Solved

Rogue service will not disappear / cannot remove a program

Posted on 2011-02-15
11
934 Views
Last Modified: 2012-05-11
Hello,

A client of ours has an SBS2008. We recently noticed that the C Drive running out of space. Our investigations led us to the windows\temp drive filling up with random files. Digging down into these files, we found that it was being cause by a piece of software called Desktop Authority by Script Logic.

The client says they have not installed this software nor do they know where it comes from. After a couple of hours or so trying to remove this software, we have hit a brick wall, even after trying to contact the ScriptLogic support hotline. There's nothing under add/remove programs.

There is a service running called DA Remote Management Maintenance Service, which, if stopped and disabled, after a period of time, say an hour, will have enabled and started itself again. If we remove the program files from the program file directory C:\Program Files\RemoteSupportManager\ - (we cannot delete one of the DLLs at all) and remove references in the registry, everything re-appears after about an hour or so.

Malware scans do not show anything  either.

Any ideas?
0
Comment
Question by:puterssupport
11 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
Comment Utility
0
 
LVL 5

Expert Comment

by:zippybungle2003
Comment Utility
Worst case scenario you can manually take it out of the registry

http://www.techieshelp.com/remove-a-windows-service-via-registry/

0
 

Author Comment

by:puterssupport
Comment Utility
Hello Flyfishing.

The problem is that no actual program functions are visible. It's just the service, and that folder I mentioned above. Along with the few registry entries. Nothing else.

The only reason we were able to determine it was a scriptlogic/desktop authority program was through decifering the log files in the temp folder that were being generated.
0
 
LVL 7

Accepted Solution

by:
jrwarren earned 250 total points
Comment Utility
Restart the server in Safe Mode - No Networking.
   Goto start ---> Administrative Tools ---> Services

Double click the service in question and set to Disabled.

Restart the server then perform your cleanup, including removing the service.
  you may want to verify the dlls are not registered by using the command line :
type : regsvr32 /u <filename>.dll
   Be careful with this, though - if it is a required dll, you may break something.

you can remove unwanted services via cmd line using : sc delete <ServiceName>
0
 

Author Comment

by:puterssupport
Comment Utility
Hello

Thanks for this.

Even with the service disabled still files are clogging up the temp folder. The folders generated appears to be the contents of the Program Files folder that it creates called RemoteSupportManager. It's not called that in Temp though, it's a random name. The sort of behaviour you get when you download a file from the internet.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 7

Expert Comment

by:jrwarren
Comment Utility
check your startup settings.
   You may have something kicking off a process on start.

Try using msconfig.exe to see what is starting on boot.
%SystemRoot%\system32\msconfig.exe
0
 

Author Comment

by:puterssupport
Comment Utility
it happens even without a reboot
0
 
LVL 7

Expert Comment

by:jrwarren
Comment Utility
If a process has started and is running in the background, it is likely what is causing the files to spawn.  Killing a service will not kill the process.  If the process is hidden, it can be generating other processes automatically.  the initial process is starting on boot of the server, it needs to be determined where it starts from.

msconfig will show you a list of initial calls and process startups, along with the associated registry entries.

you can also download and utilize : Sysinternals Process Explorer

This will show you all the current processes running on the machine and assist in identifying any rogue elements.
0
 

Author Comment

by:puterssupport
Comment Utility
Thank you - I will give this suggestion a try OOH this evening and let you know how I got on in the morning. UK Time.
0
 
LVL 16

Expert Comment

by:Ady Foot
Comment Utility
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now