TWO STRANGE ITEMS IN MSCONFIG

Guest

I noticed two strange processes when I looked at startup tab via MSCONFIG:
QLNJERD and XFZYXTK -- both are in the WINDOWS\SYSTEM32 folder according to
MSCONFIG

Should I stop them from starting up? I looked on Google and there are no
hits for these two names.

Please advise.
Thanks.
Tony
 
David H. Lipman

From: "Tony V" <[email protected]>

| I noticed two strange processes when I looked at startup tab via MSCONFIG:
| QLNJERD and XFZYXTK -- both are in the WINDOWS\SYSTEM32 folder according to
| MSCONFIG
|
| Should I stop them from starting up? I looked on Google and there are no
| hits for these two names.
|
| Please advise.
| Thanks.
| Tony

You really have provided insufficient information.
What are QLNJERD and XFZYXTK in c:\windows\system32 ?

Are they EXE files ?
How are they being loaded ?

If they are EXE files they are SURELY malicious with randomized names such as those used !

Those line items should be disabled and the computer rebooted and the following performed.

For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
karl levinson, mvp

| I noticed two strange processes when I looked at startup tab via MSCONFIG:
| QLNJERD and XFZYXTK -- both are in the WINDOWS\SYSTEM32 folder according to
| MSCONFIG

| What are QLNJERD and XFZYXTK in c:\windows\system32 ?
|
| Are they EXE files ?
| How are they being loaded ?
|
| If they are EXE files they are SURELY malicious with randomized names such
| as those used !

Agreed... although the best way to identify and remove viruses and most
malware is with antivirus first.

The first thing I would be doing is making sure your antivirus software is
enabled, working and up to date. http://free.grisoft.com is free antivirus,
I recommend it.

You might also submit those two files, once you find out where exactly they
are located, via www.virustotal.com. With that web page, you'll receive your
scan results of those two files in a few seconds. If you suspect your
antivirus isn't working or you have no antivirus,
http://housecall.antivirus.com might also be useful, as it scans your entire
system for a second opinion.
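
The questions raised above (are they EXE files, how are they being loaded) and the suggestion to check the files at VirusTotal can be answered with a read-only inventory of startup entries. This is an added example, not part of any post in this thread; the helper names `Resolve-StartupTarget` and `Test-OddName` and the vowel-count heuristic are hypothetical, and it assumes PowerShell 4 or later.

```powershell
# Added example: list every startup entry, how it is loaded, and the file behind it.
# Read-only; nothing is disabled or deleted.

function Resolve-StartupTarget {
    param([string]$Command)
    # Pull the executable path out of a startup command line (quoted or unquoted).
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|dll|com|scr|bat|cmd|vbs))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Test-OddName {
    param([string]$BaseName)
    # Hypothetical heuristic (an assumption, not a detection rule):
    # six or more letters, letters only, at most one vowel (fits QLNJERD, XFZYXTK).
    if ($BaseName -notmatch '^[A-Za-z]{6,}$') { return $false }
    $vowels = ([regex]::Matches($BaseName, '[AEIOUaeiou]')).Count
    return ($vowels -le 1)
}

Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $path = Resolve-StartupTarget $_.Command
    # Entries given without a full path (e.g. a bare file name) will show Exists = False.
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $_.Name
        LoadedVia = $_.Location   # registry Run key or Startup folder
        Path      = $path
        Exists    = [bool]$file
        Extension = if ($file) { $file.Extension } else { $null }
        Signature = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status } else { $null }
        SHA256    = if ($file) { (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash } else { $null }
        OddName   = if ($file) { Test-OddName $file.BaseName } else { Test-OddName $_.Name }
    }
} | Sort-Object OddName -Descending | Format-List
```

The SHA256 value can be searched on VirusTotal without uploading the file. An entry flagged `OddName` is only a prompt to look closer at its path, signature status and load location.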
 
Guest

Please let the forum know if the solutions posted here worked for you. In my
experience, these files - with nonsensical names - usually appear to run for
a temporary period of time (so that a system snapshot, such as a HijackThis
log may miss them), and they may be possibly related to malware. I had a
hard time removing them from a friend's computer, which I finally did, using
an assortment of tools - some of which the earlier posters have mentioned.
 
Guest

Thanks for your help. I stopped both files from starting, ran a complete
anti-virus scan, and purchased Spy Sweeper. Ran a complete scan using that.

System appears to be clean and stable.
Again, thanks for your help!
 
Guest

Thanks for your help. I stopped the two files from running, ran a complete
anti-virus scan, and bought Spy Sweeper.

System appears to be fine and stable. Thanks again.
 
