RE: aretzj.exe -- reappearing unknown system file

From: Nick Duda (nduda_at_VistaPrint.com)
Date: 05/31/05

    Date: Tue, 31 May 2005 09:09:52 -0400
    To: "Michael Painter" <tvhawaii@shaka.com>, <security-basics@securityfocus.com>
    
    

    Have you tried to search the web for a matching MD5sum? Maybe it's
    something older under a different name.

    -----Original Message-----
    From: Michael Painter [mailto:tvhawaii@shaka.com]
    Sent: Monday, May 30, 2005 9:44 PM
    To: security-basics@securityfocus.com
    Subject: Re: aretzj.exe -- reappearing unknown system file

    FWIW, I searched my XP Pro/IE box and don't find this file. I'd try
    running HijackThis and see what it says.

    --Michael

    ----- Original Message -----
    From: "Kevin Snively" <kevinsnively@comcast.net>
    To: <security-basics@securityfocus.com>
    Sent: Friday, May 27, 2005 6:27 AM
    Subject: aretzj.exe -- reappearing unknown system file

    > I've come across, on a client's machine, a reappearing / self-propagating
    > read-only system file. The box is running a copy of XP Pro, fully patched.
    >
    > c:\windows\system32\aretzj.exe
    >
    > When Internet Explorer is brought up this program (aretzj.exe) asks for
    > internet access via ZoneAlarm. When deleted it reappears at bootup, and even
    > if the computer has not been restarted.
    >
    > I can not find any reference in TechNet or any of the search engines. It is
    > read only, and when deleted XP claims it is a system file. I tried about
    > 20+ search engines. One mentioned the name of an author of a book published
    > in 1935 - author ha'aretz (without the "j").
    >
    >
    > What I have done to try and identify the source:
    >
    > 1. Looked for other "unknown" files inside of system32, including checking
    > dates of files such as the KERNEL and KERNEL32, and looked for "suspicious"
    > files. No results except aretzj.exe.
    >
    > 2. Cleaned out the [Prefetch] folder (no positive results).
    >
    > 3. [Downloaded Program Files] is and was empty.
    >
    > 4. Checked c:\program files\internet explorer.
    > Looked for suspicious or unknown folders in Common Files.
    >
    > 5. Spent an almost inordinate amount of time poking around in general
    > looking for clues, identifying plugins, checking system and hidden folders
    > to no avail.
    >
    > I am not sure what it is, but I renamed the file to a .txt extension and
    > read through the "readable" portion of the binary file hoping for some hook
    > on identifying it.
    >
    > At this point I am concerned, as it is "unidentifiable" and the terminology
    > inside the binary file might be construed as "data mining", and the client
    > does run proprietary databases. Oh yes, and I have checked with the vendor
    > of the client's database software. They tell me nothing is stored on the PC,
    > nor is anything except a browser required to view the database.
    >
    > We are now using Firefox but the unknown file continues to reappear. The
    > only solution I have come up with is to wipe everything, reinstall and
    > restore actual data from a backup.
    >
    > Any help or suggestions will be greatly appreciated.
    > Or has anyone run across this culprit?
    >
    > Sincerely,
    > Kevin Snively
    >
    > The HelpDesk Inc (r)
    > kevin@thehelpdeskinc.com
    > 615-781-1922 (office)
    > 615-582-0877 (Mobile)
    >
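An added example, not code from any of the posters in this thread: a small Python triage script that does in one pass what the thread suggests. It hashes the file so the digest can be searched for (Nick's suggestion), checks that the file really is a PE executable, and extracts the printable ASCII and UTF-16LE strings that Kevin read by hand after renaming the file to .txt, flagging any that mention an autorun registry key, a URL or a credential-related word. The bytes in SAMPLE are constructed for this demonstration (the real aretzj.exe is not available here); the "DataMiner" string, the example.invalid URL and the indicator list are assumptions, not anything found in the file under discussion.

```python
import hashlib
import re
import struct
import sys

# Constructed sample standing in for the unknown binary (the real aretzj.exe
# is not available here): a minimal DOS/PE header followed by a few embedded
# strings of the kind the poster read after renaming the file to .txt.
# "DataMiner" and the example.invalid URL are made up for this demonstration.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)     # DOS header, e_lfanew = 0x80
    + b"\x00" * (0x80 - 64)                             # pad up to the PE header
    + b"PE\x00\x00" + struct.pack("<H", 0x14C)          # PE signature, i386 machine
    + b"\x00" * 18
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x01\x02"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "DataMiner".encode("utf-16-le") + b"\x00\x00"     # a wide (UTF-16LE) string
    + b"ab\x00"                                         # too short to be reported
    + b"http://example.invalid/collect\x00"
)


def file_hashes(data: bytes) -> dict:
    """Digests to search for on a malware database or the web."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII, then UTF-16LE (common in Windows binaries),
    at least min_len characters long; roughly what the `strings` tool reports."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(wide_re, data)]
    return found


# Substrings that warrant a closer look in an unknown executable: autorun
# persistence keys, network endpoints, credential-related words (assumed list).
INDICATORS = ("currentversion\\run", "http://", "https://", "ftp://", "password", "keylog")


def suspicious_strings(strings) -> list:
    """Keep only the strings matching one of the INDICATORS, case-insensitively."""
    return [s for s in strings if any(ind in s.lower() for ind in INDICATORS)]


def triage(data: bytes) -> dict:
    """One report per file: is it a PE at all, what are its hashes, what does it say."""
    strings = printable_strings(data)
    return {
        "is_pe": is_pe(data),
        "hashes": file_hashes(data),
        "strings": strings,
        "suspicious": suspicious_strings(strings),
    }


if __name__ == "__main__":
    # Usage: python triage.py C:\windows\system32\aretzj.exe   (defaults to SAMPLE)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(blob)
    print("PE executable:", report["is_pe"])
    for name, digest in report["hashes"].items():
        print(f"{name}: {digest}")
    print("suspicious strings:")
    for s in report["suspicious"]:
        print("  ", s)
```

Run it against the actual file path rather than the built-in sample. Since the file comes back after deletion, hashing the copy before and after it reappears also tells you whether the same binary is being restored or a fresh one is being written, which narrows down what is restoring it.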

