flrman1's cwsserviceremove.zip file

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

FZWG

Thread Starter
Joined
Dec 17, 2000
Messages
974
Appreciate some assistance.

Was looking at the excellent guidance flrman1 provided on this thread:
http://forums.techguy.org/t266349&highlight=GetService.html
to get rid of this CWS variant: res://C:\WINDOWS\eszwm.dll/sp.html#27859

Would appreciate knowing what cwsserviceremove.zip does.

Is it used to remove Service entries like the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3



Or, does it remove entries like the following:


REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


Thank you very much for your help.
 
Joined
Dec 9, 2000
Messages
45,855
If you open it up in Notepad (right click, select "edit"), you will see this:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O???rtñåȲ$Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#????õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O???rtñåȲ$Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\½O.#????õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O???rtñåȲ$Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\½O.#????õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O???rtñåȲ$Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\½O.#????õØ´â]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY___NS_SERVICE_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Image"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Image"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Image"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Image"=-

[-HKEY_CLASSES_ROOT\Image.Image]

[-HKEY_CLASSES_ROOT\Image.Image.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""




>> so you can see, it does both.
 

FZWG

Thread Starter
Joined
Dec 17, 2000
Messages
974
:) Thanks Rollin'Rog.

Was wondering what it did, but had not downloaded it.
 

FZWG

Thread Starter
Joined
Dec 17, 2000
Messages
974
Need a little more assistance...trying to understand a few things, and flrman1's solution to this hijacker is excellent.

If the 'malignant' Service is Workstation NetLogon Service, or Remote Procedure Call (RPC) Helper, or something else, does cwsserviceremove.zip still apply?

Aren't these 4 entries only referring to Network Security Service:
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY___NS_SERVICE_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]

Could the above 4 entries in cwsserviceremove.zip be modified, and a Reg merge done with whatever Service?

Thanks in advance for the help.
 
Joined
Dec 9, 2000
Messages
45,855
That's a very good question. The important thing is not the "display name", which is what you would see in the Administrative Tools services dialog, but the actual "service name" which often looks something like this:

½O.#????õØ´â

If that service name matches up with what is in the reg file, it will be removed. I've seen some though that do not.

The most important thing is that the service be "disabled". Once that happens the driver associated with it is no longer loaded and can be manually deleted. However the service will still be listed and show up in the "currentcontrolset" services key in the registry. It can be manually located there and deleted for complete cleaning.
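
Added example (not part of the thread, and not the cwsserviceremove file's own tooling): a small Python audit of a .reg file's text before merging it, covering both the file listing quoted earlier and the service-name point made in this reply. It separates key deletions (`[-KEY]`) from value deletions (`"name"=-`) and value writes, then checks whether a given service name, as opposed to a display name, is among the deleted `Services` keys. The sample text is constructed in the shape of the quoted file, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the .reg file quoted in the thread (not the full file).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Image"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
'''

VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')
SERVICE_KEY = re.compile(
    r'\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$', re.I)

def audit_reg(text):
    """Split a .reg file's text into (deleted_keys, deleted_values, set_values)."""
    deleted_keys, deleted_values, set_values = [], [], []
    current = None                      # key that following value lines belong to
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith('[-') and line.endswith(']'):
            deleted_keys.append(line[2:-1])   # [-KEY] removes the key and all subkeys
            current = None
        elif line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
        elif current and (m := VALUE.match(line)):
            name, data = m.group(1), m.group(2)
            if data == '-':                   # "name"=- removes just that value
                deleted_values.append((current, name))
            else:
                set_values.append((current, name, data))
    return deleted_keys, deleted_values, set_values

def targeted_services(deleted_keys):
    """Service names (key names, not display names) whose Services key is deleted."""
    found = (SERVICE_KEY.search(k) for k in deleted_keys)
    return {m.group(1).casefold() for m in found if m}

def covers_service(text, service_name):
    """True if the .reg text deletes the Services key for this exact service name."""
    return service_name.casefold() in targeted_services(audit_reg(text)[0])
```

Files with the "Windows Registry Editor Version 5.00" header are normally saved as UTF-16, so decode the file accordingly before passing its text in; otherwise service names containing non-ASCII characters will not compare correctly.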
 

FZWG

Thread Starter
Joined
Dec 17, 2000
Messages
974
Thanks for the explanation Rollin'Rog.

Would one be correct in assuming that:

If the hijack Service is Network Security Service (NSS), then cwsserviceremove.zip is OK to use.

However, have seen cwsserviceremove.zip used when the Service is:
SERVICE_NAME: O?’ŽrtñåȲ$Ó
Workstation NetLogon Service

SERVICE_NAME: O?’ŽrtñåȲ$Ó
Remote Procedure Call (RPC) Helper

Could it be used regardless of the Service?

Also, is this the website where cwsserviceremove.zip is obtained:
http://d21c.com/Tom41/cwsserviceremove.reg
 
Joined
Dec 9, 2000
Messages
45,855
I've only recently started using it, having had users in the past manually search the "services" key to find what to be removed.

In the few times that I have used it, once without the actual service entry name being present in the reg file (the one with the funny characters), there have been no problems.

If the entries being targeted by the reg file are not found in the registry, nothing happens. At least that's the way it's supposed to be.
 

FZWG

Thread Starter
Joined
Dec 17, 2000
Messages
974
Got it!!

Thank you.

Have a great Labor Day holiday!!
 