NogysgN Application - What is it?

aslyter1

Hello! I was modifying my startup program list and noticed a .exe I've never seen before called NogysgN. The location on my machine is:

c:\ProgramData\YmrpslH\HntyfkP\NogsysgN.exe

It's differentiated from the rest of the items on the list for two reasons: 1) My primary drive is listed as a lowercase letter, unlike other program locations listed, and 2) Program locations are notated with parentheses ("C:\...\...\"), whereas this application is unmarked. The publisher for the program is listed as "Unknown."

Google searches yield zero results for "NogsysgN," which is surprising; in fact, it's the first time I've been unable to identify a process using Google as a starting point, lol. Whatever program this is, it was marked to boot on startup, so I've disabled it to be cautious and will run a full system security scan to see if Avast identifies it as anything I need to be aware of.

If anybody knows what this application is, or has this running on their Windows machines, please let me know and maybe we can work to identify this thing.

The red flags I'm getting are the facts that the program location formatting is odd, the path to the application is built from arbitrary strings, and it seems no one has posted about this anywhere before. All help offered is appreciated!

Best,

Alec
 

My Computer

Computer Manufacturer/Model Number
Toshiba / Satellite L305-S5955
OS
Windows 7 Professional 32bit SP1
Memory
3GB DDR2
Hard Drives
150GB internal - manufacturer standard
Those are very red flags, and the reason Google couldn't find it is that the file path and name are made of completely random letters that are chosen for you on install, which is the biggest red flag of all.

The contents of the file can only change so much so a malware or virus scanner should be able to detect it still...
 

My Computer

Computer Manufacturer/Model Number
Scratch built
OS
Windows 7 x64 Ultimate
CPU
i7 960
Motherboard
Asus P6X58D
Memory
12 Gig Corsair Dominator
Graphics Card(s)
Nvidia 480
Sound Card
Maudio Delta 44 + breakout box
Monitor(s) Displays
Dell UltraSharp U2410 24in and Samsung 21 dual monitors
Screen Resolution
1920x1200 and 1280x1024
Hard Drives
Primary: Intel X-25M G2 160G SSD
Secondary: Segate baracuda 1.0 TB
HDs in AHCI mode.
PSU
Corasair TX850
Case
Cooler Master HAF
Cooling
Corsair H50
Keyboard
Logitech G15 + N52 game pad
Mouse
Logitech MX518
Internet Speed
15kbs down 4.5kbps up
Other Info
WEI 7.6
CPU & RAM 7.6
Graphics 7.9
Hard disk 7.7
> The contents of the file can only change so much so a malware or virus scanner should be able to detect it still...

I would think so too, but Avast didn't locate anything on my system scan. I think I'll run Malwarebytes before I try and get in that directory. Thanks for confirming my paranoia, fseal :geek:
 

Hmm I just noticed that the executable is in the program data folder not the program files folder...

A /possible/ explanation is that it is the temp output of a down-loader program or something. The kind of thing that would be created, then when DL is complete moved and renamed. Though usually \temp or some other folder under the product name would normally be used...

I'd be tempted to load the program in a binary editor and look for strings that might identify it as something you meant to DL at one time...
 

> A /possible/ explanation is that it is the temp output of a down-loader program or something. The kind of thing that would be created, then when DL is complete moved and renamed. Though usually \temp or some other folder under the product name would normally be used...
>
> I'd be tempted to load the program in a binary editor and look for strings that might identify it as something you meant to DL at one time...

I've thought about the possibility of it being temp output, but kind of dismissed it for the reason you pointed out (that it's not stored in any kind of \temp folder) and also because it was enabled to boot on startup. Wouldn't that indicate some kind of need for repetitive functionality? When I check all of my running processes, nothing shows up that's unnecessary or out of the ordinary.

A good suggestion though, if my second system scan for malware doesn't come up with anything, I'll open it up in an editor and dig around. Thanks for the idea!
 

Upload the file in c:\ProgramData\YmrpslH\HntyfkP\NogsysgN.exe to Jotti and have it scanned for malware.
Jotti's malware scan
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
> Upload the file in c:\ProgramData\YmrpslH\HntyfkP\NogsysgN.exe to Jotti and have it scanned for malware.
> Jotti's malware scan

Not familiar with that program, but if Malwarebytes doesn't catch anything, I'll definitely give it a shot, before I open it up in an editor, thanks for the tip, Jacee!
 

Ugh yeah, running a program out of the program data folder is also very suspicious. :/

You have removed it from the startup already, right? :)
 

> Ugh yeah, running a program out of the program data folder is also very suspicious. :/
>
> You have removed it from the startup already, right? :)

Lol, yeah, definitely removed it from startup right off the bat!
 

Okay, here are the results pulled up from a Malwarebytes' system scan:

[Attached image: debugging2-17-12.jpg]


While the precise location of NogsysgN.exe isn't listed here, the command location, HKCU\SOFTWARE\Windows\CurrentVersion\Run, the registry location of that third item in the list is pretty close. Going to get rid of these, run the path through Jotti's (on suggestion from Jacee) and see what happens after a reboot before trying to open in an editor.

Considering I run fairly regular system scans and don't visit too many suspicious websites (lol :party:), I'm surprised to see that at least three of these could have pretty nasty consequences. Unsurprisingly, I've never had any problems like this on my Linux machine.
 

The trojan.agent.gen may be the one doing it. Surprising that that was not picked up by the other scanners!

And spyware generally comes in piggybacked on otherwise normal looking software unfortunately :( No need to visit nefarious sites, download warez or even get "hacked". The user just needs to be "tricked" into installing a simple program :(

And such things /would/ happen on Linux constantly if it were enough of a target. I.e. iOS and Android have been extremely heavy malware targets over the last year or so now that the OSes are both insanely popular. Android of course is Linux.... :( If that popularity transferred over to the desktop, it would be just as hard hit.

Malware has become even more of a problem than just plain virii these days, the two ought to be lumped together as a single body of threats so that multiple ways of thinking about protection do not need to be made.
 

> The trojan.agent.gen may be the one doing it. Surprising that that was not picked up by the other scanners!
>
> ...
>
> And such things /would/ happen on Linux constantly if it were enough of a target. I.e. iOS and Android have been extremely heavy malware targets over the last year or so now that the OSes are both insanely popular. Android of course is Linux.... :( If that popularity transferred over to the desktop, it would be just as hard hit.

Yeah, I was surprised it wasn't picked up by Avast (I put too much trust in you, Avast :cry:).

Yeah, it's funny to me that most people writing viruses and malware probably use Linux desktops - and I think the way most Linux and derivative OS's for desktop are set up now - users would be severely unprepared if people started hitting Linux.
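
Added example, not part of the original thread: the red flags raised in this discussion (unquoted path, lowercase drive letter, running from ProgramData, random-looking folder and file names, "Unknown" publisher) written as a small triage script for startup entries. The entry layout, the function names, the vowel-ratio heuristic and every sample entry except the NogsysgN path are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample Run-key entries; only the first path comes from the thread.
SAMPLE = [
    {"name": "NogsysgN", "publisher": "Unknown",
     "command": r"c:\ProgramData\YmrpslH\HntyfkP\NogsysgN.exe"},
    {"name": "ExampleUpdater", "publisher": "Example Vendor Inc.",
     "command": r'"C:\Program Files\ExampleVendor\Updater\updater.exe" /background'},
    {"name": "ctfmon", "publisher": "Microsoft Corporation",
     "command": r"C:\Windows\System32\ctfmon.exe"},
]

def looks_random(name, min_len=6, max_vowel_ratio=0.15):
    """Crude assumption: long names with almost no vowels are machine-generated."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < max_vowel_ratio

def exe_path(command):
    """Split a Run value into (executable path, was_quoted)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end if end != -1 else None], True
    match = re.match(r"(?i)(.+?\.exe)\b", command)
    return (match.group(1) if match else command), False

def triage(entry):
    """Return the thread's red flags that apply to one startup entry."""
    text, quoted = exe_path(entry["command"])
    path = PureWindowsPath(text)
    folders = path.parent.parts[1:]          # skip the drive root
    checks = [
        ("unquoted-path", not quoted),
        ("lowercase-drive", path.drive[:1].islower()),
        ("runs-from-programdata", "programdata" in (f.lower() for f in folders)),
        ("random-looking-names", any(looks_random(p) for p in (*folders, path.stem))),
        ("unknown-publisher", entry["publisher"].strip().lower() in ("", "unknown")),
    ]
    return [flag for flag, hit in checks if hit]

def rank(entries):
    """Most-flagged entries first; a single flag alone proves little."""
    return sorted(((e["name"], triage(e)) for e in entries),
                  key=lambda item: len(item[1]), reverse=True)

if __name__ == "__main__":
    for name, flags in rank(SAMPLE):
        print(f"{len(flags)} flag(s)  {name}: {', '.join(flags) or 'none'}")
```

An entry that trips several flags at once is the one to scan and investigate first; a single flag, such as an unquoted path on a signed system binary, is common on clean machines.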
 
