I just observed WSCNTIFY.exe start at 10:47 in Image Names, last for about 10 seconds, and then stop. So that is definitely what is doing this. During that time the Windows Firewall was reported as off. I took jpg images of Task Manager showing this.
I was doing, as it happens, a full thorough all-files AVG whole-computer scan. C & D are complete, and what remains is my USB hard drive where backups are stored etc. Nothing has been reported by the scan of interest - just tracking cookies and one adware. The cookies are all in Firefox Application Data.
Before scanning I turned off the System Restore per the (Symantec) Instructions, and will turn it back on after this is completed. Btw, this scan is taking 3-4 times as long as a scan using the default settings.
Please advise what to do; the Symantec documentation on wscntify is pretty scary. I have not yet run the 'fix problems' on the CCleaner Registry Cleaner. Thank you. Btw, if nothing further shows up on the scan, I will not add to this thread about that.
EDIT.. I ran CCleaner's registry cleaner
I decided to go ahead and run CCleaner's Registry Fix Selected (all found) problems.
I will report back here in the morning, when I see whether the wscntify starts up again.
Hello. I have always kept my computer up-to-date with Windows updates. And yes, this issue only started, or rather, became visible, when I changed over from Corporate Symantec to AVG, and from ZA Pro to Windows Firewall last week. I have changed 4 laptops also, over the last 6 months, but none do this.
I went thru the normal procedures for cleaning an infection, and also did the Registry Clean. I just did a regedit search too, and found under HKEY_CURRENT_USER/Software/NVidia/Global/nView/Windowmanagement/wscntfy.exe there is a REG_SZ and REG_DWORD with nothing set or zeroes. The same is in HKEY_LOCAL_MACHINE.
(I also did an ordinary search for wscntfy.exe as a file name with nothing found, on my hard drive.)
And for kicks, I also searched the registry on my primary laptop for wscntfy and there was nothing at all.
8:47 and it did it again.
Should I delete those Registry entries? Thank you.
I checked my husband's desktop, which also has an NVidia card. He still uses ZAPro and Corporate Symantec.
His registry has the wscntfy entries.
We both use Spybot S&D, and neither of us uses Teatimer. (I do on the laptop). I just updated and ran it on mine, and there were no 'immediate threats.'
I understand that the Registry entries for wscntfy may be infected on my machine and that the instructions in your last post mentioned quarantining them. But can a registry entry cause an Image Name (i.e., a process of some sort, right?) to appear or wake up every hour or so? I wish I could tell what was different (or not running) on my machine to cause the thing to change from :44 to :24 to :47.
My update times of day on AVG are 8am and 5pm. However, it's 9:36am and AVG was just updating. It even shows that the last update was 9:36am.
9:47 and wscntfy.exe did its thing. I'll post this.
These computers are all XP (MCE and laptops are Pro).
I installed GMER and checked every entry in Windows/System32 and all its sub-directories. I did this manually because I couldn't find a find function in GMER. I checked first for Hidden files only, and then under all files.
It was not present. I wouldn't bet my life on this, but I am very sure.
EDIT.. RIGHT THERE IN THE TOP LEVEL..
WSCNTFY.EXE is right there in the TOP LEVEL of system32.
I determined, too, thru GMER's Processes tab, that that is where it is running from when it started up at 10:47 just now.
Scan "Shell extension scan" completed.
No infection was found during this scan
Folders selected for scanning:;"C:\WINDOWS\system32\wscntfy.exe;"
Scan started:;"Thursday, February 24, 2011, 12:03:02 PM"
Scan finished:;"Thursday, February 24, 2011, 12:03:02 PM (less than one second)"
Total object scanned:;"1"
User who launched the scan:;"me"
Hello - I checked my laptop's WSCNTFY against this problem desktop, and they appeared to be the same. I scanned this one with AVG and the results are above. So what is going on? If it's not infected, how is it seemingly giving the symptoms shown in the Symantec article on it?
The documentation I have seen on w32.spybot.AFEW which may mask itself as wscntfy.exe says it spreads thru AOL IM. I do not use that. I do not even have it installed on my computer.
Some of the documentation spells it wscntIfy and some spell it wscntFY (no 'i') but it is unclear whether the worm mis-spells it or the people writing the articles did.
Is it possible that AVG itself is checking for updates or similar every hour and is turning off the Firewall? If so, why wouldn't it do this on my other machines, in fact, with everyone else's?
Please respond. Thank you.