Hi, I recently found this file running in memory after I noticed that my PC wouldn't shut down and Norton Internet Security 2004 had been disabled. I've deleted the registry key(s) that caused this Microsoft.exe (135 KB) to start (it was tagged as being WindowsUpdate), and also moved the file from Windows/system32 to another dir for testing. Now, as soon as this was done and I had rebooted, Norton Internet Security would load again. I tested the file offline and clicked the .exe, which caused the file to remove itself from my current dir and place itself back into the Windows/system32 dir; the registry entries returned as well. Upon running the file, it would shut down Norton Internet Security with a JavaScript error of some kind. I've scanned the file and my PC with NAV2004, ewido, Spybot, TDS3 and a few other programs, and nothing detected the file as malicious, even whilst it was running in memory. The only program to single it out was TrojanHunter, with the error message: unable to unpack UPX-packed file. Has anyone else encountered this file? What is it? And why aren't other programs detecting it? Lots of questions. Any help appreciated.
Maybe W32.HLLW.Gaobot.JB http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.jb.html
It is a brand new Agobot version that seems to have appeared yesterday. Samples have been sent to all the major antivirus vendors for updating. It comes with its partner scvhost.exe, and if one is removed the other reinstalls it, so both need removing together, or so it seems. Please follow the instructions here https://www.wilderssecurity.com/showthread.php?t=15913 and post a HJT log in the hijack forum.
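An added triage script, not from this thread or its posters, that checks a machine for the pattern described above: the Run-key persistence, the two partner files in System32, and whether either is still running. The value name "WindowsUpdate", the file names Microsoft.exe and scvhost.exe and the 135 KB size come from the thread; the UPX section-marker check and the list of Run keys are assumptions.

```powershell
# Added example (assumptions marked). Reports, does not remove: the thread says
# both partners reinstall each other, so removal must cover both at once.
function Find-AgobotPairArtifacts {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $suspectNames = @('Microsoft.exe', 'scvhost.exe')           # from the thread
    $runKeys = @(                                                # assumed key list
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $findings = @()

    # 1. Persistence: any Run value whose data names either file, or whose value
    #    name is "WindowsUpdate" (the label the poster saw on the entry).
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }               # PowerShell metadata
            $data = [string]$p.Value
            $hit = ($p.Name -eq 'WindowsUpdate') -or
                   ($suspectNames | Where-Object { $data -match [regex]::Escape($_) })
            if ($hit) {
                $findings += [pscustomobject]@{ Kind='RunKey'; Where="$key\$($p.Name)"; Detail=$data }
            }
        }
    }

    # 2. Files on disk: size and a UPX section-name marker ("UPX0"/"UPX1"/"UPX!")
    #    in the PE header region, matching the "UPX-packed" hint from TrojanHunter.
    foreach ($n in $suspectNames) {
        $path = Join-Path $sys32 $n
        if (-not (Test-Path $path)) { continue }
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $headLen = [Math]::Min(4096, $bytes.Length)
        $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $headLen)
        $upx = $head -match 'UPX[01!]'
        $findings += [pscustomobject]@{ Kind='File'; Where=$path; Detail="size=$($bytes.Length) upx_marker=$upx" }
    }

    # 3. Live processes: both must be stopped before either file is removed,
    #    otherwise the survivor re-drops its partner and the Run entries.
    foreach ($proc in Get-Process) {
        if ($suspectNames -contains ($proc.ProcessName + '.exe')) {
            $findings += [pscustomobject]@{ Kind='Process'; Where=$proc.ProcessName; Detail="pid=$($proc.Id)" }
        }
    }
    return $findings
}

Find-AgobotPairArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and System32 files are readable; an empty table means none of the thread's indicators were found under the assumed locations.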