I did a little Google digging and came up with this: http://www.windowsstartup.com/wso/detail.php?id=4239
Filename: expander.exe
Program Title: HiJaak Expander
Rating: 3 (application need to be run at startup, but is not system critical)
Comments: Part of the HiJaak graphics tools.

There were a number of hits (even things like Stuffit Expander), which could be related. What caught my eye about this one is the "HiJaak graphics tools". Hijack? Graphics? Sounds fitting. =)

--
Peace. ~G

On 17 Sep 2004 17:49:04 -0400, Byron Copeland <[EMAIL PROTECTED]> wrote:
> All,
>
> Just got an attachment in this afternoon. The zipped file contains 3
> files:
>
> 1. foto.jpeg
> 2. foto.html
> 3. expander.exe
>
> that will extract to its own foto directory when clicked on. Also, when
> clicked on, the foto (not bad :) ) will be shown while the file
> expander.exe is being installed.
>
> Here is the result:
>
> expander.exe places itself in the C:\winnt directory as hidden.
>
> 2 Keys are added to the registry:
>
> 1. HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
> SVCHOST value=c:\winnt\expander.exe
>
> 2.HKEY_USERS\5-1-5-21-579898441-688789844-1957994488-500\software\microsoft\windows\currentversion\run
>
> SVCHOST value=c:\winnt\expander.exe
>
> It does install and run as a service.
>
> It doesn't seem to have any listeners running.
>
> I've looked on McAfee and Symantec sites for this one, doesn't seem to be
> there.
>
> Anyone have an idea of what this is? I'd appreciate any feedback.
>
> If anyone wants this attachment, let me know.
>
> Thanks
> -b
>
> --
>
> -- Unix is sexy. "find", "talk", "unzip", "strip", "touch", "finger",
> "mount", "split", "unmount", "sleep".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
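
Added example, not part of the original messages: the Run entry reported above pairs the value name SVCHOST with c:\winnt\expander.exe, and this sketch flags that kind of mismatch in a registry export. It assumes the export has already been decoded to text; the function names, the sample export and the list of System32 process names are constructed for illustration.

```python
import ntpath
import re

# Processes whose real image is %SystemRoot%\System32\<name>.exe.
SYSTEM32_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed .reg export; the first value mirrors the entry reported above.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST"="c:\\winnt\\expander.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
'''

def parse_run_values(reg_text):
    """Yield (key, value_name, command) for each string value under a Run key."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key and key.lower().endswith(RUN_SUFFIX):
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes and quotes with a backslash.
                name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                yield key, name, command

def target_path(command):
    """Return the executable path: up to the closing quote, else the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def find_masquerades(reg_text):
    """Return Run values named after a System32 process but pointing elsewhere."""
    hits = []
    for key, name, command in parse_run_values(reg_text):
        stem = ntpath.splitext(name)[0].lower()
        directory, base = ntpath.split(target_path(command).lower())
        genuine = base == stem + ".exe" and directory.endswith(r"\system32")
        if stem in SYSTEM32_NAMES and not genuine:
            hits.append((key, name, command))
    return hits
```

An unquoted path that contains spaces is cut at the first space, so such an entry under a borrowed name is still reported rather than missed.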
