Topic: Unknown service (can't find relevant info on the web) (Read 6736 times)
Carol Haynes
« on: November 24, 2005, 06:07:19 PM »

I discovered an unknown service present on my system (not good) and can't find any relevant info on the web.

The service is simply called 'K' and refers to the file Local Settings\Temp\K.EXE

Unfortunately I had deleted K.EXE by the time I found it so can't send it off for analysis.

I have done websearches on K.EXE but haven't found any references that seem to refer to the same thing (there are some finds but the other parts of their descriptions aren't found on my system).

K.EXE had three associated registry entries (Control Set\Service entries) similar to this:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\K]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):48,3a,5c,4c,4f,43,41,4c,53,7e,31,5c,54,65,6d,70,5c,4b,2e,65,\
  78,65,00
"DisplayName"="K"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\K\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\K\Enum]
"0"="Root\\LEGACY_K\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Anyone else experienced this or can shed light on it?

I have written to ESET (NOD32) support to ask for advice but without the K.EXE file I doubt they can help much.

mouser
« Reply #1 on: November 24, 2005, 08:10:11 PM »

have you searched for the actual k.exe file - finding that and looking at it might shed some light.

Carol Haynes
« Reply #2 on: November 25, 2005, 03:11:07 AM »

Quote
have you searched for the actual k.exe file - finding that and looking at it might shed some light.

Quote
Unfortunately I had deleted K.EXE by the time I found it so can't send it off for analysis.

Trouble is there are threats on the internet that contain a K.EXE file but none of the other symptoms exist on my system (I have been checking associated files and registry entries but none seem to exist). I could try finding a copy of K.EXE on the web but there is no way of knowing if it is the same file ???

mouser
« Reply #3 on: November 25, 2005, 03:19:08 AM »

try recycle bin to undelete it?

Innuendo
« Reply #4 on: November 26, 2005, 07:57:28 PM »

Well, here's the first result I found...

http://www.auditmypc.com/process/k.asp

mouser
« Reply #5 on: November 26, 2005, 09:40:37 PM »

does anyone know of a good webpage about "what to do AFTER you find a virus/trojan on your computer" ?

i've been lucky enough not to find myself in this position, but if i ever found a trojan or virus on my computer i would consider the system compromised and do a very thorough check of everything.

i would assume that any trojan found was not the only one present and would consider it important to figure out exactly how it got on my machine; if i couldn't trace back the origin and convince myself that there were no more present i would strongly lean towards restoring the machines to a known good backup.

yet another reason and reminder to do monthly drive image backups.

Innuendo
« Reply #6 on: November 26, 2005, 10:25:22 PM »

Obviously what you do is clean the machine. Now whether that be by a specialized tool especially programmed to remove that trojan/virus or a more general purpose tool like Kaspersky or TDS3 is up to the individual.

A manual cleaning can sometimes be an option, but it can be a very involved complicated process with some of the nasties that are out and about.

mouser
« Reply #7 on: November 26, 2005, 10:28:52 PM »

yes but carol's experience shows the danger of just reflexively "cleaning the machine" -
because in deleting the file she also deleted her hope of determining for sure if she did in fact have a trojan, and perhaps figuring out how.

i say treat a possible infection as if it was an indication of a security problem - your first goal should not be to remove it and destroy any clues.  your first goal should be identify the cause of your problem and how it got in, then proceed to cleaning.

Carol Haynes
« Reply #8 on: November 27, 2005, 04:16:52 AM »

Quote
Well, here's the first result I found...

http://www.auditmypc.com/process/k.asp

Thanks.

Yes I saw the TKBOT worm when I did a websearch but according to Symantec etc. there are a number of characteristics (in terms of other files/registry entries) and none of those seemed to be present.

koncool
« Reply #9 on: November 27, 2005, 07:50:27 AM »

TKBOT? Was K.EXE over 600kb? If so, that's it, and it got through weak netbios shares most probably.

Carol Haynes
« Reply #10 on: November 27, 2005, 08:25:22 AM »

Don't know because I don't have the file to look at.

I have a few shared folders on my local Wireless Network - how can I beef up security to stop it happening again?

I am in a remote area - so it is unlikely anyone is hacking into my network via the wireless connection, so it must be arriving from the internet ... I have Sygate Firewall/NOD32 AV/Various antispyware apps some of which are actively monitoring my system usually when I am on line.

Innuendo
« Reply #11 on: November 27, 2005, 10:33:12 AM »

mouser,
I misunderstood your question. You are right. It's best not to just do a knee-jerk reaction of deleting the file. Running anti-trojan programs and research on a search engine are definitely the first steps towards education and eventual eradication.

Innuendo
« Reply #12 on: November 27, 2005, 10:49:12 AM »

Carol,
You may have been (un)lucky enough to get a new variant of that trojan. Perhaps one that wasn't coded right & didn't deploy properly. That happens all the time.

As far as wireless security, you are going to be wanting to run some kind of WPA encryption over there at the very least. WPA2 if your equipment offers it. If your equipment only offers WEP encryption then you should think about replacing it as WEP is an easily compromised algorithm.

NOD32 is a very capable anti-virus program. The anti-spyware apps are great to run as well, but I see nothing for trojan detection. That's not as important if you are able to stop everything at the front door. You may want to start shopping around for a new firewall program. Sygate's product has got some bugs & it's been discontinued by the company. You're at a dead end, programming-wise.

I'm going to resist pitching Ad Muncher to you again, but I will point out that lots of individuals use Java, JavaScript & ActiveX to deploy viruses and trojans across the internet. Usually they are hidden in pop-ups and banners and such. To your system, your firewall, your anti-spyware apps,and your anti-virus they all look like standard web traffic.

Carol Haynes
« Reply #13 on: November 27, 2005, 11:35:13 AM »

Interesting about Sygate - it would have been nice if they told their customers that they had sold out to Symantec (I have come to the conclusion that Symantec are a giant vacuum cleaner - it sucks up all the goodies and everything that then comes out of the bag is covered in crap).

Interestingly though:

Quote
Symantec will continue to sell the current Sygate solutions under the Sygate brand. In the next six months, the company expects to rebrand the next version of the products and include additional functionality. Thereafter, Symantec plans to integrate the Sygate technology into the company's existing enterprise security products.

that was posted on 10th October ...

Whatever, I now need to look for a new Firewall - I don't want to be dependent on Symantec again. The question is am I entitled to a refund on my Sygate subscription (which has over 12 months to run)?

Unfortunately I have Netsys wireless kit and most will support WPA2 but not all ... particularly my wireless booster upstairs which only supports WEP (most of the repeaters only seem to support WEP that I could find when I looked recently)

Part of the problem is being in the UK ... there doesn't seem as much choice over here for wireless gear. Given that what I have is less than a year old I don't feel inclined to throw it away.

Having said that I figure WEP is perfectly adequate - I have enough trouble getting a strong signal in my own property and neither of the neighbouring properties are likely to be snooping (one is empty 90% of the time, and the other is a friend). I live in a tiny, remote village in a sprawling farm conversion complex - most of which is owned by retired 2nd home owners (and empty most of the year) - so I don't think wireless intrusion is at all likely any time soon.

I have to confess to installing AdMuncher - I did it pretty much as an experiment and have decided to use it after all. Actually I have had pretty aggressive anti-popup stuff installed for a long time (mainly because I hate unwanted windows open) and I never allow ActiveX controls to install unless I know what they are!

Innuendo
« Reply #14 on: November 27, 2005, 10:39:46 PM »

Carol, love your quote by Symantec. When they exclusively licensed AtGuard from WRQ they said the exact same thing. Before Symantec got their hands on it AtGuard was less than 3 MB in installer form and had a very small footprint when running. After Symantec got ahold of it they turned it into the lumbering behemoth that is Norton Internet Security.

I rarely praise & evangelize programs. Ad Muncher is one of the very few I think that is top notch & that I'll sound out and recommend. The author is top-notch & not only is his program better than other ad blockers he sells his for cheaper than all the others as well. I've just been waiting for a discount...which Mouser soundly secured for us all.

Carol Haynes
« Reply #15 on: November 28, 2005, 07:16:45 PM »

I have now spotted two new unknown services listed GXF.EXE and FRLCT.EXE.

Both point to files which were in the Local Settings\Temp folder (but no longer exist).

Has anyone any idea what these are? Google etc. and antispyware/AV sites come up with no info on either.

Any help on this would really be appreciated - I am beginning to get very worried that something sinister is going on.

I have done a complete antivirus scan and multiple anti malware scans without showing up anything, and I have done a system search for these 3 files and can't find them anywhere on my system. (I used FileLocator Pro set to search all hard discs/folders etc. and inside .CAB, .ZIP and .RAR files)

My system setup is:

Windows XP SP2 (fully up to date)
NOD32 AntiVirus
Sygate Pro Firewall (yes I know I need to change this as Symantec have effectively made it abandonware recently - according to Sygate/Symantec it is being supported until the end of November and my last update was fairly recent)

I also constantly run ProcessGuard (which stops unknown programs starting without permission), WebRoot SpySweeper and MS AntiSpyware

I have also scanned my system with AdAwareSE Pro and SpyBot Search & Destroy which showed up no issues.

Am I missing something here? How can services appear and disappear like this?

mouser
« Reply #16 on: November 28, 2005, 07:23:54 PM »

it does sound like you might have a trojan creating these..

Carol Haynes
« Reply #17 on: November 28, 2005, 07:39:04 PM »

Presumably the only real solution is a complete reinstall ???

Could these be hangovers from application installation where actions are required after a reboot?

mouser
« Reply #18 on: November 28, 2005, 07:43:10 PM »

when you say you discovered "two new unknown services" what exactly do you mean?
do you mean real registered services as in windows services..
or do you just mean programs that were set to run on reboot, which could in fact be what you say, temporary files run as part of an install or uninstall procedure.

mouser
« Reply #19 on: November 28, 2005, 07:45:43 PM »

i wouldn't do a complete reinstall just yet, but
i would if i couldn't track down those files and satisfy myself they are harmless.

maybe try uninstalling and reinstalling the recent apps that required a reboot, and try to find those files again before rebooting.

Carol Haynes
« Reply #20 on: November 28, 2005, 07:45:53 PM »

They were registered services - present in the services list (but not running).

The service entry point in the registry had this for one of them (the others were very similar)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT]
"Type"=dword:00000110
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):48,3a,5c,4c,4f,43,41,4c,53,7e,31,5c,54,65,6d,70,5c,46,52,4c,\
  43,54,2e,65,78,65,00
"DisplayName"="FRLCT"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Enum]
"0"="Root\\LEGACY_FRLCT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

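Both the K export in the first post and the FRLCT export above are raw REGEDIT4 dumps, and the interesting facts (where the image lives, what kind of service it is, who is allowed to reconfigure it) are buried in hex. The following Python script is an added example, not something posted in the thread: it parses such an export offline, decodes the hex(2) ImagePath, names the Type and Start values, walks the self-relative security descriptor stored under the Security subkey, and flags an image path under a Temp directory. The constant names and well-known SIDs are those of the Windows SDK; the function names and the sample export (constructed from the FRLCT values quoted in the post) are mine.

```python
"""Triage a REGEDIT4 export of a Services\\<name> key (added example, not from the thread).
Constant names and well-known SIDs are from the Windows SDK; the sample export below is
constructed from the FRLCT entry quoted in the post."""
import re
import struct

TYPE_FLAGS = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER", 0x10: "WIN32_OWN_PROCESS",
              0x20: "WIN32_SHARE_PROCESS", 0x100: "INTERACTIVE_PROCESS"}
START_NAMES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-18": "SYSTEM",
              "S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}
# Rights that let a principal repoint or remove the service:
# SERVICE_CHANGE_CONFIG (0x2), DELETE (0x10000), WRITE_DAC (0x40000).
MODIFY_MASK = 0x2 | 0x10000 | 0x40000

# Constructed sample input mirroring the FRLCT export quoted in the post.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT]
"Type"=dword:00000110
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):48,3a,5c,4c,4f,43,41,4c,53,7e,31,5c,54,65,6d,70,5c,46,52,4c,\
  43,54,2e,65,78,65,00
"DisplayName"="FRLCT"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
"""

def decode_value(raw):
    """Decode the right-hand side of one "name"=value line."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ; REGEDIT4 writes it as ANSI bytes
        return bytes.fromhex(raw[7:].replace(",", "")).decode("latin-1").rstrip("\x00")
    if raw.startswith("hex:"):     # REG_BINARY
        return bytes.fromhex(raw[4:].replace(",", ""))
    return raw.strip('"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse a REGEDIT4 export into {key path: {value name: decoded value}}."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # join hex continuation lines
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw)
    return keys

def parse_sid(buf, off):
    """Render the binary SID at buf[off:] as S-<rev>-<authority>-<sub>..."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_security(sd):
    """Parse a self-relative SECURITY_DESCRIPTOR into (owner SID, list of DACL ACEs)."""
    _rev, _sbz1, control, owner_off, _grp, _sacl_off, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    owner = parse_sid(sd, owner_off) if owner_off else None
    aces = []
    if control & 0x4 and dacl_off:  # SE_DACL_PRESENT
        count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]  # ACL header: rev, sbz1, size, count, sbz2
        pos = dacl_off + 8
        for _ in range(count):
            ace_type, _flags, size = struct.unpack_from("<BBH", sd, pos)
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            sid = parse_sid(sd, pos + 8)
            aces.append({"type": {0: "ALLOW", 1: "DENY"}.get(ace_type, "OTHER"), "sid": sid,
                         "name": WELL_KNOWN.get(sid, sid), "mask": mask})
            pos += size
    return owner, aces

def triage(reg_text):
    """Summarise one exported service key plus the indicators worth a second look."""
    keys = parse_reg(reg_text)
    svc_key = next(k for k, v in keys.items() if "ImagePath" in v)
    svc, image = keys[svc_key], keys[svc_key]["ImagePath"]
    sec = keys.get(svc_key + "\\Security", {}).get("Security")
    owner, aces = parse_security(sec) if sec else (None, [])
    return {"service": svc_key.rsplit("\\", 1)[1], "image_path": image,
            "type": "|".join(n for bit, n in TYPE_FLAGS.items() if svc.get("Type", 0) & bit),
            "start": START_NAMES.get(svc.get("Start"), "UNKNOWN"), "account": svc.get("ObjectName"),
            "temp_image": "\\TEMP\\" in image.upper(), "owner": WELL_KNOWN.get(owner, owner),
            "dacl": aces,
            "can_modify": [a["name"] for a in aces if a["type"] == "ALLOW" and a["mask"] & MODIFY_MASK]}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REG).items():
        print("%-11s %s" % (key, value))
```

For the FRLCT sample this reports image_path H:\LOCALS~1\Temp\FRLCT.exe (flagged as a Temp image), type WIN32_OWN_PROCESS|INTERACTIVE_PROCESS, start DEMAND_START, account LocalSystem, and a DACL in which only Administrators hold change-config or delete rights; the descriptor itself is unremarkable, so the indicators worth chasing are the short-lived image under Temp and the LocalSystem/interactive service type. Fed the K export from the first post, the same script decodes H:\LOCALS~1\Temp\K.exe with Start=DISABLED and an identical descriptor.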

Carol Haynes
« Reply #21 on: November 28, 2005, 07:47:52 PM »

Trouble is I can't remember what the installed apps were (apart from MS VS Express 2005) as there have been quite a few, and not all of them required a reboot.

Quite a few apps leave installer leftovers in the TEMP folder (MS apps get quite upset if you delete the crap too).

This is what I have in terms of startup apps and services currently ... nothing seems particularly odd:


[Attachments: startup-services.png (512x1782), startup-apps.png (1144x661)]
« Last Edit: November 28, 2005, 08:02:47 PM by CarolHaynes »

mouser
« Reply #22 on: November 29, 2005, 03:47:24 AM »

i suppose the other thing to consider is it could be one of your many tools you are using to protect you doing this stuff on purpose - since i'm not familiar with some of those tools i suppose it could be one of them.

Carol Haynes
« Reply #23 on: November 29, 2005, 06:55:55 AM »

I have also downloaded SpyWare Doctor as it had good recent reviews (since that is supposed to detect and remove K.EXE keylogger as well as worms/trojans). It too came up with nothing ???

There are no suspect services or processes running or listed this morning. I guess I had better just keep monitoring the situation everyday - and after I browse the web just in case something really sneaky is lurking that no one has met yet!
« Last Edit: November 29, 2005, 06:57:41 AM by CarolHaynes »

Carol Haynes
« Reply #24 on: November 29, 2005, 07:19:56 AM »

???? Solved the problem ????

I also posted about these issues on the USENET support group: news://microsoft.public.windowsxp.general and got an interesting reply from Wesley Vogel MS-MVP. He pointed me at the Sysinternals Rootkit Revealer webpage. Note the introduction para 2:

Quote
The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.

Apparently the registry entries for this service are left behind after the scan, and consequently you end up with apparently disconnected random services ....

It seems strange to me though that the software would use random names that match known malware (K.EXE), look like they are related to grafix packages (GXF.EXE) etc.

I think I will pop into the sysinternal forums and ask about this further ...