One of the people in my office told me he noticed the CPU usage on his machine was pegged at 100% and Task Manager showed it was an executable CANADA.EXE that was consuming the time. (He is running a Windows 2000 laptop.)

I looked at his PC and found that the program CANADA.EXE, from C:\Program Files\Dialers\Canada\Canada.EXE, was indeed pegged at 100% CPU utilization, although it didn't seem like it was slowing the system down much. I copied the executable off, then removed it from his registry (HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run).

I examined the executable using Strings from www.sysinternals.com but found nothing unusual except that it appears to be a Visual Basic program, based on the file properties (it has strings such as VS_VERSION_INFO, Comments, CompanyName, FileDescription, etc. which have blank values). The list of imported DLLs at the end shows that it does use network-related code, such as URLMON.DLL, WININET.DLL, and WSOCK32.DLL. There are no ASCII or Unicode strings of note except for a portion that seems to start with "This executable", but it is garbled. The file size is 68,096 bytes.

I Googled for it and saw it was mentioned in a list of known Start-Up Applications (http://www.pacs-portal.co.uk/startup_pages/startup_full.htm) with a comment "Known to be a dialler - but is it maliscous or clean?".

Does anyone have any idea what this program is?

Steve Boyko
IT Specialist-Generation
NB Power
sboykoat_private
This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 09:16:07 PST