HELP! I need a __concise__ Step-By-Step Instruction Removing a Ser

Guest

I'm on a standalone W2k (service packed up through the Rollup) and rarely
need to go into the Services to modify something; but somehow I picked up
THIS WORM:
__________kernel32.ime
and, while I have successfully disabled it, I want any reference of it
DELETED from my Services Listing, where it has implanted itself as
__________Remote Procedure Call (RPC) Remote (RpcRemote)
(observe the __literal_ wording of that string)

I made my first attempt at using the Console and . . . well, here I am lol.
It obviously didn't work. Would someone just list the "Do this, then Do
this next thing, then Do this next thing" series of steps, since I apparently
need to have this spelled out for me. I so do NOT want to hack the Registry
to get rid of this being listed in my Services.

And finally, in case anyone is interested, the FIX can be found at
http://www.geocities.jp/kiskzo/kernel32.ime.html
but of course, you have to know how to delete a Service. Which is why I'm
posting a request for help. Thanks . . .

MC
 
David H. Lipman

From: "MISS CHIEVOUS" <MISS (e-mail address removed)>

| I'm on a standalone W2k (service packed up through the Rollup) and rarely
| need to go into the Services to modify something; but somehow I picked up
| THIS WORM:
| __________kernel32.ime
| and, while I have successfully disabled it, I want any reference of it
| DELETED from my Services Listing, where it has implanted itself as
| __________Remote Procedure Call (RPC) Remote (RpcRemote)
| (observe the __literal_ wording of that string)
|
| I made my first attempt at using the Console and . . . well, here I am lol.
| It obviously didn't work. Would someone just list the "Do this, then Do
| this next thing, then Do this next thing" series of steps, since I apparently
| need to have this spelled out for me. I so do NOT want to hack the Registry
| to get rid of this being listed in my Services.
|
| And finally, in case anyone is interested, the FIX can be found at
| http://www.geocities.jp/kiskzo/kernel32.ime.html
| but of course, you have to know how to delete a Service. Which is why I'm
| posting a request for help. Thanks . . .
|
| MC

If this is truly a SDBot worm variant then you should be asking in a virus related News
Group because there are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Start with the Sophos module in the below Multi AV Scanning Tool...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Guest

I already have and use AV software. If you Google this virus you'll see that
it is able to get past Norton (and a good many others). The only fix that
works is the one I've posted -- but the last remaining step is one NOT
EXCLUSIVE to virus issues, but rather, how (generally) to remove a service
from the Services listing of Windows 2000 Professional.

I'll ask it again -- would anyone care to help me do this STEP-BY-STEP?
Thank you.

MC
 
Dave Patrick

To answer your question you can delete the registry service subkey for it
found in;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
then delete the files associated with it.

As David Lipman says there's more to it than this.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I'm on a standalone W2k (service packed up through the Rollup) and rarely
| need to go into the Services to modify something; but somehow I picked up
| THIS WORM:
| __________kernel32.ime
| and, while I have successfully disabled it, I want any reference of it
| DELETED from my Services Listing, where it has implanted itself as
| __________Remote Procedure Call (RPC) Remote (RpcRemote)
| (observe the __literal_ wording of that string)
|
| I made my first attempt at using the Console and . . . well, here I am lol.
| It obviously didn't work. Would someone just list the "Do this, then Do
| this next thing, then Do this next thing" series of steps, since I apparently
| need to have this spelled out for me. I so do NOT want to hack the Registry
| to get rid of this being listed in my Services.
|
| And finally, in case anyone is interested, the FIX can be found at
| http://www.geocities.jp/kiskzo/kernel32.ime.html
| but of course, you have to know how to delete a Service. Which is why I'm
| posting a request for help. Thanks . . .
|
| MC
 
Guest

Thank you Mr. Patrick. Will __just__ deleting the Key remove it from my
Services listed? This is what confuses me I admit, because obviously I can
quickly go into the Registry . . . but Windows Help advised that I am
supposed to do this the CONSOLE method, and that is what I find so, er,
complex.

Put another way (to spare anyone having to retype what has doubtless been
revisited millions of times before) . . . do you have a link to somewhere
that spells out how to perform the Microsoft Console method, using Console,
in terms more easily comprehensible by a home user than the MS Help file
offers? I can research this on Microsoft, but I fear I will just be looking
at the same instructions (and not be able to understand them, or more
precisely execute the correct SEQUENCE of steps to remove a Service the
"clean" way).

Thank you so much.

And I'll certainly follow through with the Virus groups, as well -- but this
really has to do with removing a Service generally.

MC
 
Dave Patrick

Yes it will. The Reg_Sz string 'DisplayName' is the text you see in the
services.msc console. You can also do it from the command line.

sc delete "service name"

You can get sc.exe (service controller tool) here.
ftp://ftp.microsoft.com/reskit/win2000/

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thank you Mr. Patrick. Will __just__ deleting the Key remove it from my
| Services listed? This is what confuses me I admit, because obviously I can
| quickly go into the Registry . . . but Windows Help advised that I am
| supposed to do this the CONSOLE method, and that is what I find so, er,
| complex.
|
| Put another way (to spare anyone having to retype what has doubtless been
| revisited millions of times before) . . . do you have a link to somewhere
| that spells out how to perform the Microsoft Console method, using Console,
| in terms more easily comprehensible by a home user than the MS Help file
| offers? I can research this on Microsoft, but I fear I will just be looking
| at the same instructions (and not be able to understand them, or more
| precisely execute the correct SEQUENCE of steps to remove a Service the
| "clean" way).
|
| Thank you so much.
|
| And I'll certainly follow through with the Virus groups, as well -- but this
| really has to do with removing a Service generally.
|
| MC
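
The steps Dave Patrick describes above (find the subkey under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services whose DisplayName matches, then `sc delete` it), as an added example that is not part of the original thread. It assumes a current Windows system with PowerShell and the built-in sc.exe and reg.exe rather than the Windows 2000 machine discussed here; `$backupDir` is an assumed path.

```powershell
# Added example: locate a service by its DisplayName, back up its key, then delete it.
# Run from an elevated prompt. $displayName is the string quoted in the thread;
# $backupDir is an assumed location for the registry backup.
$displayName  = 'Remote Procedure Call (RPC) Remote'
$backupDir    = 'C:\ServiceBackup'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# sc.exe expects the subkey name, not the DisplayName shown in services.msc.
# Exact match only, so the genuine "Remote Procedure Call (RPC)" service is never selected.
$found = @(Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue | Where-Object {
    $_.GetValue('DisplayName') -eq $displayName
})
if ($found.Count -ne 1) {
    throw "Expected exactly one service named '$displayName', found $($found.Count)."
}
$name = $found[0].PSChildName

# Record which file the service launches, so it can be removed once the key is gone.
$imagePath = $found[0].GetValue('ImagePath')
Write-Host "Service key: $name"
Write-Host "ImagePath  : $imagePath"

# Keep a copy of the key in case the wrong entry was picked.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$name" "$backupDir\$name.reg" /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup failed; nothing was deleted." }

# In Windows PowerShell, plain "sc" is an alias for Set-Content, so call sc.exe explicitly.
sc.exe stop $name | Out-Null      # returns an error if already stopped or disabled; safe to ignore
sc.exe delete $name
if ($LASTEXITCODE -ne 0) { throw "sc.exe delete returned $LASTEXITCODE." }

# If a handle is still open (the Services console, for example) the service is only
# marked for deletion and goes away once the handle closes or the machine reboots.
if (Test-Path "$servicesRoot\$name") {
    Write-Host "Key still present: close the Services console or reboot, then check again."
} else {
    Write-Host "Service '$name' removed. Delete the file shown in ImagePath next."
}
```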
 
Guest

Thank you so much! Can I ask one other (unrelated) question that you might
quickly know the answer to. I misplaced my instruction for redesignating
the -->>DEFAULT DIRECTORY for Windows 2000 (eg. "Open ~"). I know the key(s)
are somewhere in the Registry -- I have 6 hard drives and just want to set it
up to go to one by default. Thanks!

MC
 
Dave Patrick

Edit the shortcut's 'Target' to read;
%systemroot%\explorer.exe /e,C:\
Where C:\ is the drive or directory you wish to expand.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thank you so much! Can I ask one other (unrelated) question that you might
| quickly know the answer to. I misplaced my instruction for redesignating
| the -->>DEFAULT DIRECTORY for Windows 2000 (eg. "Open ~"). I know the key(s)
| are somewhere in the Registry -- I have 6 hard drives and just want to set it
| up to go to one by default. Thanks!
|
| MC
 
Guest

I guess I wasn't clear on that. I want to change the default FOLDER that is
opened when you perform FILE \ OPEN ~ from applications using the default --
in other words, the C:\XXXXX\YYYYYYY\ZZZZZZ\My Documents directory -- to (a
different) drive and directory.

MC
 
Dave Patrick

That is an application specific setting so look for the option within the
application. Example for Excel Tools|Options|General|Default file location

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| I guess I wasn't clear on that. I want to change the default FOLDER that is
| opened when you perform FILE \ OPEN ~ from applications using the default --
| in other words, the C:\XXXXX\YYYYYYY\ZZZZZZ\My Documents directory -- to (a
| different) drive and directory.
|
| MC
 
David H. Lipman

From: "MISS CHIEVOUS" <[email protected]>

| I already have and use AV software. If you Google this virus you'll see that
| it is able to get past Norton (and a good many others). The only fix that
| works is the one I've posted -- but the last remaining step is one NOT
| EXCLUSIVE to virus issues, but rather, how (generally) to remove a service
| from the Services listing of Windows 2000 Professional.
|
| I'll ask it again -- would anyone care to help me do this STEP-BY-STEP?
| Thank you.
|
| MC

You have NAV and you got infected -- Right ?
So NAV didn't help.

The reason I wrote the Multi AV Scanning Tool is because of a need to remove malware. The
reason I include four different AV vendor command line scanners is because one may catch
what another may miss. Additionally three are pure command line scanners that can be used
within the OS or outside the OS. Thus there are multiple ways to clean the PC; Normal
Mode, Safe Mode, Safe Mode with Command Prompt and Booting from a DOS Disk/DOS Disk with
NTFS4DOS.

My tool is NOT a substitute for a fully installed AV solution that performs not "On Access"
and "On Demand" scanning. My tool only offers 4 different AV vendor "On Demand" scanners
for malware removal. It supplements AV software that is installed; it does not replace it.

Your mind is closed. Please open it.
When you ask for help and someone offers it, you need to fully understand what is being
offered PRIOR to denying it.
 
Guest

Hi again Mr. Patrick. Yes I know I can set that individually; but I was
looking for the Registry hack (or is there NONE? :( for something like this
http://support.microsoft.com/kb/235356/en-us

I could have sworn there was a hack for this for Windows 2000, such that
(for example) if a default directory had not (yet) been established for the
application seeking to OPEN a file, Windows would use what was in the
Registry Default (MY DOCUMENTS, in other words) . . . and I thought I could
change that globally?

Anyway, this is apparently a more complex issue, so I'll start a new thread
on it if after I've Googled it I still cannot come up with the KEY that holds
this string.

MC
 
Dave Patrick

:
| Hi again Mr. Patrick. Yes I know I can set that individually; but I was
| looking for the Registry hack (or is there NONE?
*** There isn't one. This is an application specific issue.


| :( for something like this
| http://support.microsoft.com/kb/235356/en-us
*** That's more or less what I gave you.


| I could have sworn there was a hack for this for Windows 2000, such that
| (for example) if a default directory had not (yet) been established for the
| application seeking to OPEN a file, Windows would use what was in the
| Registry Default (MY DOCUMENTS, in other words) . . . and I thought I could
| change that globally?
*** Right-click My Documents|Properties|Target|Move

But be aware with any file move that if something happens during the move
then files may be lost. So backup beforehand.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
Gary Smith

MISS CHIEVOUS said:
It's a \SHELL key if I remember. No big deal, I can look it up. Thanks!

If you're talking about
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User
Shell Folders, changing the Personal value under those keys will move or
rename the My Documents folder, but that doesn't necessarily change the
default location used by applications. It depends on how they are
written.
 
