This case provided a good opportunity to use Sysinternals' Autoruns to detect and remove some malware that had found its way onto one of our workstations. An unknown process on the workstation was going out to the Internet at the same time every hour, attempting to download a suspicious executable named Zl0.exe and drop it in the user's local temp folder, which on Windows XP is C:\Documents and Settings\username\Local Settings\TEMP\ by default (we actually redirect this to a custom folder).
We knew this because our virus protection had been configured to stop all unknown exe files from writing to or starting from this location. The attempt to download the file was blocked by the host intrusion detection, but the process responsible for trying to download it went undetected.
Before starting, I verified that Zl0.exe was in fact malware by searching for it on the Internet. A quick scan of the system's running processes with Process Explorer didn't reveal anything out of the ordinary. Since the download was taking place every hour, I assumed a Windows Task Scheduler job was involved. The Task Scheduler is actually a service hosted within svchost.exe along with many other services, so killing that process was not really practical. Another reason malware would rely on the Task Scheduler is that the suspicious process can be started by a legitimate process, run, attempt to do what it wants to do, and stop; by the time you investigate with process-monitoring utilities, it is no longer there to be detected.
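One way to triage a box for the pattern described here, as an added example that is not from the original post: a small Python script that parses the CSV produced by `schtasks /query /v /fo csv` and flags tasks that repeat hourly or whose command line points into a temp folder. The sample rows and the column subset are constructed; real output has many more columns and the header names vary by Windows version, so check them against your own output.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /v /fo csv` output (not from the case
# in the post). Real output has more columns; lookups are by header name, so
# extra columns do not matter. Header names assumed from Windows XP/2003.
SAMPLE_CSV = (
    '"HostName","TaskName","Creator","Schedule","Task To Run","Run As User","Repeat: Every"\n'
    '"WS01","Defrag Weekly","SYSTEM","At 02:00 every Sun of every week",'
    '"C:\\WINDOWS\\system32\\defrag.exe C:","SYSTEM","Disabled"\n'
    '"WS01","At1","jdoe","Every 1 hour(s) from 09:00 for 24 hour(s) every day",'
    '"C:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\updater.exe","WS01\\jdoe","1 Hour(s)"\n'
    '"WS01","Backup","jdoe","At 18:00 every day","D:\\Tools\\backup.cmd","WS01\\jdoe","Disabled"\n'
)

# Folders the post's policy treats as no-go for executables. Add any redirected
# temp folder your environment uses (the last entry is a hypothetical path).
TEMP_DIR_PATTERNS = [
    r"\\local settings\\temp\\",
    r"\\windows\\temp\\",
    r"\\redirected_temp\\",
]

def is_hourly(row):
    """True when the task repeats hourly, via the Schedule text or the Repeat column."""
    text = (row.get("Schedule", "") + " " + row.get("Repeat: Every", "")).lower()
    return bool(re.search(r"\b1 hour", text)) or "hourly" in text

def runs_from_temp(row):
    """True when the command line references one of the temp folders above."""
    cmd = row.get("Task To Run", "").lower()
    return any(re.search(p, cmd) for p in TEMP_DIR_PATTERNS)

def find_suspicious_tasks(csv_text):
    """Return (TaskName, reasons) for every task that matches at least one heuristic."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if runs_from_temp(row):
            reasons.append("runs from temp folder")
        if is_hourly(row):
            reasons.append("hourly trigger")
        if reasons:
            findings.append((row["TaskName"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in find_suspicious_tasks(SAMPLE_CSV):
        print(f"{name}: {', '.join(reasons)}")
```

On a live machine, feed it the saved output of `schtasks /query /v /fo csv > tasks.csv`; a task that matches both heuristics is a good first candidate to examine in Autoruns.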
To confirm my suspicion, I opened the Task Scheduler. However, there were no abnormal scheduled jobs, even after selecting View Hidden Tasks from the Advanced menu: