Re: aretzj.exe -- reappearing unknown system file
From: Jonathan Glass (jonathan.glass_at_gmail.com)
Date: 05/31/05
- Previous message: Andrew Aris: "RE: Linking Password Length to Write-down probability"
- In reply to: Kevin Snively: "aretzj.exe -- reappearing unknown system file"
- Next in thread: Nick Duda: "RE: aretzj.exe -- reappearing unknown system file"
Date: Tue, 31 May 2005 08:47:19 -0400
To: Kevin Snively <kevinsnively@comcast.net>
Download and run seccheck.exe from
http://www.mynetwatchman.com/tools/sc/, or run it from the web page as
an ActiveX. It will provide you with ALL running processes, and the
registry keys and folders commonly used to kick 'em off.
Jonathan Glass
Kevin Snively wrote:
>I've come across, on a client's machine, a reappearing / self propagating
>read only system file. The box is running a copy of XP pro fully patched.
>
>c:\windows\system32\aretzj.exe
>
>When Internet explorer is brought up this program (aretzj.exe) asks for
>internet access via ZoneAlarm. When deleted it reappears at bootup and even
>if the computer has not been restarted.
>
>I can not find any reference in Technet or any of the search engines. It is
>read only and when deleted the XP claims it is a system file. I tried about
>20+ search engines. One mentioned a Name an author of a book published in
>1935 - author ha'aretz (without the "j").
>
>
>What I have done to try and identify the source:
>
>1. looked for other "unknown" files inside of system32, including checking
>dates of files such as the KERNEL and KERNEL32 and looked for "suspicious"
>files. No results except aretzj.exe
>
>2. cleaned out the [prefetch] folder (no positive results)
>
>3. [Downloaded program files] is and was empty
>
>4. Checked c:\program files\internet explorer
>Looked for suspicious or unknown folders in common files.
>
>5. Spent an almost inordinate amount of time poking around in general looking
>for clues, identifying plugins, checking system and hidden folders to no
>avail.
>
>I am not sure what it is but as I renamed the file to a .txt extension and
>read through the "readable" portion of the binary file hoping for some hook
>on identifying it.
>
>At this point I am concerned as it is "unidentifiable" the terminology inside
>the binary file might be construed with "data mining" and the client does
>run proprietary databases - Oh Yes, and I have checked with the vendor of
>the clients database software. They tell me nothing is stored on the PC nor
>is anything except a browser required to view the database.
>
>We are now using firefox but the unknown file continues to reappear. The
>only solution I have come up with is to wipe everything reinstall and
>restore actual data from a backup.
>
>Any help or suggestions will be greatly appreciated.
>Or has anyone run across this culprit?
>
>Sincerely,
>Kevin Snively
>
>The HelpDesk Inc ®
>kevin@thehelpdeskinc.com
>615-781-1922 (office)
>615-582-0877 (Mobile)
>
>
>
>
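An added example, not part of either message and not seccheck's own code: a PowerShell check in the spirit of the reply above, looking for references to the file named in the original post in registry autostart values, Startup folders, service paths, and running processes (with the parent that launched each one). It assumes a current Windows system with PowerShell 3.0 or later rather than the XP machine in the thread, and the locations checked are a common subset, not a complete list.

```powershell
# Added example, not from the thread. File name taken from the original post.
$Name = 'aretzj.exe'
$hits = @()

# Registry values commonly used to start programs at boot or logon.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($value in $item.GetValueNames()) {
        $data = [string]$item.GetValue($value)
        if ($data -like "*$Name*") {
            $hits += [pscustomobject]@{ Source = $key; Entry = $value; Detail = $data }
        }
    }
}

# Per-user and all-users Startup folders; shortcuts are resolved to their targets.
$shell = New-Object -ComObject WScript.Shell
foreach ($special in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($special)
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -Force -File) {
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') { $target = $shell.CreateShortcut($file.FullName).TargetPath }
        if ($target -like "*$Name*") {
            $hits += [pscustomobject]@{ Source = $dir; Entry = $file.Name; Detail = $target }
        }
    }
}

# Services whose binary path references the file.
foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Name*" }) {
    $hits += [pscustomobject]@{ Source = 'Service'; Entry = $svc.Name; Detail = $svc.PathName }
}

# Running instances, with the parent process that launched each one.
$procs = Get-CimInstance Win32_Process
foreach ($p in $procs | Where-Object { $_.Name -ieq $Name }) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
    $hits += [pscustomobject]@{ Source = 'Process'; Entry = "PID $($p.ProcessId)"; Detail = "parent: $($parent.Name) ($($p.ParentProcessId))" }
}

$hits | Format-Table -AutoSize -Wrap
```

An empty result only means none of these locations reference the name; a file that is rewritten while the system is running is being restored by some other live process or component, which this check does not identify.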