advice needed.

Discussion in 'ESET NOD32 Antivirus' started by laylow21, Dec 22, 2008.

Thread Status:
Not open for further replies.
  1. laylow21

    laylow21 Registered Member

    i have recently come across these services on my vista machine.

    as i was trimming/checking the auto starts and setting some things to manual,
    something i do quite regularly is check that they have remained on manual .. whilst checking i came across these 4 services .. i hadnt noticed them before and 99% sure they appeared about 2 months ago.

    AHZQZXQN Disabled Local System
    TQFPCWYBNJE Disabled Local System
    UHWX Disabled Local System
    FAVYPXOB Disabled Local System

    i have tried all kinds of search engines but cannot locate any trace of them .. nor can i find out any details from my machine..

    does anyone else have any uniquely named services on their machines similar please,

    they were set to manual so i disabled them 1 at a time for about a week each with no detrimental effects .. so i then set all to disabled and still no problem .

    my fear is i may have picked up a rootkit..

    i only run nod32 and windows firewall .. however i have a small army of on-line antispyware and virus scanners to hand if needed.

    they found nothing but a few FPs same as the freebie and several free trial AS/s.

    any ideas anyone.
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    The service names were clearly automatically generated and registered by something else running. Open up services.msc and look at one of these entries' properties to see what the path to the executable is and Google that, it might give you a better idea of what got on there.

    If you disabled UAC, it would be worth seriously considering turning it back on.
  3. laylow21

    laylow21 Registered Member

    no i havent disabled uac .. uac is the reason i dont run an antispyware anymore.

    service and display names are the same .. no description and no path to executables.
    also no dependencies.
  4. laylow21

    laylow21 Registered Member

    sorry windows defender is running aswell.
  5. SmackyTheFrog

    SmackyTheFrog Registered Member

    If they aren't pointed to an executable then you are pretty much at a dead-end. You can use the command "sc delete [servicename]" in an admin command line prompt to remove them if you want. I would try running something like Blacklight rootkit revealer to see if something in hiding in an alternative data stream and check over your hklm\Software\Microsoft\Windows\CurrentVersion\Run entries to make sure nothing shady is showing up there.

    If you're really concerned about rootkits though, your best bet is to pull the drive out of the system and mount in in another computer and scan from there.
  6. laylow21

    laylow21 Registered Member

    blacklight came up empty as have 3 or 5 other rootkit revealers.

    thank for your time much appreciated.

    its a puzzle and i would like to know program they are associated with.

    how can i find out the last time they ran.
  7. SmackyTheFrog

    SmackyTheFrog Registered Member

    You can check through the event log and look for the start controls for the rouge services, but by default the log has a max size and will start dropping old entries when it hits that limit. If this popped up several months ago then I doubt they will still be there.
  8. laylow21

    laylow21 Registered Member

    i deleted them in command prompt.
    am i right in thinking that if they were connected to a current program
    that it will not work now or will it renew those services for similarly obscurely named replacements.

    thanks for your time m8.
  9. SmackyTheFrog

    SmackyTheFrog Registered Member

    Odds are if you had to do some malware cleanup in the past this is just some leftover garbage from it. If something is active on the system you will most likely see similar services start to pop up at which point I would start digging deeper for an active infection.
  10. laylow21

    laylow21 Registered Member

    yeah i think so to..

    just curious as to their origins.

    i dont get to overly worried these days about security .. i follow set proceedures when surfing and downloading etc .. been doing this along time now .. you have to be pretty dumb to let most of the stuff/trojans etc install and execute on your machine

    thanks m8. .. safe surfing.
  11. agoretsky

    agoretsky Eset Staff Account


    If you like, you can download a copy of ESET SysInspector from ESET, create a log file and mail it to along with a link to this message thread for analysis by a support engineer.

    That should help determine if there anything still present which needs to be removed.


    Aryeh Goretsky
  12. laylow21

    laylow21 Registered Member

    thanks i already have it .. so i will do that.
Thread Status:
Not open for further replies.