• 0

Is this normal?


Question

I went to sleep. I did not have anything running. The computer was left on without any active application running. When I woke up, I saw this:

post-956-0-74979000-1399656985.png

After I denied it internet access, I got this:

post-956-0-56123000-1399657050.png

Is someone attempting to gain access to my computer? What does "Newegg" have to do with the Microsoft Compatibility Advisor Inventory Tool? Anyone who can help give a logical explanation would be greatly appreciated. Thanks.


20 answers to this question


  • 0

Can you show us a list of the processes running? Watson is a name I haven't heard in a long time. Is this Vista?


  • 0

I run Win 8.1 on 3 machines and I have never seen that before.

Looks very suspicious to me, I would not allow that to run or install.

Also do a full system scan with a good AV product to make sure your system is clean.


  • 0

Actually, this is with Windows 7. Files are located in the system32\CompatTel folder under windows. I have the same files on my Win7 systems. Should be OK as long as they are valid MS files. Some are masquerading as malware tho or could be a false positive.

The system32\CompatTel does not appear on any of my Win8 systems.

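One way to check the "valid MS files" condition from the post above, as an added example that is not part of the original thread: it lists each executable in the system32\CompatTel folder with its file version, Authenticode status and signer. The `Review` column and the signer match on `O=Microsoft Corporation` are assumptions of this example.

```powershell
# Added example: inventory the CompatTel binaries named in the thread and
# show whether each one carries a signature that validates on this machine.
$folder = Join-Path $env:windir 'System32\CompatTel'   # folder named in the post

if (-not (Test-Path $folder)) {
    Write-Output "Folder not found: $folder"
} else {
    Get-ChildItem -Path $folder -Recurse |
        Where-Object { -not $_.PSIsContainer -and ('.exe', '.dll') -contains $_.Extension } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

            # Assumption of this example: a file needs a closer look when the
            # signature does not validate or the signer is not Microsoft.
            $review = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')

            New-Object PSObject -Property @{
                Name        = $_.Name
                FileVersion = $_.VersionInfo.FileVersion   # version numbers were a point of debate in the thread
                Status      = $sig.Status
                Signer      = $signer
                Review      = $review
            }
        } |
        Select-Object Name, FileVersion, Status, Signer, Review |
        Sort-Object Review -Descending |
        Format-Table -AutoSize -Wrap
}

# Reading the result:
#   Valid        - the signature chains to a root trusted on this machine.
#   HashMismatch - the file content changed after signing; treat as suspect.
#   NotSigned    - not proof of tampering by itself: Windows components are
#                  often catalog-signed, and older PowerShell versions may
#                  inspect only the embedded signature.
```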

  • 0

Well, the snapshot is taken from Symantec a/v that was monitoring any suspicious activity and I didn't think I had many applications installed. Here are the processes.

post-956-0-63162600-1399658223.png

I am running Windows 7.


  • 0

Well, the snapshot is taken from Symantec a/v that was monitoring any suspicious activity and I didn't think I had many applications installed. Here are the processes.

See my post above. Those are normal files with Win7. Probably a false positive with Symantec which happens every now and then. Wouldn't worry about it but if you are, do some scans of your system.


  • 0

See my post above. Those are normal files with Win7. Probably a false positive with Symantec which happens every now and then. Wouldn't worry about it but if you are, do some scans of your system.

Those files are showing Win8.1u1 version numbers.


  • 0

Those files are showing Win8.1u1 version numbers.

The OP is running Win7. I can see that folder on every single system I checked so far at work running Win7. They are normal files and Symantec is probably throwing a false positive. See attached.

post-91978-0-81343100-1399658802.png


  • 0

Well, it's not about "false positive". It's more like "why did it ask for internet" and "why does it have anything to do with 'newegg'?". My browser was not running at the time. Nothing was running.

I see so many responses. Thank you guys for paying attention to this problem. This is still puzzling tbh.


  • 0

Well, it's not about "false positive". It's more like "why did it ask for internet" and "why does it have anything to do with 'newegg'?". My browser was not running at the time. Nothing was running.

Not sure on that one. promotions.newegg.com is a valid site and they do talk about the compatibility/upgrade adviser. Really wouldn't worry about it and was probably running all along. Most likely, Symantec updated and is reporting issues with those files. My guess is, it will be fixed in another update.


  • 0

Thanks techbeck. Just FYI. For the past few days, I have been formatting/restoring my PC using True Image. Why? Because there are so many odd things happening. I had just recently finished formatting my PC yesterday because, I was not doing anything at all, and all of a sudden, the CMD window popped up and it was scanning or did something. Previously, some other odd things were happening. I do not have any malware installed on the PC. The computer has almost no applications installed and yet I see very odd things going on. I believe I have been a target of a government surveillance program. I have not done anything at all. Most of the stuff I do is posting stuff on Neowin. I do not know why I am being targeted. Very silly and a waste of US government money.


  • 0

I believe I have been a target of a government surveillance program. I have not done anything at all. Most of the stuff I do is posting stuff on Neowin. I do not know why I am being targeted. Very silly and a waste of US government money.

paranoid.gif


  • 0

Thanks techbeck. Just FYI. For the past few days, I have been formatting/restoring my PC using True Image. Why? Because there are so many odd things happening. I had just recently finished formatting my PC yesterday because, I was not doing anything at all, and all of a sudden, the CMD window popped up and it was scanning or did something. Previously, some other odd things were happening. I do not have any malware installed on the PC. The computer has almost no applications installed and yet I see very odd things going on. I believe I have been a target of a government surveillance program. I have not done anything at all. Most of the stuff I do is posting stuff on Neowin. I do not know why I am being targeted. Very silly and a waste of US government money.

Extraordinary claims require extraordinary evidence.


  • 0

Well, I have formatted my computer like 3 or 4 times already because of the anomaly. I mean my PC does not have any third party apps installed but yet I see weird activities.


  • 0

I'd take a look at your router too. Make sure there are no open ports, turn off UPnP, check the router's DNS numbers... Are the images you are restoring from clean?

I would try a clean install from a Windows disc and not images. Maybe you have a dirty image.


  • 0

Where did you source the install media? Original CD or downloaded ISO?


  • 0

Top Qat: Original.

xrobwx: Thanks. Even though my port was/has been closed, I did the test anyway and it reported that it's closed and safe.

warwagon: Thanks buddy for the reply. Sorry that I could not or would not want to disclose the router security info, but I will brief on the importance of the security in question. My router is WRT54G and firmware is up-to-date (I think). Local DHCP is disabled.

DHCP Enabled. . . . . . . . . . . : No
NetBIOS over Tcpip. . . . . . . . : Disabled
Local LAN . . . . . . . . . . . . : Static
All Unnecessary Ports . . . . . . : Closed
DMZ . . . . . . . . . . . . . . . : Disabled
Router QoS Service. . . . . . . . : Disabled
Microsoft QoS Service . . . . . . : Disabled
Router UPnP . . . . . . . . . . . : Disabled
Router Remote Management. . . . . : Disabled
Router Passworded . . . . . . . . : Yes
Router Log. . . . . . . . . . . . : Enabled

If I do not use static IP and have DHCP turned on, I will not have a constant internet connection. I find that if I turn off DHCP and use a static IP address, I have internet 24/7 all year round. If dynamic IP is used, my internet drops if someone were to use my internet connection. DNS poisoned and router gets clogged. Don't beat me up on this method BudMan. I have to go this route or suffer the security flaw. :)


  • 0

Hello,

Since the report came from Symantec's security software, why not contact their technical support for assistance in troubleshooting it? They are (1) most likely to be familiar with the ins and outs of their own software, including any recent bugs or errors caused by recent updates; and (2) as a paying customer of theirs, you should be able to get some assistance from them, especially if you are the victim of a targeted zero-day attack by a nation-state.

Regards,

Aryeh Goretsky


This topic is now closed to further replies.