the machine and from a web version), Spybot
found nothing,
And all web searches prove useless.


The filename may be chosen randomly.


I cannot terminate it as it spawns and vanishes constantly changing the
process ID..
It is listed in the registry


By "listed in the registry" you mean one of the "run" keys?


as Microsoft Update machine.


There's no such thing.


BUT there is nothing on the Microsoft website about it.

And is is located in the windows\system32 folder as an EXE file and a
folder called c:\windows\prefetch as a .pf file.


Submit it to the AV vendors. Nick FitzGerald more or less regularly
posts a list of e-mail addresseses the AV vendors provide for this
purpose. Have a look at the archive of the Incidents list.


It sounds like it may be a Microsoft component, but I just do not know..
It is not on 3 other Windows XP machines in the office..
The system is running SP1


Have a look at the file's properties. Run strings [1] against it. Maybe
that will give you some clues.

Also have a look at Harlan Carvey's page [2].

HTH

[1] http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
[2] http://www.windows-ir.com/

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com






The information transmitted is intended only for the person(s)or entity 
to which it is addressed and may contain confidential and/or legally 
privileged material. Delivery of this message to any person other than 
the intended recipient(s) is not intended in any way to waive privilege 
or confidentiality. Any review, retransmission, dissemination or other 
use of , or taking of any action in reliance upon, this information by 
entities other than the intended recipient is prohibited. If you 
receive this in error, please contact the sender and delete the 
material from any computer.

For Translation:

http://www.baxter.com/email_disclaimer


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Amlafvc.exe?, H Carvey
Next by Date:  Re: Amlafvc.exe?, Jon O.
Previous by Thread:  Re: Amlafvc.exe?, H Carvey
Next by Thread:  Floppy diskettes - a few questions, Michael Edwards
Indexes:  [Date] [Thread] [Top] [All Lists]