
Re: Strange *.exe files in WinPatrol services tab?


David H. Lipman

Feb 12, 2008, 5:01:28 PM
From: "Manatee Memories" <royalfeline!REMOVE!@hotmail.com>


|
| Have you considered submitting any or all of them to 1 or more of the
| major anti-virus labs (Kaspersky comes immediately to mind)?

It would be easier and *better* to submit them to Virus Total...

http://www.virustotal.com/flash/index_en.html
The submission(s) will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it/them, and all samples are
provided to associated anti-virus vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:sc...@virustotal.com?subject=SCAN

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


MoiMoi

Feb 12, 2008, 6:40:56 PM
In article <YGosj.44$ph.26@trnddc06>, DLipman~nospam~@Verizon.Net
says...

> From: "Manatee Memories" <royalfeline!REMOVE!@hotmail.com>
>
>
> |
> | Have you considered submitting any or all of them to 1 or more of the
> | major anti-virus labs (Kaspersky comes immediately to mind)?
>
> It would be easier and *better* to submit them to Virus Total...
>
> http://www.virustotal.com/flash/index_en.html
> The submission(s) will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it/them, and all samples are
> provided to associated anti-virus vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:sc...@virustotal.com?subject=SCAN

Dang, y'all.
He's said TWICE he can't find the files.

MM


Dustin Cook

Feb 12, 2008, 7:08:43 PM
Pegleg <Peg...@usnavyret.mil> wrote in
news:1pj3r3du4p1kgj2uk...@4ax.com:

> WinPatrol shows the following files in the services tab. Message also
> says "local file not found" and when going to the path WP provides the
> files are not there. I have "show hidden files" selected.
>
> I have run numerous additional av/antispyware programs and run NOD32,
> PCTools Firewall, SpySweeper and PCTools Spyware Dr. all the time. They
> have revealed nothing.
>
> Any idea what they are? A Google search has turned up nothing.
>
> HCMGJDYZLMDBDVC.exe
> JOJTZ.exe
> WOLUPNX.exe
>
> TIA

By name alone, I have no idea what they are.
Samples of them are most welcome tho. :)
instructions available on site.

You can also submit them to:
http://virusscan.jotti.org/
http://scanner.virus.org/
http://www.virustotal.com/


--
Regards,
Dustin Cook - http://bughunter.it-mate.co.uk
BugHunter v2.2e AntiMalware Removal Utility

Dustin Cook

Feb 12, 2008, 7:09:24 PM
Pegleg <Peg...@usnavyret.mil> wrote in
news:d344r3dqmda5ljbpr...@4ax.com:

> On Tue, 12 Feb 2008 18:57:30 GMT, Manatee Memories
> <royalfeline!REMOVE!@hotmail.com> wrote:
>
>>On Tue, 12 Feb 2008 08:54:34 -0800, Pegleg <Peg...@usnavyret.mil> wrote,
>>by way of <1pj3r3du4p1kgj2uk...@4ax.com>, in
>>alt.comp.virus -->
>>
>>>WinPatrol shows the following files in the services tab. Message also
>>>says "local file not found" and when going to the path WP provides the
>>>files are not there. I have "show hidden files" selected.
>>>
>>>I have run numerous additional av/antispyware programs and run NOD32,
>>>PCTools Firewall, SpySweeper and PCTools Spyware Dr. all the time. They
>>>have revealed nothing.
>>>
>>>Any idea what they are? A Google search has turned up nothing.
>>>
>>>HCMGJDYZLMDBDVC.exe
>>>JOJTZ.exe
>>>WOLUPNX.exe
>>
>>Have you considered submitting any or all of them to 1 or more of the
>>major anti-virus labs (Kaspersky comes immediately to mind)?
>
> I would like to but...
> As stated in the first paragraph the files do not appear in the folder
> specified by WinPatrol and WinPatrol says "Local File Not Found".
>

Oh.. Oops!

Either the files really aren't present, or they are but hidden while
windows is running thanks to a stealthy driver...

Have a bart disc?

David H. Lipman

Feb 12, 2008, 7:48:32 PM
From: "MoiMoi" <moi...@example.com>

|
| Dang, y'all.
| He's said TWICE he can't find the files.
|
| MM

That's true but I wasn't responding to the OP. I responded directly to the statement...

"Have you considered submitting any or all of them to 1 or more of the major anti-virus labs
(Kaspersky comes immediately to mind)?"


I did respond to Pegleg in another post since this was Multi-Posted. That response had
nothing to do with submitting samples.

Next time I will try to word my reply such that there be less misinterpretation. Sorry!

David H. Lipman

Feb 12, 2008, 7:57:44 PM
From: "Dustin Cook" <bughunte...@gmail.com>


| Oh.. Oops!
|
| Either the files really aren't present, or they are but hidden while
| windows is running thanks to a stealthy driver...
|
| Have a bart disc?
|

In another thread Pegleg was asked if an anti RootKit tool was used.

The reply was vague. The suggested anti RootKit utility is Gmer and I don't know if Pegleg
ran this.

Jim

Feb 12, 2008, 8:36:36 PM

"Dustin Cook" <bughunte...@gmail.com> wrote in message
news:Xns9A42C4A24AA...@69.28.186.121...
I don't know how the OP could submit files that he cannot find....

Is it possible that the presence of the entries in the services tab merely
means an incomplete removal?

Jim


Dustin Cook

Feb 12, 2008, 8:39:53 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:cgrsj.39$Cs.34@trnddc04:

> From: "Dustin Cook" <bughunte...@gmail.com>
>
>
>| Oh.. Oops!
>|
>| Either the files really aren't present, or they are but hidden while
>| windows is running thanks to a stealthy driver...
>|
>| Have a bart disc?
>|
>
> In another thread Pegleg was asked if an anti RootKit tool was used.
>
> The reply was vague. The suggested anti RootKit utility is Gmer and I
> don't know if Pegleg ran this.
>
>

Oops. I didn't see that one either, sorry. I'm practically Bugeyed as I
type right now. :) Gmer is a great antirootkit program.

Would be wise for him to run it and let us know how it goes.

Dustin Cook

Feb 12, 2008, 8:42:50 PM
"Jim" <j...@nospam.com> wrote in
news:EQrsj.10024$Ch6....@newssvr11.news.prodigy.net:

I know, my bad, I missed that part of the OP.


> Is it possible that the presence of the entries in the services tab
> merely means an incomplete removal?

Possible, certainly.

Wouldn't hurt to run Gmer tho, as David already suggested.

I'm used to doing it the bart way, but the Gmer tool is better suited for
this specific task, and it doesn't require the user have a cd/dvd burner.
<g>


David H. Lipman

Feb 12, 2008, 9:05:21 PM
From: "Pegleg" <Peg...@usnavyret.mil>


|
| What exactly is the "bart way"?
|
| Looking for Gmer now.
|
| TIA

http://www.gmer.net/index.php

Dustin Cook

Feb 12, 2008, 10:01:31 PM
Pegleg <Peg...@usnavyret.mil> wrote in
news:btj4r3p3vk7h4mlct...@4ax.com:

> On Wed, 13 Feb 2008 01:42:50 GMT, Dustin Cook
> <bughunte...@gmail.com> wrote:
>
>>I'm used to doing it the bart way, but the Gmer tool is better suited
>>for this specific task, and it doesn't require the user have a cd/dvd
>>burner. <g>
>

> What exactly is the "bart way"?

http://www.nu2.nu/pebuilder/

Creating that disc, and using it to explore the system without the host OS
running.


David H. Lipman

Feb 12, 2008, 10:14:22 PM
From: "Pegleg" <Peg...@usnavyret.mil>

|
| Just finished running GMER and have submitted the log for analysis.

OK. Thanx for the update.


foghollow

Feb 13, 2008, 4:06:38 AM
In article <cgrsj.39$Cs.34@trnddc04>, DLipman~nospam~@Verizon.Net
says...

> From: "Dustin Cook" <bughunte...@gmail.com>
>
>
> | Oh.. Oops!
> |
> | Either the files really aren't present, or they are but hidden while
> | windows is running thanks to a stealthy driver...
> |
> | Have a bart disc?
> |
>
> In another thread Pegleg was asked if an anti RootKit tool was used.
>
> The reply was vague. The suggested anti RootKit utility is Gmer and I don't know if Pegleg
> ran this.
>
>
>
Ah, that's what gmer is! I noticed the files on my drive but couldn't remember why I'd put them
there!
--
Snob? Were I a snob, I wouldn't be talking to you.

David H. Lipman

Feb 13, 2008, 5:26:33 PM
From: "Pegleg" <Peg...@usnavyret.mil>

< snip >

|
| Received the following reply back from submitting my GMER Log:
|
| "Hi,
|
| Log is clean - no signs of infection.
|
| Cheers
| -Przemek"
|
| So....don't know what is left that I can do. I have run everything I
| can find to run.
|
| Thanks for everyone's help and suggestions!

OK. That's good.

Now assuming these are NT Services which are supposed to load EXE files that no longer
exist, then I suggest using the SC.EXE command to remove the NT Services related to entries
referencing these entries.

Or you can use AutoRuns from Microsoft/SysInternals to remove these NT Services.


David H. Lipman

Feb 13, 2008, 7:16:46 PM
From: "Pegleg" <Peg...@usnavyret.mil>

|
| The "services" tab of Autoruns does not show the files.

No, No...

Not the files, the services themselves!
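Added example, not code from the thread and not from WinPatrol, Autoruns or GMER: a PowerShell script that does what David describes in this reply and the previous one. It walks the Services registry key that tools like WinPatrol and Autoruns read, reports every service or driver whose registered executable is no longer on disk (the "Local File Not Found" situation), and removes the service definitions, not files, with SC.EXE. The function names, the svchost/ServiceDll handling and the ImagePath parsing rules are my own assumptions, as is the premise carried over from the thread that the GMER check has already come back clean: a file hidden by a rootkit would be reported as "missing" exactly the same way, so this is a cleanup step, not a detection step.

```powershell
# Added example: not code from the thread nor from WinPatrol, Autoruns or GMER.
# Finds Windows service/driver definitions whose registered binary is missing
# from disk and removes those definitions (not files) with sc.exe, as suggested
# in the thread. Run from an elevated PowerShell. Nothing is deleted without
# -WhatIf / confirmation handling. Assumption carried over from the thread: an
# anti-rootkit scan (GMER) has already come back clean, because a file hidden
# by a rootkit would be reported as "missing" just the same.

function Resolve-ServiceImagePath {
    # Reduce a raw ImagePath registry value to the bare executable path.
    # Handles %VAR% expansion, the \??\ and \SystemRoot\ prefixes used by
    # drivers, paths relative to the Windows directory, quoting and arguments.
    param([Parameter(Mandatory = $true)][string]$ImagePath)

    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('\??\')) {
        $p = $p.Substring(4)
    } elseif ($p -match '^\\SystemRoot\\(.+)$') {
        $p = Join-Path $env:SystemRoot $Matches[1]
    } elseif ($p -match '^system32\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    if ($p -match '^"([^"]+)"')                  { return $Matches[1] }  # "quoted path" args
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] }  # path.exe args
    if ($p -match '^(\S+)')                      { return $Matches[1] }  # no extension: cut at first space
    return $p
}

function Get-OrphanedService {
    # Walk HKLM\SYSTEM\CurrentControlSet\Services and emit one object per
    # service or driver whose binary cannot be found on disk. This is the
    # registry data the services views of WinPatrol and Autoruns are built from.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }   # no binary registered

        $target = Resolve-ServiceImagePath $props.ImagePath
        # svchost-hosted services keep their real code in Parameters\ServiceDll,
        # so that DLL, not svchost.exe itself, is the file that must exist.
        if ((Split-Path -Path $target -Leaf) -ieq 'svchost.exe') {
            $params = Get-ItemProperty -Path (Join-Path $key.PSPath 'Parameters') -ErrorAction SilentlyContinue
            if ($params -and $params.ServiceDll) {
                $target = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            }
        }
        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                Start     = $props.Start      # 2 = automatic, 3 = manual, 4 = disabled
                ImagePath = $props.ImagePath
                Missing   = $target
            }
        }
    }
}

function Remove-OrphanedService {
    # Delete orphaned service definitions with sc.exe. Plain "sc" in PowerShell
    # is an alias for Set-Content, so the .exe must be spelled out. Honours
    # -WhatIf and prompts for each deletion (ConfirmImpact High).
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$Orphan)
    process {
        $name = $Orphan.Service
        if ($PSCmdlet.ShouldProcess($name, 'sc.exe delete')) {
            sc.exe stop $name 2>&1 | Out-Null   # harmless if it was never started
            sc.exe delete $name
        }
    }
}

# Review the list first; -WhatIf is a dry run, drop it to remove with a prompt per entry.
$orphans = Get-OrphanedService
$orphans | Format-Table -AutoSize
$orphans | Remove-OrphanedService -WhatIf
```

Read the table before removing anything: a legitimately installed service whose binary lives on a removable or unmounted volume will show up as "missing" too, and the Start column helps tell an automatic-start entry (which Windows will keep trying and failing to launch) from a disabled leftover. Nothing here touches files; as the reply above says, it is the service entries that Autoruns lists and that SC.EXE deletes.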
