Solved Strange Looking Services-ID'd in Autoruns

Micro-star international / Ms-7252
April 8, 2013 at 14:09:48
Specs: Windows XP, 2.009 GHz / 495 MB
Hi
I'm including 5 strange looking entries that I recently spotted in the Services tab, when I ran the program "Autoruns". Just wondering if they are legit,......or should I be concerned? They are:
sxexfgoafbpk c:\windows\system32\drivers\sxexfgoafbpk.sys
ygvaolatmqsf c:\windows\system32\drivers\ygvaolatmqsf.sys
ynhofaathfny c:\windows\system32\drivers\ynhofaathfny.sys
yugclfiwcteb c:\windows\system32\drivers\yugclfiwcteb.sys
yygwcgevlyia c:\windows\system32\drivers\yygwcgevlyia.sys

#1
April 8, 2013 at 14:18:25
Given the random nature of the names, I'd suspect viruses.

How To Ask Questions The Smart Way



#2
April 8, 2013 at 14:26:44
Try MalwareBytes freebie for starters:
http://www.filehippo.com/download_m...

Always pop back and let us know the outcome - thanks



#3
April 8, 2013 at 14:36:16
Thanks you two,....I've recently run a virus scan using AVG,...as well as an online scanner,.....and a Malware Bytes recently. But, I'll do it again, and post back.


#4
April 9, 2013 at 18:30:51
Hi, Reporting back as promised. I ran a full Malwarebytes, and AVG AV scan,....and nothing was detected on either. So what now. Do you think it's ok to simply disable them for now? Thanks!

Pat



#5
April 9, 2013 at 18:38:05
✔ Best Answer
Very odd. Best to drill down to the actual .sys files and see what size they are. If they are zero it should be safe enough to delete them. See also if there is any information when you right click them and look in properties.

Check all the dates and times - might tell you something. You could search the system by date to see what else was going on at that time.

You might get a clue if you change one of the extensions from .sys to .txt then double click it. Sometimes in the junk you get, there are a few plain words of text which give a clue to their origin.



#6
April 9, 2013 at 19:52:07
Hi Derek;
All 4 are 8.5 kb, and were created on the same day in March 2008. Either I've been infected for some time,.......or they're pretty innocuous.
Pat


#7
April 10, 2013 at 06:04:11
Wish I knew but in my opinion the likelihood of them being viral is low. It's hard to imagine a virus going totally unnoticed for over five years - they were nowhere near as sophisticated at hiding themselves in 2008 as they are now.

Did you manage to find any recognisable words in them when viewed in NotePad?

I've got a feeling it matters little whether they stay or go. I don't believe they currently are being used as drivers - might have been used for setting up something. The only hits I get on the file names when using Google are from this thread.

Always pop back and let us know the outcome - thanks



#8
April 10, 2013 at 06:35:56
I'm trying not to be as huge of a jerk these days, but . . .
Derek: the likelihood of them being viral is about zilch if they've hung around that long.
[citation needed]

How To Ask Questions The Smart Way



#9
April 10, 2013 at 11:53:47
Re #8

Fair point. I have no citation so have amplified/reworded that bit.

But I did only say "about" zilch LOL.

Always pop back and let us know the outcome - thanks



#10
April 10, 2013 at 16:44:20
Point is, I can only think of two instances where a random name shouldn't set off warning bells. One's for rootkit detection. The other's for temporary data files. Neither of which should be in the kernel.

Disable them if you can, and see what happens.

How To Ask Questions The Smart Way



#11
April 10, 2013 at 17:00:10
Virus was my initial reaction too - hence MWB.

Even though they have 2008 dates you could still do a date search and set the results in date order. Sometimes you can deduce something when you find another activity which was going on at the same (or very near) time.

Changing their extensions from sys to txt should disable them.

Always pop back and let us know the outcome - thanks


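The manual checks suggested in #5 and #11 (file size, whether the file is a real driver image, readable words inside it) and the "random-looking name" concern from #1 and #10 can be scripted for triage. This is an added Python example, not code from anyone in the thread; the name-randomness rule is a heuristic I chose, the service list is constructed from the names posted above, and `triage_file` is a hypothetical helper that assumes the .sys files are readable at the listed paths.

```python
import re
import struct

# Constructed sample input: the five names from the thread plus one ordinary
# XP mouse-class driver for comparison (nothing here reads the real files).
SAMPLE_SERVICES = [
    ("sxexfgoafbpk", r"c:\windows\system32\drivers\sxexfgoafbpk.sys"),
    ("ygvaolatmqsf", r"c:\windows\system32\drivers\ygvaolatmqsf.sys"),
    ("ynhofaathfny", r"c:\windows\system32\drivers\ynhofaathfny.sys"),
    ("yugclfiwcteb", r"c:\windows\system32\drivers\yugclfiwcteb.sys"),
    ("yygwcgevlyia", r"c:\windows\system32\drivers\yygwcgevlyia.sys"),
    ("mouclass", r"c:\windows\system32\drivers\mouclass.sys"),
]
VOWELS = set("aeiou")

def max_consonant_run(name):
    """Longest run of consecutive non-vowel letters ('y' counts as a consonant)."""
    longest = run = 0
    for ch in name.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return longest

def looks_random(name):
    """Heuristic (an assumption, not a rule): 12+ lowercase letters containing a
    consonant cluster of 4 or more is unlike any normally named driver service."""
    return name.isalpha() and name.islower() and len(name) >= 12 and max_consonant_run(name) >= 4

def is_pe(data):
    """A genuine .sys driver is a PE image: 'MZ' header plus the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"

def printable_strings(data, min_len=4):
    """The 'rename to .txt and look for words' step done properly: ASCII runs plus
    UTF-16LE runs, since Windows binaries keep version text in the latter."""
    found = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    found += [m.group().decode("utf-16le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found

def triage(name, data):
    """One record per service combining the thread's checks, for manual review."""
    return {"name": name, "random_name": looks_random(name), "size": len(data),
            "valid_pe": is_pe(data), "strings": printable_strings(data)}

def triage_file(name, path):
    with open(path, "rb") as fh:
        return triage(name, fh.read())
```

A zero-byte file or one that fails `is_pe` was never a loadable driver, which is the case #5 calls safe to remove; a valid PE with a random name and no recognisable vendor strings is the case that deserves a closer look before anything is deleted.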

#12
April 11, 2013 at 12:16:53
Hi;
I've disabled them,......and (fingers crossed), there seems to be no ill effects. Thanks!

Pat



#13
April 11, 2013 at 12:25:01
Somehow I think you will be OK - thanks for feedback.

Always pop back and let us know the outcome - thanks

