
Nogard is me
Premium
join:2004-01-08
Columbus, OH


Weird Service in my windows 8.1 services.

I was going through my services and found one that has Japanese letters in it. I tried to Google it and had no luck finding out what it meant. Does anyone know anything about this?

ianenc

join:2014-01-28
Mississauga, ON
A screenshot would be helpful.


Nogard is me
Premium
join:2004-01-08
Columbus, OH
reply to Nogard is me
Here's the screenshot of it. [screenshot attachment]


darcilicious
Cyber Librarian
Premium
join:2001-01-02
Forest Grove, OR
kudos:4
In your shoes, I'd be heading over here »Security Cleanup
--
♬ Dragon of good fortune struggles with the trickster Fox ♬


Nogard is me
Premium
join:2004-01-08
Columbus, OH
Thanks. I scanned my laptop with SAS, Malwarebytes and my virus scanner. I looked at my running processes and nothing jumped out at me. I'll head over there.

andyross
Premium,MVM
join:2003-05-04
Schaumburg, IL
reply to Nogard is me
You can go into the properties and see what program it's pointing at. That may give a clue.

I also wonder if that's Chinese instead of Japanese. Anybody who can read either one able to translate?

rfnut
Premium
join:2002-04-27
Fisher, IL
kudos:2
reply to Nogard is me
I noticed this on an android tablet yesterday as well. It was a driver module that was not malicious, but made me look twice. Properties and directory of the service files may point to a company, or device type.


Nogard is me
Premium
join:2004-01-08
Columbus, OH
reply to andyross
When I open it I get the Chinese/Japanese words in the path to the executable. No dependencies or anything; I stopped the service. I'm wondering if it has something to do with ASUS laptops or products. I'm scanning my laptop again now with Malwarebytes, SAS and doing a few online virus scans to be safe. When my wife comes home I'm going to see if it's on her laptop, to see if maybe it's an ASUS thing. If anyone can translate it, that would be cool.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to Nogard is me
I suspect it's simply junk. Being Chinese doesn't make a lot of sense with the "t" at the end. I'd guess someone fed olde-timey 8-bit characters into an API expecting 16-bit characters.

Can you find the matching registry entry? It'll be under HKLM\System\CurrentControlSet\Services.


Nogard is me
Premium
join:2004-01-08
Columbus, OH
Yeah, I'm thinking it might not be a bad service. I want to find out what it's for and how to get rid of it.


Nogard is me
Premium
join:2004-01-08
Columbus, OH
reply to dave
Yes, I have it in my registry. My wife doesn't have it on her laptop, so it's not ASUS.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Right-click on the key name in the left-hand pane of regedit, choose 'export' and save to a .reg file. Then rename it as .txt (to avoid accidents) and upload it here.

You might take a look in the .txt file first and make sure that only the single key got saved. We don't want you to accidentally post your entire registry.


Nogard is me
Premium
join:2004-01-08
Columbus, OH
[Attachment: weird.reg.zip, 579 bytes]
Here it is.

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
They even encoded the path in hex, and that wasn't necessary.

C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
 


Nogard is me
Premium
join:2004-01-08
Columbus, OH
Is that the program causing this?

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3


Yes, that's the program being launched by the service.
»www.wisecleaner.com/wisecare365.html


Nogard is me
Premium
join:2004-01-08
Columbus, OH
How did you find this out?

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
Every character has a numerical value, but hex is base 16 instead of base 10. Convert that to ASCII and you get text. You can find converters on the web, which is what I did to make it easier.


Nogard is me
Premium
join:2004-01-08
Columbus, OH
OK, I see. Thanks. Now if I uninstall Wise Cleaner, will it remove the services?

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
If it doesn't, you have the location of the service in the registry, and you can do it yourself.

Otherwise, programs like Autoruns can help, but don't get paranoid when using Autoruns; you can break things.
»technet.microsoft.com/en-us/sysi···902.aspx
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

reply to BlitzenZeus
said by BlitzenZeus:

They even encoded the path in hex, and that wasn't necessary.

No they didn't.

What they did, as I suggested earlier, was supply an 8-bit string in a context that (like everything else in Windows proper, as opposed to stupid-app-compatibility-land) needed a 16-bit string.

So, they coded "C:\\Program Files\\..." when what they should have coded was L"C:\\Program Files\\...".

The value is not "in hex" in the registry or in the program that created it; it's just bits. regedit decided to dump it in hex when writing the export file, and I'm not quite sure why. Maybe it didn't look suitably stringy. EDIT: Nope, turns out regedit always does that for the ImagePath value. Probably because it's a REG_EXPAND_SZ rather than a REG_SZ.
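Added example, not code from any post in this thread: a small parser for regedit's export format that turns a `hex(2):` ImagePath back into a path. It follows BlitzenZeus's hex-to-text step and dave's point that the bytes are a REG_EXPAND_SZ; the exact decode is UTF-16LE, and "convert to ASCII" only works when the converter happens to drop the interleaved 00 bytes. The `.reg` text is constructed: the key name `ExampleService` and the Type, Start, DisplayName and DependOnService values are placeholders, and only the ImagePath bytes are the UTF-16LE encoding of the path recovered above.

```python
"""Parse a regedit .reg export and decode hex(2)/hex(7) string values.

Added example for this thread, not the original attachment or anyone's posted
code. regedit writes REG_EXPAND_SZ as hex(2) and REG_MULTI_SZ as hex(7), both
as raw little-endian UTF-16 bytes wrapped across lines with a trailing
backslash; this module undoes that.
"""
import re

# Constructed sample in regedit's export format. Key name and all values other
# than ImagePath are placeholders; ImagePath is the real path from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleService]
"Type"=dword:00000010
"Start"=dword:00000002
"DisplayName"="Example display name"
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,00,5c,00,\
  57,00,69,00,73,00,65,00,5c,00,57,00,69,00,73,00,65,00,20,00,43,00,61,00,72,00,\
  65,00,20,00,33,00,36,00,35,00,5c,00,42,00,6f,00,6f,00,74,00,54,00,69,00,6d,00,\
  65,00,2e,00,65,00,78,00,65,00,00,00
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"""

_HEX_TYPES = {
    "hex": "REG_BINARY",
    "hex(1)": "REG_SZ",
    "hex(2)": "REG_EXPAND_SZ",
    "hex(7)": "REG_MULTI_SZ",
}


def _join_continuations(text: str) -> str:
    # regedit breaks long hex values after a comma with a trailing backslash
    # and indents the next line; glue those pieces back into one line.
    return re.sub(r",\\\r?\n[ \t]*", ",", text)


def _decode_value(raw: str):
    """Return (type_name, python_value) for the right-hand side of a .reg line."""
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"^(hex(?:\(\d+\))?):(.*)$", raw)
    if not m:
        return ("UNKNOWN", raw)
    type_tag, hex_part = m.group(1), m.group(2)
    data = bytes.fromhex(hex_part.replace(",", ""))
    type_name = _HEX_TYPES.get(type_tag, type_tag)
    if type_name in ("REG_SZ", "REG_EXPAND_SZ"):
        # UTF-16LE, terminated by a 16-bit zero; decoding as ASCII would leave
        # a NUL between every character, which is what "hex to ASCII" hides.
        return (type_name, data.decode("utf-16-le").split("\x00", 1)[0])
    if type_name == "REG_MULTI_SZ":
        strings = data.decode("utf-16-le").split("\x00")
        return (type_name, [s for s in strings if s])
    return (type_name, data)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: (type_name, value)}} for a .reg export."""
    result, current = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            result[current][m.group(1)] = _decode_value(m.group(2))
    return result


def service_image_paths(parsed: dict) -> dict:
    """Map each exported Services\\<name> key to its decoded ImagePath."""
    return {
        key.rsplit("\\", 1)[1]: values["ImagePath"][1]
        for key, values in parsed.items()
        if "\\Services\\" in key and "ImagePath" in values
    }


if __name__ == "__main__":
    for name, path in service_image_paths(parse_reg(SAMPLE_REG)).items():
        print(f"{name}: {path}")
```

Run it against a single-key export like the one in this thread and the ImagePath comes out as a plain path; for a whole-hive export the same function lists every service's binary, which is a quick way to spot anything pointing outside Program Files or System32.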


Nogard is me
Premium
join:2004-01-08
Columbus, OH
Is that bad or good? I have been racking my brain and scanning my laptop all night and nothing was found.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

It's written by an incompetent programmer. It's not necessarily malicious.

Anyway, what the idiot programmer intended to call the service was

"WiseBootAssistant"

but he screwed it up by coding it in ASCII. And since this hasn't been an ASCII world since 1990, every 2 bytes (=2 ASCII characters) got treated as one 16-bit Unicode character, and the bit-patterns just happened to look like Chinese characters.

Since the rest of the driver is probably no better than its installer, perhaps it's time to uninstall.

Edit: Googling around, it seems like crapware anyway.

»regrunreanimator.com/research/sp···e365.htm
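Added example, not code from any post in this thread: it reproduces dave's explanation by reading the 8-bit bytes of "WiseBootAssistant" as UTF-16LE code units, recovers the intended name from the garbled one, and adds a small check you can run over a service list to flag names that are really ASCII pairs. It assumes the intended name was "WiseBootAssistant" as stated above, that the installer handed that narrow string to a wide-character API such as CreateServiceW, and that the bytes following the narrow string's terminator were zero, which is why the displayed name stops after the stray "t".

```python
"""Show how an 8-bit service name becomes CJK-looking text in services.msc.

Added example for this thread, not the installer's code. Assumptions: the
intended name is the one dave gives, the narrow string (with its NUL) was
passed where a UTF-16LE string was expected, and memory after the NUL was
zero, so the wide reader stopped right after the odd trailing byte.
"""

INTENDED_NAME = "WiseBootAssistant"  # the name dave says the programmer meant


def narrow_as_wide(name: str) -> str:
    """Bytes of an 8-bit string, NUL included, read as UTF-16LE code units."""
    raw = name.encode("ascii") + b"\x00"   # what the narrow pointer actually points at
    if len(raw) % 2:
        raw += b"\x00"                     # assumed zero padding after the literal
    wide = raw.decode("utf-16-le")
    return wide.split("\x00", 1)[0]        # a wide API stops at the first 16-bit zero


def wide_back_to_narrow(garbled: str) -> str:
    """Inverse: serialize the code units and read the bytes as 8-bit characters."""
    raw = garbled.encode("utf-16-le")
    return raw.decode("ascii", errors="replace").rstrip("\x00")


def looks_like_narrow_as_wide(name: str) -> bool:
    """Heuristic for a service listing: True when every code unit splits into
    two printable ASCII bytes (the last may have a zero high byte, from an
    odd-length name) and the name is not already plain ASCII."""
    units = [ord(c) for c in name]
    if not units or all(u < 0x80 for u in units):
        return False
    last = len(units) - 1
    for i, u in enumerate(units):
        hi, lo = u >> 8, u & 0xFF
        if not 0x20 <= lo <= 0x7E:
            return False
        if not (0x20 <= hi <= 0x7E or (hi == 0 and i == last)):
            return False
    return True


if __name__ == "__main__":
    garbled = narrow_as_wide(INTENDED_NAME)
    print("displayed as:", garbled)
    print("code units:  ", [hex(ord(c)) for c in garbled])
    print("recovered:   ", wide_back_to_narrow(garbled))
    for candidate in (garbled, "Spooler", INTENDED_NAME):
        print(f"{candidate!r}: narrow-as-wide? {looks_like_narrow_as_wide(candidate)}")
```

The eight leading code units all fall in the CJK Unified Ideographs block (U+4E00 to U+9FFF), which is why the name reads as Chinese or Japanese, and the ninth is U+0074, the lone "t" dave pointed at. Feeding the displayed name back through `wide_back_to_narrow` is the quick way to translate such a service without a converter site.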

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
reply to dave
Definitely interesting behavior of regedit, then; maybe it's to keep the integrity of the string if something else modifies the file.


Nogard is me
Premium
join:2004-01-08
Columbus, OH
reply to dave
Thanks. I uninstalled the program and removed the registry key. Now when I open up my services, the service is still there, but with an error saying it can't be opened.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to BlitzenZeus
I'm inclined to think that the export code (which was essentially born in Windows 95) hasn't quite kept up with the available datatypes, and so its fallback is to dump unknown types as byte strings in hex.

REG_MULTI_SZ seems to be handled the same way.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to Nogard is me
Reboot. By deleting the key directly, the service controller hasn't been told that the service no longer exists. It'll figure it out on restart (i.e., when it reads in the service database from the registry).


Nogard is me
Premium
join:2004-01-08
Columbus, OH
Thank you, but the service is still there, and it won't let me open the service.

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
You can delete the service entry in regedit, or autoruns. Just be careful either way to not delete anything else.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to Nogard is me
So you navigated to HKLM\System\CurrentControlSet\Services in regedit, found the funny key name in the left pane, selected it and then either (a) right-click, delete, or (b) edit->delete from the menu.

Then you rebooted.

Right?

And the service is still visible ... where?