HELP: Three unknown services K.EXE, GXF.EXE and FRLCT.EXE - anyone any ideas?

Carol Haynes

Thanks for your help ...

I have been chatting on Sysinternals Forum about this.

The service name generated is any number of characters long (and as far as I
can tell just capital letters).

I tried RootKit Revealer again and let it scan my registry and my C: drive,
after that I aborted and closed the window.

A randomly named .EXE file was produced in my Local Settings\Temp folder,
and run as a service (I monitored the folder, services and TaskScheduler
while RR was executing).

On exit the file was deleted but not the service name or the service related
registry settings. It can't run 'cos the file doesn't exist.

This is definitely a bug, and (at least to my satisfaction) clearly explains
what has been happening on my system (huge sigh of relief).

Strange thing is that RR doesn't exhibit this behaviour on all systems.

Thanks all for the help sorting this out and giving me a good night's sleep
tonight ;-)

Carol
 
Wesley Vogel

Hi Carol,

No need for the Windows 2003 Resource Kit, SC.EXE is part of XP.

Type SC in the Search box in Help and Support.

Or Start | Run | Paste this in the box and hit Enter...

hh ntcmds.chm::/sc.htm

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Carol Haynes said:
Thanks yes - I got there before actually, but a better way for Windows XP
is to use SC.EXE from the Windows 2003 Resource Kit (free download from MS
downloads).

In a DOS window: SC.EXE DELETE <service_name>

Saves having to fiddle with the registry (safer) and is quicker.

Cheers

Carol

Wesley Vogel said:
Hi Carol,

Yes, leaves them behind in the registry. Who knows why. The folks at
System Internals are sharp folks, but a bug is a bug. ;-)

You'll find the left behind services here...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Locate the service in the list. ImagePath should point to Local
Settings\Temp folder, as a double check.

Delete them and reboot.

[[Important This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure
that you understand how to restore the registry if a problem occurs. For
information about how to back up, restore, and edit the registry, click the
following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry]]
http://support.microsoft.com/default.aspx?kbid=256986

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Carol Haynes said:
Thanks Wesley,

Yes I have run it three times !! If this has cracked it then I am very
grateful and much relieved!

Does it leave the registry entries behind after it has finished its scan?
If so why doesn't it delete them again to save confusion?

Cheers

Carol Haynes

If you have used RootkitRevealer, it adds a random named service and runs as
that service. Every time you run RootkitRevealer it adds another service to
services.msc. Have you run RootkitRevealer three times?

[[The reason that there is no longer a command-line version is that malware
authors have started targeting RootkitRevealer's scan by using its
executable name. We've therefore updated RootkitRevealer to execute its scan
from a randomly named copy of itself that runs as a Windows service.]]
http://www.sysinternals.com/Utilities/RootkitRevealer.html

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In Carol Haynes <[email protected]> hunted and pecked:
That's what I thought too ... but when I looked at what was likely to be
found with these issues none of the other traces were found.
Unfortunately auditmypc doesn't give any detail, but the problems
described are listed on numerous other sites (for k.exe) when a whole
pile of extra files and registry entries were listed as associated to
k.exe. Unfortunately none of those files or registry entries were present
on my system (and k.exe was not actually present). There was a process
called K which referenced a file in my temp folder called k.exe but it had
already been deleted.

To check again I have downloaded SpyWare Doctor which includes keylogger
detection, but how many of these products can you run before your system
becomes completely unusable - and you spend all your time running constant
scans ?

I should have said I am also behind a router firewall. I have a wireless
network running with WEP encryption (one network device doesn't
support WPA), but I live in a remote rural area where outside hacking
is extremely unlikely.

Cheers

Carol

Take a look at these sites
http://www.auditmypc.com/process/d--k.asp
http://www.auditmypc.com/process/k.asp
http://www.2-spyware.com/file-trojanspy-win32-keylogger-k-exe.html
It looks like you might have a keylogger or trojan on your system.

:

I have spotted two unknown services listed GXF.EXE and FRLCT.EXE.

Both point to files which were in the Local Settings\Temp folder (but no
longer exist).

Has anyone any idea what these are? Google etc. and antispyware/AV sites
come up with no info on either.

I also recently found a similar service, K.EXE, which similarly referenced a
file in the temp folder (which was no longer there). Various sites suggested
it could have been a trojan, but none of the trojan 'specs' matched those
listed on Symantec and other sites (ie. the other files/registry entries
which were supposed to be present in a trojan infection were not there
at all).

Any help on this would really be appreciated - I am beginning to get
very worried that something sinister is going on.

I have done a complete antivirus scan and multiple anti malware
scans without showing up anything, and I have done a system search
for these 3 files and can't find them anywhere on my system.

My system setup is:

Windows XP SP2 (fully up to date)
NOD32 AntiVirus
Sygate Pro Firewall (yes I know I need to change this as Symantec have
effectively made it abandonware recently)

I also constantly run ProcessGuard (which stops unknown programs
starting without permission), WebRoot SpySweeper and MS AntiSpyware

I have also scanned my system with AdAwareSE Pro and SpyBot Search &
Destroy which showed up no issues.

Am I missing something here? How can services appear and disappear
like this?
 
Carol Haynes

Thanks - seems to work fine (sorry been a couple of days since I was
online).

Thanks to everyone for their contributions - it really is appreciated.

Carol
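
The check described in this thread (a service key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services whose ImagePath points into a Temp folder and whose file no longer exists) can be scripted. The following is an added example, not part of the original posts; it assumes PowerShell is available, the function names are hypothetical, and it only reports, leaving the `SC.EXE DELETE` step to the operator.

```powershell
# Added example: report-only audit for orphaned service entries.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ImageFile {
    # Hypothetical helper: reduce an ImagePath value to the executable path.
    param([string]$ImagePath)
    # Drop the NT object-manager prefix (\??\) some entries carry.
    $p = $ImagePath -replace '^\\\?\?\\', ''
    # Quoted path first, then an unquoted path ending at the first .exe;
    # any command-line arguments after the path are discarded.
    if ($p -match '^\s*"([^"]+)"')         { return $Matches[1] }
    if ($p -match '^\s*(.+?\.exe)(\s|$)')  { return $Matches[1] }
    return $p.Trim()
}

function Find-OrphanedTempService {
    # Hypothetical helper: list services matching the thread's two criteria.
    param([string]$Root = $servicesKey)
    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        # GetValue expands %VAR% references in REG_EXPAND_SZ values.
        $raw = $key.GetValue('ImagePath')
        if (-not $raw) { continue }
        $file = Get-ImageFile $raw
        # Criterion 1: the binary sits directly in a folder named Temp
        # (Local Settings\Temp on XP, AppData\Local\Temp on later systems).
        # Criterion 2: the file is no longer on disk.
        $inTemp  = $file -match '\\Temp\\[^\\]+$'
        $missing = -not (Test-Path -LiteralPath $file)
        if ($inTemp -and $missing) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                ImagePath = $raw
                # Command from the thread, printed for review, never executed here.
                Cleanup   = "sc.exe delete `"$($key.PSChildName)`""
            }
        }
    }
}

Find-OrphanedTempService | Format-List
```

An entry whose file is still present in Temp is deliberately not reported as an orphan; it may be a scan in progress or something else that needs a separate look.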
 
