Detailed description:
I was running a normal system shutdown a few days ago and noted that my shutdown was delayed due to an application that was still running named “GSPY”. I did not launch this application and it does not appear in my installed programs. This name does not appear in a search of my system registry. I ran a Norton full system scan, a deep scan, and a startup scan and found no issues. These symptoms have not reappeared since that one occurrence. Should I be concerned? Has anyone else seen this?
Product & version number: Norton 360
OS details: Microsoft Windows 11 pro
There are two articles on this issue, both offer different perspectives. The first suggests there is a hidden trojan infection. Do you have any indications from Norton that it detects suspect activity?
If your answers are NO to one or both these questions I suggest that, you download Rkill to stop any processes that are nefarious. Once done, you can run a full system scan with Norton, again! Next, download and run Malwarebytes full scan.
Norton has not flagged any suspicious activity. The device manager does not indicate that I have any GPSY devices setup.
I followed the suggested procedure. I downloaded RKill and ran it. It did not flag any issues. After that I ran a Norton full virus scan. Norton found no issues. Then I downloaded Malwarebytes and ran it. Malwarebytes found no issues.
Is it possible that the GSPY Trojan was there, did its work, and then deleted itself? It’s possible that in the couple of seconds that the shutdown delay message was delayed that I misread the name of the application, but I cannot think of any other application that I have with a similar name. Would the process created by the GSPY trojan use “GSPY” as the application name?
Yes, a trojan of this type can reside on the system without your being aware its there. Conversely, the OS can also mistake something for what its not on occasion as well. Do you have MSI components installed on this device? MSI Dragon Center maybe? Have a look in Windows device manager for a listing of HID devices that are installed ( if any ). Post a screenshot for us to review if you’d be so kind. I would like to see what you are seeing in that area of the installed hardware.
The WD SES device is an external device, most likely an external HD. Do you have one attached? If that is the case, this is most likely the culprit for the shutdown notice. My external backup will throw a notice on occasion when shutting down is Norton is actively looking at it. In your screenshot it appears that device isn’t active when the screenshot was taken. When was the last time you updated Dragon Center? Do you have at least version 2.0.148.0 installed? Latest version 2.6.2003.2401
I was mistaken about having Dragon Center installed. It was installed on my old computer.
Yes, the external HD is my backup HD and I have a service running to do backups. The backup is scheduled to run daily and the HD is constantly attached. It’s possible that a normal shutdown could interrupt the scheduled process, but that does not explain why the suspect application was named “GSPY”.
Don’t allow the wording GSPY to spook you into automatically having the idea you are infected. There would be something within Norton history detecting malware if that were the case. GSPY indicates a HID device is not properly shutting itself down when the system is shutting down. Resident malware would restart itself during the next boot, Norton would detect it and stop it.
There is the possibility that something you may have previously installed is still being detected. HID devices are Human Interface Devices and can be anything from a keyboard to game controllers. Even added displays. HID allows usage without custom drivers for those devices and most, run via Bluetooth , USB or both. Check your HID devices and see what is listed there.
