Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
Malicious System Service - drv.dll and drv.sys
This section provides some notes on how a malicious system service was installed to run C:\Program Files\drv\drv.dll as part of the Antivirus System PRO infection.
More notes on what I did to remove Antivirus System PRO and related malicious programs.
27. Looking at the system services (Control Panel > Administrative Tools > Services). There is a new entry: "drv - drv - C:\WINDOWS\system32\svchost.exe -k drv". See the picture below:
28. Selecting "Disabled" from the Startup type dropdown and clicking OK to save the change. But the startup type changes back to "Automatic" and the service stays in the "Starting" status again.
29. Running "regedit.exe" and searching for "drv". The matched registry entry shows:
Key:   HKLM\SYSTEM\CurrentControlSet\Services\drv\Parameters
Value: ServiceDll
Data:  C:\Program Files\drv\drv.dll
This is the value svchost.exe reads to find the DLL to load for a service it hosts, which is why the service entry above runs "svchost.exe -k drv" yet the actual code lives in C:\Program Files\drv\drv.dll.
30. Running "msconfig.exe" and clicking the Services tab. Clicking the "drv" entry to uncheck its check box, then clicking the Apply button.
31. Windows system restarts by itself. A warning message shows up:
System Configuration Utility
You have used the System Configuration Utility to make changes to the way Windows starts.
The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts. Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.
[ ] Don't show this message or launch the System Configuration Utility when Windows starts.
[OK]
32. Do not click the OK button and leave the warning message on the screen.
33. Looking at the folder C:\Program Files\drv and deleting these 2 files:
Name      Size   Type                   Date Modified
drv.dll   36KB   Application Extension  7/4/2009 10:25 AM
drv.sys   10KB   System file            7/4/2009 10:25 AM
34. Running the Service Controller (SC) command line tool, sc.exe, to delete the malicious service:
>sc.exe delete drv
[SC] DeleteService SUCCESS
35. Now clicking the OK button on the System Configuration Utility warning message dialog box. Windows restarts by itself.
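The "drv" service hid behind svchost.exe while its ServiceDll pointed outside the Windows directory. The following script is an added example, not part of this tutorial: it walks every service in the registry, keeps the ones hosted by svchost.exe, and flags any whose ServiceDll does not sit under %SystemRoot%. It assumes an elevated PowerShell session on Windows.

```powershell
# Added example, not part of the tutorial. Lists every service hosted by svchost.exe and
# flags those whose ServiceDll lives outside %SystemRoot%, the pattern the "drv" service used
# (svchost.exe -k drv loading C:\Program Files\drv\drv.dll). Run from an elevated PowerShell.
function Get-SvchostServiceDll {
    $systemRoot = $env:SystemRoot
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Only services whose ImagePath runs svchost.exe load a DLL named in Parameters\ServiceDll
        if (-not $svc -or -not $svc.ImagePath -or $svc.ImagePath -notmatch 'svchost\.exe') { return }
        $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        # The "-k <group>" argument names the svchost group; the malware registered its own group, "drv"
        $group = if ($svc.ImagePath -match '-k\s+(\S+)') { $Matches[1] } else { '' }
        [PSCustomObject]@{
            Service    = $_.PSChildName
            Group      = $group
            ServiceDll = $dll
            DllExists  = Test-Path -LiteralPath $dll
            Suspicious = -not $dll.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Show only the flagged entries; an empty result means every hosted DLL sits under %SystemRoot%
Get-SvchostServiceDll | Where-Object Suspicious | Format-Table -AutoSize
```

A legitimate third-party service can also host its DLL elsewhere, so a flagged entry is a lead to check (file date, publisher, digital signature), not proof of infection; once confirmed, the removal follows steps 33 and 34 above.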
Some quick conclusions: