February 17, 2008 6:55 PM   Subscribe

I have a mysterious service listed.... It has the name ZPIXLKJXJ; the path to the executable is C:\DOCUME~1\User\LOCALS~1\Temp\ZPIXLKJXJ.exe . The description in the column in the Services window is blank, the status is stopped, it's manual, and "log on as" is local system. A Google search turns up "no matching documents"; Norton AV says it doesn't find anything untoward, as does Spysweeper, Ad-Aware, and Spybot. What in the world?
posted by Kronos_to_Earth to Computers & Internet (22 answers total) 15 users marked this as a favorite
Bought any digital picture frames from China recently? The malware installed by the latest and greatest ones apparently is named randomly.
posted by ikkyu2 at 6:57 PM on February 17, 2008

yeah, lots of malware spawns processes with randomized naming. Norton Antivirus is arguably the worst product on the market; I suggest downloading a 30-day trial of Eset NOD32, which has heuristics that'll likely catch and kill whatever is infecting your system.
posted by killdevil at 7:05 PM on February 17, 2008

I suggest downloading and running "Blacklight" from the downloads section at the bottom of this page.
posted by krisjohn at 7:49 PM on February 17, 2008 [1 favorite]

Seconding the Norton hate. Norton AV used to be good but over the last few years their consumer edition has turned into total crap, Norton Corp. edition is still kinda OK, but we dropped it a while ago anyway. I recommend AVG myself, as it's free for home use. Between that and a couple of anti-spyware packages I feel reasonably OK.
posted by barc0001 at 8:44 PM on February 17, 2008 [1 favorite]

Seconding Eset NOD32, but does anyone have a recommendation for a Mac sweeper?
posted by Arch1 at 8:46 PM on February 17, 2008

ClamAv for the mac.
posted by iamabot at 8:58 PM on February 17, 2008

Run strings on the executable and see if this gets you any further info.
posted by jeffamaphone at 9:18 PM on February 17, 2008

No legitimate startup app/service will ever be installed in temp. Temp is tempting to malware writers to dump things because its usually always writable and never cleaned out.

Remove it from your startup. Assume your system is compromised in some fashion. I'd also do a get a 2nd opinion from a different antivirus. Trend still does free over the web scans with their housecall product.
posted by damn dirty ape at 9:40 PM on February 17, 2008

Response by poster: Thank you, krisjohn, for the Blacklight link. I downloaded and ran it; it says there were no hidden items.
posted by Kronos_to_Earth at 9:40 PM on February 17, 2008

Also, there is no reason to believe av vendors will find all malware. I could sit down and write an app that extracts all the links you visit and make it send me this data. If I distribute this program as greetingcards.exe and send it out to 1,000 people, well, the chances of Norton finding it is pretty low. If I send it out to 100 people then the chances are zil.

AV vendors only find the big popular malware. Who knows what you have. You may never know.
posted by damn dirty ape at 9:44 PM on February 17, 2008

Or avast 4 home is a pretty good virus scanner
Free for home users.
But yeah, you have a virus

Second, third, forth, and fifth on norton being a piece of bloatie shite.
posted by mattoxic at 9:51 PM on February 17, 2008

Response by poster: Remove it from your startup.

I just did. I'm going to try the Trend scan next. Thanks!
posted by Kronos_to_Earth at 9:59 PM on February 17, 2008

From your last comment is sounds like you have Trend AV installed? If so it is your Trend anti-virus. We use this at work; the Trend process is started with a randomly generated executable name in order to foil malware that will try to kill av processes by name. Try rebooting, if the executable has a new name then it is Trend.

If not, yeah you probably have something on your machine. And yes, the consumer Norton AV sucks, ESET NOD32 is excellent.
posted by volition at 10:14 PM on February 17, 2008 [1 favorite]

Kronos, I'd suggest downloading HijackThis or System Repair Engineer and going in and deleting the references to that file. You should try to get rid of references to other suspicious files, but be careful not to get rid of something you actually need (System Repair Engineer helps with this). The thing is going to keep popping up in your startup list under various names; you may need to go into Safe Mode and delete all of its various incarnations if you can't delete it because the service is still running.
posted by pravit at 10:29 PM on February 17, 2008 [1 favorite]

Also, at sites like CastleCops people sit around all day helping people who get infected with malware - they may be able to give better advice (and look at your HijackThis logs).
posted by pravit at 10:31 PM on February 17, 2008

NOD32 was good, but it caused Flash applications on my computer to be much less stable and crash prone. I assume that's due to some invasive memory scanning it does or something like that.

McAfee is provided to me by my school and it's worked great.
posted by anifinder at 11:21 PM on February 17, 2008

It's possible that there are other parts of your system that are compromised but that will not show up in a scan.

Backup your data. Reinstall your system. Next time run as non-admin and this will be less likely to happen.
posted by grouse at 1:51 AM on February 18, 2008

A quick and dirty test is to try and stop the service. If it: a) automatically restarts, or b) (and more likely) another randomly named service appears and starts up, you know you've got some cleaning up to do...
posted by benzo8 at 2:11 AM on February 18, 2008

Look, this is just basic truth. You need to hear this, and you need to pay very close attention.

Once your system has been compromised, there is no way to know it's truly clean again without a full reformat/reinstall. Well, okay, if you're an expert in forensics and have a good, LONG time to spend examining the hard drive from another computer, you might be able to safely pronounce it clean.

Assuming you're not such an expert -- and the fact that you're posting this question would be a pretty strong indicator that you aren't -- there is no program you can run that will reliably clean your machine 100% of the time. Even if you think you know what the virus is, and even if you think you know how to remove it, it's possible that it brought another payload with it that you can't see.

It's quite possible for viruses to hide themselves in a zillion different ways, to the point that even a serious computer jock can't tell it's there from the console of the machine itself. Some proof-of-concept viruses hoist themselves into virtualization space, where they are entirely, 100% invisible to the OS. They are still, however, lurking, and can still record all your keystrokes and send your banking information to offshore hackers, Antivirus software won't make a peep, because it can't see a virus that's not running in the OS.

You must back up your data and reformat your machine if you ever want it to be truly trustworthy again. Doing anything less is foolish and risky. Ignore anyone telling you that it's safe to just run an antivirus and you're done. They are ignorant and should be giving you no such advice. You must nuke it from orbit to be sure.

This is not negotiable if you want a trustworthy computer again.
posted by Malor at 3:21 AM on February 18, 2008 [4 favorites]

volition might be correct that the random filename you are seeing is actually a feature of Trend Micro in order to fool spyware/malware that attempts to kill anti-virus processes.

Even so,...... I'd be HIGHLY suspicious of any randomly named service that starts in the \Temp folder. Almost always that is some sort of infection. (If it IS TrendMicro, why not create the randomly named process in C:\Program Files\TrendMicro ??)

What I would do (besides the variety of malware scanners already suggested) is to download Sysinternals "Process Explorer" and use it to find the questionable process and watch that processes system calls to see if that tells you more about what its doing.

The next thing I (personally) would do is uninstall and ditch Trend Micro and use NOD32.
posted by jmnugent at 4:12 AM on February 18, 2008 [1 favorite]

Response by poster: I'm using Norton, not Trend Micro. I've disabled the suspicious service, rebooted, and it hasn't come back re-enabled or with a different (random) name. I have a copy of Process Explorer; I didn't think to check with it before I disabled the service, but I have since, and haven't found it as a separate entry or running inside one of the instances of svchost. I'm a little afraid to re-enable it and check again.
posted by Kronos_to_Earth at 7:48 AM on February 18, 2008

Again: once you have been compromised, you can never trust the machine again. Period. You have to wipe and reinstall to be sure.
posted by Malor at 12:06 PM on February 18, 2008

« Older How to poll the public on the Web?   |   Speeding Up the Sullivan Co. Real Estate Closing... Newer »
This thread is closed to new comments.