
I think some files in my system32 have been tampered with



#1 comhall
  • Members
  • 4 posts
  • Gender:Male
Posted 14 May 2011 - 03:11 PM

Hey Everyone!
I have recently had a huge trojan, adware and spyware problem. 12 hours of constant work later, I have it just about under control. I was reading online that a lot of malware hides in a file called wdmaud in system32. I read that if the owner doesn't say Microsoft Corporation in the details section, it is probably a fake. I have 5 different wdmaud files:
wdmaudio
wdmaud.drv
wdmaud.drv.mui
wdmaudio.inf_loc
wdmaud.pnf

When I click into details on these files, it says the owner name is TrustedInstaller and not Microsoft Corporation.
This automatically makes it seem like a tampered-with file. Especially the name TrustedInstaller makes it seem even more tampered with.
Every single one of my wdmaud files claims that the owner is TrustedInstaller.

Any advice would be really appreciated!
Thanks everyone

Edited by comhall, 14 May 2011 - 03:12 PM.


#2 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,707 posts
  • Gender:Male
  • Location:Daly City, CA
Posted 14 May 2011 - 03:52 PM

If you're on Vista or 7, TrustedInstaller is a legit service.
Read:
http://www.vistax64.com/tutorials/159360-trustedinstaller-restore-owner.html
http://helpdeskgeek.com/windows-7/windows-7-how-to-delete-files-protected-by-trustedinstaller/


#3 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male
Posted 16 May 2011 - 07:25 AM

Broni is right, this is normal on Windows Vista and 7.

You are confusing file ownership and application ownership.
TrustedInstaller is the owner of the file. When you read online that you should find Microsoft Corporation as the owner, they are not talking about file ownership, but about application ownership. Take an application like notepad.exe, for example. Open its properties and look at the Details information (or Digital Signature if present), and you'll see Microsoft Corporation.

Edited by Didier Stevens, 16 May 2011 - 07:39 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
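The distinction Didier Stevens draws above can be checked in one pass. The following PowerShell script is an added example, not code from anyone in this thread; it assumes PowerShell 3.0 or later running as an administrator, and it puts the NTFS owner, the CompanyName from the version resource (the Details tab) and the Authenticode signature status side by side for the wdmaud* files the original poster listed.

```powershell
# Added example (not from the thread). Separates NTFS file *ownership* from the
# vendor recorded in a file's version resource / Authenticode signature.
# Assumes PowerShell 3.0+ on Windows Vista/7 or later, run elevated.
param(
    [string]$Dir    = "$env:SystemRoot\System32",
    [string]$Filter = 'wdmaud*'   # the file family the original poster asked about
)

Get-ChildItem -Path $Dir -Filter $Filter |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_

        # 1. NTFS owner: on Vista/7+ protected OS files are owned by the
        #    "NT SERVICE\TrustedInstaller" service account, never by a vendor name.
        $owner = (Get-Acl -Path $file.FullName).Owner

        # 2. Version resource ("Details" tab): CompanyName is where you expect
        #    "Microsoft Corporation". Non-PE files (.pnf, .inf_loc) carry none.
        $company = $file.VersionInfo.CompanyName

        # 3. Embedded Authenticode signature. Many Windows files are catalog-signed
        #    rather than embedded-signed, so NotSigned alone is not evidence of
        #    tampering; a HashMismatch on a file that does carry a signature is.
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Constructed heuristic: flag a modified signed file, or a PE file whose
        # version resource names a company other than Microsoft.
        $suspicious = ($sig.Status -eq 'HashMismatch') -or
                      (-not [string]::IsNullOrEmpty($company) -and
                       $company -ne 'Microsoft Corporation')

        [pscustomobject]@{
            File        = $file.Name
            NtfsOwner   = $owner        # expect NT SERVICE\TrustedInstaller
            CompanyName = $company      # expect Microsoft Corporation for PE files
            SigStatus   = $sig.Status   # Valid / NotSigned / HashMismatch ...
            Signer      = $signer
            Suspicious  = $suspicious
        }
    } | Format-Table -AutoSize
```

A TrustedInstaller owner with a Microsoft CompanyName and a Valid or catalog-only (NotSigned) status is the expected picture for these files; only a mismatch between the three columns warrants a closer look.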




