dslreports
Weird Service in my Windows 8.1 services.

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):

I was going through my services and found one that has Japanese letters on it. I tried to Google it but had no luck finding out what it meant. Anyone know anything about this?
ianenc (Member, join 2014-01-28, Mississauga, ON):
A screenshot would be helpful.

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):

Here's the screenshot of it.

darcilicious (Cyber Librarian, Premium Member, join 2001-01-02, Forest Grove, OR):
In your shoes, I'd be heading over here »Security Cleanup

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):
Thanks, I scanned my laptop with SAS, Malwarebytes and my virus scanner. I looked at my running processes and nothing jumped out at me. I'll head over there.

andyross (MVM, join 2003-05-04, Aurora, IL) to Nogard is me:
You can go into the properties and see what program it's pointing at. That may give a clue.

I also wonder if that's Chinese instead of Japanese. Anybody who can read either one able to translate?
rfnut (Premium Member, join 2002-04-27, Fisher, IL) to Nogard is me:
I noticed this on an android tablet yesterday as well. It was a driver module that was not malicious, but made me look twice. Properties and directory of the service files may point to a company, or device type.

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH) to andyross:
When I open it I get the Chinese/Japanese words in the path to the executable. No dependencies or anything; I stopped the service. I'm wondering if it has something to do with ASUS laptops or products. I'm scanning my laptop again now with Malwarebytes and SAS, and doing a few online virus scans to be safe. When my wife comes home I'm going to see if it's on her laptop, to see if maybe it's an ASUS thing. Anyone that can translate it, that would be cool.
dave (Premium Member, join 2000-05-04, not in ohio) to Nogard is me:
I suspect it's simply junk. Being Chinese doesn't make a lot of sense with the "t" at the end. I'd guess someone fed olde-timey 8-bit characters into an API expecting 16-bit characters.

Can you find the matching registry entry? It'll be under HKLM\System\CurrentControlSet\Services.

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):
Yeah, I'm thinking it might not be a bad service. I want to find out what it's to and how to get rid of it.

Nogard is me (Premium Member) to dave:
Yes, I have it in my registry. My wife doesn't have it on her laptop, so it's not ASUS.
dave (Premium Member, join 2000-05-04, not in ohio):
Right-click on the key name in the left-hand pane of regedit, choose 'export' and save to a .reg file. Then rename it as .txt (to avoid accidents) and upload it here.

You might take a look in the .txt file first and make sure that only the single key got saved. We don't want you to accidentally post your entire registry.

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):
Here it is.

BlitzenZeus (Burnt Out Cynic, Premium Member, join 2000-01-13):
They even encoded the path in hex, and that wasn't necessary.

C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
 

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):
Is that the program causing this?

BlitzenZeus (Burnt Out Cynic, Premium Member, join 2000-01-13):
Yes, that's the program being launched by the service.
»www.wisecleaner.com/wise ··· 365.html

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):
How did you find this out?

BlitzenZeus (Burnt Out Cynic, Premium Member, join 2000-01-13):
All characters have a numerical value, but hex is base 16 instead of base 10. Convert that to ASCII and you get text. You can find converters on the web, which is what I did to make it easier.

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):
OK, I see. Thanks. Now if I uninstall Wise Cleaner, will it remove the services?

BlitzenZeus (Burnt Out Cynic, Premium Member, join 2000-01-13):
If it doesn't you have the location of the service in the registry, and you can do it yourself.

Otherwise programs like Autoruns can help, but don't get paranoid when using Autoruns, you can break things.
»technet.microsoft.com/en ··· 902.aspx

dave (Premium Member, join 2000-05-04, not in ohio) to BlitzenZeus:
said by BlitzenZeus:

They even encoded the path in hex, and that wasn't necessary.

No they didn't.

What they did, as I suggested earlier, was supply an 8-bit string in a context that (like everything else in Windows proper, as opposed to stupid-app-compatibility-land) needed a 16-bit string.

So, they coded "C:\\Program Files\\..." when what they should have coded was L"C:\\Program Files\\...".

The value is not "in hex" in the registry or in the program that created it, it's just bits. regedit decided to dump it in hex when writing the export file, not quite sure why. Maybe it didn't look suitably stringy. EDITED Nope, turns out regedit always does that for the imagepath value. Probably because it's a REG_EXPAND_SZ rather than a REG_SZ.

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):
Is that bad or good? I have been racking my brain and scanning my laptop all night, and nothing was found.

dave (Premium Member, join 2000-05-04, not in ohio):
It's written by an incompetent programmer. It's not necessarily malicious.

Anyway, what the idiot programmer intended to call the service was

"WiseBootAssistant"

but he screwed it up by coding it in ASCII. And since this hasn't been an ASCII world since 1990, every 2 bytes (=2 ASCII characters) got treated as one 16-bit Unicode character, and the bit patterns just happened to look like Chinese characters.

Since the rest of the driver is probably no better than its installer, perhaps it's time to uninstall.

Edit: Googling around, it seems like crapware anyway.

»regrunreanimator.com/res ··· e365.htm
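The two steps the thread did by hand, as an added example that is not code from anyone in the thread or from Wise Care 365: BlitzenZeus converted the hex(2) bytes in the .reg export back into the ImagePath, and dave explained why the service name shows up as CJK characters ending in a "t". The Python below parses a .reg export of the kind described (the export text is constructed here; its ImagePath is the path quoted above, while the Type, Start and DisplayName values, and the assumption that the byte after the string's NUL terminator is also zero, are illustrative) and reproduces the 8-bit/16-bit mix-up in both directions.

```python
"""Decode a regedit .reg export of a service key, and show the ANSI/UTF-16 mix-up.

Added example for this thread, not code from the thread's posters or from Wise
Care 365. It reproduces two things done by hand above: turning the "hex(2):"
ImagePath bytes back into a path, and explaining why the service name shows as
CJK characters ending in a 't'. Assumptions are marked in comments.
"""
import re


def narrow_as_wide(name: str) -> str:
    """What a Windows 'W' (UTF-16) API displays when handed an 8-bit string:
    the bytes, NUL terminator included, are consumed two at a time."""
    data = name.encode("ascii") + b"\x00"
    if len(data) % 2:
        data += b"\x00"  # assumption: the byte after the terminator is zero too
    return data.decode("utf-16-le").rstrip("\x00")


def wide_as_narrow(garbled: str) -> str:
    """Reverse the damage: the displayed text re-encoded as UTF-16LE is the
    original ASCII byte string, NUL terminator included."""
    return garbled.encode("utf-16-le").decode("ascii").rstrip("\x00")


INTENDED_NAME = "WiseBootAssistant"           # the name the thread says was meant
GARBLED_NAME = narrow_as_wide(INTENDED_NAME)  # the name services.msc showed

# Constructed .reg export. The ImagePath is the path found in the thread; the
# key name is derived above; Type, Start and DisplayName are illustrative
# assumptions. regedit writes REG_EXPAND_SZ as hex(2) UTF-16LE bytes and wraps
# long values with a trailing backslash plus two-space indentation.
SAMPLE_REG = rf'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GARBLED_NAME}]
"Type"=dword:00000010
"Start"=dword:00000002
"DisplayName"="Wise Boot Assistant"
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  20,00,46,00,69,00,6c,00,65,00,73,00,20,00,28,00,78,00,38,00,36,00,29,00,5c,00,\
  57,00,69,00,73,00,65,00,5c,00,57,00,69,00,73,00,65,00,20,00,43,00,61,00,72,00,\
  65,00,20,00,33,00,36,00,35,00,5c,00,42,00,6f,00,6f,00,74,00,54,00,69,00,6d,00,\
  65,00,2e,00,65,00,78,00,65,00,00,00
'''

VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')


def join_continuations(text: str) -> list:
    """Undo regedit's line wrapping: a trailing backslash continues the value
    on the next line, which regedit indents with two spaces."""
    lines, buf = [], None
    for raw in text.splitlines():
        part = raw.lstrip() if buf is not None else raw
        if part.endswith("\\"):
            buf = (buf or "") + part[:-1]
            continue
        lines.append((buf or "") + part)
        buf = None
    return lines


def decode_value(data: str):
    """Decode the right-hand side of a .reg value line into (type, value)."""
    if data.startswith('"'):                         # REG_SZ with \" and \\ escapes
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[len("dword:"):], 16)
    m = re.match(r"hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<b>.*)$", data)
    if not m:
        raise ValueError(f"unrecognised value syntax: {data!r}")
    type_id = int(m.group("t") or "3", 16)           # bare "hex:" means REG_BINARY (3)
    raw = bytes.fromhex(m.group("b").replace(",", ""))
    if type_id in (1, 2):                            # REG_SZ / REG_EXPAND_SZ as UTF-16LE
        text = raw.decode("utf-16-le").rstrip("\x00")
        return ("REG_SZ" if type_id == 1 else "REG_EXPAND_SZ"), text
    if type_id == 7:                                 # REG_MULTI_SZ: NUL-separated list
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return f"hex({type_id:x})", raw


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: (type, value)}} for a .reg export."""
    keys, current = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group("name") or "@"] = decode_value(m.group("data"))
    return keys


if __name__ == "__main__":
    for key, values in parse_reg_export(SAMPLE_REG).items():
        print(key)
        for name, (kind, value) in values.items():
            print(f"  {name} ({kind}): {value!r}")
    print("intended name:", wide_as_narrow(GARBLED_NAME))
```

Run it directly to print the parsed key and its values. A real .reg file written by regedit is UTF-16LE text, so read it with open(path, encoding="utf-16") before passing it to parse_reg_export. narrow_as_wide also reproduces dave's arithmetic: 17 ASCII bytes plus the terminating NUL make nine 16-bit units, eight of which fall in the CJK Unified Ideographs block and the last of which is 0x0074, the visible "t".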

BlitzenZeus (Burnt Out Cynic, Premium Member, join 2000-01-13) to dave:
Definitely interesting behavior of regedit then, and maybe to keep the integrity of the string if something else modifies the file.

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH) to dave:
Thanks, I uninstalled the program and removed the registry key. Now when I open up my services, the service is still there, but with an error saying it can't be opened.

dave (Premium Member, join 2000-05-04, not in ohio) to BlitzenZeus:
I'm inclined to think that the export code (which was essentially born in Windows 95) hasn't quite kept up with the available datatypes, and so its fallback is to dump unknown types as byte strings in hex.

REG_MULTI_SZ seems to be handled the same way.

dave (Premium Member) to Nogard is me:
Reboot. By deleting the key directly, the service controller hasn't been told that the service no longer exists. It'll figure it out on restart (i.e., when it reads in the service database from the registry).

Nogard is me (Premium Member, join 2004-01-08, Columbus, OH):
Thank you, but the service is still there and it won't let me open it.

BlitzenZeus (Burnt Out Cynic, Premium Member, join 2000-01-13):
You can delete the service entry in regedit, or autoruns. Just be careful either way to not delete anything else.

dave (Premium Member, join 2000-05-04, not in ohio) to Nogard is me:
So you navigated to HKLM\System\CurrentControlSet\Services in regedit, found the funny key name in the left pane, selected it and then either (a) right-click, delete, or (b) Edit -> Delete from the menu.

Then you rebooted.

Right?

And the service is still visible ... where?