
Trusting the "Trusted" Installer?



#1 TCSNinc


Posted 19 February 2016 - 05:34 AM

So I made a fresh start

Default Windows 8.1 Admins are the default Admin account and my solo user account.

 

At what point should I start hawking my user accounts for bleep like

 

NT/TrustedInstaller (s-543-05480958409584085490834098093-58-%0398483) ?

 

And is that .net or kids pretending to be .net?





#2 Aura


Posted 19 February 2016 - 07:49 AM

There's no need to hawk the other user accounts on your system. If it's a fresh start, and the only accounts are yours and the default Admin one (which can be disabled by the way), all the other ones are legitimate. And it should stay that way. Malware that adds another user account to perform its task is quite rare if you ask me; usually it'll stick to using the permissions of the current user (or Admin if it can).

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 TCSNinc


Posted 20 February 2016 - 02:34 PM

Yeah, but eventually some snit finds a little hole on my system to worm into and starts creating themselves accounts under administrators.
I know that "Trusted Installer" is common but that still doesn't make it 'trust'worthy.
 
I've found some .net login accounts under other groups, there are only about four however and I'm pretty sure those are official default.

#4 Aura


Posted 20 February 2016 - 02:38 PM

I would like to see a Windows system run properly without the TrustedInstaller. It's impossible. Hence why I suggest you leave it be since it's a legitimate user. What you should worry about isn't the users, but malicious processes running under it if they can impersonate it.



#5 TCSNinc


Posted 20 February 2016 - 03:00 PM

Let's put it this way - Trusted Installer is not currently under the Administrators group and I'm running fine.
So at some point if TI does appear under Admins and it's detrimental to remove then there must be some Windows update that is not only placing TI under Admins but making it mandatory to leave under Admins.
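
One way to check the group membership discussed in posts #2 to #5, as an added example (not code from any poster in this thread): a PowerShell audit of the local Administrators group that flags members outside a baseline of the built-in Administrator (RID 500) and one named account. `$ExpectedUser` is a placeholder to replace with your own account name; the script uses the ADSI WinNT provider rather than the LocalAccounts cmdlets, which arrived in PowerShell 5.1.

```powershell
# Added example: audit local Administrators membership against a small baseline.
# $ExpectedUser is a hypothetical placeholder; set it to your own account name.
$ExpectedUser = 'YourUserName'

# Resolve the group by its well-known SID (S-1-5-32-544) so this also works
# on localized Windows, where the group is not named "Administrators".
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

$report = foreach ($m in @($group.Invoke('Members'))) {
    # Members come back as COM objects; read their properties via reflection.
    $t     = $m.GetType()
    $name  = $t.InvokeMember('Name', 'GetProperty', $null, $m, $null)
    $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value

    if ($sid -match '^S-1-5-21-.*-500$') {
        $status = 'expected: built-in Administrator'
    } elseif ($name -eq $ExpectedUser) {
        $status = 'expected: your account'
    } elseif ($sid -like 'S-1-5-80-*') {
        # Service SIDs such as NT SERVICE\TrustedInstaller live in this range.
        $status = 'REVIEW: service SID in Administrators'
    } else {
        $status = 'REVIEW: not in baseline'
    }

    New-Object PSObject -Property @{ Name = $name; SID = $sid; Status = $status }
}

$report | Sort-Object Status | Format-Table Name, SID, Status -AutoSize
```

Saving the output after a clean install and comparing it after each round of updates or software installs shows whether group membership actually changed.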

#6 TCSNinc


Posted 20 February 2016 - 03:04 PM

I know where most Trojans hide and have run multiple Registry/Malware cleaners, realizing that different software will uncover different bugs.

I do firmly believe, however, that no matter how thorough a person is there's always going to be some form of Trojan left somewhere on the system.

Also, after a clean install I took a gander at the default certificates; there were a lot of certs involving the root and even one signed as 'NOT LIABLE'.

If some of those certs are as dodgy as they look then they're being left on the drive even after a Win 8 'Reset.'



#7 TCSNinc


Posted 20 February 2016 - 03:05 PM

As I start to 're-build' I'm just keeping a careful eye as to which updates or software place what/where.





