What is this mix of Chinese/Arabic/Korean/Japanese user owning a process listening on port 139?

While using an open port checking tool (Technicians toolbox v1.1.0) I found a strange user name listening on port 139 hiding in PID 4 with a mix of Chinese and other Unicode characters as the user name:

There is no command line or creation date or an executable path or device path listed. Also the program won't let me trace the file path; it comes up with "Error". In Windows Task Manager, PID 4 shows as "System".

The Unicode characters are:

U+548B U+0824 U+428D U+8B0C U+E84A U+C833
U+ACE8 U+F8A9 U+B8FF U+F680 U+7318 U+29E9
U+FBBA U+22FF U+9305 U+0219 U+005C

The Google translator translated the Chinese portion as "Ye Ge mad dog" mixed with some form of Unicode.

According to unicode-table.com there is a mix of Arabic, Korean, Japanese, Latin and Chinese with private code blocks mixed throughout.

I am running my laptop through a Belkin 600 wifi range extender boosting off of a Linksys WRT54GS; both have no security.

Does anyone have any idea what this is? Should I kill this process?


Check the process with another tool such as TCPView from Microsoft. It will show process names with ports open with PID, protocol, local address, local port, remote address, remote port, as well as sent and received packets and bytes for each entry. Look for process ID 4 in its list. When you have located it, if you double-click on an entry, or right-click and choose "Process Properties", it will show the path and file name associated with the process.

You could upload the file to Google's VirusTotal site, which checks uploaded files with multiple antivirus programs, to check whether it might be a system file that was replaced by malware, though it is possible that what you are seeing is due to some quirk of the tool.

Once you have the location of the file associated with the process, you could right-click on it in the Microsoft Windows Explorer, choose "Properties", then select "Digital Signatures"; if it is a legitimate program, the name of the signer should be "Microsoft Corporation".

Another free tool that provides functionality similar to TCPView is CurrPorts from NirSoft.
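To help judge whether the "user name" is text at all or arbitrary bytes rendered as UTF-16, the following added example (not part of the question or the answer) takes the code points listed in the question, shows their UTF-16LE bytes, and tallies the scripts and private-use code points. The `looks_like_raw_bytes` rule and its thresholds are assumptions of this sketch, not an established test.

```python
import unicodedata
from collections import Counter

# Code points exactly as listed in the question above.
CODE_POINTS = """
U+548B U+0824 U+428D U+8B0C U+E84A U+C833
U+ACE8 U+F8A9 U+B8FF U+F680 U+7318 U+29E9
U+FBBA U+22FF U+9305 U+0219 U+005C
"""

def parse(text):
    """Turn whitespace-separated 'U+XXXX' tokens into a Python string."""
    return "".join(chr(int(tok[2:], 16)) for tok in text.split())

def group(ch):
    """Coarse script/group label from the Unicode data shipped with Python."""
    cat = unicodedata.category(ch)
    if cat == "Co":
        return "PRIVATE-USE"
    if cat == "Cn":
        return "UNASSIGNED"
    if cat[0] in "SP":  # symbols and punctuation carry no script
        return "SYMBOL/PUNCT"
    # First word of the character name, e.g. CJK, HANGUL, LATIN.
    return unicodedata.name(ch, "UNNAMED").split()[0]

def analyse(name):
    groups = Counter(group(ch) for ch in name)
    scripts = set(groups) - {"PRIVATE-USE", "UNASSIGNED", "SYMBOL/PUNCT"}
    odd = groups["PRIVATE-USE"] + groups["UNASSIGNED"]
    return {
        "length": len(name),
        "utf16le": name.encode("utf-16-le"),
        "groups": dict(groups),
        "private_or_unassigned": odd,
        # Backslash is the separator Windows uses in DOMAIN\user names.
        "ends_with_backslash": name.endswith("\\"),
        # Assumed heuristic: a genuine account name does not combine
        # three or more scripts with private-use/unassigned code points.
        "looks_like_raw_bytes": len(scripts) >= 3 and odd > 0,
    }

if __name__ == "__main__":
    report = analyse(parse(CODE_POINTS))
    print(report["utf16le"].hex(" ", 2))
    for key in ("length", "groups", "private_or_unassigned",
                "ends_with_backslash", "looks_like_raw_bytes"):
        print(f"{key}: {report[key]}")
```

A string that trips the heuristic is a reason to cross-check the listing with a second tool, as the answer suggests, rather than evidence about the process itself.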