Get rid of a service entry that was a virus???

John Jay Smith

I got a stupid virus that created a service in the list of windows services
so it would download trojans...

I deleted the virus files and deleted the service from the registry but I
still see it in the list...

where do I go in the registry to remove this annoying thing?

see screenshot: (the one that says windows log is in fact the virus)

http://img147.imageshack.us/img147/5912/services01oy7.jpg


thanks
 
Ted Zieglar

Did you think a virus writer would make it that easy to remove their
artwork?

The correct way to remove a virus is to let your (updated) antivirus
program do it. Even then, many viruses can't be removed, just disabled.

Now that you've tried to remove the virus on your own, it may be
impossible for your antivirus program to do its work.

Sometimes, you can find removal instructions for a virus on the websites
of the major antivirus organizations. To make use of this you would need
to know the specific name of the virus.

Here's what to do now:

Update your antivirus program and let it try to remove the virus.

If that doesn't work, try one (or more) online virus scanners.

If that doesn't help, and you know the name of the virus, search for
removal instructions.

If none of the above provide relief, and you don't have a known good
backup of your system partition, erase your hard disk and start over.
 
NewScience

If you remember the Service name, open Control Panel | System | Hardware |
Device Manager.
Click on View | Show Hidden Devices.
Scan hidden devices and either check the properties or Uninstall the
offending name.

It may also be in HKLM\Software\Microsoft\Windows NT\Winlogin\......
entries.
Have you tried using Autoruns from www.sysinternals.com?
 
Ted Zieglar

"If you remember the Service name, open Control Panel | System |
Hardware | Device Manager."

Is that where the services are located?
 
John Jay Smith

I did not ask how to remove the virus. Nor did I ask to be lectured by you.

I asked where in the registry are the services located!

Geeeesshhh!!
 
Richard Urban

Best that you research before you attempt removal. If you do an incomplete
job (you did) it can make removal of the final pieces next to impossible.

Nuke and reinstall.

--
Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 
John Jay Smith

I have not encountered something impossible for me, ever.
Some things just may need more time.
 
NewScience

Some services are started when the system reboots, and they do not list in
SERVICES.
If you follow the directions, you can see where some services Startup
(Properties | Driver ... Startup), is set to Boot, Demand, ....
These will show in HKLM/System/CurrentControlSet/Services, but Control Panel
| System | Hardware | Device Manager .... Show Hidden Devices provides a
means to Uninstall, which should clean all remnants from the system using
any *.INF file properties which may have been installed when driver/service
was.

Probably in this case, since it is an application (.sys), it will not have a
*.inf file.

Most people do not know about these Hidden Devices, nor do they know that
some are used as viruses when the system starts, which in turn, increases
boot time.
 
Guest

Open the registry editor (regedit.exe) by typing its name in a Run... box, and
examine this key as mentioned:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Do be careful though as deleting essential services could leave your
computer unbootable.

Alternatively, download 'Autoruns' from http://sysinternals.com - this will
give you a wealth of information about self-starting processes. To narrow it
down, use the setting to 'Show only non-Microsoft entries'.
 
cquirke (MVP Windows shell/user)

On Thu, 28 Sep 2006 19:13:08 -0300, John John
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Finally, someone answered the OP's question!

I'd also do...

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet*\Services

....for all values of *, as different contexts can switch different
ControlSet into active CurrentControlSet effect.

Expect malware to defend itself - so I'd do this from Bart CDR boot
using RunScanner plugin to redirect Regedit to the inactive HD hives.

John Jay Smith wrote:

Sounds fairly smart to me...

Where in the registry did you delete it?

As above. Don't work while the malware is active, duh... which is
what's wrong with "use your av" and especially "use online scanner".
All of these common and convenient approaches are weak, because they
depend on the malware not making full use of opportunities available
to it to defend itself, as rootkits begin to do.

You could also try MSConfig to disable it, or Administration Tools,
Services to Disable it there. MSConfig can work from Bart, if you set
it up as a RunScanner'd plugin; I haven't seen Administration Tools
work in that way, however. Without RunScanner redirection, you'd be
looking at the irrelevant Bart registry settings.

Something that is necessary does not cease to be necessary just
because it is difficult (or impossible?) to do.

Bart is tough, but necessary. Live with it, or (as other advisors have
suggested) die, start over, and hope for better luck next time.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
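As an added example, not code from any poster in this thread, the PowerShell script below walks the HKLM\SYSTEM\ControlSet*\Services keys named in the Guest post and in cquirke's reply, and lists entries whose binary is missing on disk (an orphaned leftover like the OP's) or is not Microsoft-signed, so a suspect service can be identified before anything is deleted. It assumes an elevated PowerShell session on the machine being inspected; the $root value and the Resolve-ImagePath helper are this example's own.

```powershell
# Added example, not code from any poster in this thread: enumerate every
# HKLM\SYSTEM\ControlSet*\Services entry and flag ones that deserve a look
# (binary missing on disk = orphaned entry; binary not signed by Microsoft).
# Assumes an elevated PowerShell session on the live machine; $root is assumed.
$root = 'HKLM:\SYSTEM'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Resolve-ImagePath([string]$imagePath) {
    # Turn the raw ImagePath value into a plain file path: quotes, arguments,
    # the \??\ and \SystemRoot prefixes and bare system32\... paths are handled.
    $raw = [Environment]::ExpandEnvironmentVariables($imagePath)
    if ($raw -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($raw -split ' ')[0] }
    $exe = $exe -replace '^\\\?\?\\', ''
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
    if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }
    return $exe
}

Get-ChildItem $root | Where-Object { $_.PSChildName -like 'ControlSet*' } | ForEach-Object {
    $set = $_.PSChildName
    Get-ChildItem "$root\$set\Services" -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }   # keys without a binary are skipped
        $exe = Resolve-ImagePath $props.ImagePath
        $exists = Test-Path -LiteralPath $exe
        $signer = '(binary missing)'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
        $note = if (-not $exists) { 'orphaned entry: binary not on disk' }
                elseif ($signer -notmatch 'Microsoft') { 'non-Microsoft binary' }
                else { $null }
        if ($note) {
            [PSCustomObject]@{
                ControlSet = $set
                Service    = $_.PSChildName
                Start      = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { '?' }
                Binary     = $exe
                Signer     = $signer
                Note       = $note
            }
        }
    }
} | Format-Table -AutoSize -Wrap
```

Inbox drivers are often catalog-signed rather than carrying an embedded signature, so an entry reported as '(unsigned)' is a shortlist item to check against a known-good machine, not a verdict; as cquirke says, run this (or Regedit) against the offline hives when the malware may still be active.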
 
Ted Zieglar

"Don't work while the malware is active, duh... which is
what's wrong with "use your av" and especially "use online scanner"."

Oh...so you don't think people should scan their computers when they
suspect they have a virus? That's not what I read in the product manuals.
 
cquirke (MVP Windows shell/user)

On Fri, 29 Sep 2006 09:34:42 -0400, Ted Zieglar
"Don't work while the malware is active, duh... which is
what's wrong with "use your av" and especially "use online scanner"."
Oh...so you don't think people should scan their computers when they
suspect they have a virus? That's not what I read in the product manuals.

Firstly, I think folks should have their av set up so that incoming
material is scanned *before* the material can run. It's not only less
effective to "do a full system scan every now and then to see if I'm
infected", it's also dangerous - you may trigger a strikeback.

I do think people should scan their computers when they suspect they
have "a virus" (and they should suspect malware, possibly multiple,
whenever ill-defined problems arise).

But for this to be safe and effective, the malware should not be
running at the time, and that rules out convenient Windows-based av.
If you're in Windows, you're prolly running the malware.

As to online scanners, well... consider this...

You suspect you're infected, so you go to an online scanning site.
You click Yes, when prompted to run an ActiveX control.
You stay online while the site drops and runs this control.
You stay online while the av scans all your files.
You expect to see the HD activity LED flashing away for hours.
You expect the scanner to touch all your files.
You expect to see plenty of traffic to and from the web site.
You're told the system is now clean, and all is well.

Then you figure out the site you went to was IP address a.b.c.d,
whereas the real online scanning site should be w.x.y.z

I'll leave you to join the dots...

As to product manuals, remember the vendor-vision factor, i.e. "if we
don't have it, you don't need it" or "if we can't do it, let's pretend
it can't be done". It's the naked emperor syndrome.


------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
 
Steven L Umbach

You might try using Autoruns to list ALL your services and see if upchucking
it using that helps and/or search the registry for the service name and
delete references only specific to it. A registry tool such as RegSeeker may
also be able to detect orphaned entries relating to it but in general be
careful with registry cleaners and I suggest backing up before deleting
anything as prompted by the application "just in case".

Steve

http://www.snapfiles.com/get/regseeker.html
 