Malicious startup programs

 
 
tvfun
      01-04-2005
A malicious program keeps re-inserting itself in my start-up list.

I've "Startup Control Panel 2.8 by Mike Lin" which conveniently displays
startup items in a tabbed interface.

The following is a real bugger.

In HKLM/Run I have an item named '4GDY2Ml296K6CX' with path
C:\WINDOWS\SYSTEM\Xej7.exe

I tried to uncheck it but doing that resulted in it creating a duplicate
entry immediately with the other one checked! Trying to uncheck the other
one resulted in an error message "There is already and enabled/disabled
entry with the same name..." and a simple OK button. Hit OK and the second
duplicated entry remains checked.

I cannot delete Xej7.exe because it is "in use".

I've had this problem repeatedly. Last time I finally rebooted in safe mode,
made sure nothing extra was loaded and deleted Xej7.exe (actually a
precursor), removed all entries from startup and searched windows registry
for it and deleted anything that was connected to it.

Within a day or so it returned. Not the same name but something like it. I
think it was named 'AOzdf.exe'. I could tell it was the same thing because it
acted the same.

It looks like something is lurking somewhere on my system and it checks to
see if its exe is there and in startup and if not creates it and adds it to
the start up list. Question is how do I find it.

In other words something created/wrote Xej7.exe and set it up to load at
startup. That something is lurking somewhere on my system. This exe gets
recreated even if I disconnect the wire to the internet.

I have Spybot Search and Destroy and Ad-Aware and run them on a schedule.
I have anti virus software. All of this has failed to get rid of the
problem I describe.

The key is to find what is creating the 'Xej7.exe' and getting rid of that.

Any ideas on how to diagnose this?


 
David Postill
      01-04-2005
In article <PvlCd.4817$(E-Mail Removed)>, on Tue, 04 Jan 2005 00:33:51 GMT,
"tvfun" <(E-Mail Removed)> wrote:

| A malicious program keeps re-inserting itself in my start-up list.
|
| I've "Startup Control Panel 2.8 by Mike Lin" which conveniently displays
| startup items in a tabbed interface.
|
| The following is a real bugger.
|
| In HKLM/Run I have an item named '4GDY2Ml296K6CX' with path
| C:\WINDOWS\SYSTEM\Xej7.exe

<http://www.google.co.uk/search?q=Xej7+removal>

<davidp />

--
DavidPostill
 
Jim Watt
      01-04-2005
On Tue, 04 Jan 2005 00:33:51 GMT, "tvfun" <(E-Mail Removed)> wrote:

>A malicious program keeps re-inserting itself in my start-up list.


Then it's still running. Kill its process and then remove its
startup entry.
--
Jim Watt
http://www.gibnet.com
 
Sasquatch
      01-05-2005
Do like Jim suggested. Kill the process and then get rid of the file
Xej7.exe. Be forewarned though, that many of these nasties are set to auto
download/repair themselves if you should remove their key files. Ensure you
dump all temp files as well as checking the following keys in the registry:

Start-->Run-->Regedit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\RunOnce

Delete anything that may reference Xej7.exe

Download and use Spybot Search and Destroy ***AND*** Ad Aware. Both find
things the other misses.

Once accomplished, stop using IE and start using Mozilla Firefox.
Reply With Quote
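Added example, not code from any poster in this thread: the Run/RunOnce check described above as a PowerShell script, extended to the "it came back under a different name" case by diffing the autostart values against a saved baseline. It reads the keys at their full paths under Software\Microsoft\Windows\CurrentVersion; the function names and the baseline file location are assumptions of this example.

```powershell
# Added example: list Run/RunOnce autostart values and report the ones that
# were not present when the baseline was saved. Needs PowerShell 4.0 or later.
$RunKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        "$hive\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\$sub"
    }
}

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            # Executable part of the command: quoted path, else up to a known extension, else first token.
            $path = switch -Regex ($command) {
                '^\s*"([^"]+)"'                              { $Matches[1]; break }
                '^\s*(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)' { $Matches[1]; break }
                default                                      { ($command.Trim() -split '\s+')[0] }
            }
            $path = [Environment]::ExpandEnvironmentVariables("$path")
            # Bare names that Windows would find via PATH are reported as NotResolved.
            $file = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue |
                                 Where-Object { -not $_.PSIsContainer } }
            $sig = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status } else { 'NotResolved' }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $command
                Created   = if ($file) { $file.CreationTime }
                Signature = "$sig"
                SHA256    = if ($file) { (Get-FileHash -LiteralPath $file.FullName).Hash }
            }
        }
    }
}

function Compare-AutorunBaseline {
    param([string]$BaselinePath = "$env:ProgramData\autorun-baseline.xml")  # assumed location
    $current = @(Get-AutorunEntry)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        Export-Clixml -InputObject $current -LiteralPath $BaselinePath
        return $current      # first run: save the baseline and show everything
    }
    $saved = Import-Clixml -LiteralPath $BaselinePath
    $known = foreach ($e in $saved) { "$($e.Key)|$($e.Name)|$($e.Command)" }
    $current | Where-Object { $known -notcontains "$($_.Key)|$($_.Name)|$($_.Command)" }
}

Compare-AutorunBaseline | Format-List
```

Run it once to save the baseline and again after the entry reappears; only new or changed values are listed, with the target file's creation time, signature status and SHA256.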
 
 
 