[Disinfection] How to delete an infected service?
During disinfection, you may have to remove a service installed by malware. Here are some methods of removal.
Deleting through HijackThis
The "Delete an NT service" option can delete services listed on the O23 lines of a HijackThis report (the service must be stopped first).
To do:
- Go to: Start
- Run, type: services.msc then press OK
- In the window that follows, look for the service(s) to stop.
- Example: removing the service Boonty Games
o Right-click the service > Stop, then Properties > Startup type: Disabled, and confirm with OK.
- You can also stop it from the command line:
o See: starting and stopping a service from the command line
- Then run HijackThis
- The HijackThis line corresponding to this service:
o O23 - Service: Boonty Games - Boonty - C:\Program Files\Common Files\Boonty Shared\Service\Boonty.exe
- Open the Misc Tools section
- Choose the option "Delete an NT service"
- Enter the exact name of the service to delete! In our case: BOONTY Shared
- Once deleted, the service cannot be restored. If you are not sure of the legitimacy of a service, just disable it!
Remove using the command line
You can also delete a service directly from the command line:
- Go to: Start
- Run, type: cmd and press OK
- In the command prompt window that follows, enter each of the following commands followed by the exact name of the service to delete, and confirm with [Enter] after each line.
Example commands to enter to stop and remove two infected services, namely ezntsvc and scagent (note the mandatory space after "start=" in the sc config syntax):
sc stop ezntsvc [Enter]
sc config ezntsvc start= disabled [Enter]
sc delete ezntsvc [Enter]
sc stop scagent [Enter]
sc config scagent start= disabled [Enter]
sc delete scagent [Enter]
exit [Enter]
Important Notes:
- 1) To remove a service whose name consists of several words, such as in the following HijackThis line:
o O23 - Service: Service Hello (Hello Service) - Apple Inc. - C:\Program Files\Hello\mDNSResponder.exe
o You must enter the full name enclosed in quotation marks, i.e. enter the following:
- sc stop "Hello Service"
- sc delete "Hello Service"
- 2) The name of the service to remove is the one shown in parentheses on the HijackThis line, i.e. in our example "Hello Service", as indicated earlier.
- 3) These two methods of removal apply to "basic" services, but will not work for rootkit services, which are much more complex to remove.
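As an added example (not part of the original tutorial), here is a PowerShell script that applies the same stop, disable, delete sequence, but first shows the service's binary path and Authenticode signature so that a legitimate service is not removed by mistake. The -Name and -Delete parameters are my own choices; the default service name is the Boonty Games example from the page.

```powershell
# Added example: inspect, stop, disable and optionally delete a Windows service.
# Run from an elevated PowerShell prompt: .\Remove-SuspectService.ps1 -Name "Boonty Games" -Delete
param(
    [string]$Name = "Boonty Games",   # exact short service name; quotes handle spaces
    [switch]$Delete                   # without -Delete the service is only stopped and disabled
)

$svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
if (-not $svc) { Write-Host "No service named '$Name' was found."; exit 1 }

# Get-Service does not expose the executable; Win32_Service does (escape ' for the WQL filter)
$escaped = $Name.Replace("'", "''")
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$escaped'"
Write-Host "Display name : $($svc.DisplayName)"
Write-Host "Binary path  : $($cim.PathName)"

# Strip surrounding quotes or trailing arguments to isolate the .exe, then check its signature
$exe = ($cim.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
if (Test-Path -LiteralPath $exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    Write-Host "Signature    : $($sig.Status) $($sig.SignerCertificate.Subject)"
} else {
    Write-Host "Signature    : binary not found on disk (already removed, or path is unusual)"
}

# Same order as the sc commands in the tutorial: stop, then set startup type to Disabled
Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
Set-Service -Name $Name -StartupType Disabled
Write-Host "Service '$Name' stopped and disabled."

if ($Delete) {
    # Deletion is irreversible; sc.exe is used because Remove-Service only exists in PowerShell 6+.
    # PowerShell quotes the argument automatically when the name contains spaces.
    sc.exe delete $Name
}
```

An "UnknownError" or "NotSigned" status is not proof of malware (many legitimate tools are unsigned), but a signed binary from a known vendor is a strong hint to disable rather than delete.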