Phantom service?

[needlove]

Hello,

I was browsing the Event Log trying to find a clue to a recent BSOD and came
across this service I have never seen before:

"Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 12/3/2005
Time: 9:07:39 AM
User: OWNER\Captian
Computer: OWNER
Description:
The KWY service was successfully sent a start control."

It started successfully and stopped successfully after less than two
minutes.

I could not find any other entry for this service in the event log. I could
not find any information on google about the service so I ran several scans;
virus, worm, trojan, keylogger, rootkit, malware/adware... all clean. I
searched my hard drives for "KWY" and found nothing. Its not listed in
startup programs, services or proccesses. No other logged event coincides
with this one and the BSOD happened hours after this event and was more
likely due to faulty or conflicting drivers.

Any ideas as to what this service is and does?

 

[Heirloom]

Open Start, Run, in the dialog box type: SERVICES.MSC and click on run.
See if you can locate anything to do with KWY. Like you, I could not find
anything on Google (or Groups). Another option would be to dl'd Process
Explorer, free, from www.sysinternals.com . This is a terrific free process
viewer and will show you everything running on your machine and the amount
of cpu usage in % in real time. It has a lot of other nifty features as
well.
Heirloom, old and let us know
what you find

 

[Ramesh, MS-MVP]

Type in Start, Run:

CMD /K SC QC KWY

This will give you more information about the Service / driver. Given below
is the general information on removing an unwanted / Malware service:

First, use the "SC DELETE <...>" Command-line, or follow the instructions to
remove a Service / driver from the registry directly.

If that does not help, or if you want to remove a service manually from the
registry, read below:

The Service and driver entries are present under this registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

Each sub-key represents a driver or a Service. To modify/delete a 3rd party
service, click Start, Run and type REGEDIT to open the Registry Editor and
navigate to the above location.You should be able to identify them easily by
reading the "DisplayName" and "ImagePath" fields in the right-pane in the
Registry Editor.

Note: Before modifying / removing a Service, create a System Restore point
or a complete Registry backup, just in case something happens.

[ERUNT] Registry Backup and Restore for Windows
http://www.larshederer.homepage.t-online.de/erunt/

[ERUNT Download URLs]
http://www.aumha.org/downloads/erunt.zip
http://www.aumha.org/downloads/erunt-setup.exe

[Installing & Using ERUNT]
http://www.silentrunners.org/sr_eruntuse.html
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

--
Ramesh, Microsoft MVP
Windows XP Shell/User

Windows XP Troubleshooting
http://www.winhelponline.com

 

[needlove]

I did what you said and KWY doesn't exist as an installed sevice. It was
also not listed under services in the registry hive you specified. I used
"find" to seach the entire registry for KWY and only found what I had typed
in the run box.
This really is a phantom cause I've got three events showing it started, ran
and stopped.

Type in Start, Run:

CMD /K SC QC KWY

This will give you more information about the Service / driver. Given
below is the general information on removing an unwanted / Malware
service:

First, use the "SC DELETE <...>" Command-line, or follow the instructions
to remove a Service / driver from the registry directly.

If that does not help, or if you want to remove a service manually from
the registry, read below:

The Service and driver entries are present under this registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

Each sub-key represents a driver or a Service. To modify/delete a 3rd
party
service, click Start, Run and type REGEDIT to open the Registry Editor and
navigate to the above location.You should be able to identify them easily
by
reading the "DisplayName" and "ImagePath" fields in the right-pane in the
Registry Editor.

Note: Before modifying / removing a Service, create a System Restore
point
or a complete Registry backup, just in case something happens.

[ERUNT] Registry Backup and Restore for Windows
http://www.larshederer.homepage.t-online.de/erunt/

[ERUNT Download URLs]
http://www.aumha.org/downloads/erunt.zip
http://www.aumha.org/downloads/erunt-setup.exe

[Installing & Using ERUNT]
http://www.silentrunners.org/sr_eruntuse.html
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

--
Ramesh, Microsoft MVP
Windows XP Shell/User

Windows XP Troubleshooting
http://www.winhelponline.com

Hello,

I was browsing the Event Log trying to find a clue to a recent BSOD and
came across this service I have never seen before:

"Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 12/3/2005
Time: 9:07:39 AM
User: OWNER\Captian
Computer: OWNER
Description:
The KWY service was successfully sent a start control."

It started successfully and stopped successfully after less than two
minutes.

I could not find any other entry for this service in the event log. I
could not find any information on google about the service so I ran
several scans; virus, worm, trojan, keylogger, rootkit, malware/adware...
all clean. I searched my hard drives for "KWY" and found nothing. Its not
listed in startup programs, services or proccesses. No other logged event
coincides with this one and the BSOD happened hours after this event and
was more likely due to faulty or conflicting drivers.

Any ideas as to what this service is and does?

 

[Ramesh, MS-MVP]

See if editing the registry offline can help. You'll need to use the BartPE
boot CD, or have an parallel installation of Windows XP.

BartPE - Offline registry editing example is here.

How to edit the registry offline using BartPE boot CD ?:
http://windowsxp.mvps.org/peboot.htm

--
Ramesh, Microsoft MVP
Windows XP Shell/User

Windows XP Troubleshooting
http://www.winhelponline.com

 

[needlove]

Great thanks!
BartPE sounds really cool...beats the heck out using the recovery console.
I'll make a disk and give it a shot but first I need to back up everything
to my other drive.