Weird Service in my Windows 8.1 services
I was going through my services and found one that has Japanese letters on it. I tried to google it and had no luck finding out what it meant. Anyone know anything about this? |
|
|
ianenc join:2014-01-28 Mississauga, ON |
ianenc
Member
2014-Feb-21 4:22 pm
A screenshot would be helpful. |
|
|
Here's the Screenshot of it |
|
darciliciousCyber Librarian Premium Member join:2001-01-02 Forest Grove, OR |
In your shoes, I'd be heading over here » Security Cleanup |
|
|
Thanks, I scanned my laptop with SAS, Malwarebytes and my virus scanner. I looked at my running processes and nothing jumped out at me. I'll head over there. |
|
|
to Nogard is me
You can go into the properties and see what program it's pointing at. That may give a clue.
I also wonder if that's Chinese instead of Japanese. Anybody who can read either one able to translate? |
|
rfnut Premium Member join:2002-04-27 Fisher, IL |
to Nogard is me
I noticed this on an android tablet yesterday as well. It was a driver module that was not malicious, but made me look twice. Properties and directory of the service files may point to a company, or device type. |
|
|
to andyross
When I open it I get the Chinese/Japanese words in the path to executable. No dependencies or anything, I stopped the service. I'm wondering if it has something to do with ASUS laptops or products. I'm scanning my laptop now again with Malwarebytes, SAS and doing a few online virus scans to be safe. When my wife comes home I'm going to see if it's on her laptop, to see if maybe it's an ASUS thing. If anyone can translate it, that would be cool. |
|
dave Premium Member join:2000-05-04 not in ohio |
to Nogard is me
I suspect it's simply junk. Being Chinese doesn't make a lot of sense with the t" at the end. I'd guess someone fed olde-timey 8-bit characters into an API expecting 16-bit characters.
Can you find the matching registry entry? It'll be under HKLM/System/CurrentControlSet/Services. |
|
|
Yeah, I'm thinking it might not be a bad service. I want to find out what it's to and how to get rid of it. |
|
Nogard is me |
to dave
Yes, I have it in my registry. My wife doesn't have it on her laptop so it's not ASUS. |
|
dave Premium Member join:2000-05-04 not in ohio |
dave
Premium Member
2014-Feb-21 8:33 pm
Right-click on the key name in the left-hand pane of regedit, choose 'export' and save to a .reg file. Then rename it as .txt (to avoid accidents) and upload it here.
You might take a look in the .txt file first and make sure that only the single key got saved. We don't want you to accidentally post your entire registry. |
|
|
|
|
BlitzenZeusBurnt Out Cynic Premium Member join:2000-01-13 |
They even encoded the path in hex, and that wasn't necessary. C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
|
|
|
Is that the program causing this? |
|
BlitzenZeusBurnt Out Cynic Premium Member join:2000-01-13
1 recommendation |
Yes, that's the program being launched by the service. » www.wisecleaner.com/wise ··· 365.html |
|
|
How did you find this out? |
|
BlitzenZeusBurnt Out Cynic Premium Member join:2000-01-13 |
All characters are a numerical value, but hex is base 16 instead of base 10. Convert that to ascii, and you get text. You can find the converters on the web which is what I did to make it easier. |
|
|
OK, I see. Thanks. Now if I uninstall Wise Cleaner, will it remove the services? |
|
BlitzenZeusBurnt Out Cynic Premium Member join:2000-01-13 |
If it doesn't you have the location of the service in the registry, and you can do it yourself. Otherwise programs like Autoruns can help, but don't get paranoid when using Autoruns, you can break things. » technet.microsoft.com/en ··· 902.aspx |
|
dave Premium Member join:2000-05-04 not in ohio 4 edits |
to BlitzenZeus
said by BlitzenZeus:
They even encoded the path in hex, and that wasn't necessary.
No they didn't. What they did, as I suggested earlier, was supply an 8-bit string in a context that (like everything else in Windows proper, as opposed to stupid-app-compatibility-land) needed a 16-bit string. So, they coded "C:\\Program Files\\..." when what they should have coded was L"C:\\Program Files\\...".
The value is not "in hex" in the registry or in the program that created it, it's just bits. regedit decided to dump it in hex when writing the export file, not quite sure why. Maybe it didn't look suitably stringy.
EDITED Nope, turns out regedit always does that for the imagepath value. Probably because it's a REG_EXPAND_SZ rather than a REG_SZ. |
|
|
Is that bad or good? I have been racking my brain and scanning my laptop all night and nothing was found. |
|
dave Premium Member join:2000-05-04 not in ohio 2 edits |
dave
Premium Member
2014-Feb-21 10:08 pm
It's written by an incompetent programmer. It's not necessarily malicious. Anyway, what the idiot programmer intended to call the service was "WiseBootAssistant" but he screwed it up by coding it in ASCII. And since this hasn't been an ASCII world since 1990, every 2 bytes (=2 ASCII characters) got treated as one 16-bit Unicode character, and the bit-patterns just happened to look like Chinese characters. Since the rest of the driver is probably no better than its installer, perhaps it's time to uninstall. Edit: Googling around, it seems like crapware anyway. » regrunreanimator.com/res ··· e365.htm |
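The mix-up discussed above (an 8-bit string read as 16-bit characters, and regedit's hex dump of the image path), as an added example that is not part of the thread. The function names are hypothetical, the padding byte is an assumption, and the sample export value is constructed from the path posted in the thread rather than copied from the real export.

```python
import re
from typing import Optional, Tuple

def narrow_as_wide(name: str) -> str:
    """Model the bug: an 8-bit C string read as 16-bit code units."""
    raw = name.encode("ascii") + b"\x00"   # narrow string plus its NUL
    if len(raw) % 2:
        raw += b"\x00"                     # assumption: the next byte in memory is 0
    return raw.decode("utf-16-le").rstrip("\x00")

def recover_narrow(displayed: str) -> Optional[str]:
    """Undo it: if the UTF-16LE bytes are all printable ASCII, return them."""
    raw = displayed.encode("utf-16-le").rstrip(b"\x00")
    if raw and all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None                            # genuine wide text, or a normal ASCII name

def parse_reg_hex(value: str) -> bytes:
    """Bytes of a 'hex(2):..' value from a .reg export, continuation lines included."""
    body = value.partition(":")[2]
    body = re.sub(r"[\\\s]", "", body)     # drop line-continuation '\' and whitespace
    return bytes(int(tok, 16) for tok in body.split(",") if tok)

def decode_reg_string(data: bytes) -> Tuple[str, bool]:
    """Return (text, stored_as_8bit). Heuristic, valid for ASCII-only paths:
    correctly stored UTF-16LE ASCII has 0x00 in every odd byte position."""
    if len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le").rstrip("\x00"), False
    return data.rstrip(b"\x00").decode("latin-1"), True

# Constructed sample: export-style lines built from the path posted in the thread.
PATH = r"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"
_hex = [f"{b:02x}" for b in PATH.encode("ascii") + b"\x00"]
SAMPLE = "hex(2):" + ",\\\n  ".join(
    ",".join(_hex[i:i + 20]) for i in range(0, len(_hex), 20))

if __name__ == "__main__":
    shown = narrow_as_wide("WiseBootAssistant")
    print(shown, "->", recover_narrow(shown))          # CJK-looking name, then the ASCII
    print(decode_reg_string(parse_reg_hex(SAMPLE)))    # path, flagged as 8-bit
    print(decode_reg_string("C:\\x.exe\0".encode("utf-16-le")))  # well-formed value
```

The seventeen letters plus the terminating NUL pair up into eight CJK-range code units and a final plain "t", which matches the stray "t" noted earlier in the thread.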
|
BlitzenZeusBurnt Out Cynic Premium Member join:2000-01-13 |
to dave
Definitely interesting behavior of regedit then, and maybe to keep the integrity of the string if something else modifies the file. |
|
|
to dave
Thanks, I uninstalled the program and removed the registry key. Now when I open up my services, the service is still there but just an error saying it can't be opened. |
|
dave Premium Member join:2000-05-04 not in ohio |
to BlitzenZeus
I'm inclined to think that the export code (which was essentially born in Windows 95) hasn't quite kept up with the available datatypes, and so its fallback is to dump unknown types as byte strings in hex.
REG_MULTI_SZ seems to be handled the same way. |
|
dave |
to Nogard is me
Reboot. By deleting the key directly, the service controller hasn't been told that the service no longer exists. It'll figure it out on restart (i.e., when it reads in the service database from the registry). |
|
|
Thank you, but the service is still there but it won't let me open the service. |
|
BlitzenZeusBurnt Out Cynic Premium Member join:2000-01-13 |
You can delete the service entry in regedit, or autoruns. Just be careful either way to not delete anything else. |
|
dave Premium Member join:2000-05-04 not in ohio |
to Nogard is me
So you navigated to HKLM/System/CurrentControlSet/Services in regedit, found the funny key name in the left pane, selected it and then either (a) right-click, delete, or (b) edit->delete from the menu.
Then you rebooted.
Right?
And the service is still visible ... where? |
|