BleepingComputer.com: Removing malware as a service?

Removing malware as a service?

#1 abeachguy (Member)

Posted 23 May 2011 - 05:30 PM

Just wanted to know if there is an easy way to remove malware from the registry? When I look at the registry I know that that at least half of the services listed were not put there by Microsoft.

If my laptop has been infected so long that the Viruses, Trojans, Spyware and Malware have become services or whatever they do, how do I know which one was the original? Do they have their own DNA that can be traced and located? Or are they now a cancer and its just a matter of time before it dies?

This post has been edited by boopme: 23 May 2011 - 06:31 PM
Reason for edit: Moved to AntiVirus, Firewall and Privacy Products and Protection Methods


#2 Didier Stevens (BC Advisor)
Posted 24 May 2011 - 05:22 AM

Use Sysinternals' Autoruns. In Options, select "Hide Microsoft and Windows entries" and "Verify Code Signatures". Then select the Services tab; this will list the services that are not from Microsoft.
Didier Stevens
http://blog.DidierStevens.com
Microsoft MVP 2011-2012 Consumer Security
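A PowerShell equivalent of the Autoruns check in the reply above, added here as an example and not part of Didier's post. It lists services whose binary (or, for svchost-hosted services, the ServiceDll) does not carry a valid Microsoft signature, which is roughly what the Services tab shows with both options enabled. Assumptions: an elevated prompt on Windows 7 or later with PowerShell 3.0+ (Get-CimInstance), and the subject match on "O=Microsoft Corporation" as the rule for "Microsoft entry".

```powershell
# Added example, not code from the thread: a PowerShell approximation of
# Autoruns' Services tab with "Hide Microsoft and Windows entries" and
# "Verify Code Signatures" enabled. Run from an elevated PowerShell prompt.
# Assumes PowerShell 3.0+; on PowerShell 2.0 replace
# "Get-CimInstance -ClassName" with "Get-WmiObject -Class".

function Get-ImagePathFromCommandLine {
    # Win32_Service.PathName is a command line, e.g.
    #   "C:\Program Files\Vendor\svc.exe" -run   or   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    if ($CommandLine.StartsWith('"')) { return $CommandLine.Split('"')[1] }
    # Unquoted: take everything up to the first .exe/.sys/.dll followed by whitespace or end of line
    $m = [regex]::Match($CommandLine, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $CommandLine.Split(' ')[0]
}

function Get-ServiceImage {
    param([string]$Name, [string]$PathName)
    $image = Get-ImagePathFromCommandLine $PathName
    if (-not $image) { return $null }
    # A service hosted in svchost.exe keeps its real code in the DLL named by
    # ServiceDll (under Parameters, occasionally on the service key itself).
    # That DLL is what Autoruns verifies, so resolve and check it instead.
    if ([IO.Path]::GetFileName($image) -ieq 'svchost.exe') {
        foreach ($key in "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters",
                         "HKLM:\SYSTEM\CurrentControlSet\Services\$Name") {
            $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return [Environment]::ExpandEnvironmentVariables($image)
}

function Get-NonMicrosoftService {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $image  = Get-ServiceImage -Name $svc.Name -PathName $svc.PathName
        $status = 'FileNotFound'
        $signer = ''
        if ($image -and (Test-Path -LiteralPath $image)) {
            $sig    = Get-AuthenticodeSignature -FilePath $image
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # "Microsoft entry" here means: signature chain valid AND signed by Microsoft.
        # Everything else (unsigned, broken signature, third-party signer, missing
        # file) is what Autoruns would leave visible.
        if ($status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { continue }
        [pscustomobject]@{
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            RunsAs    = $svc.StartName
            Image     = $image
            Signature = $status
            Signer    = $signer
        }
    }
}

Get-NonMicrosoftService | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. On older PowerShell builds Get-AuthenticodeSignature only checks embedded signatures, so catalog-signed Windows binaries can show as NotSigned and appear in the list; Autoruns and Sysinternals sigcheck do consult the catalogs, so confirm such hits there before treating them as foreign. And a valid third-party signature is not proof of good intent; the entries worth attention first are unsigned or missing files started from locations such as ProgramData, Temp or a user profile.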

#3 quietman7 (Global Moderator)

Posted 24 May 2011 - 07:31 AM

Tools to investigate running processes, services and gather additional information to identify them or resolve problems:
Note: Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
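The location rule in quietman7's note, turned into a check. This is an added example and not part of the post: it flags running processes that carry the name of a Windows system process but execute from outside %SystemRoot%, and shows the parent process so a hit can be read in context. The list of names is an illustrative assumption, not a complete inventory, and it assumes PowerShell 3.0+ run from an elevated prompt.

```powershell
# Added example, not from the thread: flag processes whose image name matches a
# Windows system binary but whose on-disk path is outside the Windows directory,
# the masquerading pattern described above. Run elevated so ExecutablePath is
# readable for SYSTEM-owned processes.

$windir = $env:SystemRoot
# Names that malware commonly borrows. Illustrative list, not exhaustive.
$systemNames = @('svchost','csrss','lsass','winlogon','services','explorer',
                 'smss','spoolsv','wininit','dwm','taskhost','conhost','lsm')
# Where the genuine binaries live: explorer.exe sits directly in %SystemRoot%,
# the rest in System32 (or SysWOW64 for 32-bit copies).
$allowedDirs = @($windir, "$windir\System32", "$windir\SysWOW64")

function Get-MasqueradingProcess {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $base = [IO.Path]::GetFileNameWithoutExtension($p.Name)
        if ($systemNames -notcontains $base) { continue }

        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }

        if (-not $p.ExecutablePath) {
            # Null when the process could not be opened (not elevated, or a
            # protected process); recheck from an administrator prompt.
            $verdict = 'UNKNOWN: path not readable'
        } elseif ($allowedDirs -contains [IO.Path]::GetDirectoryName($p.ExecutablePath)) {
            $verdict = 'OK'
        } else {
            $verdict = 'SUSPECT: system name outside Windows directory'
        }

        [pscustomobject]@{
            Pid     = $p.ProcessId
            Name    = $p.Name
            Path    = $p.ExecutablePath
            Parent  = $parentName
            Verdict = $verdict
        }
    }
}

Get-MasqueradingProcess | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

A SUSPECT verdict says where to look, not what to delete: check the file's signature and hash (for example with Sysinternals sigcheck) before acting. An OK verdict is equally only a location check; a file replaced in place inside System32 would pass it, which is why the signature verification from the earlier reply belongs alongside this one.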

#4 abeachguy (Member)

Posted 25 May 2011 - 01:07 AM

Using Autoruns am I supposed to be the only user listed? Because I see 3 more that aren't mine

#5 quietman7 (Global Moderator)

Posted 25 May 2011 - 07:43 AM

That is normal.

If you click on User in the menu at the top it will show the users accounts on your computer. The check mark indicates what user account Autoruns is being run under. NT Authority System is usually one that will show along with other user accounts on the machine.

To check the User Accounts on your computer, press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: control userpasswords2
Click OK or press Enter.

Alternatively, you can go to Start > Control Panel and just double-click the icon for User Accounts or right-click on My Computer, select Manage and from within the Computer Management window, double-click on Local Users and Groups to expand, then double-click on Users.
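A way to list every local account, including the ones the User Accounts dialog does not show (disabled and built-in accounts), together with whether each is a local administrator. This is an added example, not part of quietman7's post; it uses the WinNT ADSI provider, which is present on Windows Vista and 7 without extra modules, and assumes PowerShell 3.0+ on the local machine from an administrator prompt.

```powershell
# Added example, not from the thread: enumerate all local user accounts with
# SID, enabled state, local-admin membership and last logon, using the WinNT
# ADSI provider (no LocalAccounts module needed). Run from an elevated prompt.

function Get-LocalAccountReport {
    $computer   = [ADSI]"WinNT://$env:COMPUTERNAME"
    $adminGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    # Members() returns COM objects; pull each member's Name through reflection.
    $adminMembers = @($adminGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    foreach ($child in $computer.psbase.Children) {
        if ($child.psbase.SchemaClassName -ne 'User') { continue }
        $name  = $child.psbase.Name
        $flags = [int]$child.UserFlags.Value      # ADS_UF_* bit flags
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($child.objectSid.Value, 0)).Value
        $lastLogin = $null
        try { $lastLogin = $child.LastLogin.Value } catch { }   # throws if the account never logged on
        [pscustomobject]@{
            Name                 = $name
            SID                  = $sid
            RID                  = [int]$sid.Split('-')[-1]
            Disabled             = ($flags -band 0x0002) -ne 0    # ADS_UF_ACCOUNTDISABLE
            PasswordNeverExpires = ($flags -band 0x10000) -ne 0   # ADS_UF_DONT_EXPIRE_PASSWD
            LocalAdmin           = $adminMembers -contains $name
            LastLogin            = $lastLogin
        }
    }
}

Get-LocalAccountReport | Sort-Object RID | Format-Table -AutoSize
```

Reading the RID column: 500 is the built-in Administrator and 501 the Guest account (both normally disabled on a home machine), and accounts created after installation get RIDs from 1000 upwards; on Windows 7 a HomeGroupUser$ account is also normal. An enabled account with LocalAdmin set to True that nobody at the keyboard created is the one to follow up on.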

#6 abeachguy (Member)

Posted 25 May 2011 - 07:36 PM

I did that and it said that I was the only account, but there are 4 more accounts listed under that column. I went further into user accounts and it said it was saved. The name and password I had never even seen before, let alone saved. Further, in using Autoruns, I think under connections or networks there were 4 files I couldn't click on or even get information on. They were all called System. I think those are the things in my computer that took control, because there were rules applied to the firewall and other settings I couldn't change.

Any ideas anybody?

Also, if you go back and look at networking and see my post, I think the settings for the LAN or IP something was called Local Area Network 17, because there are 16 others that don't come up. I found that out by doing ipconfig /all. But then some were still hidden. I ran a System health report and that's where they were all listed, along with all the other technical stuff that's over my head.

Thanks



This post has been edited by abeachguy: 25 May 2011 - 07:50 PM


#7 Didier Stevens (BC Advisor)

Posted 26 May 2011 - 03:10 AM

abeachguy, on 25 May 2011 - 01:07 AM, said:

Using Autoruns am I supposed to be the only user listed? Because I see 3 more that aren't mine


I suppose you see NT AUTHORITY\SYSTEM. What are the other two?

#8 abeachguy (Member)

Posted 26 May 2011 - 03:42 AM

NT AUTHORITY\LOCAL SERVICE AND NT AUTHORITY\NETWORK SERVICE



#9 Didier Stevens (BC Advisor)

Posted 26 May 2011 - 05:20 AM

abeachguy, on 26 May 2011 - 03:42 AM, said:

NT AUTHORITY\LOCAL SERVICE AND NT AUTHORITY\NETWORK SERVICE


OK, those are Microsoft accounts for services. It's normal that you have them on your machine.
I assume you have Windows Vista or Windows 7?

#10 quietman7 (Global Moderator)

Posted 26 May 2011 - 07:55 AM

Here is some info if you want to learn more about these Service User Accounts.

Quote

Local Service Account
The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. The actual name of the account is "NT AUTHORITY\LOCAL SERVICE".

Network Service Account
The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NETWORK SERVICE".
Local System Account
Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is "NT AUTHORITY\SYSTEM".

Windows Service Accounts
IIS and Built-in Accounts: LocalSystem, Network Service

This post has been edited by quietman7: 26 May 2011 - 07:56 AM

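To put the three identities described above next to what actually runs under them on a machine, an added example (not part of quietman7's post) that groups services by logon account and lists any configured to run as an ordinary user account rather than a built-in identity. It assumes PowerShell 3.0+ on Windows 7 or later; the treatment of "NT SERVICE\<name>" virtual accounts as built-in is stated here as an assumption for Windows 7 and later.

```powershell
# Added example, not from the thread: which logon account does each service use?
# LocalSystem, LocalService and NetworkService are the built-in identities
# described above (plus per-service "NT SERVICE\<name>" virtual accounts on
# Windows 7 and later). A service configured to run as a named user account is
# unusual on a home PC and worth a second look.

$builtinAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Test-BuiltinServiceAccount {
    param([string]$StartName)
    if (-not $StartName) { return $true }                      # entries with no logon account
    if ($builtinAccounts -contains $StartName) { return $true } # -contains is case-insensitive
    if ($StartName -like 'NT SERVICE\*') { return $true }       # per-service virtual account
    return $false
}

function Get-ServiceAccountSummary {
    # How many services run under each identity; LocalSystem, the most
    # privileged, is usually the largest group.
    Get-CimInstance -ClassName Win32_Service | Group-Object StartName | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { if ($_.Name) { $_.Name } else { '<none>' } } }, Count
}

function Get-ServiceRunningAsUser {
    # Services whose logon is a real user account rather than a built-in identity.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { -not (Test-BuiltinServiceAccount $_.StartName) } |
        Select-Object Name, DisplayName, StartName, StartMode, State, PathName
}

Get-ServiceAccountSummary | Format-Table -AutoSize
Get-ServiceRunningAsUser  | Format-Table -AutoSize -Wrap
```

Some server products legitimately use a dedicated account (SQL Server, for instance, offers "NT SERVICE\..." accounts, and the quoted text notes Local Service is not supported for it), so the second list is not automatically a list of problems. A service running as an account you do not recognise, whose binary also fails the signature check from the earlier reply, is the combination to investigate.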
