
Unknown service (can't find relevant info on the web)


Carol Haynes:
They were registered services - present in the services list (but not running).

The service entry point in the registry had this for one of them (the others were very similar)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT]
"Type"=dword:00000110
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):48,3a,5c,4c,4f,43,41,4c,53,7e,31,5c,54,65,6d,70,5c,46,52,4c,\
  43,54,2e,65,78,65,00
"DisplayName"="FRLCT"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT\Enum]
"0"="Root\\LEGACY_FRLCT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Carol Haynes:
Trouble is I can't remember what the installed apps were (apart from MS VS Express 2005) as there have been quite a few, and not all of them required a reboot.

Quite a few apps leave installer leftovers in the TEMP folder (MS apps get quite upset if you delete the crap too).

This is what I have in terms of startup apps and services currently ... nothing seems particularly odd:

mouser:
I suppose the other thing to consider is it could be one of your many tools you are using to protect you doing this stuff on purpose - since I'm not familiar with some of those tools I suppose it could be one of them.

Carol Haynes:
I have also downloaded SpyWare Doctor as it had good recent reviews (since that is supposed to detect and remove K.EXE keylogger as well as worms/trojans). It too came up with nothing ???

There are no suspect services or processes running or listed this morning. I guess I had better just keep monitoring the situation everyday - and after I browse the web just in case something really sneaky is lurking that no one has met yet!

Carol Haynes:
???? Solved the problem ????

I also posted about these issues on the USENET support group: news://microsoft.public.windowsxp.general and got an interesting reply from Wesley Vogel MS-MVP. He pointed me at the Sysinternals Rootkit Revealer webpage. Note the introduction para 2:

The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.
--- End quote ---

Apparently the registry entries for this service are left behind after the scan, and consequently you end up with apparently disconnected random services ....

It seems strange to me though that the software would use random names that match known malware (K.EXE), look like they are related to grafix packages (GXF.EXE) etc.

I think I will pop into the sysinternal forums and ask about this further ...
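An added example, not code from this thread or from Sysinternals: a small Python parser for the kind of .reg export posted earlier in the thread, which decodes the hex(2) (REG_EXPAND_SZ) ImagePath and flags registered services whose binary lives under a Temp folder, the pattern that both the FRLCT entry and the RootkitRevealer explanation describe. It assumes an ANSI (single-byte) export like the one posted and treats a second byte of zero as a UTF-16LE (Regedit 5.00 Unicode) export; the sample key is constructed from the posted entry with the Security blob omitted.

```python
import re
# Constructed sample: the FRLCT key quoted in the thread, minus the Security blob.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FRLCT]
"Start"=dword:00000003
"ImagePath"=hex(2):48,3a,5c,4c,4f,43,41,4c,53,7e,31,5c,54,65,6d,70,5c,46,52,4c,\
  43,54,2e,65,78,65,00
"ObjectName"="LocalSystem"
"""
START_MODE = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SERVICE_KEY = re.compile(r"HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\]+)", re.I)

def decode_value(raw):
    """Decode one .reg value: dword, quoted string, or hex / hex(N) byte list."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    kind, _, hexdata = raw.partition(":")  # e.g. "hex(2)" and "48,3a,..."
    data = bytes(int(b, 16) for b in hexdata.split(",") if b)
    if kind in ("hex(1)", "hex(2)"):  # REG_SZ / REG_EXPAND_SZ exported as bytes
        enc = "utf-16-le" if len(data) > 1 and data[1] == 0 else "cp1252"  # Unicode vs ANSI export
        return data.decode(enc).rstrip("\x00")
    return data

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: decoded_value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join backslash-continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw)
    return keys

def triage_services(keys):
    """Flag registered services whose ImagePath lives under a Temp directory."""
    findings = []
    for key, values in keys.items():
        m = SERVICE_KEY.fullmatch(key)
        image = str(values.get("ImagePath", "")).strip('"')
        if m and "temp" in (p.lower() for p in image.split("\\")[:-1]):
            findings.append({"service": m.group(1), "image": image,
                             "account": values.get("ObjectName", "?"),
                             "start": START_MODE.get(values.get("Start"), "?")})
    return findings
```

Running `triage_services(parse_reg(SAMPLE_REG))` reports FRLCT as a manual-start LocalSystem service whose image is H:\LOCALS~1\Temp\FRLCT.exe, which is exactly the leftover-scanner-copy case the thread ends up with.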
