Remove a virus hiding as a Vista system service by deleting the Windows service
I. What is a Windows service?
Windows services (also written "Windows Service") are part of the foundation of the Windows operating system and of Windows networking. They belong to the core of the system and support all kinds of operations across Windows. Services such as the DNS Client, the print spooler, Windows Update, Task Scheduler and Windows Time decide whether the machine works correctly; if they are not managed properly, the normal operation of the machine suffers.
A service is, first of all, a Win32 executable, or a DLL loaded into a host process (Windows' own DLL-based services run inside svchost.exe; rogue services sometimes register rundll32.exe to load their DLL instead). Unlike an ordinary application such as Word, which shows a window when it starts, a service has no user interface, and you generally cannot start one by double-clicking its .exe file.
II. How does Windows control a service?
Windows services are managed by a higher-level process, services.exe, the Service Control Manager (SCM), which starts, stops, runs, pauses and resumes them. The most common way to perform these operations is through the Services MMC console.
In Windows 7, click the Start menu, type "services" in the search box and double-click the first result to open the Services console. In Vista and XP you can also open it by running services.msc.
III. How to remove a Windows service
More and more rogue software now registers itself as a service. Services that are not part of Windows are normally listed under O23 in a HijackThis log, as in the following excerpt:
O23 - Unknown - Service: bkmarks [provides the data security mechanism of the transport protocol to effectively maintain the safety and integrity of data transmission] - C:\windows\system32\rundll.exe
O23 - Unknown - Service: ewido anti-spyware 4.0 guard [ewido anti-spyware 4.0 guard] - D:\program files\ewido anti-spyware 4.0\guard.exe
O23 - Unknown - Service: ksd2service [ksd2service] - C:\windows\system32\svch0st.exe
For rogue services like these, either delete the related .exe file so that it can no longer run, or remove the service registration itself so that it is not started again when the computer restarts. Not every O23 entry is hostile (the ewido anti-spyware guard above is a legitimate anti-spyware product), so look at the tells: bkmarks carries a vague, marketing-style description and runs through a rundll binary, and svch0st.exe imitates the real svchost.exe with a zero in place of the letter o.
There are two ways to delete the service:
Method One: use sc.exe, the Windows service-control command
Click Start > All Programs > Accessories, right-click Command Prompt and choose "Run as administrator".
At the elevated Command Prompt, type sc followed by its parameters; the syntax is simple:
sc delete "service name" (if the service name contains spaces, enclose it in quotation marks). The name is the service's key name, not the display name shown in the Services console; sc getkeyname "Display Name" converts one into the other. Stop the service first with sc stop "service name": a service that is deleted while it is still running is only marked for deletion and disappears once it stops or the machine reboots.
For the example above: sc delete ksd2service
For the full sc command reference, see the appendix below, which Windows7 Home/Vista has compiled for you.
Method Two: edit the registry directly (not recommended)
Open Registry Editor (regedit) and locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Every service has a subkey here with the same name as the service; delete the subkey belonging to the rogue service. Because this bypasses the Service Control Manager, the change only takes effect after a reboot, and a slip here can break a legitimate service, so export the key before deleting it.
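The registry key above is also the quickest place to triage every registered service at once. The following PowerShell script is an added example for this article, not the author's own code: it walks HKLM\SYSTEM\CurrentControlSet\Services, resolves each Win32 service's ImagePath and flags the tells discussed in section III (look-alike names such as svch0st.exe, a DLL loaded through rundll32.exe, a missing binary, a copy of svchost.exe outside System32, and an unsigned binary outside the Windows directory). It assumes an elevated PowerShell 2.0 or later prompt on Vista or Windows 7; the function name Get-SuspiciousServices and the heuristics are the editor's choices.

```powershell
function Get-SuspiciousServices {
    # Added example, not from the original article. Walks the Services key and
    # flags Win32 services showing the tells discussed in section III.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $sys32 = Join-Path $env:SystemRoot 'System32'

    foreach ($sub in Get-ChildItem $key -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
        # Type 0x10 = own process, 0x20 = shared process; anything else is a driver.
        if (-not $p -or -not $p.ImagePath -or -not ($p.Type -band 0x30)) { continue }

        # ImagePath may be quoted, carry arguments, or be relative to %SystemRoot%.
        $raw = [Environment]::ExpandEnvironmentVariables($p.ImagePath)
        $exe = if ($raw.StartsWith('"')) { $raw.Split('"')[1] } else { $raw.Split(' ')[0] }
        if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }
        $leaf = [IO.Path]::GetFileName($exe).ToLower()
        $inWindows = $exe.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)

        $reasons = @()
        if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'binary missing' }
        # Look-alikes of the two Windows host binaries (svch0st.exe, svchosts.exe, rundll.exe ...).
        if ($leaf -like 'svch*st*' -and $leaf -ne 'svchost.exe') { $reasons += 'svchost look-alike' }
        if ($leaf -like 'rundll*'  -and $leaf -ne 'rundll32.exe') { $reasons += 'rundll32 look-alike' }
        # Genuine DLL-based services are hosted by svchost.exe; rundll32.exe as a service host is a red flag.
        if ($leaf -eq 'rundll32.exe') { $reasons += 'DLL loaded via rundll32' }
        # The real svchost.exe lives in System32; a copy anywhere else is not Windows.
        if ($leaf -eq 'svchost.exe' -and -not $exe.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'svchost outside System32'
        }
        # Signature check only outside the Windows directory: Windows' own files are mostly
        # catalog-signed, which Get-AuthenticodeSignature does not see on Vista/7 (sfc covers them).
        if (-not $inWindows -and (Test-Path -LiteralPath $exe) -and
            (Get-AuthenticodeSignature $exe).Status -ne 'Valid') {
            $reasons += 'no valid embedded signature'
        }

        New-Object PSObject -Property @{
            Name        = $sub.PSChildName
            DisplayName = $p.DisplayName
            Start       = $p.Start            # 2 = automatic, 3 = manual, 4 = disabled
            Binary      = $exe
            Reasons     = ($reasons -join '; ')
        }
    }
}

# Show only the flagged entries; review each one before touching anything.
Get-SuspiciousServices | Where-Object { $_.Reasons } |
    Sort-Object Name | Format-Table Name, Start, Binary, Reasons -AutoSize
```

Treat the output as a worklist, not a verdict: a legitimate third-party service with no embedded signature will appear here too, just as the ewido guard does in the O23 log above.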
IV. Special cases
1. If the service shows rundll32.exe as its binary and the file sits in the System32 directory, do not delete it: rundll32.exe is a Windows system file. Just remove the service entry; the rogue DLL that rundll32.exe was told to load is named further along in the service's command line and can be removed on its own.
2. If a service is re-created immediately after it is deleted, a background process is watching over and protecting it. Kill that process in Task Manager first, or press F8 during startup and do the removal from Windows 7/Vista Safe Mode.
3. If sc delete reports "Access is denied" even from an elevated prompt, the rogue service may have tightened its own security descriptor so that Administrators can no longer stop or delete it. sc sdshow "service name" displays the descriptor and sc sdset can restore a normal one (both commands are listed in the appendix).
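Sections III and IV together describe one procedure: stop the service and the process guarding it, delete the registration, check that it stayed gone, and only then deal with the binary. The PowerShell function below is an added example, not code from the article; its name Remove-RogueService and its -Quarantine parameter are assumptions. It accepts the key name or the display name, handles the special cases above (the rundll32.exe and svchost.exe host binaries are never removed, a service that reappears is reported so you can finish in Safe Mode, and "Access is denied" points you at sc sdshow), and quarantines the binary instead of deleting it.

```powershell
function Remove-RogueService {
    # Added example, not from the original article. Removes a rogue service the way
    # sections III and IV describe. $Name may be the key name (e.g. ksd2service) or
    # the display name; -Quarantine is where the binary is moved instead of deleted.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$Quarantine = "$env:SystemDrive\Quarantine"
    )

    # sc.exe only understands the key name, so resolve a display name through WMI.
    $svc = Get-WmiObject Win32_Service |
           Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name }
    if (-not $svc) { throw "No service named '$Name'." }
    $key = $svc.Name

    # PathName may be quoted and may carry arguments (rundll32.exe C:\x.dll,Entry).
    $raw  = [Environment]::ExpandEnvironmentVariables($svc.PathName)
    $exe  = if ($raw.StartsWith('"')) { $raw.Split('"')[1] } else { $raw.Split(' ')[0] }
    $leaf = [IO.Path]::GetFileName($exe).ToLower()
    "Service '$key' runs $exe (state $($svc.State), PID $($svc.ProcessId))"

    # IV.2: stop the service and its process first, or a guard process may re-create it.
    # A shared svchost.exe hosts other services too, so that one is only asked to stop.
    if ($svc.State -ne 'Stopped') { & sc.exe stop $key | Out-Null }
    if ($svc.ProcessId -gt 0 -and $leaf -ne 'svchost.exe') {
        Stop-Process -Id $svc.ProcessId -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 2

    # Method One. Inside PowerShell "sc" is an alias for Set-Content, so the .exe
    # extension is required; sc.exe's exit code is the Win32 error code.
    $out = & sc.exe delete $key 2>&1
    switch ($LASTEXITCODE) {
        0       { "Deleted service '$key'." }
        1072    { "Service '$key' is marked for deletion; it disappears at reboot (close services.msc and other open handles)." }
        5       { Write-Warning "Access denied for '$key'. Its security descriptor may be restricted: sc.exe sdshow $key"; return }
        default { throw "sc.exe delete failed (exit code $LASTEXITCODE): $out" }
    }

    # IV.2 again: if the service is back within seconds, a protector is re-registering it.
    Start-Sleep -Seconds 5
    if (Get-WmiObject Win32_Service | Where-Object { $_.Name -eq $key }) {
        Write-Warning "Service '$key' came back: a protector process is still running. Retry from Safe Mode (F8 at boot)."
        return
    }

    # IV.1: never remove the Windows host binaries themselves. Do not rely on a signature
    # check for this: on Vista/7 Get-AuthenticodeSignature does not see catalog signatures,
    # so rundll32.exe and svchost.exe look "unsigned" even though they are genuine.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    if ($exe.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase) -and
        ('rundll32.exe', 'svchost.exe') -contains $leaf) {
        "$exe is a Windows system file and stays in place. Remove the DLL named in: $raw"
        return
    }

    # Quarantine (move) rather than delete, so the file can be restored or analysed later.
    if (Test-Path -LiteralPath $exe) {
        if (-not (Test-Path -LiteralPath $Quarantine)) {
            New-Item -ItemType Directory -Path $Quarantine | Out-Null
        }
        try {
            Move-Item -LiteralPath $exe -Destination (Join-Path $Quarantine "$leaf.bad") -ErrorAction Stop
            "Moved $exe to $Quarantine"
        } catch {
            Write-Warning "Could not move $exe ($($_.Exception.Message)). Remove it from Safe Mode."
        }
    }
}

# The ksd2service entry from the log in section III:
# Remove-RogueService -Name ksd2service
```

Note the sc.exe spelling: in a PowerShell window sc is an alias for Set-Content, so typing sc delete ksd2service there does not touch the service at all, it writes a file named "delete" containing "ksd2service". The article's instructions assume Command Prompt, where plain sc is fine.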
Appendix: sc command-line parameters in detail
DESCRIPTION:
SC is a command-line program used for communicating with the Service Control Manager and services.
USAGE:
sc <server> [command] [service name] <option1> <option2>...
The <server> option has the form "\\ServerName"
Further help on a command can be obtained by typing: sc [command]
Commands:
query-----------Queries the status of a service, or enumerates the status of types of services.
queryex---------Queries the extended status of a service, or enumerates the status of types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistent).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
failureflag-----Changes the failure actions flag of a service.
sidtype---------Changes the service SID type of a service.
privs-----------Changes the required privileges of a service.
qc--------------Queries the configuration information for a service.
qdescription----Queries the description of a service.
qfailure--------Queries the actions taken by a service upon failure.
qfailureflag----Queries the failure actions flag of a service.
qsidtype--------Queries the service SID type of a service.
qprivs----------Queries the required privileges of a service.
qtriggerinfo----Queries the trigger parameters of a service.
qpreferrednode--Queries the preferred NUMA node of a service.
delete----------Deletes a service (from the registry).
create----------Creates a service (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays a service's security descriptor.
sdset-----------Sets a service's security descriptor.
showsid---------Displays the service SID string corresponding to an arbitrary name.
triggerinfo-----Configures the trigger parameters of a service.
preferrednode---Sets the preferred NUMA node of a service.
GetDisplayName--Gets the DisplayName for a service.
GetKeyName------Gets the ServiceKeyName for a service.
EnumDepend------Enumerates service dependencies.
The following commands don't require a service name:
sc <server> <command> <option>
boot------------(ok | bad) Indicates whether the last boot should be saved as the last-known-good boot configuration.
Lock------------Locks the service database.
QueryLock-------Queries the lock status of the SCManager database.
EXAMPLE:
sc start MyService
QUERY and QUERYEX OPTIONS:
If the query command is followed by a service name, the status of that service is returned, and the options below do not apply. If the query command is followed by nothing, or by one or more of the options below, the services are enumerated.
type=    Type of services to enumerate (driver, service, all) (default = service)
state=   State of services to enumerate (inactive, all) (default = active)
bufsize= Size in bytes of the enumeration buffer (default = 4096)
ri=      Resume index number at which to begin the enumeration (default = 0)
group=   Service group to enumerate (default = all groups)
SYNTAX EXAMPLES
sc query                - Enumerates status for active services and drivers
sc query EventLog       - Displays status for the EventLog service
sc queryex EventLog     - Displays extended status for the EventLog service
sc query type= driver   - Enumerates only active drivers
sc query type= service  - Enumerates only Win32 services
sc query state= all     - Enumerates all services and drivers
sc query bufsize= 50    - Enumerates with a 50-byte buffer
sc query ri= 14         - Enumerates with resume index = 14
sc queryex group= ""    - Enumerates active services not in a group
sc query type= interact - Enumerates all interactive services
sc query type= driver group= NDIS - Enumerates all NDIS drivers
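When sc delete fails with "Access is denied" (special case 3 above), the descriptor printed by sc sdshow explains why, but raw SDDL is hard to read by eye. The PowerShell function below is an added example, not part of the article: it decodes an SDDL string with .NET's RawSecurityDescriptor and reports, per access-control entry, who may stop or delete the service. The two SDDL strings in the usage part are constructed for the demonstration (the first resembles a stock Windows service descriptor, the second a deliberately locked-down one); the function name Get-ServiceAccessSummary is an assumption.

```powershell
function Get-ServiceAccessSummary {
    # Added example, not from the original article. Decodes the SDDL that
    # "sc sdshow <service>" prints and lists who can stop or delete the service.
    param([Parameter(Mandatory = $true)][string]$Sddl)

    # Service-object access rights as the SCM defines them (winsvc.h values).
    $rights = @{
        0x0001  = 'QueryConfig';    0x0002  = 'ChangeConfig';  0x0004  = 'QueryStatus'
        0x0008  = 'EnumDependents'; 0x0010  = 'Start';         0x0020  = 'Stop'
        0x0040  = 'PauseContinue';  0x0080  = 'Interrogate';   0x0100  = 'UserDefinedControl'
        0x10000 = 'Delete';         0x20000 = 'ReadControl';   0x40000 = 'WriteDac'
        0x80000 = 'WriteOwner'
    }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    if (-not $sd.DiscretionaryAcl) { Write-Warning 'No DACL present: everyone has full access.'; return }

    foreach ($ace in $sd.DiscretionaryAcl) {
        # SDDL "(A;;...;;;BA)" and "(D;;...;;;BA)" entries both parse as CommonAce.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $names = foreach ($bit in ($rights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $rights[$bit] }
        }
        New-Object PSObject -Property @{
            Type      = $ace.AceType                       # AccessAllowed or AccessDenied
            Principal = $who
            CanStop   = [bool]($ace.AccessMask -band 0x20)
            CanDelete = [bool]($ace.AccessMask -band 0x10000)
            Rights    = ($names -join ',')
        }
    }
}

# Constructed sample descriptors (not captured from a real machine).
# Stock-looking: SYSTEM and Administrators may stop; Administrators may delete.
$stock  = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
# Locked-down: a deny ACE strips Stop (WP) and Delete (SD) from Administrators, so
# "sc stop" and "sc delete" fail with "Access is denied" even from an elevated prompt.
$locked = 'D:(D;;WPSD;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'

Get-ServiceAccessSummary $locked | Format-Table Type, Principal, CanStop, CanDelete, Rights -AutoSize

# Live use: feed it the D: line that sc.exe prints, then repair with sdset if needed.
#   $sddl = & sc.exe sdshow ksd2service | Where-Object { $_ -match '^D:' }
#   Get-ServiceAccessSummary $sddl
#   & sc.exe sdset ksd2service $stock
```

A deny entry is evaluated before the allow entries that follow it, which is why the locked-down sample leaves Administrators with WriteDac but no Stop or Delete: WriteDac is exactly the right sc sdset needs, so the descriptor can be rewritten and the normal removal repeated. If WriteDac has been removed as well, take ownership first or finish the removal from Safe Mode.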