HELP: Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Carol Haynes

I have spotted two unknown services listed GXF.EXE and FRLCT.EXE.

Both point to files which were in the Local Settings\Temp folder (but no
longer exist).

Has anyone any idea what these are? Google etc. and antispyware/AV sites
come up with no info on either.

I also recently found a similar service, K.EXE, which similarly referenced a
file in the temp folder (which was no longer there). Various sites suggested
it could have been a trojan, but none of the trojan 'specs' matched those
listed on Symantec and other sites (i.e. the other files/registry entries
which were supposed to be present in a trojan infection were not there at
all).

Any help on this would really be appreciated - I am beginning to get very
worried that something sinister is going on.

I have done a complete antivirus scan and multiple anti malware scans
without showing up anything, and I have done a system search for these 3
files and can't find them anywhere on my system.

My system setup is:

Windows XP SP2 (fully up to date)
NOD32 AntiVirus
Sygate Pro Firewall (yes I know I need to change this as Symantec have
effectively made it abandonware recently)

I also constantly run ProcessGuard (which stops unknown programs starting
without permission), WebRoot SpySweeper and MS AntiSpyware

I have also scanned my system with AdAwareSE Pro and SpyBot Search & Destroy
which showed up no issues.

Am I missing something here? How can services appear and disappear like
this?
 
Pegasus (MVP)

I have seen spyware that did pretty much the sort of thing
you describe.

Prevent the services from starting, then see what happens.
You should also scan your disk for the existence of these
files, then rename them. Do they regenerate themselves?
 
Carol Haynes

Yep - I have done Rootkit scans (using the Sysinternals tool and another
tool) and none show up.

Thanks
 
Carol Haynes

Pegasus (MVP) said:
I have seen spyware that did pretty much the sort of thing
you describe.

Prevent the services from starting, then see what happens.
You should also scan your disk for the existence of these
files, then rename them. Do they regenerate themselves?

Thanks for responding,

I have repeatedly scanned my system for spyware, viruses, rootkits, trojans
etc. and nothing shows up at all.

In the case of GXF.EXE and FRLCT.EXE a Google search shows nothing at all,
and I have checked the usual places (Symantec Response etc) and they have no
references to these file names.

The services are already stopped as the .EXE files they point to do not
exist.

I have deleted the service entry points in the registry and they don't
regenerate.

Could they be hangovers from an installation program?
 
Carol Haynes

PS: Here is a sample Service Point Registry entry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT]
"Type"=dword:00000110
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):48,3a,5c,4c,4f,43,41,4c,53,7e,31,5c,54,65,6d,70,5c,46,52,4c,\
43,54,2e,65,78,65,00
"DisplayName"="FRLCT"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Enum]
"0"="Root\\LEGACY_FRLCT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
 
Pegasus (MVP)

Your guess is as good (or probably better) than mine. I would
keep an eye on things, without worrying too much. Check out
the Startup tab of msconfig.exe once a week.
 
Carol Haynes

Pegasus (MVP) said:
Your guess is as good (or probably better) than mine. I would
keep an eye on things, without worrying too much. Check out
the Startup tab of msconfig.exe once a week.

That's quite easy because I have a startup manager which moves most startup
items out of the usual places. I also use StartUp Control Panel (by mlin)
which shows just about all the startup registry entries.

Just strange that these are appearing as non-running services ???
 
Carol Haynes

That's what I thought too ... but when I looked at what was likely to be
found with these issues none of the other traces were found. Unfortunately
auditmypc doesn't give any detail, but the problems described are listed on
numerous other sites (for k.exe) when a whole pile of extra files and
registry entries were listed as associated to k.exe. Unfortunately none of
those files or registry entries were present on my system (and k.exe was not
actually present). There was a process called K which referenced a file in
my temp folder called k.exe but it had already been deleted.

To check again I have downloaded SpyWare Doctor which includes keylogger
detection, but how many of these products can you run before your system
becomes completely unusable - and you spend all your time running constant
scans ?

I should have said I am also behind a router firewall. I have a wireless
network running with WEP encryption (one network device doesn't support
WPA), but I live in a remote rural area where outside hacking is extremely
unlikely.

Cheers

Carol
 
Wesley Vogel

If you have used RootkitRevealer, it adds a random named service and runs as
that service. Every time you run RootkitRevealer it adds another service to
services.msc. Have you run RootkitRevealer three times?

[[The reason that there is no longer a command-line version is that malware
authors have started targeting RootkitRevealer's scan by using its
executable name. We've therefore updated RootkitRevealer to execute its scan
from a randomly named copy of itself that runs as a Windows service.]]
http://www.sysinternals.com/Utilities/RootkitRevealer.html

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Ron Martell

Many trojans and spyware items create their own executables using
randomly generated file names. Any time you find an executable or a
.DLL file for which a Google web search finds no references the
overwhelming odds are in favor of that item being virus/spyware/trojan
related. There is a slight possibility that the file might belong to
a custom programmed application, but that is the only other
substantive possibility.

Do a Google search for the three words virus random names to see just
how common this type of infection is becoming.

Good luck

Ron Martell Duncan B.C. Canada
 
Carol Haynes

Thanks Wesley,

Yes I have run it three times !! If this has cracked it then I am very
grateful and much relieved!

Does it leave the registry entries behind after it has finished its scan?
If so why doesn't it delete them again to save confusion?

Cheers

Carol Haynes

 
R. McCarty

You can locate the RootKitRevealer service(s), by examining the
Non Plug-&-Play category of Device Manager. It is necessary to
tic/check the View option "Show Hidden Devices". Likely you'll
have several instances of RKReveal --- with a 3-digit number that
is appended to the name. I usually just uninstall the remnants from
the NP&P after running RKRevealer.

Carol Haynes said:
That's what I thought too ... but when I looked at what was likely to be
found with these issues none of the other traces were found. Unfortunately
auditmypc doesn't give any detail, but the problems described are listed on
numerous other sites (for k.exe) when a whole pile of extra files and
registry entries were listed as associated to k.exe. Unfortunately none of
those files or registry entries were present on my system (and k.exe was not
actually present). There was a process called K which referenced a file in
my temp folder called k.exe but it had already been deleted.

To check again I have downloaded SpyWare Doctor which includes keylogger
detection, but how many of these products can you run before your system
becomes completely unusable - and you spend all your time running constant
scans ?

I should have said I am also behind a router firewall. I have a wireless
network running with WEP encryption (one network device doesn't support
WPA), but I live in a remote rural area where outside hacking is extremely
unlikely.

Cheers

Carol

Take a look at these sites
http://www.auditmypc.com/process/d--k.asp
http://www.auditmypc.com/process/k.asp
http://www.2-spyware.com/file-trojanspy-win32-keylogger-k-exe.html
It looks like you might have a keylogger or trojan on your system.

 
Carol Haynes

R. McCarty said:
You can locate the RootKitRevealer service(s), by examining the
Non Plug-&-Play category of Device Manager. It is necessary to
tic/check the View option "Show Hidden Devices". Likely you'll
have several instances of RKReveal --- with a 3-digit number that
is appended to the name. I usually just uninstall the remnants from
the NP&P after running RKRevealer.

Can't see any in there - but then I did manually remove the service registry
entries.

I'll carry on investigating this as I have used two other RootKit scanners
to check my system. Maybe one of those has also used this method to scan.
Certainly one of them managed to complete its scan a number of times but the
GUI hung on exit ... trouble is having used three tools I can't remember
which one had the problem ...
 
Wesley Vogel

Hi Carol,

Yes, leaves them behind in the registry. Who knows why. The folks at
System Internals are sharp folks, but a bug is a bug. ;-)

You'll find the left behind services here...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Locate the service in the list. ImagePath should point to Local
Settings\Temp folder, as a double check.

Delete them and reboot.

[[Important This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that
you understand how to restore the registry if a problem occurs. For
information about how to back up, restore, and edit the registry, click the
following article number to view the article in the Microsoft Knowledge
Base:
256986 Description of the Microsoft Windows Registry]]
http://support.microsoft.com/default.aspx?kbid=256986

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
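
The ImagePath double check described above, run offline against an exported .reg file (an added example, not part of the original posts). The FRLCT values are the ones posted earlier in the thread; `ExampleSvc` and all function names are constructed for illustration.

```python
import re

# Constructed sample input. The FRLCT values are copied from the export posted
# in the thread; "ExampleSvc" is a made-up ordinary service for contrast.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT]
"Type"=dword:00000110
"Start"=dword:00000003
"ImagePath"=hex(2):48,3a,5c,4c,4f,43,41,4c,53,7e,31,5c,54,65,6d,70,5c,46,52,4c,\
43,54,2e,65,78,65,00
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Enum]
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
"ImagePath"="C:\\Program Files\\Example\\svc.exe"
'''

START = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Convert the right-hand side of a .reg value line to a Python value."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) not in ("1", "2"):   # not a string type: keep raw bytes
            return data
        # Version 5 exports store strings as UTF-16LE; REGEDIT4 exports (as in
        # the thread) store them as single-byte ANSI text.
        utf16 = len(data) % 2 == 0 and all(b == 0 for b in data[1::2])
        return data.decode("utf-16-le" if utf16 else "cp1252", "replace").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_services(reg_text):
    """Return {service name: {value name: value}}, ignoring subkeys such as \\Enum."""
    services, current, pending = {}, None, ""
    for line in reg_text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("["):
            m = SERVICE_KEY.match(line)
            current = services.setdefault(m.group(1), {}) if m else None
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1)] = decode_value(m.group(2))
    return services


def triage(services):
    """List services whose ImagePath has a Temp directory component."""
    findings = []
    for name, vals in sorted(services.items()):
        path = str(vals.get("ImagePath", ""))
        parts = re.split(r"[\\/]", path.lower())
        if "temp" in parts or "tmp" in parts:
            findings.append({"service": name, "image_path": path,
                             "start": START.get(vals.get("Start"), "unknown"),
                             "interactive": bool(vals.get("Type", 0) & 0x100),
                             "account": vals.get("ObjectName", "")})
    return findings


if __name__ == "__main__":
    print(triage(parse_services(SAMPLE_REG)))
```

The decoded path for FRLCT is `H:\LOCALS~1\Temp\FRLCT.exe`: a manual-start, interactive service running as LocalSystem from a Temp folder, which is the pattern the thread attributes to RootkitRevealer leftovers and which still warrants checking whenever its origin is not known.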

 
Carol Haynes

Thanks yes - I got there before actually, but a better way for Windows XP is
to use SC.EXE from the Windows 2003 Resource Kit (free download from MS
downloads).

In a DOS window: SC.EXE DELETE <service_name>

Saves having to fiddle with the registry (safer) and is quicker.

Cheers

Carol

 
