
flrman1's cwsserviceremove.zip file

Discussion in 'Virus & Other Malware Removal' started by FZWG, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Appreciate some assistance.

    Was looking at the excellent guidance flrman1 provided on this thread:
    http://forums.techguy.org/t266349&highlight=GetService.html
    to get rid of this CWS variant: res://C:\WINDOWS\eszwm.dll/sp.html#27859

    Would appreciate knowing what cwsserviceremove.zip does.

    Is it used to remove Service entries like the following:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3



    Or, does it remove entries like the following:


    REGEDIT4


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]


    Thank you very much for your help.
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    If you open it up in Notepad (right click, select "edit"), you will see this:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3\0000]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O???rtñåȲ$Ó]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#????õØ´â]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O???rtñåȲ$Ó]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\½O.#????õØ´â]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O???rtñåȲ$Ó]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\½O.#????õØ´â]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O???rtñåȲ$Ó]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\½O.#????õØ´â]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY___NS_SERVICE_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Image"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Image"=-

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Image"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "Image"=-

    [-HKEY_CLASSES_ROOT\Image.Image]

    [-HKEY_CLASSES_ROOT\Image.Image.1]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Image.Image.1]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""




    >> so you can see, it does both.
     
  3. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    :) Thanks, Rollin' Rog.

    Was wondering what it did, but had not downloaded it.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  5. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Need a little more assistance...trying to understand a few things, and flrman1's solution to this hijacker is excellent.

    If the 'malignant' Service is Workstation NetLogon Service, or Remote Procedure Call (RPC) Helper, or something else, does cwsserviceremove.zip still apply?

    Aren't these 4 entries only referring to Network Security Service:
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY___NS_SERVICE_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\__NS_Service_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]

    Could the above 4 entries in cwsserviceremove.zip be modified, and a Reg merge done with whatever Service?

    Thanks in advance for the help.
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    That's a very good question. The important thing is not the "display name", which is what you would see in the Administrative Tools services dialog, but the actual "service name" which often looks something like this:

    ½O.#????õØ´â

    If that service name matches up with what is in the reg file, it will be removed. I've seen some though that do not.

    The most important thing is that the service be "disabled". Once that happens, the driver associated with it is no longer loaded and can be manually deleted. However, the service will still be listed and show up in the "currentcontrolset" services key in the registry. It can be manually located there and deleted for complete cleaning.
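    Added example, not from the thread or from flrman1's file: a small Python parser for .reg files in the syntax quoted above. summarize() shows that one file both deletes service/Enum keys and removes Uninstall and Run entries (the "it does both" answer), and check_services() shows that a service is only removed when its exact service name, not its display name, appears in the file. SAMPLE_REG and INSTALLED are constructed sample data.

```python
import re
from collections import Counter
# Constructed .reg excerpt in the syntax of the file quoted above; it is NOT the
# real cwsserviceremove.reg. INSTALLED below is constructed sample data as well.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_SERVICE_3]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Image"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
"""
KEY_RE, VALUE_RE = re.compile(r"\[(-?)(.+)\]"), re.compile(r'"(.*?)"=(.*)')
BUCKETS = [("\\enum\\root\\legacy_", "legacy_enum"), ("\\services\\", "service"),
           ("\\uninstall\\", "uninstall"), ("\\run", "autorun")]

def parse_reg(text):
    """(op, key, value_name) tuples; op is delete_key, delete_value or set_value."""
    ops, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        m = KEY_RE.fullmatch(line)
        if m:                                    # [KEY] header; [-KEY] deletes it
            key = m.group(2)
            if m.group(1):
                ops.append(("delete_key", key, None))
        elif (m := VALUE_RE.fullmatch(line)) and key:   # "name"=- deletes a value
            name, val = m.groups()
            ops.append(("delete_value" if val == "-" else "set_value", key, name))
    return ops
def summarize(text):
    """Counter of (op, bucket): shows in one pass that the file removes service
    keys, LEGACY_* Enum entries and Uninstall entries and blanks autorun values."""
    bucket = lambda k: next((b for p, b in BUCKETS if p in k.lower()), "other")
    return Counter((op, bucket(key)) for op, key, _ in parse_reg(text))
def check_services(text, installed):
    """installed: {service_name: display_name}. Only an exact (case-insensitive)
    service-name match is removed; the console's display name plays no part."""
    targets = set()
    for op, key, _ in parse_reg(text):
        m = re.search(r"\\services\\([^\\]+)$", key, re.I)
        if op == "delete_key" and m:
            targets.add(m.group(1).lower())
    return {name: name.lower() in targets for name in installed}

# Constructed: one service the file covers, one CWS-style name it does not
# (disable it, then delete its Services key by hand), one legitimate service.
INSTALLED = {"__NS_Service_3": "Network Security Service", "LanmanWorkstation":
             "Workstation", "\u00bdO.#rt\u00f1\u00e5": "Workstation NetLogon Service"}
```

Run against a real exported .reg file, the same two functions tell you what the file will touch before you merge it, and which leftover service keys still need manual removal afterwards.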
     
  7. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Thanks for the explanation, Rollin' Rog.

    Would one be correct in assuming that:

    If the hijack Service is Network Security Service (NSS), then cwsserviceremove.zip is OK to use.

    However, have seen cwsserviceremove.zip used when the Service is:
    SERVICE_NAME: O?’ŽrtñåȲ$Ó
    Workstation NetLogon Service

    SERVICE_NAME: O?’ŽrtñåȲ$Ó
    Remote Procedure Call (RPC) Helper

    Could it be used regardless of the Service?

    Also, is this the website where cwsserviceremove.zip is obtained:
    http://d21c.com/Tom41/cwsserviceremove.reg
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I've only recently started using it, having had users in the past manually search the "services" key to find what to be removed.

    In the few times that I have used it, once without the actual service entry name being present in the reg file (the one with the funny characters), there have been no problems.

    If the entries being targeted by the reg file are not found in the registry, nothing happens. At least that's the way it's supposed to be.
     
  9. FZWG

    FZWG Thread Starter

    Joined:
    Dec 17, 2000
    Messages:
    974
    Got it!!

    Thank you.

    Have a great Labor Day holiday!!
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    (y) Cheers! You're welcome :)
     

Short URL to this thread: https://techguy.org/269405