ZHPDiag – O23 module (SMND)

In the operating systems type Windows NT, one service (or Windows service) is a program which works in the background. It is similar to a daemon d’UNIX.

A service must conform to the rules of interface and to the protocols of the Service Control Manager, the loaded part of the management of services.

The services can be configured to start when the operating system is started and run in the background as long as Windows is running. In Variant, they can be launched manually by the user or by an event that needs the service. The Windows NT type operating systems include many services. The units are attached to three user accounts : the account System, the account Network service and the account Local service. Because the services are associated with their own dedicated user accounts, they can function without a user is logged on to the operating system. Services are often associated to the process host for Windows services. [Wikipedia]

Features

– This allows lists all of the services launched at system startup. Microsoft generic services and disabled services are deliberately excluded from this enumeration. Research is done on the value.ImagePath "of all the subkeys of the key Base of registers [HKLMSYSTEMCurrentControlSetServices].

Overview ZHPDiag

 

—\\ Liste des services NT non Microsoft et non désactivés (5) – 2s
O23 – Service: Service Google Update (gUpdate) (gUpdate) . (.Google Inc. – Programme d’installation de Google.) – C:\Program FilesGoogleUpdateGoogleUpdate.exe =>.Google Inc®
O23 – Service: NetLimiter 4 Service (nlsvc) . (.Locktime Software – NetLimiter Service.) – C:\Program FilesLocktime SoftwareNetLimiter 4NLSvc.exe =>.Locktime Software s.r.o.®
O23 – Service: SoftEther VPN Client (SEVPNCLIENT) . (.SoftEther VPN Project at University of Tsukuba, Japan – SoftEther VPN.) – C:\Program FilesSoftEther VPN Clientvpnclient.exe =>.SoftEther K.K.®

Example of infection

O23 – Service: Background Logic Handler (backlh) . (.Copyright © 2016 – ExtManager.) – C:\ProgramDataLogic Crambleset.exe =>PUP. Optional.LogicHandler
O23 – Service: Prefs Secure (Nettrans) . (.Copyright © 2015 – Network Packet Monitor.) – C:\ProgramDataPrefsSecureNettrans.exe =>PUP. Optional.LogicHandler

Action ZHPFix

O23 – Service: {Startup} ( {KeyService}) . (…) – {FileName}

[Key} : Key to the Base of registers [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices}
{KeyService} : Subkey of the key {Key}
{Startup} : The value data «» DisplayName » de clé {KeyService}
{FileName} : The value data «» ImagePath » del clé {KeyService}

1) L’outil supprime la clé {KeyService} et toutes ses sous-clés.
2) The tool deletes the file {FileName}