Solved

Rogue service will not disappear / cannot remove a program

Posted on 2011-02-15
11
944 Views
Last Modified: 2012-05-11
Hello,

A client of ours has an SBS2008. We recently noticed that the C Drive running out of space. Our investigations led us to the windows\temp drive filling up with random files. Digging down into these files, we found that it was being cause by a piece of software called Desktop Authority by Script Logic.

The client says they have not installed this software nor do they know where it comes from. After a couple of hours or so trying to remove this software, we have hit a brick wall, even after trying to contact the ScriptLogic support hotline. There's nothing under add/remove programs.

There is a service running called DA Remote Management Maintenance Service, which, if stopped and disabled, after a period of time, say an hour, will have enabled and started itself again. If we remove the program files from the program file directory C:\Program Files\RemoteSupportManager\ - (we cannot delete one of the DLLs at all) and remove references in the registry, everything re-appears after about an hour or so.

Malware scans do not show anything  either.

Any ideas?
0
Comment
Question by:puterssupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 34896399
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34896437
Worst case scenario you can manually take it out of the registry

http://www.techieshelp.com/remove-a-windows-service-via-registry/

0
 

Author Comment

by:puterssupport
ID: 34896511
Hello Flyfishing.

The problem is that no actual program functions are visible. It's just the service, and that folder I mentioned above. Along with the few registry entries. Nothing else.

The only reason we were able to determine it was a scriptlogic/desktop authority program was through decifering the log files in the temp folder that were being generated.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 7

Accepted Solution

by:
jrwarren earned 250 total points
ID: 34898906
Restart the server in Safe Mode - No Networking.
   Goto start ---> Administrative Tools ---> Services

Double click the service in question and set to Disabled.

Restart the server then perform your cleanup, including removing the service.
  you may want to verify the dlls are not registered by using the command line :
type : regsvr32 /u <filename>.dll
   Be careful with this, though - if it is a required dll, you may break something.

you can remove unwanted services via cmd line using : sc delete <ServiceName>
0
 

Author Comment

by:puterssupport
ID: 34898927
Hello

Thanks for this.

Even with the service disabled still files are clogging up the temp folder. The folders generated appears to be the contents of the Program Files folder that it creates called RemoteSupportManager. It's not called that in Temp though, it's a random name. The sort of behaviour you get when you download a file from the internet.
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34899047
check your startup settings.
   You may have something kicking off a process on start.

Try using msconfig.exe to see what is starting on boot.
%SystemRoot%\system32\msconfig.exe
0
 

Author Comment

by:puterssupport
ID: 34899068
it happens even without a reboot
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34899150
If a process has started and is running in the background, it is likely what is causing the files to spawn.  Killing a service will not kill the process.  If the process is hidden, it can be generating other processes automatically.  the initial process is starting on boot of the server, it needs to be determined where it starts from.

msconfig will show you a list of initial calls and process startups, along with the associated registry entries.

you can also download and utilize : Sysinternals Process Explorer

This will show you all the current processes running on the machine and assist in identifying any rogue elements.
0
 

Author Comment

by:puterssupport
ID: 34899171
Thank you - I will give this suggestion a try OOH this evening and let you know how I got on in the morning. UK Time.
0
 
LVL 16

Expert Comment

by:Ady Foot
ID: 35455580
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the event you manage a Small Business Server 2003, and you are audited for PCI compliance, there are several changes you must make in order to pass the audit. I can take no credit for discovering any of these fixes or workarounds, but there is no…
I've often see, or have been asked, the question about the difference between the Exchange 2010 SP1 version, available as part of Small Business Server (SBS) 2011, and the “normal” Exchange 2010 SP1 Standard. The answer to the question is relativ…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question