Can't Remove Mystery Service


Joatman71

I have a process running on my XP Pro machine that I can't seem to get
rid of. It is called vgaac.exe. It uses up quite a lot of memory. I
can't find this name anywhere on the Internet. Since I can't find any
reference to it and because it acts very funny, I am thinking it is
some sort of Virus/Trojan/Spyware/Adware. I am also worried that if I
do end up killing it, I will mess up my computer if it is important.

If I kill this process it starts up again. I found the executable
name in the registry under
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce
(also under Run) and deleted it, but it comes back again. It is
strange that it is always in RunOnce. If I start in safe mode, it is
already running. The executable is in c:\windows\assembly\temp, but
that directory can't be accessed from Windows Explorer. I need to get
there via DOS. The executable is hidden. If I try to delete it, it
says that the file cannot be found, but it can be listed using dir /A.
If I try to change the attribute I get "Not resetting system file -
C:\WINDOWS\assembly\temp\vgaac.exe". There are also other hidden
directories in the assembly directory that relate to the .NET
framework. I don't want to uninstall the Framework.

Ad-aware 6.0 and Symantec Antivirus 9 don't seem to think it is a
problem. I would hate to get rid of it if it is important. Does
anyone know what it is? I am now thinking of installing the drive as
a slave in another computer and removing the files that way. Any
other suggestions?

Thanks
Joatman71
 
Could it be an Anti-Virus scanner running in the background?
 
It would be best to boot into Safe Mode, search for the file,
then delete it.

How to Delete A File That Is Seemingly "Undeletable"
http://www.theeldergeek.com/delete_undeletable_file.htm

A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;315222&Product=winxp

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

 

Since Google gives no hits (you spelled it correctly, right?), it could
be malware.

Run these programs to check for spyware/malware. After installing,
update them, then boot into safe mode and run them. You should update
and run them weekly.

Cwshredder
http://aumha.org/freeware/freeware.php#cwshred

Ad-aware SE
http://www.lavasoftusa.com

Spybot Search and Destroy
http://www.safer-networking.org

Bazooka Adware and Spyware Scanner
http://download.com.com/3000-2144-10247783.html

Pest Patrol Free Pest Scanner
http://www.pestscan.com/ScanOrTrial.asp

After your system is clean use these programs to help keep it clean:

Spywareblaster
www.javacoolsoftware.com/sbdownload.html

Spywareguard
http://www.javacoolsoftware.com/sgdownload.html

IE-SPYAD
http://www.staff.uiuc.edu/~ehowes/resource.htm

For viruses, run at least two of these online scans in addition to your
regular up to date AV program:

Online and Downloadable Virus Scanning:

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Bit Defender Online Virus Scan:
http://www.bitdefender.com/scan/license.php

Symantec Online Virus and Security Scan:
http://security.symantec.com/ssc/home.asp

TrendMicro:
http://housecall.trendmicro.com/housecall/start_corp.asp

McAfee Online Virus Scan:
http://www.mcafee.com/myapps/mfs/default.asp

RAV AntiVirus - Scan Online
http://www.ravantivirus.com/scan/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Trend Micro Sysclean
http://www.trendmicro.com/download/dcs.asp

Trend Micro Signature File
http://www.trendmicro.com/download/pattern.asp
 
Chuck Davis said:
The file doesn't exist on my XP Pro SP2 system. The 'vga' might make one
think of a video driver.

Suggestion: Mucking around with the Registry will cause System Restore to
put it back in its original state. Turn off System Restore, remove it and
then restart. See if it is still there. If not, turn on System Restore.

I don't think system restore was putting it back. When I deleted it
from the registry, it came back within a few seconds. When I finally
kept the process from starting, and removed it from the registry it
did not appear again. I am thinking the running process was
continually looking at the registry entry and adding it back if it was
missing. To stop the process I added the drive as a slave in another
system. When I tried to delete the file I got an error saying I could
not delete it because it was a system file. So I changed the parent
directory name. When I booted up the original system again I got an
error saying that c:\windows\assembly\temp\vgaac.exe could not be
found. So the process did not start up. I still have the file, but
it is not running. I have not seen a problem with my system.

I will scan this file using some of the other programs mentioned in
the other replies and see if any of them think it is bad.

Thanks for all of the replies.
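
Added example (not part of any post in this thread): a PowerShell triage of the Run and RunOnce keys discussed above, listing each autostart value with the Hidden/System attributes of the file it points to, so an entry like the one described stands out. The function name and the flagging rules (hidden plus system, a temp directory in the path, missing target) are illustrative assumptions; it assumes PowerShell 3.0 or later.

```powershell
# Autostart keys named in the thread, for the machine and the current user.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of an autostart command line.
function Get-ImagePath([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }   # "C:\path with spaces\x.exe" /args
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd  = [string]$item.GetValue($name)
        $path = Get-ImagePath $cmd
        # -Force is required, otherwise hidden and system files are not returned.
        $file = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }

        $flags = @()
        if (-not $file) {
            $flags += 'target-missing'        # stale entry, or a path that is not fully qualified
        } else {
            $hidden = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
            $system = [bool]($file.Attributes -band [IO.FileAttributes]::System)
            if ($hidden -and $system) { $flags += 'hidden+system' }
        }
        if ($path -match '\\te?mp\\') { $flags += 'temp-dir' }   # illustrative rule only

        [pscustomobject]@{
            Key   = $key
            Value = $name
            Image = $path
            Flags = ($flags -join ',')
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Running it again a few seconds after deleting a value shows whether a live process is rewriting the entry, which is the behaviour described in the post above.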
 
Since it is already running even in safe mode, this is what I'd try. First,
go into your task manager and kill it like you said. Now, do a search for
vgaac.exe on your hard drive. After locating it, go there and make a new
folder. Now since you stopped it running in the task manager, you can move
it into the folder. You are moving it because it might be something you
need & can put back later. Move the folder out of there just in case. OK,
now reboot and hopefully it will not be running and you don't need the file.
Run a registry cleaner program too. I don't know what else to say. I've
done this before with a file and it worked.
...D.
-------
OT : The steel knights (st33l_kn1ghts) are a small Yahoo Messenger based
chatroom group of computer users. It is nice knowing the people you are in a
chatroom environment with. Beginners are welcome. Those of us who know
computers can help you. Requirements: be a semi-responsible individual.
http://www.steel-knights.com
 
