Re: mystery services found on my xp pro machine



If you have used RootkitRevealer, it adds a randomly named *.exe file and a
randomly named service and runs as that service. The randomly named *.exe file
will show up in the %homepath%\Local Settings\Temp folder. Every time you run
RootkitRevealer it adds another random service to services.msc. The
randomly named *.exe file will be deleted, but the registry settings are
left behind.

[[The reason that there is no longer a command-line version is that malware
authors have started targeting RootkitRevealer's scan by using its
executable name. We've therefore updated RootkitRevealer to execute its scan
from a randomly named copy of itself that runs as a Windows service.]]
http://www.sysinternals.com/Utilities/RootkitRevealer.html

RootkitRevealer leaves references to these randomly named *.exe files behind
so that you see strange service names in services.msc.

You'll find the left-behind services here...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Locate the service(s) in the list. ImagePath should point to the
Local Settings\Temp folder, as a double check.

Delete them and reboot.

[[Important This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that
you understand how to restore the registry if a problem occurs. For
information about how to back up, restore, and edit the registry, click the
following article number to view the article in the Microsoft Knowledge
Base: 256986 Description of the Microsoft Windows Registry]]
http://support.microsoft.com/default.aspx?kbid=256986

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:B2BF3D67-D751-4537-B0E7-B2D158152F41@xxxxxxxxxxxxx,
d. bennett <d. bennett@xxxxxxxxxxxxxxxxxxxxxxxxx> hunted and pecked:
> I found the following services in my Services.msc snap-in:
>
> NJND
> PEFEJJ
> JIEHGOWNLWY
> EGW
> NOVAVFKT
>
> I have disabled all of them and deleted the files (all the files were
> located in my user temp directory)...
>
> Does anyone know what these are? I have searched all the sites I know for
> info to see if they are viruses but I haven't found anything... My virus
> scan doesn't report anything (I've made sure I'm updated) and I can't find
> them listed as viruses on any sites (MS or Norton).
>
> -d
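
The double check described in the reply above (a service under the Services key whose ImagePath points into a Local Settings\Temp folder) can be done as a read-only audit before anything is deleted. This is an added example, not part of the original post and not Sysinternals code; the helper name Resolve-ImagePath and the FileExists column are assumptions made for illustration.

```powershell
# Added example: read-only audit of the Services key for leftover entries.
# Assumption: a leftover entry has an ImagePath inside a "Local Settings\Temp"
# folder and the executable it names is no longer on disk.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Hypothetical helper: reduce a raw ImagePath value to the executable path.
function Resolve-ImagePath([string]$raw) {
    # Expand %SystemRoot%-style variables and strip the NT "\??\" prefix.
    $p = [Environment]::ExpandEnvironmentVariables($raw).Trim()
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    # Quoted path: take what is between the first pair of quotes.
    if ($p -match '^"([^"]+)"') { return $matches[1] }
    # Unquoted path: cut after the first ".exe" so arguments are dropped.
    if ($p -match '^(.+?\.exe)(\s|$)') { return $matches[1] }
    return $p
}

$findings = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Many service keys (and driver groups) have no ImagePath at all.
    if (-not $props -or -not $props.ImagePath) { continue }
    $exe = Resolve-ImagePath $props.ImagePath
    # Keep only services whose binary lives in a user Temp folder.
    if ($exe -notmatch '\\Local Settings\\Temp\\') { continue }
    New-Object PSObject -Property @{
        Service    = $key.PSChildName
        ImagePath  = $props.ImagePath
        FileExists = (Test-Path -LiteralPath $exe)
    }
}

# Nothing is modified; the table is for review only.
$findings | Sort-Object Service |
    Format-Table Service, FileExists, ImagePath -AutoSize
```

Rows with FileExists False match the leftover pattern described in the reply; a row with FileExists True names a binary that is still on disk and deserves a closer look before its key is removed.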
