Malicious startup programs

From: tvfun (tvfun_at_sbcglobal.net)
Date: 01/04/05 

Date: Tue, 04 Jan 2005 00:33:51 GMT

A malicious program keeps re-inserting itself in my start-up list.

I've "Startup Control Panel 2.8 by Mike Lin" which conventiently displays
startup items in a tabbed interface.

The following is a real bugger.

In HKLM/Run I have an item named '4GDY2Ml296K6CX' with path
C:\WINDOWS\SYSTEM\Xej7.exe

If tried to uncheck it but doing that resulted in it creating a duplicate
entry immediately with the other one checked! Trying to uncheck the other
one resulted in an error message "There is already and enabled/disabled
entry with the same name..." and a simple OK button. Hit OK and the second
duplicated entry remains checked.

I cannot delete Xej7.exe because it is "in use"

I've had this problem repeatedly. Last time I finally rebooted in safe mode,
made sure nothing extra was loaded and deleted Xej7.exe (actually a
precursor), removed all entries from startup and searched windows registry
for it and deleted anything that was connected to it.

Within a day or so it returned. Not the same name but something like it. I
think it was named 'AOzdf.exe'. I could tell was the same thing because it
acted the same.

It looks like something is lurking somewere on my system and it checks to
see if it's exe is there and in startup and if not creates it and adds it to
the start up list. Question is how do I find it.

In other words something created/wrote Xej7.exe and set it up to load at
startup. That something is lurking somewhere on my system. This exe gets
recreated even if I disconnect the wire to the internet.

I have Spy Bot Search and Destroy and Add Aware and run them on a schedule.
I have anti virus software. All of this has failed to get rid of the
problem I describe.

The key is to find what is creating the 'Xej7.exe' and getting rid of that.

Any ideas on how to diagnose this.