?
Solved

Rogue service will not disappear / cannot remove a program

Posted on 2011-02-15
11
Medium Priority
?
965 Views
Last Modified: 2012-05-11
Hello,

A client of ours has an SBS2008. We recently noticed that the C Drive running out of space. Our investigations led us to the windows\temp drive filling up with random files. Digging down into these files, we found that it was being cause by a piece of software called Desktop Authority by Script Logic.

The client says they have not installed this software nor do they know where it comes from. After a couple of hours or so trying to remove this software, we have hit a brick wall, even after trying to contact the ScriptLogic support hotline. There's nothing under add/remove programs.

There is a service running called DA Remote Management Maintenance Service, which, if stopped and disabled, after a period of time, say an hour, will have enabled and started itself again. If we remove the program files from the program file directory C:\Program Files\RemoteSupportManager\ - (we cannot delete one of the DLLs at all) and remove references in the registry, everything re-appears after about an hour or so.

Malware scans do not show anything  either.

Any ideas?
0
Comment
Question by:puterssupport
10 Comments
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 34896399
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34896437
Worst case scenario you can manually take it out of the registry

http://www.techieshelp.com/remove-a-windows-service-via-registry/

0
 

Author Comment

by:puterssupport
ID: 34896511
Hello Flyfishing.

The problem is that no actual program functions are visible. It's just the service, and that folder I mentioned above. Along with the few registry entries. Nothing else.

The only reason we were able to determine it was a scriptlogic/desktop authority program was through decifering the log files in the temp folder that were being generated.
0
2018 Annual Membership Survey

Here at Experts Exchange, we strive to give members the best experience. Help us improve the site by taking this survey today! (Bonus: Be entered to win a great tech prize for participating!)

 
LVL 7

Accepted Solution

by:
jrwarren earned 1000 total points
ID: 34898906
Restart the server in Safe Mode - No Networking.
   Goto start ---> Administrative Tools ---> Services

Double click the service in question and set to Disabled.

Restart the server then perform your cleanup, including removing the service.
  you may want to verify the dlls are not registered by using the command line :
type : regsvr32 /u <filename>.dll
   Be careful with this, though - if it is a required dll, you may break something.

you can remove unwanted services via cmd line using : sc delete <ServiceName>
0
 

Author Comment

by:puterssupport
ID: 34898927
Hello

Thanks for this.

Even with the service disabled still files are clogging up the temp folder. The folders generated appears to be the contents of the Program Files folder that it creates called RemoteSupportManager. It's not called that in Temp though, it's a random name. The sort of behaviour you get when you download a file from the internet.
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34899047
check your startup settings.
   You may have something kicking off a process on start.

Try using msconfig.exe to see what is starting on boot.
%SystemRoot%\system32\msconfig.exe
0
 

Author Comment

by:puterssupport
ID: 34899068
it happens even without a reboot
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34899150
If a process has started and is running in the background, it is likely what is causing the files to spawn.  Killing a service will not kill the process.  If the process is hidden, it can be generating other processes automatically.  the initial process is starting on boot of the server, it needs to be determined where it starts from.

msconfig will show you a list of initial calls and process startups, along with the associated registry entries.

you can also download and utilize : Sysinternals Process Explorer

This will show you all the current processes running on the machine and assist in identifying any rogue elements.
0
 

Author Comment

by:puterssupport
ID: 34899171
Thank you - I will give this suggestion a try OOH this evening and let you know how I got on in the morning. UK Time.
0
 
LVL 16

Expert Comment

by:Ady Foot
ID: 35455580
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Small Business Server 2011. NOTE: This guide has been written using the preview version of SBS2011 therefore some of the screens may …
If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Kernel Data Recovery is a renowned Data Recovery solution provider which offers wide range of softwares for both enterprise and home users with its cost-effective solutions. Let's have a quick overview of the journey and data recovery tools range he…
Suggested Courses

588 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question