Suspicious Task Scheduler entries

beaverman · #1 February 11th, 2008, 07:43 PM

I went into my task scheduler to schedule my spyware to start up and there were seven tasks not scheduled by me. They all start with this string C:\Windows\system32\pcalua.exe
These are the arguments for each one.

-a E:\setup.exe -d E:\
-a C:\Windows\system32\javacpl.cpl -c Java
-a F:\netsetup.exe -d F:\
-a "C:\Users\(my name)\Desktop\DPInst32.EXE" -d "C:\Users\(my name)\Desktop"
-a "C:\Users\(my name)\Desktop\msj2.exe" -d "C:\Users\(my name)\Desktop"
-a "C:\Users\(my name)\Desktop\msj1.exe" -d "C:\Users\(my name)\Desktop"
-a "C:\Users\(my name)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\90F44Z3L\INTEL_NETWORK_CONNECTIO N_ID_TOOL_305[1].EXE" -d C:\Windows\system32

Where it says "my name" my own personal name appears.

I run Vista Home premium 32 bit.
I am not sure if these are spyware or some other malicious program. I have run Super anti spyware and Adaware. I have Norton internet security 2008 as my anti virus program.

syklitengutt · #2 February 11th, 2008, 07:49 PM

The files on desktop I really cant say why they are there.
Neither the setup.exe and netsetup.exe
Is these files existing in the places that are listed?

but the last one im not sure of.
This is supposed to be in temporary Internet files, and load in system.

AnnMarie · #3 February 11th, 2008, 11:27 PM

Quote:

They all start with this string C:\Windows\system32\pcalua.exe

The above statement is the key. pcalua.exe is the Program Compatibility Assistant . Check out the FAQ's in the link for more information regarding the function of this file. If you google the filenames of the files concerned, you will see that they all have a legitimate source.

beaverman · #4 February 12th, 2008, 03:08 AM

Thanx. I did Google them and some sites said it could be a spy. Glad to hear its not. Thanx again.

AnnMarie · #5 February 12th, 2008, 03:22 AM

Yes that can happen. Malware do sometimes give their files the same names as legitimate files so you have to look at the entire filepath in context. They are all fine and you are welcome.

airymic · #6 March 22nd, 2009, 07:46 AM

If you read your scheduler, nothing appears under the column: "Next Run Time". "pcalua" is a procedure run by windows periodically for product registration purposes. Something suspicios occurs in your system and this process is triggered. Nothing to worry about,... unless maybe you have an illegal copy of windows.

AnnMarie · #7 March 22nd, 2009, 08:07 AM

Quote:

pcalua" is a procedure run by windows periodically for product registration purposes.

That is not correct airymic. This file is the Program Compatibility Assistant and I have already posted a Microsoft link which outlines all it's functions.

airymic · #8 March 22nd, 2009, 08:50 AM

You're the expert. Guess I was fooled by the "HistoryTab" that said:

Information 109 Task triggered by registration

Product: Windows Operating System
ID: 109
Source: Microsoft-Windows-TaskScheduler
Version: 6.0
Symbolic Name: IMMEDIATE_TRIGGER
Message: Task Scheduler launched "%2" instance of task "%1" due to a registration trigger.

AnnMarie · #9 March 22nd, 2009, 09:13 AM

That means that the task is a registered task and has been triggered by predefined boundaries to perform an action. See Registration Trigger Example.

Similar Topics
Topic	Topic Starter	Forum	Replies	Last Post
Sloooow Browser and Suspicious HJT Entries	Kitty of Doom	Malware Removal	4	November 1st, 2010 05:26 AM
Task Scheduler - Again	Tom Brady	Windows NT, 2000, 2003, 2008, 2012	24	September 16th, 2008 01:08 PM
Please review for Suspicious entries -HJT	Riva	Malware Removal	3	November 3rd, 2006 03:41 AM
Suspicious Regedit entries	Riva	Malware Removal	3	November 19th, 2004 05:20 AM
Task Scheduler	garydanvers	Windows 98	2	September 29th, 2003 09:12 PM