mystery services found on my xp pro machine

Guest

I found the following services in my Services.msc snap-in:

NJND
PEFEJJ
JIEHGOWNLWY
EGW
NOVAVFKT

I have disabled all of them and deleted the files (all the files were
located in my user temp directory)...

Does anyone know what these are? I have searched all the sites I know for
info to see if they are viruses but I haven't found anything... My virus
scan doesn't report anything (I've made sure I'm updated) and I can't find
them listed as viruses on any sites (MS or Norton).

-d
 
Wesley Vogel

If you have used RootkitRevealer, it adds a randomly named *.exe file and a
randomly named service and runs as that service. The randomly named *.exe file
will show up in the %homepath%\Local Settings\Temp folder. Every time you run
RootkitRevealer it adds another random service to services.msc. The
randomly named *.exe file will be deleted, but the registry settings are
left behind.

[[The reason that there is no longer a command-line version is that malware
authors have started targeting RootkitRevealer's scan by using its
executable name. We've therefore updated RootkitRevealer to execute its scan
from a randomly named copy of itself that runs as a Windows service.]]
http://www.sysinternals.com/Utilities/RootkitRevealer.html

RootkitRevealer leaves references to these randomly named *.exe files behind
so that you see strange service names in services.msc.

You'll find the left-behind services here...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Locate the service(s) in the list. ImagePath should point to the
Local Settings\Temp folder, as a double check.

Delete them and reboot.

[[Important This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that
you understand how to restore the registry if a problem occurs. For
information about how to back up, restore, and edit the registry, click the
following article number to view the article in the Microsoft Knowledge
Base: 256986 Description of the Microsoft Windows Registry]]
http://support.microsoft.com/default.aspx?kbid=256986

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
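
The check described in the post above (find entries under the Services key whose ImagePath points into a Temp folder), as an added example that is not part of the original thread. It only reads the registry; the helper name `Get-ImageFile` is hypothetical, and the script assumes PowerShell 2.0 or later is installed.

```powershell
# Added example (not from the thread): read-only audit, nothing is deleted.
# Written against PowerShell 2.0 syntax, the last release available for XP.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Hypothetical helper: reduce an ImagePath value to the executable's path.
function Get-ImageFile {
    param([string]$ImagePath)
    # Expand %VAR% references, then drop quotes, arguments and the \??\ prefix.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p -match '^"([^"]+)"') {
        $p = $Matches[1]
    } elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') {
        $p = $Matches[1]
    }
    return ($p -replace '^\\\?\?\\', '')
}

$findings = foreach ($key in Get-ChildItem $servicesKey) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { continue }

    $file = Get-ImageFile $props.ImagePath
    # '\Temp\' also matches the 8.3 form ...\LOCALS~1\Temp\ that XP often stores.
    if ($file -notmatch '\\Temp\\') { continue }

    New-Object PSObject -Property @{
        Service    = $key.PSChildName
        Start      = $props.Start          # 2 = automatic, 3 = manual, 4 = disabled
        FileExists = Test-Path -LiteralPath $file
        ImagePath  = $props.ImagePath
    }
}

if ($findings) {
    $findings | Sort-Object Service |
        Select-Object Service, Start, FileExists, ImagePath |
        Format-Table -AutoSize
} else {
    'No service has an ImagePath under a Temp folder.'
}
```

A row with FileExists = False is a registration whose executable is gone, which is the leftover state the post describes. A row with FileExists = True means a service binary is still sitting in a Temp folder and should be identified before the entry is removed.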


Mike Fields

d. bennett said:
I found the following services in my Services.msc snap-in:

NJND
PEFEJJ
JIEHGOWNLWY
EGW
NOVAVFKT

I have disabled all of them and deleted the files (all the files were
located in my user temp directory)...

Does anyone know what these are? I have searched all the sites I know for
info to see if they are viruses but I haven't found anything... My virus
scan doesn't report anything (I've made sure I'm updated) and I can't find
them listed as viruses on any sites (MS or Norton).

-d

Generally when you find something like that that has either none
or a couple of hits on Google, you have one of my favorites that
start a clone of themselves at start time with a random combination
of letters/numbers etc so if you find it, all you did was get the
current copy not the real one that is lurking. Try snooping with
HijackThis and see what you find that is getting started. Be
vewy vewy vewy suspicious of things that get started from the
temp folders. Also, try doing this in safe mode - there are a
number of "thingies" out there that can mask themselves when
running normally. Also run Ad-Aware and Spybot to see what
they pick up.

mikey
 
David H. Lipman

From: "d. bennett" <d. (e-mail address removed)>

| I found the following services in my Services.msc snap-in:
|
| NJND
| PEFEJJ
| JIEHGOWNLWY
| EGW
| NOVAVFKT
|
| I have disabled all of them and deleted the files (all the files were
| located in my user temp directory)...
|
| Does anyone know what these are? I have searched all the sites I know for
| info to see if they are viruses but I haven't found anything... My virus
| scan doesn't report anything (I've made sure I'm updated) and I can't find
| them listed as viruses on any sites (MS or Norton).
|
| -d


I hope you ran the following commands...

sc delete NJND
sc delete PEFEJJ
sc delete JIEHGOWNLWY
sc delete EGW
sc delete NOVAVFKT

I suggest you perform the following ASAP!

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Guest

Thanks Wesley... Yes I had run RootkitRevealer but had failed to fully read
the docs...

thanks for the links and info.

-d

 
Wesley Vogel

Keep having fun. :)

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
