[SkyBum]

I've been cleaning up my sister's family PC from spyware etc. (Adaware came up with 768 entries!!!) anyway, got that all under control.

There is an application listed in windows startup called tft4dmod.exe which I can't find any information on at all. I've tried multiple search engines but they all come back with no results. Under the startup tab in System Configuration Utility it shows up like this:

Startup Item: tft4dmod
Command: tft4dmod.exe
Location: HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run

One other thing that seems strange to me is that if I run a file search (including hidden files) no results are found. How can this be? The application is running at startup!

Can anyone ID this app? And how can there be no info on this .exe through the search engines? Sorta makes me suspicious of it.

PC is an eMachine T2692

[PangingJr]

will try to get an info of the file,
here's thing you can do at your end D/L and run the win32 version of this program "Autoruns"
( http://www.sysinternals.com/ntw2k/fr...autoruns.shtml ), the autoruns.exe,
it'll give you the discription and location (image path) of the file. post back the info you find out.

[pr0digal jenius]

is it by any chance a TFT lcd monitor, Toshiba makes one called a TFT and the last portion fo the product ID if 4D?

that's all i can come with, but i'll keep looking

[SkyBum]

"is it by any chance a TFT lcd monitor?"

That occured to me as well but the monitor is just a basic 15" flat screen. The system has never had anything else.


Ctrl-Alt-Del: I'm on it, will post back shortly...

[SkyBum]

Ran Autoruns.

The last entry under HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run was for: Z0o4RjNFi, no Description, no Publisher, but the image path said: file not found: tft4dmod.exe, can I assume that Ad-Aware or Spybot S&D must have removed this file?

I did a quick search on Google for Z0o4RjNFi and came up with only one link: http://castlecops.com/check60483previous.html, which made reference to Z0o4RjNFi along with tscnetsh.exe

What do you suppose we are dealing with here?

[pr0digal jenius]

looks like something that syware removal removed the file and nto the reference, perhaps?

[SkyBum]

Quote:

Originally Posted by pr0digal jenius

looks like something that syware removal removed the file and nto the reference, perhaps?

That would be my guess, I'm just curious what such an obscure executable like that was up to......could have been harmless as well but it just makes me wonder...

[pr0digal jenius]

plotting world domination for some pimply faced socially detractive college student no doubt

[PangingJr]

it is a bad Run registry.

place the folder "autoruns" anywhere you like or move it to your \Program Files,
create a shortcut to the "autoruns.exe", this will set the program's registry settings for you, just to make sure it'll work correctly.

then reopen the program, and uncheck the box in front of that line. close the program and reboot your PC. once you are in Windows, recheck in the autoruns.exe, to see if any new entry has been added, if none, R-click on the line and select Delete,
you can Export the registry entry before deleting it if you like.

[Prime2515102]

Just a quick question here...

Wouldn't there be an error message when you boot up saying the file in autorun couldn't be found if it didn't exist?

Prime

[PangingJr]

you probably won't get any error message at bootup if the image path is missing fron the Run registry, whether the .exe file does exist or not.

if the file didn't exist but the image path is still in registry, in this case you will get an error message that says the file couldn't be found.

[Prime2515102]

Ahh ok, thanks

Prime

[SkyBum]

Not getting any error messages at all....

[PangingJr]

that's why i told you it was a bad registry..
since only the registry value data (it was the image path in this case) had been removed, but the value name was still existing.
so i liked to see whether or not the .exe file still in your system, sometimes it's there but it does not have ability to write a new autorun registry by itself.

-----------------

and without a good Run registry key the .exe cannot be started.

if none of the 3rd party programs that you previously used could not locate the leftover file (if any), or not all of them, then the method that i've mentioned would be a way that you can use to find out or it can help you locate the file.


-

[refraction]

it probably was spyware, i have had that file before, altho i think the letters are random on the filename, it probably was a bit of spyware, but due to you running ad-aware it god rid of most of it.



if you did the smart scan best idea is to run the full scan and see if there are any bits left anywhere.