HELP: Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone


Post by c3QuZGFuaW » Wed, 30 Nov 2005 10:02:02


Have you heard about root-kits? Google SONY cd
 
 
 


Post by c3QuZGFuaW » Wed, 30 Nov 2005 10:06:01

See this. May be nothing, but should be known.

http://www.yqcomputer.com/

 
 
 


Post by Carol Hayn » Wed, 30 Nov 2005 10:29:05

Yep - I have done Rootkit scans (using the Sysinternals tool and another
tool) and none show up.

Thanks
 
 
 


Post by TWlrZ » Wed, 30 Nov 2005 11:07:13

Take a look at these sites
http://www.yqcomputer.com/
http://www.yqcomputer.com/
http://www.yqcomputer.com/
It looks like you might have a keylogger or trojan on your system.
 
 
 


Post by Carol Hayn » Wed, 30 Nov 2005 12:28:29

That's what I thought too ... but when I looked at what was likely to be
found with these issues none of the other traces were found. Unfortunately
auditmypc doesn't give any detail, but the problems described are listed on
numerous other sites (for k.exe) when a whole pile of extra files and
registry entries were listed as associated to k.exe. Unfortunately none of
those files or registry entries were present on my system (and k.exe was not
actually present). There was a process called K which referenced a file in
my temp folder called k.exe but it had already been deleted.

To check again I have downloaded SpyWare Doctor which includes keylogger
detection, but how many of these products can you run before your system
becomes completely unusable - and you spend all your time running constant
scans ?

I should have said I am also behind a router firewall. I have a wireless
network running with WEP encryption (one network device doesn't support
WPA), but I live in a remote rural area where outside hacking is extremely
unlikely.

Cheers

Carol

"Mike" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...


 
 
 


Post by Wesley Vog » Wed, 30 Nov 2005 13:49:00

If you have used RootkitRevealer, it adds a random named service and runs as
that service. Every time you run RootkitRevealer it adds another service to
services.msc. Have you run RootkitRevealer three times?

[[The reason that there is no longer a command-line version is that malware
authors have started targeting RootkitRevealer's scan by using its
executable name. We've therefore updated RootkitRevealer to execute its scan
from a randomly named copy of itself that runs as a Windows service.]]
http://www.sysinternals.com/Utilities/RootkitRevealer.html

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news: XXXX@XXXXX.COM ,
Carol Haynes < XXXX@XXXXX.COM > hunted and pecked:

 
 
 


Post by Carol Hayn » Wed, 30 Nov 2005 22:12:26

Thanks Wesley,

Yes I have run it three times !! If this has cracked it then I am very
grateful and much relieved!

Does it leave the registry entries behind after it has finished its scan?
If so why doesn't it delete them again to save confusion?

Cheers

Carol Haynes

"Wesley Vogel" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...


 
 
 


Post by R. McCart » Wed, 30 Nov 2005 22:18:46

You can locate the RootKitRevealer service(s), by examining the
Non Plug-&-Play category of Device Manager. It is necessary to
tick/check the View option "Show Hidden Devices". Likely you'll
have several instances of RKReveal --- with a 3-digit number that
is appended to the name. I usually just uninstall the remnants from
the NP&P after running RKRevealer.

"Carol Haynes" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...


 
 
 


Post by Carol Hayn » Wed, 30 Nov 2005 23:05:55


Can't see any in there - but then I did manually remove the service registry
entries.

I'll carry on investigating this as I have used two other RootKit scanners
to check my system. Maybe one of those has also used this method to scan.
Certainly one of them managed to complete its scan a number of times but the
GUI hung on exit ... trouble is having used three tools I can't remember
which one had the problem ...
 
 
 


Post by R. McCart » Wed, 30 Nov 2005 23:12:43

From your description, I doubt these services are related to the
RootKitRevealer. Could you download ProcessExplorer from
SysInternals & run. Once populated, click File, Save As. Email
me the log and I'll take a look at it for you.
http://www.yqcomputer.com/
 
 
 


Post by Carol Hayn » Thu, 01 Dec 2005 00:04:36


Thanks - Replied by email.
 
 
 


Post by Wesley Vog » Thu, 01 Dec 2005 01:02:19

Hi Carol,

Yes, leaves them behind in the registry. Who knows why. The folks at
System Internals are sharp folks, but a bug is a bug. ;-)

You'll find the left behind services here...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Locate the service in the list. ImagePath should point to Local
Settings\Temp folder, as a double check.

Delete them and reboot.

[[Important This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that
you understand how to restore the registry if a problem occurs. For
information about how to back up, restore, and edit the registry, click the
following article number to view the article in the Microsoft Knowledge
Base:
256986 Description of the Microsoft Windows Registry]]
http://support.microsoft.com/default.aspx?kbid=256986

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news: XXXX@XXXXX.COM ,
Carol Haynes < XXXX@XXXXX.COM > hunted and pecked:

 
 
 


Post by Carol Hayn » Thu, 01 Dec 2005 04:37:02

Thanks yes - I got there before actually, but a better way for Windows XP is
to use SC.EXE from the Windows 2003 Resource Kit (free download from MS
downloads).

In a DOS window: SC.EXE DELETE <service_name>

Saves having to fiddle with the registry (safer) and is quicker.

Cheers

Carol

"Wesley Vogel" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...


 
 
 


Post by Carol Hayn » Thu, 01 Dec 2005 04:41:56

Thanks for your help ...

I have been chatting on Sysinternals Forum about this.

The service name generated is any number of characters long (and as far as I
can tell just capital letters).

I tried RootKit Revealer again and let it scan my registry and my C: drive,
after that I aborted and closed the window.

A randomly named .EXE file was produced in my Local Settings\Temp folder,
and run as a service (I monitored the folder, services and TaskScheduler
while RR was executing).

On exit the file was deleted but not the service name or the service related
registry settings. It can't run 'cos the file doesn't exist.

This is definitely a bug, and (at least to my satisfaction) clearly explains
what has been happening on my system (huge sigh of relief).

Strange thing is that RR doesn't exhibit this behaviour on all systems.

Thanks all for the help sorting this out and giving me a good night's sleep
tonight ;-)

Carol
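
An added example, not code from any poster in this thread: a read-only PowerShell check for the leftover pattern described above, a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services whose ImagePath points into a Temp folder at a file that no longer exists. The helper name Get-ServiceBinaryPath and the `\Temp\` path match are assumptions of this example.

```powershell
# Added example: list services whose ImagePath points into a Temp folder
# and whose binary is missing on disk. Read-only: it prints a suggested
# "sc.exe delete" line for review and deletes nothing itself.

function Get-ServiceBinaryPath {
    # Hypothetical helper: reduce an ImagePath value to the executable path.
    param([string]$ImagePath)
    # Expand %SystemRoot%-style variables and drop the \??\ prefix some entries use
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath) -replace '^\\\?\?\\', ''
    # Quoted path followed by arguments
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path (may contain spaces) ending at the first .exe/.sys/.dll
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }
    return $p
}

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$orphans = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $imagePath = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { continue }              # key has no ImagePath value

    $binary = Get-ServiceBinaryPath $imagePath
    # Only absolute paths are checked; relative driver paths are skipped
    if ($binary -notmatch '^[A-Za-z]:\\') { continue }
    # Assumption: "Temp folder" means any path with a \Temp\ component
    if ($binary -notmatch '\\Temp\\') { continue }

    if (-not (Test-Path -LiteralPath $binary)) {
        [pscustomobject]@{
            Service   = $key.PSChildName
            ImagePath = $imagePath
            Cleanup   = "sc.exe delete `"$($key.PSChildName)`""
        }
    }
}

$orphans | Format-List
```

A service whose Temp-folder binary is still present is not listed; that case is the one worth examining further rather than deleting.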
 
 
 


Post by Wesley Vog » Thu, 01 Dec 2005 12:42:52

Hi Carol,

No need for the Windows 2003 Resource Kit, SC.EXE is part of XP.

Type SC in the Search box in Help and Support.

Or Start | Run | Paste this in the box and hit Enter...

hh ntcmds.chm::/sc.htm

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:Oo%23$ XXXX@XXXXX.COM ,
Carol Haynes < XXXX@XXXXX.COM > hunted and pecked: