Malicious startup programs

Discussion in 'Computer Security' started by tvfun, Jan 4, 2005.

  1. tvfun

    tvfun Guest

    A malicious program keeps re-inserting itself in my start-up list.

    I've "Startup Control Panel 2.8 by Mike Lin" which conveniently displays
    startup items in a tabbed interface.

    The following is a real bugger.

    In HKLM/Run I have an item named '4GDY2Ml296K6CX' with path
    C:\WINDOWS\SYSTEM\Xej7.exe

    I tried to uncheck it but doing that resulted in it creating a duplicate
    entry immediately with the other one checked! Trying to uncheck the other
    one resulted in an error message "There is already and enabled/disabled
    entry with the same name..." and a simple OK button. Hit OK and the second
    duplicated entry remains checked.

    I cannot delete Xej7.exe because it is "in use"

    I've had this problem repeatedly. Last time I finally rebooted in safe mode,
    made sure nothing extra was loaded and deleted Xej7.exe (actually a
    precursor), removed all entries from startup and searched windows registry
    for it and deleted anything that was connected to it.

    Within a day or so it returned. Not the same name but something like it. I
    think it was named 'AOzdf.exe'. I could tell it was the same thing because it
    acted the same.

    It looks like something is lurking somewhere on my system and it checks to
    see if its exe is there and in startup and if not creates it and adds it to
    the start up list. Question is how do I find it.

    In other words something created/wrote Xej7.exe and set it up to load at
    startup. That something is lurking somewhere on my system. This exe gets
    recreated even if I disconnect the wire to the internet.

    I have Spybot Search and Destroy and Ad Aware and run them on a schedule.
    I have anti virus software. All of this has failed to get rid of the
    problem I describe.

    The key is to find what is creating the 'Xej7.exe' and getting rid of that.

    Any ideas on how to diagnose this?
    tvfun, Jan 4, 2005
    #1

  2. In article <PvlCd.4817$>, on Tue, 04 Jan 2005 00:33:51 GMT,
    "tvfun" <> wrote:

    | A malicious program keeps re-inserting itself in my start-up list.
    |
    | I've "Startup Control Panel 2.8 by Mike Lin" which conveniently displays
    | startup items in a tabbed interface.
    |
    | The following is a real bugger.
    |
    | In HKLM/Run I have an item named '4GDY2Ml296K6CX' with path
    | C:\WINDOWS\SYSTEM\Xej7.exe

    <http://www.google.co.uk/search?q=Xej7+removal>

    <davidp />

    --
    DavidPostill
    David Postill, Jan 4, 2005
    #2

  3. tvfun

    Jim Watt Guest

    On Tue, 04 Jan 2005 00:33:51 GMT, "tvfun" <> wrote:

    >A malicious program keeps re-inserting itself in my start-up list.


    Then it's still running. Kill its process and then remove its
    startup entry.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Jan 4, 2005
    #3
  4. tvfun

    Sasquatch Guest

    Do like Jim suggested. Kill the process and then get rid of the file
    Xej7.exe. Be forewarned though, that many of these nasties are set to auto
    download/repair themselves if you should remove their key files. Ensure you
    dump all temp files as well as checking the following keys in the registry:

    Start-->Run-->Regedit
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\RunOnce

    Delete anything that may reference Xej7.exe

    Download and use Spybot Search and Destroy ***AND*** Ad Aware. Both find
    things the other misses.

    Once accomplished, stop using IE and start using Mozilla Firefox.




    Sasquatch, Jan 5, 2005
    #4
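
The replies above come down to two checks: which autostart entries exist, and whether the program behind each one is still running (so it can be stopped before the entry is removed). The following read-only PowerShell sketch is an added example, not part of the original thread; it assumes a current Windows system, where the Run and RunOnce keys sit under `...\Windows\CurrentVersion\`, and `Get-CommandExecutable` is a hypothetical helper name.

```powershell
# Added example: list Run/RunOnce autostart entries and match them to running processes.
# Read-only: nothing is killed or deleted.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-CommandExecutable {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')      { return $Matches[1] }  # "C:\a b\x.exe" /arg
    if ($Command -match '^\s*(.+?\.exe)\b')   { return $Matches[1] }  # C:\a\x.exe /arg
    return ($Command.Trim() -split '\s+')[0]                          # anything else
}

# Processes whose image path is readable from this session.
$procs = Get-Process | Where-Object { $_.Path }

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if (-not $command) { continue }
        $exe  = [Environment]::ExpandEnvironmentVariables((Get-CommandExecutable $command))
        $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        $created   = $null
        $signature = $null
        if ($file) {
            $created   = $file.CreationTime
            $signature = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        }
        $running = $procs | Where-Object { $_.Path -ieq $exe }
        [pscustomobject]@{
            Key         = $key
            Name        = $name
            Executable  = $exe
            Exists      = [bool]$file
            Created     = $created
            Signature   = $signature
            RunningPids = ($running.Id -join ',')
        }
    }
}

# Newest files first: a recently created, unsigned, currently running entry stands out.
$report | Sort-Object Created -Descending | Format-Table -AutoSize
```

Saving the output before and after a cleanup attempt shows whether an entry has come back under a new name, as described in the first post.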