
Why do I have some chameleon services?



#1 prugoclepr


Posted 06 November 2017 - 09:50 AM

I've recently discovered eight services installed on my machine, all mimicking the name of legitimate Windows services with a string of randomly generated characters appended to the end of the name. The set of characters changes upon boot.

 

Normally most services seem to be launched under the username SYSTEM or NETWORK SERVICE or LOCAL SERVICE, etc.

 

These eight mysterious services are launched instead by 'prugoclepr', i.e. 'me', on startup.

 

Connected Devices Platform User Service <--- Legit OS service

Connected Devices Platform User Service_1196b9 <--- Weird thing that launches under my username.

DevicesFlow <--- Legit OS service

DevicesFlow_1196b9 <--- Weird thing that launches under my username.

MessagingService <--- etc

MessagingService_1196b9 <--- etc

Sync Host

Sync Host_1196b9

Contact Data

Contact Data_1196b9

User Data Storage

User Data Storage_1196b9

User Data Access

User Data Access_1196b9

Windows Push Notifications User Service

Windows Push Notifications User Service_1196b9

 

Usually, only two or three will launch on startup. It used to be that if I stopped one, another would start up, until I did a couple things over here: https://www.bleepingcomputer.com/forums/t/661641/infected-with-something-anti-malware-tools-cant-find-it/#entry4369823

 

Now if I stop them, they stop.

 

What are these, why are they duplicating the names of services already on my machine, why do they have appended characters randomizing on boot, and why are they starting under my username?




 


#2 jenae


Posted 07 November 2017 - 01:28 AM

Hi, yes, they are all Windows services. The five-character alphanumeric code at the end of some of them will change from boot to boot; they identify a Windows ten system and OS type to MS servers (they do not identify you). Most are to do with telemetry and will cause no issues. The last two should not be touched.

 

You should leave services alone, in general, and only access them if a specific service is causing problems, in which case you would be advised by someone from the forum.



#3 prugoclepr


Posted 07 November 2017 - 10:14 AM

> Hi, yes, they are all Windows services. The five-character alphanumeric code at the end of some of them will change from boot to boot; they identify a Windows ten system and OS type to MS servers (they do not identify you). Most are to do with telemetry and will cause no issues. The last two should not be touched.
>
> You should leave services alone, in general, and only access them if a specific service is causing problems, in which case you would be advised by someone from the forum.

 

Okay, but WHY will the 'five character code' change, particularly since the service already exists without the code at all?

 

Why do the codes exist at all?

 

And why are there TWO of each service?

 

And why are the coded ones launching under my name, rather than being launched by the OS if they're such OS-vital services?
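
Added example, not part of any post in this thread: Windows 10 creates per-user services at sign-in from a template service and names each instance `<template>_<LUID of the logon session>`, which is why the suffixed entries pair up with unsuffixed ones, share one suffix, and run under the signed-in account. The sketch below triages a service list on that basis; the sample records, the suffix regex and the `triage` helper are constructed for illustration, and the type bits are the `winnt.h` constants.

```python
import re
from collections import defaultdict

# Service type bits from winnt.h.
SERVICE_USER_SERVICE = 0x40          # per-user service (template or instance)
SERVICE_USERSERVICE_INSTANCE = 0x80  # set only on a per-session instance

# Assumption: the suffix is "_" plus the logon-session LUID in lowercase hex.
SUFFIX = re.compile(r"^(?P<base>.+)_(?P<luid>[0-9a-f]{4,8})$")

# Constructed sample of (service name, Type value); the Print Spooler and
# 22c0de entries are made-up anomalies, not taken from the thread.
SAMPLE = [
    ("Sync Host", 0x60), ("Sync Host_1196b9", 0xE0),
    ("Contact Data", 0x60), ("Contact Data_1196b9", 0xE0),
    ("MessagingService", 0x60), ("MessagingService_1196b9", 0xE0),
    ("Print Spooler", 0x110), ("Print Spooler_7f3a21", 0x10),
    ("User Data Access_22c0de", 0xE0),
]

def triage(services):
    """Return (instances grouped by suffix, suspects with reasons)."""
    types = dict(services)
    instances, suspects = defaultdict(list), {}
    for name, stype in services:
        m = SUFFIX.match(name)
        if not m:
            continue  # unsuffixed names are templates or ordinary services
        reasons = []
        base_type = types.get(m["base"])
        if base_type is None:
            reasons.append("no service with the base name exists")
        elif not (base_type & SERVICE_USER_SERVICE) or (
                base_type & SERVICE_USERSERVICE_INSTANCE):
            reasons.append("base service is not a per-user template")
        if not (stype & SERVICE_USER_SERVICE
                and stype & SERVICE_USERSERVICE_INSTANCE):
            reasons.append("type lacks the per-user instance bits")
        if reasons:
            suspects[name] = reasons
        else:
            instances[m["luid"]].append(name)
    return dict(instances), suspects

if __name__ == "__main__":
    ok, bad = triage(SAMPLE)
    for luid, names in ok.items():
        print(f"session {luid}: {len(names)} per-user instances")
    for name, reasons in bad.items():
        print(f"CHECK {name}: {'; '.join(reasons)}")
```

More than one suffix group is expected when several users are signed in, since each logon session gets its own set of instances.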





