Removing malware as a service?


9 replies to this topic

#1 abeachguy

  • Members
  • 43 posts
  • Gender:Male
  • Location:Los Angeles County

Posted 23 May 2011 - 05:30 PM

Just wanted to know if there is an easy way to remove malware from the registry? When I look at the registry I know that that at least half of the services listed were not put there by Microsoft.

If my laptop has been infected so long that the Viruses, Trojans, Spyware and Malware have become services or whatever they do, how do I know which one was the original? Do they have their own DNA that can be traced and located? Or are they now a cancer and its just a matter of time before it dies?

Edited by boopme, 23 May 2011 - 06:31 PM.
Moved to AntiVirus, Firewall and Privacy Products and Protection Methods




#2 Didier Stevens

  • BC Advisor
  • 2,663 posts
  • Gender:Male

Posted 24 May 2011 - 05:22 AM

Use Sysinternals' Autoruns. In Options, select "Hide Microsoft and Windows entries" and "Verify Code Signatures". Then select the Services tab; this will list the services that are not from Microsoft.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
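
As an added example that is not part of Didier Stevens' reply: the same filtering done from PowerShell instead of the Autoruns GUI. It enumerates services through WMI, resolves each to the executable that actually runs (or to the ServiceDll for services hosted in svchost.exe), checks the Authenticode signature, and prints only what is not validly signed by Microsoft, plus services whose binary is missing. The Get-ServiceExecutable helper and the $results variable are mine; assumptions are Windows 7 or later with PowerShell 3.0 or later, run from an elevated prompt.

```powershell
# Added example, not from the post. Lists services whose binary is not signed by Microsoft,
# roughly what Autoruns shows with "Hide Microsoft and Windows entries" + "Verify Code Signatures".
# Assumes an elevated PowerShell 3.0+ session on Windows 7 or later.

# Win32_Service.PathName may be quoted and may carry arguments; reduce it to the executable.
function Get-ServiceExecutable {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    if ($PathName.StartsWith('"')) {
        return $PathName.Substring(1, $PathName.IndexOf('"', 1) - 1)
    }
    # Unquoted path with arguments, e.g. C:\Windows\system32\svchost.exe -k netsvcs
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

$results = foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $exe = Get-ServiceExecutable $svc.PathName

    # svchost.exe only hosts the service; the code of interest is the ServiceDll it loads.
    if ($exe -and ((Split-Path $exe -Leaf) -ieq 'svchost.exe')) {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $exe = [Environment]::ExpandEnvironmentVariables($dll) }
    }

    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
        # A registered service whose binary is gone is either an uninstall leftover or worth a look.
        [pscustomobject]@{ Name = $svc.Name; Path = $exe; Status = 'Missing'; Signer = ''; State = $svc.State }
        continue
    }

    $sig    = Get-AuthenticodeSignature -FilePath $exe
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isMs   = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    if (-not $isMs) {
        [pscustomobject]@{ Name = $svc.Name; Path = $exe; Status = $sig.Status; Signer = $signer; State = $svc.State }
    }
}

$results | Sort-Object Status, Name | Format-Table -AutoSize -Wrap
```

Caveat: Autoruns also verifies catalog signatures, whereas Get-AuthenticodeSignature only consults the Windows catalog on Windows 10 / PowerShell 5.1 and later. On Vista and 7 many genuine Microsoft files carry no embedded signature and will show up as NotSigned, so treat the output as a worklist to check against file location and vendor, not as a verdict.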


#3 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 May 2011 - 07:31 AM

Tools to investigate running processes, services and gather additional information to identify them or resolve problems:

Note: Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

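
As an added example that is not part of quietman7's post: a PowerShell check for the masquerade described above, comparing each running process's image path against the directory where the genuine binary of that name lives. The $expected table is my assumption about a stock Windows install and covers only a handful of commonly impersonated names; Test-ProcessLocation is my helper, not a Windows or Sysinternals command.

```powershell
# Added example, not from the post. Flags running processes that carry the name of a core
# Windows binary but were started from a directory other than that binary's home.
# Run elevated so ExecutablePath is readable for SYSTEM-owned processes.
$sys32 = Join-Path $env:SystemRoot 'System32'
$wow64 = Join-Path $env:SystemRoot 'SysWOW64'

# Assumption: expected home directories on a stock install. Extend as needed.
$expected = @{
    'smss.exe'     = @($sys32)
    'csrss.exe'    = @($sys32)
    'wininit.exe'  = @($sys32)
    'winlogon.exe' = @($sys32)
    'services.exe' = @($sys32)
    'lsass.exe'    = @($sys32)
    'svchost.exe'  = @($sys32, $wow64)
    'rundll32.exe' = @($sys32, $wow64)
    'explorer.exe' = @($env:SystemRoot)
}

function Test-ProcessLocation {
    param([string]$Name, [string]$Path)
    $key = $Name.ToLowerInvariant()
    if (-not $expected.ContainsKey($key)) { return 'Unknown name' }
    if (-not $Path) { return 'Path unavailable (run elevated)' }
    $dir = Split-Path -Parent $Path
    foreach ($allowed in $expected[$key]) {
        if ($dir -ieq $allowed) { return 'OK' }
    }
    return 'SUSPECT: wrong directory'
}

Get-WmiObject -Class Win32_Process | ForEach-Object {
    $verdict = Test-ProcessLocation -Name $_.Name -Path $_.ExecutablePath
    if ($verdict -ne 'Unknown name') {
        [pscustomobject]@{
            PID     = $_.ProcessId
            Name    = $_.Name
            Path    = $_.ExecutablePath
            Verdict = $verdict
        }
    }
} | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

This catches the exact-name-wrong-folder trick only. A look-alike name (a digit zero for the letter o, for instance) passes as "Unknown name", which is why this check complements, rather than replaces, a signature check such as the one Autoruns performs.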

#4 abeachguy (Topic Starter)

  • Members
  • 43 posts
  • Gender:Male
  • Location:Los Angeles County

Posted 25 May 2011 - 01:07 AM

Using Autoruns am I supposed to be the only user listed? Because I see 3 more that aren't mine

#5 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 May 2011 - 07:43 AM

That is normal.

If you click on User in the menu at the top it will show the users accounts on your computer. The check mark indicates what user account Autoruns is being run under. NT Authority System is usually one that will show along with other user accounts on the machine.

To check the User Accounts on your computer, press the WINKEY + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: control userpasswords2
Click OK or press Enter.

Alternatively, you can go to Start > Control Panel and just double-click the icon for User Accounts or right-click on My Computer, select Manage and from within the Computer Management window, double-click on Local Users and Groups to expand, then double-click on Users.

#6 abeachguy (Topic Starter)

  • Members
  • 43 posts
  • Gender:Male
  • Location:Los Angeles County

Posted 25 May 2011 - 07:36 PM

I did that and it said that I was the only account, but there are 4 more accounts listed under that column. I went further into user accounts and it said it was saved. The name and password I had never even seen before, let alone saved. Further, in using Autoruns, I think under connections or networks, there were 4 files I couldn't click on or even get information on. They were all called System. I think those are the things in my computer that took control, because there were rules applied to the firewall and other settings I couldn't change.

Any ideas anybody?

Also, if you go back and look at networking and see my post, I think the setting for the LAN or IP something was called Local Area Network 17, because there are 16 others that don't come up. I found that out by doing ipconfig /all. But then some were still hidden. I ran a System health report and that's where they were all listed, along with all the other technical stuff that's over my head.

Thanks



Edited by abeachguy, 25 May 2011 - 07:50 PM.


#7 Didier Stevens

  • BC Advisor
  • 2,663 posts
  • Gender:Male

Posted 26 May 2011 - 03:10 AM

Using Autoruns am I supposed to be the only user listed? Because I see 3 more that aren't mine


I suppose you see NT AUTHORITY\SYSTEM. What are the other two?



#8 abeachguy (Topic Starter)

  • Members
  • 43 posts
  • Gender:Male
  • Location:Los Angeles County

Posted 26 May 2011 - 03:42 AM

NT AUTHORITY\LOCAL SERVICE AND NT AUTHORITY\NETWORK SERVICE



#9 Didier Stevens

  • BC Advisor
  • 2,663 posts
  • Gender:Male

Posted 26 May 2011 - 05:20 AM

NT AUTHORITY\LOCAL SERVICE AND NT AUTHORITY\NETWORK SERVICE


OK, those are Microsoft accounts for services. It's normal that you have them on your machine.
I assume you have Windows Vista or Windows 7?



#10 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,140 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 May 2011 - 07:55 AM

Here is some info if you want to learn more about these service user accounts.

Local Service Account
The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. The actual name of the account is "NT AUTHORITY\LOCAL SERVICE".

Network Service Account
The Network Service account is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NETWORK SERVICE".
Local System Account
Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is "NT AUTHORITY\SYSTEM".

Sources: Windows Service Accounts
IIS and Built-in Accounts: LocalSystem, Network Service

Edited by quietman7, 26 May 2011 - 07:56 AM.

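
As an added example that is not part of quietman7's posts #5 and #10: how to see, from PowerShell, that the three accounts the thread discusses are fixed, built-in identities rather than user accounts, which local user accounts the machine actually has (the same list control userpasswords2 shows, with SIDs), and which services run under which account. The $builtIn and $serviceAccounts lists are mine; the SID values S-1-5-18, S-1-5-19 and S-1-5-20 are the well-known Windows SIDs for SYSTEM, LOCAL SERVICE and NETWORK SERVICE. Assumes Windows 7 or later with PowerShell 3.0 or later.

```powershell
# Added example, not from the post. Shows the built-in service accounts by SID, the local
# user accounts defined in the SAM, and which account each service logs on as.

# 1. Translate the names quoted in the thread into their well-known SIDs. These never change:
#    S-1-5-18 = SYSTEM, S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE.
$builtIn = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
foreach ($name in $builtIn) {
    $account = New-Object System.Security.Principal.NTAccount($name)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
    '{0,-32} {1}' -f $name, $sid.Value
}

# 2. Local user accounts that exist in the SAM (what control userpasswords2 lists).
#    The three built-in service accounts never appear here; they are not SAM accounts.
#    An account you do not recognise in this list is the thing to investigate.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, Lockout, PasswordRequired |
    Format-Table -AutoSize

# 3. How many services log on under each account. Win32_Service.StartName uses
#    'LocalSystem' for NT AUTHORITY\SYSTEM and the short forms for the other two.
Get-WmiObject -Class Win32_Service |
    Group-Object StartName |
    Sort-Object Count -Descending |
    ForEach-Object { '{0,-32} {1,3} services' -f $_.Name, $_.Count }

# 4. Services configured to run as something other than the three built-in accounts.
#    A service running as a normal user account carries a stored credential, which is
#    where an attacker-created account would show up; each entry here should be explained.
$serviceAccounts = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -and ($serviceAccounts -notcontains $_.StartName) } |
    Select-Object Name, StartName, PathName, State |
    Format-Table -AutoSize -Wrap
```

The Autoruns User menu lists the same identities: the built-in service accounts from step 1 alongside the SAM accounts from step 2, which is why a machine with a single human user still shows SYSTEM, LOCAL SERVICE and NETWORK SERVICE there.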



