Wed, Jul 29 2009 19:18
Know thy system
So the other day I noted on a server I have that there was a service called Windows service pack installer service and it wasn't running. Okay ... hmmm, I don't remember that service before, so let's check my running service inventory. Nope, last time it wasn't there. So where did that come from? The file is an official one from Microsoft, but the name is Windows 2000 service pack installer service, so what the heck is it doing on a Server 2003 box?
Others have seen it as well.
This is where "know thy system" comes into play. The ONLY thing I changed on that box was that I ran a special install of Malwarebytes.org a few days ago just to ensure that it was malware free. Sometimes that cleans more crud off a system that normal antivirus says is clean. So being in a paranoid frame of mind (with Blackhat in the works) I ran it on the box.
So let's uninstall that app and see if that goes away. And sure enough... and as reported in the software monitoring alerts... Application Malwarebytes' Anti-Malware (C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent) was removed from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx and will no longer be run when a user logs into the system. Once I removed that application, that particular service went away.
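The service inventory check described in this post can be scripted as a baseline-and-diff. The following is an added example, not the author's own tooling; it assumes PowerShell 3.0 or later, and the baseline path is a hypothetical location whose folder must already exist and be writable only by administrators.

```powershell
# Added example: snapshot installed services and diff against a saved baseline.
param(
    [string]$BaselinePath = 'C:\Baselines\services.json',  # hypothetical path
    [switch]$UpdateBaseline
)

function Get-ServiceInventory {
    # Win32_Service exposes the binary path and logon account; Get-Service does not.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, PathName, StartMode, StartName |
        Sort-Object Name
}

function Compare-ServiceInventory {
    param([object[]]$Baseline, [object[]]$Current)
    # PowerShell hashtables are case-insensitive, matching service name semantics.
    $old = @{}; foreach ($s in $Baseline) { $old[$s.Name] = $s }
    $new = @{}; foreach ($s in $Current)  { $new[$s.Name] = $s }
    foreach ($name in $new.Keys) {
        if (-not $old.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Added'; Name = $name
                DisplayName = $new[$name].DisplayName; Detail = $new[$name].PathName }
            continue
        }
        # An existing service whose binary, start mode or account changed is
        # as interesting as a brand new one.
        foreach ($prop in 'PathName', 'StartMode', 'StartName') {
            if ($old[$name].$prop -ne $new[$name].$prop) {
                [pscustomobject]@{ Change = "Changed $prop"; Name = $name
                    DisplayName = $new[$name].DisplayName
                    Detail = "$($old[$name].$prop) -> $($new[$name].$prop)" }
            }
        }
    }
    foreach ($name in $old.Keys) {
        if (-not $new.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Removed'; Name = $name
                DisplayName = $old[$name].DisplayName; Detail = $old[$name].PathName }
        }
    }
}

$current = Get-ServiceInventory
if ($UpdateBaseline -or -not (Test-Path -Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 2 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath"
    return
}
$baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
Compare-ServiceInventory -Baseline $baseline -Current $current |
    Sort-Object Change, Name | Format-Table -AutoSize -Wrap
```

Run it once to record the baseline, then again after any software install or removal; rerun with `-UpdateBaseline` only after each reported change has been explained.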