Remove viruses hidden in Vista system services


First, what is a Windows service

A Windows service (also written Windows Service) is a foundation of the Windows operating system and of Windows networking. Services are part of the core of the system and keep the whole of Windows running: the DNS Client, the Print Spooler, Windows Update, Task Scheduler, Windows Time and so on all decide whether the machine works correctly. If these services are mismanaged, the machine stops running normally.

Technically a service is either a Win32 executable or a .dll loaded into a host process (Windows hosts its own service DLLs in svchost.exe; the rogue entries later in this article register rundll32.exe or a look-alike host name instead). Unlike an ordinary application such as Word, a service has no user interface, and it cannot be started by double-clicking its .exe: it is started on request by the Service Control Manager.

Second, how does Windows control a service?

Services are managed by services.exe, the Service Control Manager (SCM): every start, stop, pause and resume request goes through it. The most common way to perform these operations is the Services MMC snap-in.

In Windows 7, click the Start menu, type "Services" in the search box and double-click the first result to open Services management. In Vista and XP (and in Windows 7 as well) you can also open it by running services.msc.


Third, how to delete Windows services

Rogue software increasingly registers itself as a service. In a HijackThis-style scan log, services that are not part of Windows are listed as O23 entries, as in the following excerpt:

O23 - Unknown - Service: BKMARKS [Provides a data security protection mechanism for the transport protocol, effectively maintaining security and integrity in data transmission.] - C:\WINDOWS\SYSTEM32\RUNDLL.EXE

O23 - Unknown - Service: ewido anti-spyware 4.0 guard [ewido anti-spyware 4.0 guard] - D:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Unknown - Service: KSD2Service [KSD2Service] - C:\WINDOWS\system32\SVCH0ST.exe

For such rogue software you must either delete the relevant .exe so that it can no longer run, or remove the service registration itself so that it is not started again at the next reboot. Judge each entry with care: an O23 entry only means the service is not Microsoft's, not that it is malicious (the ewido anti-spyware guard above is a legitimate product), whereas a file named SVCH0ST.exe (a zero in place of the letter o, sitting in system32 next to the real svchost.exe) and a service that runs straight out of RUNDLL.EXE are the kind of tell-tale signs that warrant removal.
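The following PowerShell script is an added example and not part of the original article. It lists every registered service in the O23 style shown above and flags the warning signs the article describes: a look-alike host name such as SVCH0ST.exe, rundll/rundll32 registered directly as the service binary, a binary that is missing from disk or lives outside the Windows and Program Files trees, and a binary without a valid Authenticode signature. The flag rules and the output format are my own choice; run it from an elevated PowerShell prompt (PowerShell 2.0 on Vista/7 is enough).

```powershell
# Added example: enumerate services the way an O23 log does and flag suspicious ones.
# Requires an elevated prompt so that every service's binary can be read for its signature.

$windir  = $env:SystemRoot                              # e.g. C:\Windows
$trusted = @("$windir\", "${env:ProgramFiles}\")        # roots where service binaries are expected

function Get-ServiceBinary {
    # Extract the executable from a service command line such as
    #   "C:\Windows\system32\svchost.exe -k netsvcs"   or   "C:\Program Files\x\guard.exe" -service
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
    return $CommandLine
}

function Test-SuspiciousService {
    # Returns an array of flag strings; an empty array means nothing looked odd.
    param($Service)
    $flags = @()
    if (-not $Service.PathName) { return @('no-binary-path') }

    $exe  = Get-ServiceBinary $Service.PathName
    $leaf = [System.IO.Path]::GetFileName($exe).ToLower()

    # 1. Look-alike host names: a zero instead of the letter o (SVCH0ST.exe), or
    #    rundll/rundll32 registered as the service binary itself.
    if ($leaf -eq 'svch0st.exe')           { $flags += 'lookalike-svchost' }
    if ($leaf -match '^rundll(32)?\.exe$')  { $flags += 'rundll-as-service' }

    # 2. Binary gone from disk (a leftover registration) or outside the usual roots.
    if (-not (Test-Path -LiteralPath $exe)) {
        $flags += 'binary-missing'
        return $flags
    }
    $inTrusted = $false
    foreach ($root in $trusted) {
        if ($exe.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
    }
    if (-not $inTrusted) { $flags += 'unusual-location' }

    # 3. Authenticode check: Microsoft's own service binaries are signed, so an unsigned
    #    file in system32 deserves a second look. Third-party software may be unsigned too.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
    return $flags
}

# Win32_Service covers user-mode services only (drivers are Win32_SystemDriver).
foreach ($svc in (Get-WmiObject -Class Win32_Service | Sort-Object Name)) {
    $flags = @(Test-SuspiciousService $svc)
    $tag   = if ($flags.Count -gt 0) { '  !! ' + ($flags -join ',') } else { '' }
    # O23 - <start mode> - Service: <name> [<display name>] - <command line>   <flags>
    "O23 - {0} - Service: {1} [{2}] - {3}{4}" -f $svc.StartMode, $svc.Name, $svc.DisplayName, $svc.PathName, $tag
}
```

The flags are hints, not verdicts: a legitimate product installed on another drive (the ewido guard on D:\ above) is reported as unusual-location, while a signed Microsoft host like svchost.exe passes every rule even when a malicious service DLL is loaded into it. Use the output to decide what to look at, then check the publisher and the file before deleting anything.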

There are two ways to delete:

Method 1: Use the sc.exe Windows command

Click the Start menu -> All Programs -> Accessories, right-click Command Prompt and choose "Run as administrator".


This opens a command prompt with administrative rights. Type sc followed by its arguments; the syntax is simple:

sc delete "Service name" (if the service name contains spaces, enclose it in double quotes)

The name is the short service (key) name shown in the O23 line, not the display name; sc GetKeyName "Display Name" translates one into the other. Stop the service first with sc stop: a service deleted while it is still running is only marked for deletion and disappears after the next reboot.

For the example above: sc stop KSD2Service, then sc delete KSD2Service

For details on the sc command, see the appendix at the end of this article.

Method 2: Direct Registry Editing (not recommended)

Open the Registry Editor (regedit) and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Each service has a subkey here with the same name as the service; deleting that subkey removes the service, effective after a reboot. This bypasses the Service Control Manager entirely, which is why method 1 is preferred.

Fourth, special circumstances

1. If the service's binary is rundll32.exe and that file is located in the system32 directory, do not delete rundll32.exe: it is a Windows system file. Just remove the service registration (and the .dll it was told to load). Check the exact file name, because malware uses look-alike names in the same directory (SVCH0ST.exe, RUNDLL.EXE).

2. If a deleted service is automatically re-created, another process is watching over it and restoring it. Kill the corresponding process in Task Manager first, or press F8 during startup to boot Win7/Vista into Safe Mode and delete the service there.
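The following PowerShell script is an added example, not code from the original article. It carries out the removal described in method 1 and the two special cases above in the right order: record what the service runs, stop it, kill its own process if it will not stop (but never a shared host such as svchost.exe), delete the registration with sc delete, and then check whether the registry key has come back, which is the sign of a guard process that calls for Safe Mode. The service name KSD2Service is the placeholder from the log above; run the script from an elevated PowerShell prompt.

```powershell
# Added example: remove a rogue service and detect the "it comes back" case.
# Usage (elevated): .\Remove-RogueService.ps1 -Name KSD2Service
param([string]$Name = 'KSD2Service')   # hypothetical service name taken from the O23 log above

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
if (-not $svc) { throw "No service named $Name is registered." }

# 1. Record what the service runs before touching it; keep the path for the file clean-up.
"Binary    : $($svc.PathName)"
"Start mode: $($svc.StartMode)   State: $($svc.State)   PID: $($svc.ProcessId)"
sc.exe qc $Name                        # same information as the SCM sees it

# 2. Stop the service. 'sc delete' on a running service only marks it for deletion
#    until the next reboot, so stop it first and give the SCM a moment.
if ($svc.State -ne 'Stopped') {
    sc.exe stop $Name | Out-Null
    Start-Sleep -Seconds 3
}

# 3. Special case 2: a service that refuses to stop is killed by PID. Never kill a shared
#    host (svchost.exe) or services.exe by name; that takes down legitimate services too.
$servicePid = (Get-WmiObject -Class Win32_Service -Filter "Name='$Name'").ProcessId
if ($servicePid -and $servicePid -ne 0) {
    $proc = Get-Process -Id $servicePid -ErrorAction SilentlyContinue
    if ($proc -and (@('svchost', 'services') -notcontains $proc.Name)) {
        "Service still running as PID $servicePid ($($proc.Name)); killing it."
        Stop-Process -Id $servicePid -Force
        Start-Sleep -Seconds 2
    }
}

# 4. Delete the registration through the SCM (method 1), not by editing the registry.
sc.exe delete $Name
if ($LASTEXITCODE -ne 0) { throw "sc delete $Name failed with exit code $LASTEXITCODE" }

# 5. Verify. The key under HKLM\SYSTEM\CurrentControlSet\Services should be gone once no
#    handle is open on the service. If it is still there, either close services.msc and
#    reboot, or a watchdog has re-created it: boot into Safe Mode (F8) and repeat.
Start-Sleep -Seconds 5
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
if (Test-Path -LiteralPath $key) {
    "Key $key still exists. If it survives a reboot, a guard process restores it; remove it from Safe Mode."
} else {
    "Service $Name removed. Now deal with its binary: $($svc.PathName)"
}
```

Special case 1 is covered by step 5's closing line: the script reports the binary but deliberately does not delete it, because for a rundll32.exe-based service the file to remove is the .dll named in the command line, not the Windows host executable.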

Appendix: SC command-line program parameters in detail

Description: SC is a command-line program used for communicating with the Service Control Manager and services.

Usage: sc <server> [command] [service name] <option1> <option2>...

The option <server> has the form "\\ServerName". Further help on a command can be obtained by typing "sc [command]".

Commands:

query - Query the status of a service, or enumerate the status of types of services.
queryex - Query the extended status of a service, or enumerate the status of types of services.
start - Start a service.
pause - Send a PAUSE control request to a service.
interrogate - Send an INTERROGATE control request to a service.
continue - Send a CONTINUE control request to a service.
stop - Send a STOP request to a service.
config - Change the configuration of a service (persistent).
description - Change the description of a service.
failure - Change the actions taken by a service upon failure.
failureflag - Change the failure actions flag of a service.
sidtype - Change the service SID type of a service.
privs - Change the required privileges of a service.
qc - Query the configuration information for a service.
qdescription - Query the description of a service.
qfailure - Query the actions taken by a service upon failure.
qfailureflag - Query the failure actions flag of a service.
qsidtype - Query the service SID type of a service.
qprivs - Query the required privileges of a service.
qtriggerinfo - Query the trigger parameters of a service.
qpreferrednode - Query the preferred NUMA node of a service.
delete - Delete a service (from the registry).
create - Create a service (add it to the registry).
control - Send a control to a service.
sdshow - Display the security descriptor of a service.
sdset - Set the security descriptor of a service.
showsid - Display the service SID string corresponding to an arbitrary name.
triggerinfo - Configure the trigger parameters of a service.
preferrednode - Set the preferred NUMA node of a service.
GetDisplayName - Get the DisplayName of a service.
GetKeyName - Get the ServiceKeyName of a service.
EnumDepend - Enumerate the dependencies of a service.

The list above is the Windows 7 version of sc; the trigger and NUMA commands (qtriggerinfo, qpreferrednode, triggerinfo, preferrednode) are not present in the Vista and XP versions.

The following commands do not require a service name: sc <server> <command> <option>

boot (ok

Copyright © Windows knowledge All Rights Reserved