How do I remove a virus hidden as a Windows 7 system service?

Source: Internet
Author: User
Tags: safe mode, win32

I. What is a Windows service?

Windows services (Windows Service) are a foundation of the Windows operating system and of Windows networking; they are part of the core of the system and support a wide range of operations across Windows. Services such as the DNS Client, the print spooler, Windows Update, Task Scheduler and Windows Time determine whether the machine works correctly; if they are not managed properly, the normal operation of the machine suffers.

A service is, first of all, a Win32 executable, or a process created by rundll32.exe loading a .dll. Unlike an ordinary application such as Word, which shows a window when opened, a service has no user interface, and you cannot run the corresponding .exe simply by double-clicking it.

II. How does Windows control a service?

Windows services are managed by a higher-level process, services.exe (the Service Control Manager), which starts, stops, runs and pauses them. The most common way to perform these operations is through the Services MMC snap-in.

In Windows 7, click the Start menu, type "services" in the search box, and double-click the first result to open Services management.

III. How to remove a Windows service

Rogue software increasingly registers itself as a service. Services that do not belong to Windows are typically listed under O23 in a scanner's log, as in the following excerpt:

O23 - Unknown - Service: bkmarks [provides the data security mechanism of the transport protocol to effectively maintain the safety and integrity of the data transmission.] - C:\windows\system32\rundll.exe

O23 - Unknown - Service: ewido anti-spyware 4.0 guard [ewido anti-spyware 4.0 guard] - D:\program files\ewido anti-spyware 4.0\guard.exe

O23 - Unknown - Service: ksd2service [ksd2service] - C:\windows\system32\svch0st.exe

To deal with such rogue software, either delete the corresponding .exe file so that it can no longer run, or remove the service itself so that it is not started again when the computer reboots.
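As an added triage example (not code from the original article), the following Python parses O23 entries in the format quoted above, flags binaries whose names are near-misses of Windows system binaries (svch0st.exe, rundll.exe) or that are of unknown origin and live outside the Windows system directories, and builds the sc delete command described under Method One, quoting names that contain spaces. The line regex, the sample entries and the list of imitated binaries are assumptions made for this example.

```python
import re
import ntpath
# Constructed sample in the O23 log format quoted above (backslashes restored; last line is a clean entry).
SAMPLE_O23 = """\
O23 - Unknown - Service: bkmarks [provides the data security mechanism] - C:\\windows\\system32\\rundll.exe
O23 - Unknown - Service: ewido anti-spyware 4.0 guard [ewido anti-spyware 4.0 guard] - D:\\program files\\ewido anti-spyware 4.0\\guard.exe
O23 - Unknown - Service: ksd2service [ksd2service] - C:\\windows\\system32\\svch0st.exe
O23 - Service: EventLog [Windows Event Log] - C:\\Windows\\System32\\svchost.exe
"""
# Assumed line shape: "O23 - <status> - Service: <name> [<display name>] - <binary path>" (status optional).
O23_RE = re.compile(r"^O23\s*-\s*(?:(?P<status>\w+)\s*-\s*)?Service:\s*(?P<name>[^\[]+?)\s*\[(?P<display>[^\]]*)\]\s*-\s*(?P<path>.+?)\s*$")
# System binaries that rogue services imitate (the article's examples: svch0st.exe, rundll.exe).
SYSTEM_BINARIES = ("svchost.exe", "rundll32.exe", "services.exe", "lsass.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def edit_distance(a, b):  # Levenshtein distance, used to spot look-alike file names
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_o23(text):
    """Yield (status, name, display, path) per O23 line; lines in any other format are skipped."""
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            yield m.group("status") or "", m.group("name"), m.group("display"), m.group("path")

def findings_for(status, path):
    """Reasons this service deserves a closer look; an empty list means nothing looked odd."""
    reasons, exe = [], ntpath.basename(path).lower()
    if exe not in SYSTEM_BINARIES:  # a genuine system binary is never a near-miss of itself
        for legit in SYSTEM_BINARIES:
            if 0 < edit_distance(exe, legit) <= 2:  # svch0st.exe -> svchost.exe is 1 edit
                reasons.append(f"binary name {exe!r} is a near-miss of {legit!r}")
    if status.lower() == "unknown" and not path.lower().startswith(SYSTEM_DIRS):
        reasons.append("unknown publisher and binary outside the Windows system directories")
    return reasons

def triage(text):
    """Map each suspicious service name to (reasons, sc command to run once it is confirmed rogue)."""
    report = {}
    for status, name, _display, path in parse_o23(text):
        reasons = findings_for(status, path)
        if reasons:  # Method One's removal command; a name containing spaces must be quoted
            report[name] = (reasons, f'sc delete "{name}"' if " " in name else f"sc delete {name}")
    return report
```

Run triage(SAMPLE_O23) to see the three rogue-looking entries reported while the legitimate EventLog entry passes; the ewido entry is reported only because its publisher is unknown, so it still needs a manual check before anything is deleted.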

There are two ways to delete a service:

Method One: use the Windows command sc.exe

Click Start Menu > All Programs > Accessories, right-click Command Prompt, and choose "Run as administrator".

In the command prompt opened as administrator, type sc followed by its parameters. Usage is very simple:

sc delete "service name" (if the service name contains spaces, you must enclose it in quotation marks)

For the example above: sc delete ksd2service

For a detailed list of sc commands, see the appendix at the end of this article, which Windows7 Home has compiled for you.

Method Two: edit the registry directly (not recommended)

Open Registry Editor and locate the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Each normal service has a subkey here with the same name as the service; delete the subkey of the rogue service directly.

IV. Special circumstances

1. If the service's binary shows as rundll32.exe and that file is located in the System32 directory, do not delete rundll32.exe: it is a Windows system file, and the rogue code is in the .dll that the service makes rundll32.exe load. In that case, simply remove the service entry.

2. If a service is re-created automatically as soon as it is deleted, a background process is monitoring and protecting it. First end that process in Task Manager, or press F8 during startup to enter Windows 7 Safe Mode and remove the service there.

Appendix: sc command-line parameters in detail

Description:

sc is a command-line program used for communicating with the Service Control Manager and services.

Usage:

sc [server] [command] [service name] ...

The [server] option has the form "\\ServerName".

Type "sc [command]" to get further help on that command.

Commands:

query-----------Queries the status of a service, or enumerates the status of types of services.
queryex---------Queries the extended status of a service, or enumerates the status of types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistent).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
failureflag-----Changes the failure actions flag of a service.
sidtype---------Changes the service SID type of a service.
privs-----------Changes the required privileges of a service.
qc--------------Queries the configuration information of a service.
qdescription----Queries the description of a service.
qfailure--------Queries the actions taken by a service upon failure.
qfailureflag----Queries the failure actions flag of a service.
qsidtype--------Queries the service SID type of a service.
qprivs----------Queries the required privileges of a service.
qtriggerinfo----Queries the trigger parameters of a service.
qpreferrednode--Queries the preferred NUMA node of a service.
delete----------Deletes a service (from the registry).
create----------Creates a service (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays the security descriptor of a service.
sdset-----------Sets the security descriptor of a service.
showsid---------Displays the service SID string corresponding to an arbitrary name.
triggerinfo-----Configures the trigger parameters of a service.
preferrednode---Sets the preferred NUMA node of a service.
GetDisplayName--Gets the DisplayName of a service.
GetKeyName------Gets the ServiceKeyName of a service.
EnumDepend------Enumerates the dependencies of a service.

The following commands do not require a service name:

sc [server] <command> <option>

boot------------(ok | bad) Indicates whether the last boot should be saved as the last-known-good boot configuration.
lock------------Locks the service database.
querylock-------Queries the lock status of the SCManager database.

Example:

sc start MyService

QUERY and QUERYEX options:

If the query command is followed by a service name, the status of that service is returned, and further options do not apply. If the query command is followed by nothing, or by one of the options listed below, the services are enumerated.

type=    Type of services to enumerate (driver, service, all) (default = service)
state=   State of services to enumerate (inactive, all) (default = active)
bufsize= Size in bytes of the enumeration buffer (default = 4096)
ri=      Resume index number at which to begin the enumeration (default = 0)
group=   Service group to enumerate (default = all groups)

Syntax examples:

sc query - Enumerates the status of active services and drivers
sc query EventLog - Displays the status of the EventLog service
sc queryex EventLog - Displays the extended status of the EventLog service
sc query type= driver - Enumerates active drivers only
sc query type= service - Enumerates Win32 services only
sc query state= all - Enumerates all services and drivers
sc query bufsize= 50 - Enumerates with a 50-byte buffer
sc query ri= 14 - Enumerates with resume index = 14
sc queryex group= "" - Enumerates active services not in a group
sc query type= interact - Enumerates all interactive services
sc query type= driver group= NDIS - Enumerates all NDIS drivers
