Solved

Rogue service will not disappear / cannot remove a program

Posted on 2011-02-15
11
942 Views
Last Modified: 2012-05-11
Hello,

A client of ours has an SBS2008. We recently noticed that the C Drive running out of space. Our investigations led us to the windows\temp drive filling up with random files. Digging down into these files, we found that it was being cause by a piece of software called Desktop Authority by Script Logic.

The client says they have not installed this software nor do they know where it comes from. After a couple of hours or so trying to remove this software, we have hit a brick wall, even after trying to contact the ScriptLogic support hotline. There's nothing under add/remove programs.

There is a service running called DA Remote Management Maintenance Service, which, if stopped and disabled, after a period of time, say an hour, will have enabled and started itself again. If we remove the program files from the program file directory C:\Program Files\RemoteSupportManager\ - (we cannot delete one of the DLLs at all) and remove references in the registry, everything re-appears after about an hour or so.

Malware scans do not show anything  either.

Any ideas?
0
Comment
Question by:puterssupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
11 Comments
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 34896399
0
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34896437
Worst case scenario you can manually take it out of the registry

http://www.techieshelp.com/remove-a-windows-service-via-registry/

0
 

Author Comment

by:puterssupport
ID: 34896511
Hello Flyfishing.

The problem is that no actual program functions are visible. It's just the service, and that folder I mentioned above. Along with the few registry entries. Nothing else.

The only reason we were able to determine it was a scriptlogic/desktop authority program was through decifering the log files in the temp folder that were being generated.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 7

Accepted Solution

by:
jrwarren earned 250 total points
ID: 34898906
Restart the server in Safe Mode - No Networking.
   Goto start ---> Administrative Tools ---> Services

Double click the service in question and set to Disabled.

Restart the server then perform your cleanup, including removing the service.
  you may want to verify the dlls are not registered by using the command line :
type : regsvr32 /u <filename>.dll
   Be careful with this, though - if it is a required dll, you may break something.

you can remove unwanted services via cmd line using : sc delete <ServiceName>
0
 

Author Comment

by:puterssupport
ID: 34898927
Hello

Thanks for this.

Even with the service disabled still files are clogging up the temp folder. The folders generated appears to be the contents of the Program Files folder that it creates called RemoteSupportManager. It's not called that in Temp though, it's a random name. The sort of behaviour you get when you download a file from the internet.
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34899047
check your startup settings.
   You may have something kicking off a process on start.

Try using msconfig.exe to see what is starting on boot.
%SystemRoot%\system32\msconfig.exe
0
 

Author Comment

by:puterssupport
ID: 34899068
it happens even without a reboot
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34899150
If a process has started and is running in the background, it is likely what is causing the files to spawn.  Killing a service will not kill the process.  If the process is hidden, it can be generating other processes automatically.  the initial process is starting on boot of the server, it needs to be determined where it starts from.

msconfig will show you a list of initial calls and process startups, along with the associated registry entries.

you can also download and utilize : Sysinternals Process Explorer

This will show you all the current processes running on the machine and assist in identifying any rogue elements.
0
 

Author Comment

by:puterssupport
ID: 34899171
Thank you - I will give this suggestion a try OOH this evening and let you know how I got on in the morning. UK Time.
0
 
LVL 16

Expert Comment

by:Ady Foot
ID: 35455580
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Small Business Server 2011. NOTE: This guide has been written using the preview version of SBS2011 therefore some of the screens may …
The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question