WgaTray.exe

trimis · Dec 24, 2020

For many months now I have noticed every time I insert a Lexar flashdrive, it flashes continuously for like 15 minutes. Today I got a hunch that some sort of spyware might be scanning it, and/or copying it to the internet. I fiddled with SterJo Netstalker, and it looked like the culprit was 13.107.4.50, which turned out to be 'WgaTray.exe'. I went to majorgeeks, and installed RemoveWGA 1.2, then re-inserted the flashdrive. It flashed a few times, then quiet.

Not sure, but I now suspect WgaTray.exe was doing more than just checking to see if windows is genuine.

Elizabeth23 · Dec 24, 2020

I would suggest a full indepth scan of your pc.

trimis · Dec 25, 2020

Elizabeth23 said:
I would suggest a full indepth scan of your pc.

I run Malwarebytes Free 3.5.1.2522, Superantispyware 8.0.1046, and Adwcleaner 6.0.4.5 consecutively, once a week. Next due date in couple days, but I don't expect to find anything. SterJo Netstalker lists all outgoing connections, and 13.107.4.50 was the only one I did not recognize. Since nuking WgaTray.exe, the frantic 15+ minutes flashing of the Lexar jumpdrive is down to under a minute. Pretty sure I found the culprit.

trimis · Dec 27, 2020

Elizabeth23 said:
I would suggest a full indepth scan of your pc.

Turns out you were right. Malwarebytes Free 3.5.1.2522 found a PUP. I saw no option for actual removal/deletion, so I went with quarantine. The subsequent running of Superantispyware and Adwcleaner did not find it, so I guess it is tucked away in the XP attic, in permanent timeout.

Elizabeth23 · Dec 27, 2020

it can be deleted from within the quarantine page.

I do not use supterantispyware and adcleaner , just malwarebytes and 360, also when I download an item I scan it before opening

trimis · Jan 1, 2021

Elizabeth23 said:
it can be deleted from within the quarantine page.

I do not use supterantispyware and adcleaner , just malwarebytes and 360, also when I download an item I scan it before opening

Thanks a lot! Never saw that, but then I never explored Malwarebytes much. I have not downloaded anything (other than Centaury) for at least a month or so. Either I got it from there, or the PUP was one of them driveby-downloads. Anyway, thanks to you its kaput!

WindowsCP · Jan 7, 2021

You can get rid of WGA. It's called WGA killer. I can get that to you. It's not like you can buy a license anyways. It can't communiate so it hangs on you.

trimis · Jan 10, 2021

WindowsCP said:
You can get rid of WGA. It's called WGA killer. I can get that to you. It's not like you can buy a license anyways. It can't communiate so it hangs on you.

As mentioned, the RemoveWGA 1.2 (from majorgeeks) did the job, and I have its link on flashdrive for install on Win 7. I'll let Win 7 'phone home' for maybe a week (I think WGA checks in everyday on startup), then silence it.