A phantom process was eating my CPU!
April 30, 2008 9:22 AM

Has anyone ever heard of a Windows Server process called "daupbsvc.exe"? This was using a significant amount of processor time on a VMware Windows 2003 server. Google and Microsoft return no results, as do all of the relevant support forums for the applications that server runs.

I seriously doubt it was a virus as that would've returned many search engine results, and that server doesn't contain any end user files nor is it used for any type of web browsing (though it can connect to the internet). I killed the process and it didn't come back. It also isn't showing up in any of the directories of that server, hidden or otherwise. Any ideas?
posted by Burhanistan to computers & internet (8 comments total)
"I seriously doubt it was a virus as that would've returned many search engine results"

Actually, many viruses will start up with a [random service name].exe to make detection and forensics more difficult. Not enough information to decide either way mind you. Upon reboot is there a different unknown process name (maybe of a similar XXXXsvc.exe name)?

I do information protection but malware and windows aren't among my specialties.
posted by These Premises Are Alarmed at 9:45 AM on April 30, 2008


No, the server was bounced a few times and seems fine now. I'm asking now not out of great need for problem resolution but just to address my "huh" moment with the thing?
posted by Burhanistan at 9:50 AM on April 30, 2008


Sounds like malware of some sort. Use Autoruns to see what processes your server runs at startup. Make sure that all of those processes are legitimate.
posted by shinybeast at 10:08 AM on April 30, 2008 [2 favorites]


Have you tried looking for the file in explorer and doing a properties on it? You might get some more information.
posted by mphuie at 10:42 AM on April 30, 2008


Yes, I tried searching the files on the hard drive to do just that and there wasn't a match.
posted by Burhanistan at 10:51 AM on April 30, 2008


Not being able to find the file would throw up a red flag for me. Try using Process Explorer to locate it.
posted by borkencode at 11:18 AM on April 30, 2008


Sounds like malware to me as well. These... has behavior I've seen numerous times explained well. I would watch for other processes that you don't recognize and investigate w/ Process Explorer.
posted by zennoshinjou at 11:22 AM on April 30, 2008


I am very suspicious - I just did a search of our internal KB's, support articles, solution fixes and email DL archives and could not find any reference to that executable. (Yes, I am "jkaczor of borg" and am here to assimilate you with occasional MeFi support....)

I third borkencode - Process Explorer *should* tell you where the executable is - unless you have been completely "root-kit'd".
posted by jkaczor at 5:05 AM on May 2, 2008
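
What the replies describe doing by hand with Process Explorer (find the image path behind each running process and check that the file really exists on disk), sketched as a script. This is an added example, not part of the thread; it assumes Windows PowerShell 5.1 or later in an elevated session, and `$Suspect` is a parameter name introduced here.

```powershell
# Added example (not from the thread): list running processes whose image file
# is missing on disk or lacks a valid Authenticode signature.
# Assumes Windows PowerShell 5.1+ run elevated; $Suspect is a hypothetical parameter.
param(
    # Process name to always show; defaults to the name reported in the thread.
    [string]$Suspect = 'daupbsvc.exe'
)

# Map PID -> service names, so a process started as a service is identifiable.
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $servicesByPid[[int]$_.ProcessId] += @($_.Name)
}

$report = foreach ($p in Get-CimInstance Win32_Process) {
    $path      = $p.ExecutablePath   # null when the path cannot be read
    $onDisk    = $false
    $sigStatus = 'n/a'
    if ($path) {
        # A running process whose image is gone from disk is the red flag
        # raised in the replies.
        $onDisk = Test-Path -LiteralPath $path -PathType Leaf
        if ($onDisk) {
            $sigStatus = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
    }
    [pscustomobject]@{
        Name      = $p.Name
        PID       = $p.ProcessId
        ParentPID = $p.ParentProcessId
        Path      = $path
        OnDisk    = $onDisk
        Signature = $sigStatus
        Services  = ($servicesByPid[[int]$p.ProcessId] -join ',')
        Suspect   = ($p.Name -ieq $Suspect)
    }
}

# Skip PID 0 (Idle) and PID 4 (System), which never have an image path.
$report |
    Where-Object {
        $_.Suspect -or ($_.PID -gt 4 -and (-not $_.OnDisk -or $_.Signature -ne 'Valid'))
    } |
    Sort-Object Name |
    Format-Table -AutoSize -Wrap
```

Rows in the output are leads to check, not verdicts: plenty of legitimate software ships unsigned, and some protected system processes report no path.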

