Suspicious Task Scheduler entries

beaverman · #1 February 11th, 2008, 06:43 PM

I went into my task scheduler to schedule my spyware to start up and there were seven tasks not scheduled by me. They all start with this string C:\Windows\system32\pcalua.exe
These are the arguments for each one.

-a E:\setup.exe -d E:\
-a C:\Windows\system32\javacpl.cpl -c Java
-a F:\netsetup.exe -d F:\
-a "C:\Users\(my name)\Desktop\DPInst32.EXE" -d "C:\Users\(my name)\Desktop"
-a "C:\Users\(my name)\Desktop\msj2.exe" -d "C:\Users\(my name)\Desktop"
-a "C:\Users\(my name)\Desktop\msj1.exe" -d "C:\Users\(my name)\Desktop"
-a "C:\Users\(my name)\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\90F44Z3L\INTEL_NETWORK_CONNECTIO N_ID_TOOL_305[1].EXE" -d C:\Windows\system32

Where it says "my name" my own personal name appears.

I run Vista Home premium 32 bit.
I am not sure if these are spyware or some other malicious program. I have run Super anti spyware and Adaware. I have Norton internet security 2008 as my anti virus program.

syklitengutt · #2 February 11th, 2008, 06:49 PM

The files on desktop I really cant say why they are there.
Neither the setup.exe and netsetup.exe
Is these files existing in the places that are listed?

but the last one im not sure of.
This is supposed to be in temporary Internet files, and load in system.

**AnnMarie** · #3 February 11th, 2008, 10:27 PM

Quote:

They all start with this string C:\Windows\system32\pcalua.exe

The above statement is the key. pcalua.exe is the Program Compatibility Assistant . Check out the FAQ's in the link for more information regarding the function of this file. If you google the filenames of the files concerned, you will see that they all have a legitimate source.

beaverman · #4 February 12th, 2008, 02:08 AM

Thanx. I did Google them and some sites said it could be a spy. Glad to hear its not. Thanx again.

**AnnMarie** · #5 February 12th, 2008, 02:22 AM

Yes that can happen. Malware do sometimes give their files the same names as legitimate files so you have to look at the entire filepath in context. They are all fine and you are welcome.

airymic · #6 March 22nd, 2009, 06:46 AM

If you read your scheduler, nothing appears under the column: "Next Run Time". "pcalua" is a procedure run by windows periodically for product registration purposes. Something suspicios occurs in your system and this process is triggered. Nothing to worry about,... unless maybe you have an illegal copy of windows.

**AnnMarie** · #7 March 22nd, 2009, 07:07 AM

Quote:

pcalua" is a procedure run by windows periodically for product registration purposes.

That is not correct airymic. This file is the Program Compatibility Assistant and I have already posted a Microsoft link which outlines all it's functions.

airymic · #8 March 22nd, 2009, 07:50 AM

You're the expert. Guess I was fooled by the "HistoryTab" that said:

Information 109 Task triggered by registration

Product: Windows Operating System
ID: 109
Source: Microsoft-Windows-TaskScheduler
Version: 6.0
Symbolic Name: IMMEDIATE_TRIGGER
Message: Task Scheduler launched "%2" instance of task "%1" due to a registration trigger.

**AnnMarie** · #9 March 22nd, 2009, 08:13 AM

That means that the task is a registered task and has been triggered by predefined boundaries to perform an action. See Registration Trigger Example.