View Full Version : advice needed.
December 22nd, 2008, 12:28 PM
i have recently come across these services on my vista machine.
as i was trimming/checking the auto starts and setting some things to manual,
something i do quite regularly is check that they have remained on manual .. whilst checking i came across these 4 services .. i hadnt noticed them before and 99% sure they appeared about 2 months ago.
AHZQZXQN Disabled Local System
TQFPCWYBNJE Disabled Local System
UHWX Disabled Local System
FAVYPXOB Disabled Local System
i have tried all kinds of search engines but cannot locate any trace of them .. nor can i find out any details from my machine..
does anyone else have any uniquely named services on their machines similar please,
they were set to manual so i disabled them 1 at a time for about a week each with no detrimental effects .. so i then set all to disabled and still no problem .
my fear is i may have picked up a rootkit..
i only run nod32 and windows firewall .. however i have a small army of on-line antispyware and virus scanners to hand if needed.
they found nothing but a few FPs same as the freebie and several free trial AS/s.
any ideas anyone.
December 22nd, 2008, 01:00 PM
The service names were clearly automatically generated and registered by something else running. Open up services.msc and look at one of these entries' properties to see what the path to the executable is and Google that, it might give you a better idea of what got on there.
If you disabled UAC, it would be worth seriously considering turning it back on.
December 22nd, 2008, 01:10 PM
no i havent disabled uac .. uac is the reason i dont run an antispyware anymore.
service and display names are the same .. no description and no path to executables.
also no dependencies.
December 22nd, 2008, 01:15 PM
sorry windows defender is running aswell.
December 22nd, 2008, 01:16 PM
If they aren't pointed to an executable then you are pretty much at a dead-end. You can use the command "sc delete [servicename]" in an admin command line prompt to remove them if you want. I would try running something like Blacklight rootkit revealer to see if something in hiding in an alternative data stream and check over your hklm\Software\Microsoft\Windows\CurrentVersion\Run entries to make sure nothing shady is showing up there.
If you're really concerned about rootkits though, your best bet is to pull the drive out of the system and mount in in another computer and scan from there.
December 22nd, 2008, 02:27 PM
blacklight came up empty as have 3 or 5 other rootkit revealers.
thank for your time much appreciated.
its a puzzle and i would like to know program they are associated with.
how can i find out the last time they ran.
December 22nd, 2008, 02:58 PM
You can check through the event log and look for the start controls for the rouge services, but by default the log has a max size and will start dropping old entries when it hits that limit. If this popped up several months ago then I doubt they will still be there.
December 22nd, 2008, 04:13 PM
i deleted them in command prompt.
am i right in thinking that if they were connected to a current program
that it will not work now or will it renew those services for similarly obscurely named replacements.
thanks for your time m8.
December 22nd, 2008, 04:32 PM
Odds are if you had to do some malware cleanup in the past this is just some leftover garbage from it. If something is active on the system you will most likely see similar services start to pop up at which point I would start digging deeper for an active infection.
December 22nd, 2008, 04:41 PM
yeah i think so to..
just curious as to their origins.
i dont get to overly worried these days about security .. i follow set proceedures when surfing and downloading etc .. been doing this along time now .. you have to be pretty dumb to let most of the stuff/trojans etc install and execute on your machine
thanks m8. .. safe surfing.
January 8th, 2009, 12:33 AM
If you like, you can download a copy of ESET SysInspector (http://www.eset.com/download/sysinspector.php) from ESET, create a log file and mail it to email@example.com (firstname.lastname@example.org) along with a link to this message thread for analysis by a support engineer.
That should help determine if there anything still present which needs to be removed.
January 15th, 2009, 07:09 PM
thanks i already have it .. so i will do that.
vBulletin® Copyright ©2000-2014, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2014, Wilders Security Forums