BJXNLKUR found in services

Discussion in 'Software' started by Kniht, Jan 11, 2006.

  1. Kniht

    Kniht Sergeant

    Like to go through services on my PC to see what is and is not running. Found a new one BJXNLKUR. Anybody have any idea what it is? Ran scans of Spybot, Adaware, Microsoft Antispyware, Spy Sweeper, NOD32, on line Trend Micro, Ewido, system is clean. Have ZoneAlarm firewall. The service is stopped, in fact I disabled it till I figure out what it is. No description as to what it is in services, properties shows no description. Has no dependencies, and nothing depends on it. Probably from some program I downloaded but have no more. Did a search of my PC, but no results. Got me baffled.:confused:
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is probably an unnecessary or invalid service.

    Double click on the service and under where it says "Path to executable", what is this file name and location?
     
  3. Kniht

    Kniht Sergeant

    bjgarrick - shows nothing in "Path to executable". By the way, thanks for the extremely quick reply. Just posted about 4 minutes ago!
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Basically, everything is blank, no information anywhere?
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's investigate this one!

    Please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter BJXNLKUR and post back with the results in this thread (call it regsrch.txt).
     
  6. Kniht

    Kniht Sergeant

    Yeah, bjgarrick, everything is blank, no info anywhere. Ran RegSrch, came up with 28 entries. When I clicked on OK to view in wordpad, I was presented with an info box stating the following -

    Script: C:\Docume~1\Owner\Desktop\RegSrch\RegSrch.vbs
    Line: 76
    Char: 1
    Error: The system cannot find file specified
    Code: 80070002
    Source: (null)

    I do have wordpad on my system, what am I doing incorrectly? :confused:
     
  7. greenknight32

    greenknight32 Sergeant

    I had something very similar happen a few days ago, except I had 7 mystery services, and WinPatrol caught them installing. They were:
    DBGHQICHKYEBLS
    DPLIQDXY
    KCTVKYOJBZE
    XFHFZ
    XMWGOMG
    XTFOIUKUNL
    YYQMGQTO

    The first 2 appeared while I was on the computer, offline, I had to block them 2 or 3 times each before the window stopped popping up. I checked WinPatrol, they were listed in services, marked disabled, the path to the files was C:\Documents and Settings\Username\Local Settings\Temp... I looked in that folder, and there they were, DBGHQICHKYEBLS.exe and DPLIQDXY.exe. To try to find whatever had created those files, I did some scans with several AV and Antispyware apps, and Rootkit Revealer, but found nothing.

    The other 5 popped up the next day, while another user was on the computer, but they were still under my username. That evening, I booted up again and started investigating this some more, and found that the files for these "services" had disappeared. They were still listed in the services menu though, exactly as Kniht described (no properties, dependencies, etc.). I figured they must still be in the registry, but CCleaner and EasyCleaner didn't find them. So I did a reg scan with HDCleaner, and that did find them. It showed them as being created about the same time (?), and they were image path entries(??). Instead of just deleting them, I decided to take one more shot with the malware scans first.

    I rebooted into safe mode, and ran AVG Free and ewido free, but found nothing. So I booted back into normal mode, and ran the reg scan again. I found out those 7 weird entries had duplicated themselves! I freaked out, and just deleted them all without even backing them up.

    Since I still hadn't found what created those files in the first place, I ran a BitDefender online scan (about the only one I hadn't yet tried, 'cause it takes so long). It found a couple of suspicious files. Unfortunately, even though I'd ticked "Ask me for a prompt", it just deleted them. So I can't upload them to jotti.org, unless I do a system restore and bring them back, which I'm reluctant to do. Do you think that would be worth doing, or should I just wipe that restore point? This is what they were:
    C:\Program Files\JUSearch\Uninstall.exe
    Suspected of: Dropped:Generic.Malware.Ssp.6593C5BE

    C:\System Volume Information\_restore{C6BC4C73-2A31-435C-8036-64B5A54E4292}\RP211\A0049815.exe
    Suspected of: Dropped:Generic.Malware.Ssp.6593C5BE

    I've been puzzling about what to do about this, I'm not sure if it's a malware problem or just a glitch. When I saw somebody reporting apparently the same problem, I thought it would be a good place to tell my experience.

    Oh, and I removed the entries from the services menu with HijackThis' Delete an NT Service tool.
     
  8. Kniht

    Kniht Sergeant

    Well, greenknight32, sure am glad I'm not alone! Haven't had as many strange happenings as you have but one is enough. Maybe we stepped into the "Twilight Zone". I swear every time I see BJXNLKUR in my services, I can hear that theme song! Can't find any files anywhere in my system pertaining to this strange service. Waiting to hear from bjgarrick.
     
  9. Kniht

    Kniht Sergeant

    Another strange thing about BJXNLKUR, it's listed in Windows services but not in WinPatrol services. Just thought I'd throw that one in. Might be a clue for all I know.
     
  10. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    Does it list a dependency in services?

    Have you done a search on your drive for it? (show hidden files and folders)

    Have you checked msconfig? (XP?)
     
  11. Kniht

    Kniht Sergeant

    Insomniac - BJXNLKUR is not listed in MsConfig, not in hidden files and folders, no dependencies either it depends on or depends on it. Maybe it's the "Outer Limits".
     
  12. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    Have you tried a search in the Registry?


    If you can't see it listed in msconfig or program folders, see if there is anything suspicious which may give you clues?

    It's obviously Spyware or a virus, otherwise it wouldn't be trying to hide itself.
     
  13. Kniht

    Kniht Sergeant

    Yeah, Insomniac, there's 28 listings in the registry.
     
  14. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    The registry entry should give you the path where the files are in program folders, which may reveal what this program is.

    As a last resort or something to be done later, I would back up the registry and delete all the entries.
     
  15. Kniht

    Kniht Sergeant

    OK, here's the latest on BJXNLKUR. Registry location is
    HKEY_LOCAL_MACHINE\system\controlset002\Enum\Root\LEGACY_BJXNLKUR
    Class: LegacyDriver
    Class GUID: {8ECC055D-047F-1101-A537-0000F8753ED1}
    DeviceDesc: BJXNLKUR

    Went ahead and saved to My Docs., tried to delete, would not allow me to due to some kind of error. Any ideas?
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the log from the RegSearch scan I requested previously.
     
  17. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    It says it's some sort of legacy driver? It might not be suspicious, but it's very hard to say.

    Go into Device Manager and check your hardware's driver details and see if that gives you a clue.

    If you want to go ahead and delete it, right click the key, then permissions and give yourself admin privileges. (after making a backup of course)


    EDIT: Sorry BJ, didn't know you were around. I'll leave it to you.
     
  18. Kniht

    Kniht Sergeant

    Went to Device Manager > view > show hidden devices.

    Found BJXNLKUR in "Non plug and play drivers". Icon is greyed out so I know the device is no longer connected to my PC. Popped up properties and lo and behold the device is no longer connected to this computer. Have recently been going through hidden devices, backing up and uninstalling unnecessary drivers. Must have done something to make my PC place this device in services. Backed up all registry keys pertaining to BJXNLKUR. Ran ewido trial, and NOD32 directly on the backups with no detection of virus or spyware.
    As far as the log from RegSearch, ran the search came up with 26 entries (including MRU entries), clicked OK to place in wordpad, got an info box telling me could not find the file. Wordpad is in c:/program files/windowsNT on my system, so needless to say I couldn't post the results. I feel it has something to do with the device no longer connected to my computer, that's why no path, no nothing. What do y'all think?
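
Added example, not part of the thread or any poster's code: the checks the posts above do by hand (a service with a blank "Path to executable", a service binary under Local Settings\Temp, a matching LEGACY_ key under Enum\Root) applied to a regedit text export. The sample export and its ExampleSvc entry are constructed; only the names BJXNLKUR and DPLIQDXY, the Temp path and the DeviceDesc value come from the posts, and `parse_reg` and `audit` are hypothetical helper names.

```python
import re

def parse_reg(text):
    """Parse a regedit text export into {key_path: {value_name: string}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)        # join wrapped hex lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith('"'):                  # REG_SZ with \\ and \" escapes
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            elif raw.startswith("hex(2):"):          # REG_EXPAND_SZ as UTF-16LE bytes
                raw = bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\0")
            cur[name] = raw                          # dword and other types stay as text
    return keys

SVC = re.compile(r"\\SYSTEM\\\w+\\Services\\([^\\]+)$", re.I)
LEGACY = re.compile(r"\\Enum\\Root\\LEGACY_([^\\]+)", re.I)
TEMP = re.compile(r"\\te?mp\\", re.I)

def audit(keys):
    """Return {service: [flags]}; flags are leads for review, not verdicts."""
    legacy = {m.group(1).upper() for k in keys if (m := LEGACY.search(k))}
    services = {m.group(1): v for k, v in keys.items() if (m := SVC.search(k))}
    report = {}
    for name, vals in services.items():
        path, flags = vals.get("ImagePath", "").strip(), []
        if not path:
            flags.append("no ImagePath")
        elif TEMP.search(path):
            flags.append("ImagePath under a temp directory")
        if flags and name.upper() in legacy:
            flags.append("LEGACY_ device entry under Enum\\Root")
        if flags:
            report[name] = flags
    return report

# Constructed sample export (assumption); only the two odd names come from the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BJXNLKUR]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DPLIQDXY]
"ImagePath"="C:\\Documents and Settings\\Username\\Local Settings\\Temp\\DPLIQDXY.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ExampleSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,\
  61,00,2e,00,65,00,78,00,65,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BJXNLKUR]
"DeviceDesc"="BJXNLKUR"
'''
```

regedit writes version 5.00 exports as UTF-16, so read a real file with `encoding="utf-16"` before passing its text to `parse_reg`. A driver key can legitimately have no ImagePath, so each flag is something to check against Device Manager and the file system rather than a finding in itself.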
     
  19. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    I would do as much backing up as you could, ie backup registry key, create a restore point etc, then remove every instance of this file, and uninstall anything in Device Manager also.
     
  20. Kniht

    Kniht Sergeant

    Alright, ever since I uninstalled the driver to the device no longer connected to my PC, BJXNLKUR has disappeared from services. Seems situation is solved. Thanks bjgarrick and Insomniac for your help. By putting together the suggestions from both of you, I was able to figure out the problem. Now all I have to do is figure out how BJXNLKUR got in services to begin with. That sounds like another thread! I've always been a big supporter of "think tanks".
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad I could be of some assistance, by the way Insomniac, I love your title ;) LOL!
     
