Security Basics mailing list archives
RE: aretzj.exe -- reappearing unknown system file
From: Joe George <j.george () conservation org>
Date: Tue, 31 May 2005 15:00:18 -0400
Kevin,

We use a very powerful anti-spyware application called Xoftspy (http://www.paretologic.com). Not to sound like an advertisement, but I've had about 98% success using it to detect and permanently remove malware processes, reg values/keys and Trojans. Of course, it isn't free though. It's a nice tool to have at least one or two licenses handy for this sort of thing.

Winternals ProcMon is fantastic to use to study any processes that look suspicious when you fail to turn anything up from searches on the Internet.

Aretzj.exe seems like an anomaly to me. If you really want to have some fun and spend time and study it in detail, I'd recommend backing up your client's data and deleting it from the WINNT\S32 or renaming it aretzj.old.

Good luck,
Joe G.

----- Original Message -----
From: "Kevin Snively" <kevinsnively () comcast net>
To: <security-basics () securityfocus com>
Sent: Friday, May 27, 2005 6:27 AM
Subject: aretzj.exe -- reappearing unknown system file
I've come across, on a client's machine, a reappearing / self-propagating read-only system file. The box is running a copy of XP Pro, fully patched.

c:\windows\system32\aretzj.exe

When Internet Explorer is brought up, this program (aretzj.exe) asks for internet access via ZoneAlarm. When deleted it reappears at bootup, and even if the computer has not been restarted. I cannot find any reference in TechNet or any of the search engines. It is read-only, and when deleted XP claims it is a system file. I tried about 20+ search engines. One mentioned a name, an author of a book published in 1935 - author ha'aretz (without the "j").

What I have done to try and identify the source:

1. Looked for other "unknown" files inside of system32, including checking dates of files such as the KERNEL and KERNEL32, and looked for "suspicious" files. No results except aretzj.exe.
2. Cleaned out the [prefetch] folder (no positive results).
3. [Downloaded program files] is and was empty.
4. Checked c:\program files\internet explorer. Looked for suspicious or unknown folders in common files.
5. Spent an almost inordinate amount of time poking around in general looking for clues, identifying plugins, checking system and hidden folders, to no avail.

I am not sure what it is, but I renamed the file to a .txt extension and read through the "readable" portion of the binary file hoping for some hook on identifying it. At this point I am concerned, as it is "unidentifiable"; the terminology inside the binary file might be construed as "data mining", and the client does run proprietary databases. Oh yes, and I have checked with the vendor of the client's database software. They tell me nothing is stored on the PC, nor is anything except a browser required to view the database.

We are now using Firefox but the unknown file continues to reappear. The only solution I have come up with is to wipe everything, reinstall and restore actual data from a backup.

Any help or suggestions will be greatly appreciated. Or has anyone run across this culprit?

Sincerely,
Kevin Snively
The HelpDesk Inc (r)
kevin () thehelpdeskinc com
615-781-1922 (office)
615-582-0877 (Mobile)
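A small triage script, added here as an example and not part of either message in the thread: it hashes the file (the MD5/SHA-256 is what to search for or submit, rather than the filename, which malware picks at random) and pulls printable ASCII and UTF-16LE strings out of it, which is the step Kevin did by hand when he renamed the binary to .txt. Windows binaries keep many strings in UTF-16LE, which a text viewer shows as spaced-out characters and is easy to miss. The sample bytes are constructed for the example; they are not the contents of aretzj.exe, and the keyword list in `interesting()` is an assumption about what is worth reading first.

```python
"""Triage helper for an unknown executable: hashes plus printable strings.

Added example, not code from the original thread. The sample bytes below
are constructed; they are not the contents of aretzj.exe.
"""
import hashlib
import re
from typing import Dict, Iterable, List

MIN_LEN = 6  # minimum string length; shorter runs are mostly noise

# Printable ASCII (space through tilde) plus tab, MIN_LEN or more in a row.
_ASCII_RE = re.compile(rb"[\x09\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text: printable ASCII byte followed by a NUL, MIN_LEN or more pairs.
_UTF16_RE = re.compile(rb"(?:[\x09\x20-\x7e]\x00){%d,}" % MIN_LEN)


def hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of the file contents, the identifiers to look up."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ascii_strings(data: bytes) -> List[str]:
    """Runs of printable ASCII, like the Unix 'strings' default."""
    return [m.group().decode("ascii") for m in _ASCII_RE.finditer(data)]


def utf16_strings(data: bytes) -> List[str]:
    """Runs of UTF-16LE text, which 'strings' and text viewers miss."""
    return [m.group().decode("utf-16-le") for m in _UTF16_RE.finditer(data)]


# Assumed keyword list: things that usually point at persistence or network use.
DEFAULT_KEYWORDS = ("http", "HKEY", "\\Run", ".exe", ".dll", "Internet")


def interesting(strings: Iterable[str], keywords=DEFAULT_KEYWORDS) -> List[str]:
    """Case-insensitive filter for the strings worth reading first."""
    lowered = [k.lower() for k in keywords]
    return [s for s in strings if any(k in s.lower() for k in lowered)]


def triage(data: bytes) -> Dict[str, object]:
    """Everything a first look at an unknown binary should produce."""
    strs = ascii_strings(data) + utf16_strings(data)
    return {
        "hashes": hashes(data),
        "strings": strs,
        "interesting": interesting(strs),
    }


# Constructed sample: an MZ header, the DOS stub text, a registry path in
# ASCII, a URL in UTF-16LE, and a short run that must be dropped as noise.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00" * 8
    + "http://example.invalid/update".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x01\x02\x03ab"  # below MIN_LEN, not reported
)


if __name__ == "__main__":
    # On a real case: triage(open(r"C:\windows\system32\aretzj.exe", "rb").read())
    result = triage(SAMPLE)
    print("sha256:", result["hashes"]["sha256"])
    for s in result["strings"]:
        print(repr(s))
    print("interesting:", result["interesting"])
```

On a real file, copy it off the box first and run `triage()` on the copy, so the hash is of the exact bytes you are asking about; the strings list then gives you something to search on that is more specific than the filename.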
Current thread:
- RE: aretzj.exe -- reappearing unknown system file Joe George (Jun 01)
- <Possible follow-ups>
- re: aretzj.exe -- reappearing unknown system file Harlan Carvey (Jun 01)