NtControlSvc and StaffCop - how to fight?
A hundred years ago, some remote system administrator apparently installed the notorious StaffCop program on our corporate PCs to monitor the work of employees. For a long time nothing happened, then on random PCs the normal certificates in the browser began to be replaced with some AtomPark ones. I have fought this repeatedly by removing the files as described in the uninstall64.cmd file:
NtControlSvc.exe /Unregserver
registerlsp -q "Network Proxy System"
TIMEOUT /T 3
TASKKILL /F /IM NtControlSvc.exe
DEL "%systemroot%\System32\NtControlSvc.ini"
DEL "%systemroot%\System32\NtControlSvcOff.ini"
DEL "%WinDir%\Temp\NtControlSvc.log"
DEL "%WinDir%\Temp\NtControlSvcr.log"
DEL .\NetSpy_ErrorLog.txt
DEL .\Debug_Proxy.log
I also manually disabled the service in processes.
Install StaffCop and remove the agents through its admin panel. Or find the place where it is installed. StaffCop does NOT work remotely; its server must be on the local network, and for monitoring you need to log in via VPN. Another thing is that if this was done not at the direction of the management but on someone's stupid initiative, the StaffCop server may no longer exist :)
I won't say anything about NtControlSvc, I haven't used it. But the general principle is this: there is an agent, it sits somewhere and checks for the presence of its files, and if it does not find them, it pulls them in again. Check ALL services and all places where the program can store data, ProgramData for example.
Is the network in a domain? Check your domain policies for auto-deployment/auto-start programs.
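
One way to carry out the checks suggested in the answer above, as an added example that is not part of the original thread: a read-only PowerShell sweep of services, scheduled tasks, Run keys, data folders, trusted root certificates and the Winsock catalog, followed by the applied domain policies. The function names are hypothetical, the search strings are the names that appear in the question, and treating "Network Proxy System" as a Winsock LSP entry is an assumption based on the registerlsp call; run it from an elevated prompt.

```powershell
# Added example: read-only audit. Search terms come from the question text above.
$terms   = 'NtControlSvc', 'StaffCop', 'AtomPark', 'Network Proxy System'
$pattern = ($terms | ForEach-Object { [regex]::Escape($_) }) -join '|'

function New-Hit($Where, $Item, $Detail) {   # hypothetical helper name
    [pscustomobject]@{ Where = $Where; Item = $Item; Detail = $Detail }
}

function Find-AgentTraces {                  # hypothetical function name
    # 1. Services: match on name, display name or binary path.
    Get-CimInstance Win32_Service |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
        ForEach-Object { New-Hit 'Service' $_.Name $_.PathName }

    # 2. Scheduled tasks whose action could re-launch or re-install the agent.
    Get-ScheduledTask |
        Where-Object { "$($_.TaskName) $($_.Actions.Execute) $($_.Actions.Arguments)" -match $pattern } |
        ForEach-Object { New-Hit 'Task' ($_.TaskPath + $_.TaskName) ($_.Actions.Execute -join '; ') }

    # 3. Machine-wide Run keys (64-bit and 32-bit views).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match $pattern } |
            ForEach-Object { New-Hit 'RunKey' $_.Name $_.Value }
    }

    # 4. Leftover files and folders (top level only) where the agent can keep data.
    Get-ChildItem -Path $env:ProgramData, "$env:SystemRoot\System32", "$env:WinDir\Temp" `
                  -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object { New-Hit 'File' $_.FullName $_.LastWriteTime }

    # 5. Trusted root certificates: the question mentions browser certificates being replaced.
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { "$($_.Subject) $($_.Issuer)" -match $pattern } |
        ForEach-Object { New-Hit 'RootCert' $_.Subject $_.Thumbprint }

    # 6. Winsock catalog: the uninstall script passes this name to registerlsp (assumed LSP entry).
    netsh winsock show catalog | Select-String -Pattern $pattern |
        ForEach-Object { New-Hit 'WinsockLSP' ($_.Line.Trim()) '' }
}

Find-AgentTraces | Sort-Object Where | Format-Table -AutoSize -Wrap

# 7. Domain policies applied to this computer (review for software deployment or startup scripts).
gpresult /scope computer /r
```

Anything the sweep reports is a place the agent can be restored from, so record the full list before deleting files or stopping the service.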