
| Subject: | Re: aretzj.exe -- reappearing unknown system file |
|---|---|
| Date: | Tue, 31 May 2005 13:29:29 +0100 |
Sounds like a randomly named executable; hence no entry in search engines. Have you tried Sysinternals' Autoruns and Process Explorer? (http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml) and (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml). They are very good for finding spyware and 'unusual' programs running on your system.

Try uploading the program to my exe-investigator (or sending me a copy, but rename the extension, as Gmail won't allow .exe attachments); it searches through a file for all sorts of readable strings (http://www.puremango.co.uk/extract_readable.php).

On 5/27/05, Kevin Snively <kevinsnively@comcast.net> wrote:
> I've come across, on a client's machine, a reappearing / self-propagating read-only system file. The box is running a copy of XP Pro, fully patched.
>
> c:\windows\system32\aretzj.exe
>
> When Internet Explorer is brought up, this program (aretzj.exe) asks for internet access via ZoneAlarm. When deleted it reappears at boot-up, and even if the computer has not been restarted. I cannot find any reference in TechNet or any of the search engines. It is read-only, and when deleted XP claims it is a system file. I tried about 20+ search engines. One mentioned a name, an author of a book published in 1935: ha'aretz (without the "j").
>
> What I have done to try and identify the source:
>
> 1. Looked for other "unknown" files inside of system32, including checking dates of files such as KERNEL and KERNEL32, and looked for "suspicious" files. No results except aretzj.exe.
> 2. Cleaned out the [prefetch] folder (no positive results).
> 3. [Downloaded Program Files] is and was empty.
> 4. Checked c:\program files\internet explorer. Looked for suspicious or unknown folders in Common Files.
> 5. Spent an almost inordinate amount of time poking around in general looking for clues, identifying plugins, checking system and hidden folders, to no avail.
>
> I am not sure what it is, but I renamed the file to a .txt extension and read through the "readable" portion of the binary file, hoping for some hook on identifying it. At this point I am concerned, as it is "unidentifiable"; the terminology inside the binary file might be construed as "data mining", and the client does run proprietary databases. Oh yes, and I have checked with the vendor of the client's database software. They tell me nothing is stored on the PC, nor is anything except a browser required to view the database. We are now using Firefox but the unknown file continues to reappear.
>
> The only solution I have come up with is to wipe everything, reinstall, and restore actual data from a backup. Any help or suggestions will be greatly appreciated.
>
> Or has anyone run across this culprit?
>
> Sincerely,
> Kevin Snively
> The HelpDesk Inc (r)
> kevin@thehelpdeskinc.com
> 615-781-1922 (office)
> 615-582-0877 (Mobile)
-- Computing tools, PHP code, online tools and more at http://www.puremango.co.uk
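Both posters reach for the same first step on an unknown binary: pull the readable strings out of it (Kevin by renaming the file to .txt and reading it, Dave with his extract_readable.php). The script below is an added example, not code from either poster or from the puremango tool: it extracts ASCII and UTF-16LE strings (Windows binaries carry many wide strings, which a plain ASCII read misses), buckets them by a few hypothetical persistence/network keywords, and prints file hashes so the sample can be looked up or shared without mailing the executable around. The SAMPLE bytes are constructed for the demo and are not the contents of aretzj.exe; the HINTS keyword lists are assumptions about what is worth flagging.

```python
"""Readable-string triage for an unknown executable (added example)."""
from __future__ import annotations

import hashlib
import re
import sys

# Constructed sample standing in for an unknown .exe. This is NOT the
# contents of aretzj.exe; the bytes are fabricated so the example runs offline.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 7
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02\x03"
    + "http://example.invalid/report".encode("utf-16-le")   # wide string
    + b"\x00\x00\xff\xfe"
    + b"ab\x00"                                              # too short to count
    + b"WSAStartup\x00InternetOpenA\x00"
)

# Hypothetical keyword buckets (lower-case); what to flag is a judgement call.
HINTS = {
    "persistence": ["currentversion\\run", "runonce", "winlogon", "userinit"],
    "network": ["wsastartup", "internetopen", "urldownloadtofile", "http://", "https://"],
}


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for each run of at least min_len
    printable characters, in ASCII or UTF-16LE, sorted by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def triage(strings: list[tuple[int, str, str]]) -> dict[str, list[str]]:
    """Bucket extracted strings by the HINTS keyword they contain."""
    hits: dict[str, list[str]] = {}
    for _offset, _enc, text in strings:
        low = text.lower()
        for bucket, needles in HINTS.items():
            if any(n in low for n in needles):
                hits.setdefault(bucket, []).append(text)
    return hits


def fingerprint(data: bytes) -> dict[str, str]:
    """Hashes to search for, or to send to a list, instead of the binary itself."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def report(data: bytes) -> str:
    """Human-readable summary: hashes, every string with its offset, then buckets."""
    lines = [f"{k}: {v}" for k, v in fingerprint(data).items()]
    strs = extract_strings(data)
    lines += [f"{off:08x} {enc:8} {text}" for off, enc, text in strs]
    for bucket, texts in triage(strs).items():
        lines.append(f"[{bucket}] " + "; ".join(texts))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python strings_triage.py C:\windows\system32\aretzj.exe
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(report(blob))
```

Strings only tell you what the file talks about, not how it comes back; the "reappears even without a reboot" behaviour in the original post points at a second running process or service re-dropping it, which is exactly what Autoruns and Process Explorer are for. Run the script on a copy of the file, then use the hashes rather than the binary when asking others whether they recognise it.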