Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Post by MV » Wed, 30 Nov 2005 10:12:07



a
suggested
Destroy

I have seen spyware that did pretty much the sort of thing
you describe.

Prevent the services from starting, then see what happens.
You should also scan your disk for the existence of these
files, then rename them. Do they regenerate themselves?
 
 
 

Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Post by Carol Hayn » Wed, 30 Nov 2005 10:35:34


Thanks for responding,

I have repeatedly scanned my system for spyware, viruses, rootkits, trojans
etc. and nothing shows up at all.

In the case of GXF.EXE and FRLCT.EXE a google search show nothing at all,
and I have checked the usual places (Symantec Response etc) and they have no
references to these file names.

The services are already stopped as the .EXE files they point to do not
exist.

I have deleted the service entry points in the registry and they don't
regenerate.

Could they be hangovers from an installation program?

 
 
 

Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Post by Carol Hayn » Wed, 30 Nov 2005 10:37:12

PS: Here is a sample Service Point Registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT]
"Type"=dword:00000110
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):48,3a,5c,4c,4f,43,41,4c,53,7e,31,5c,54,65,6d,70,5c,46,52,4c,\
43,54,2e,65,78,65,00
"DisplayName"="FRLCT"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Enum]
"0"="Root\\LEGACY_FRLCT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
 
 
 

Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Post by MV » Wed, 30 Nov 2005 10:43:06


trojans
no

Your guess is as good (or probably better) than mine. I would
keep an eye on things, without worrying too much. Check out
the Startup tab of msconfig.exe once a week.
 
 
 

Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Post by Carol Hayn » Wed, 30 Nov 2005 10:50:12


That's quite easy because I have a startup manager which moves most startup
items out of the usual places. I also use StartUp Control Panel (by mlin)
which shows just about all the startup registry entries.

Just strange that these are appearing as non-running services ???
 
 
 

Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Post by Ron Martel » Wed, 30 Nov 2005 17:34:23


Many trojans and spyware items create their own executables using
randomly generated file names. Any time you find an executable or a
.DLL file for which a Google web search finds no references the
overwhelming odds are in favor of that item being virus/spyware/trojan
related. There is a slight possibility that the file might belong to
a custom programmed application, but that is the only other
substantive possibility.

Do a Google search for the three words virus random names to see just
how common this type of infection is becoming.

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2006)
On-Line Help Computer Service
http://www.yqcomputer.com/