Anyone Know What This Process Is?

#1 essential

Posted 15 March 2008 - 06:30 PM

Hello,

At my work computer, there is a process I catch running several times a day and have to manually terminate through Task Manager. When I terminate it in Task Manager, it automatically deletes from the Temp folder; however, it keeps coming back in the Windows\Temp folder on its own, randomly. As I said, this is my work computer, so it's got me worried. It doesn't come up as a virus from the virus scanner we have, but I don't want to get in trouble later for it. I only go to safe sites at work (espn.com, comingsoon.net, engadet.com, etc.). In fact, I go to all the same sites on my home computer and I've never seen this process.

The icon remains the same, but the name changes each time. I'm hoping someone can identify it from the icon. HijackThis lists it as an unknown process. I don't know how it keeps generating itself after I terminate it, but I assume it has other files somewhere on the machine.

Thanks for any input.

images: [three screenshots, not reproduced]

#2 david28

Posted 15 March 2008 - 06:44 PM

I believe that "WGANotify.settings" is part of Visual Studio.

Which process is it in the task manager?

Edited by david28, 15 March 2008 - 06:46 PM.


#3 frankp316

Posted 15 March 2008 - 06:57 PM

WGANotify = Windows Genuine Advantage. In other words, it's Microsoft spying on you, just like they spy on the rest of us, to constantly verify that your copy of Windows is genuine. I don't know about the different file names, but WGANotify is what all three pictures have in common.

#4 david28

Posted 15 March 2008 - 07:01 PM

Yes, that's right, the Windows Genuine Advantage Validation Tool. This tool is used so that people who are using counterfeit versions of XP or Vista can't install certain Microsoft programs. It is kind of like an anti-piracy system that MS uses.

#5 usasma

Posted 15 March 2008 - 07:09 PM

I believe that essential is referring to the files that change between each screenshot. They are:

AS80BC 169 KB Application 11/10/2006 1:15 AM
JNDA92 169 KB Application 11/10/2006 1:15 AM
ZV4376 169 KB Application 11/10/2006 1:15 AM

All are located in C:\WINDOWS\Temp

Anything that changes its name, uses random characters, and doesn't change the date/timestamp is, IMO, highly suspicious.
First thing to do is to empty your Temp files because that's where it's sitting.
Next is to figure out what's causing it to load, and delete that (because there may be other things going on).
Finally, I'm going to move this thread over to the "Am I Infected" forum where you'll get some more expert help.

While you're waiting, I'd suggest cleaning out all of the temp files on your system using this free cleaner: http://www.ccleaner.com/download

Then I'd run several of these free, online scans to start cleaning your system:
Be advised that some of these scanners will pickup things in "quarantine" from other anti-virus programs - so review the results carefully:

http://housecall.trendmicro.com
http://www.pandasecurity.com/homeusers/solutions/activescan/
http://www.kaspersky.com/virusscanner
http://www.bitdefender.com/scan8/ie.html
http://support.f-secure.com/enu/home/ols.shtml
http://us.mcafee.com/root/mfs/default.asp
http://onlinescan.avast.com/
http://ca.com/us/securityadvisor/virusinfo/scan.aspx
http://www.eset.com/onlinescan/

<links compiled on 02/14/2008>

#6 essential (Topic Starter)

Posted 15 March 2008 - 08:00 PM

Next is to figure out what's causing it to load, and delete that (because there may be other things going on).


Yes, I am referring to:

AS80BC 169 KB Application 11/10/2006 1:15 AM
JNDA92 169 KB Application 11/10/2006 1:15 AM
ZV4376 169 KB Application 11/10/2006 1:15 AM

usasma, I use CCleaner 10 times a day at work, any time I close IE, and I have since the day I got my machine. This file is only in Temp. I can't delete it from Temp because it's "in use", but when I terminate it in Task Manager it automatically goes away from the Temp folder.

I was hoping someone knew what that little dog icon was so I could investigate a certain program or look for other certain files. I can't figure out what's causing it to load, since there isn't much on the machine besides the OS, QuickBooks, and Microsoft Office. Since this thing changes its name every time I see it, it's been hard to research.

So far the work anti-virus doesn't see it as a virus, and neither does Spybot S&D, but I'll have to try some other programs. I have to be careful, though, since it's a work machine; I don't know what is monitored, and if the IT guys can see I'm installing a bunch of stuff I might get questioned.

Thanks for the information so far.

Edited by essential, 15 March 2008 - 08:02 PM.


#7 essential (Topic Starter)

Posted 16 March 2008 - 01:03 AM

I found an answer, I guess it's not a virus:

http://dotnetjunkies.com/WebLog/anoras/arc...1/19/32676.aspx
"Earlier this week one of my coworkers told me that he'd gotten some sort of virus or spyware that neither the virus scanner nor Ad-Aware was able to detect.
He'd stumbled across the parasite by accident while using the Task Manager to monitor the memory and CPU usage of a service he was debugging. The parasite was an executable running as the SYSTEM account, with a different name for the executable after every reboot.
To be on the safe side, I opened my Task Manager and found a process with a similar name and the exact same size running as the SYSTEM account.
The actual executable was located in the Windows\temp directory and had a cute little puppy as its icon. I made a copy of the file before I killed the process.
Viruses often have messages hidden within them, so I opened the file in a hex viewer to take a closer look at it. I was both relieved and surprised at what I found.
The file had a reference to a debug symbol database file named OfcDog.pdb (D:\OfficeScan\src\Client\OfcDog\Release\OfcDog.pdb). Trend Micro OfficeScan is the virus scanner we use, so this file was probably not hostile. Just to be sure, I located OfcDog.exe and it was a verbatim copy of the shady executable I had running on my computer.

I reckon that the reason for renaming the process on every reboot is to make it harder for hostile code, such as a virus, to kill the process. However, when having an executable that does such a thing, it should be easy to understand what it is. If the developers at Trend Micro had used the same icon for this file as the tray icon, I would have recognized it immediately. Having a cute puppy as an icon might seem like a fun idea since the file has "dog" in its name, but when used with applications that appear to be shady in the first place, it only makes users more suspicious.
The moral of the story is that one should always use icons that make sense to the user. An icon should be a picture or symbol that is universally recognized to be representative of something. Using something different only causes iconfusion."
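As an added example that is not part of this thread and not code from Trend Micro: the two checks the quoted post describes by hand (find the PDB path recorded inside the binary, then confirm the randomly named file in Temp is a byte-for-byte copy of the vendor's own executable) can be scripted. The script below parses the PE debug directory properly rather than only grepping for ".pdb", and hashes the two files instead of trusting the name, size or timestamp. So that it runs offline, the PE it inspects is constructed in memory by build_sample_pe(); SAMPLE_PDB is the path quoted in the post, used here only as test data, and the file names in the comments are stand-ins for the ones in the screenshots. One caveat a practitioner should keep in mind: the PDB path is a string the builder of the file controls, so it names a build but does not vouch for it; the hash comparison against a copy taken from the product's install directory is the part that actually settles the question.

```python
"""Identify a renamed executable the way the quoted blog post did: read the PDB
path recorded in the PE debug directory, then confirm identity with a
known-good copy by hash rather than by file name.

Added example for this thread, not code from the post or from Trend Micro.
The PE parsed here is constructed by build_sample_pe() so the script runs
offline; SAMPLE_PDB is the path quoted in the thread, used only as test data.
"""
import hashlib
import re
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2   # debug entry type whose payload is the RSDS record
DEBUG_DIR_INDEX = 6             # IMAGE_DIRECTORY_ENTRY_DEBUG in the optional header
DEBUG_ENTRY_SIZE = 28           # sizeof(IMAGE_DEBUG_DIRECTORY)

SAMPLE_PDB = rb"D:\OfficeScan\src\Client\OfcDog\Release\OfcDog.pdb"  # constructed test data


def pdb_strings(data: bytes) -> list[str]:
    """What the hex viewer showed: every printable run that ends in '.pdb'."""
    return [m.decode() for m in re.findall(rb"[ -~]{1,260}?\.pdb", data)]


def codeview_pdb(data: bytes):
    """Walk MZ -> PE -> optional header -> debug directory -> RSDS record.

    Returns (guid, age, pdb_path), or None when the image carries no CodeView
    entry. Raises ValueError for data that is not a PE image at all.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+ layout
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    if ndirs <= DEBUG_DIR_INDEX:
        return None
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + DEBUG_DIR_INDEX * 8)
    if dbg_size == 0:
        return None

    # Section table: needed to translate the directory RVA into a file offset.
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    base = rva_to_offset(dbg_rva)
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        entry = base + i * DEBUG_ENTRY_SIZE
        dtype, _, _, rawptr = struct.unpack_from("<IIII", data, entry + 12)
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and data[rawptr:rawptr + 4] == b"RSDS":
            guid = uuid.UUID(bytes_le=data[rawptr + 4:rawptr + 20])
            age = struct.unpack_from("<I", data, rawptr + 20)[0]
            end = data.index(b"\0", rawptr + 24)
            return str(guid), age, data[rawptr + 24:end].decode("latin-1")
    return None


def same_binary(a: bytes, b: bytes) -> bool:
    """The post's final check: the renamed file was a verbatim copy of OfcDog.exe."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def build_sample_pe(pdb_path: bytes) -> bytes:
    """Minimal PE32 (constructed) with one section holding a debug directory and an RSDS record."""
    rsds = b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path + b"\0"
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                        len(rsds), 0x1000 + DEBUG_ENTRY_SIZE, 0x200 + DEBUG_ENTRY_SIZE)
    body = entry + rsds
    body += b"\0" * (-len(body) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    for i in range(16):
        opt += struct.pack("<II", 0x1000, DEBUG_ENTRY_SIZE) if i == DEBUG_DIR_INDEX else bytes(8)
    sect = b".rdata\0\0" + struct.pack("<IIIIIIHHI", len(body), 0x1000, len(body),
                                       0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + sect
    return headers + b"\0" * (0x200 - len(headers)) + body


if __name__ == "__main__":
    mystery = build_sample_pe(SAMPLE_PDB)       # stands in for C:\WINDOWS\Temp\AS80BC
    known_good = build_sample_pe(SAMPLE_PDB)    # stands in for the installed OfcDog.exe
    print("strings:", pdb_strings(mystery))
    print("codeview:", codeview_pdb(mystery))
    print("identical to known copy:", same_binary(mystery, known_good))
```

On a real machine you would replace the two build_sample_pe() calls with open(path, "rb").read() on the Temp file and on the copy from the product's install directory; the three files in the screenshots (same 169 KB, same 11/10/2006 timestamp, different random names) would be expected to hash identically to each other if they are the same program being re-dropped.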
