Vista - Path to services changed

12-04-2007

Hi All,

I have an interesting issue. My laptop is running Vista Home Premium and has
had AV installed and kept up to date from day one. Recently (don't know when
it changed) a few, not all, of the services have had a "-" inserted before
the path in the registry. The services affected were things like the Adobe
file manager, Apple Ipod service, Sound card manager, Intel Raid monitor and
Sony Event service. I can go into the registry and change them back by
deleting the - from the beginning of the path, but after a while it returns.
I am quite sure it's not some kind of malware (unless it's by-passed the
AV), but its really annoying! Any ideas? The only thing I can see that they
have in common is that the service's executable resides in c:\progam
files\xxx.

Thanks,

Mark

12-05-2007

Mark delta P wrote:

Quote:

> Hi All,
>
> I have an interesting issue. My laptop is running Vista Home Premium and has
> had AV installed and kept up to date from day one. Recently (don't know when
> it changed) a few, not all, of the services have had a "-" inserted before
> the path in the registry. The services affected were things like the Adobe
> file manager, Apple Ipod service, Sound card manager, Intel Raid monitor and
> Sony Event service. I can go into the registry and change them back by
> deleting the - from the beginning of the path, but after a while it returns.
> I am quite sure it's not some kind of malware (unless it's by-passed the
> AV), but its really annoying! Any ideas? The only thing I can see that they
> have in common is that the service's executable resides in c:\progam
> files\xxx.

Since services' executables do not reside in C:\Program Files, this is a
pretty sure sign your computer is infected.

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/...moving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://www.pctipp.ch/downloads/siche...ning_tool.html
- download site

The site is in German but David's tool is in English so don't let that
worry you. Scroll all the way down to almost the bottom of the page and
you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
You'll see "Download von www pctipp.ch" and the live link to download
Multi_AV.

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

12-04-2007	#1 (permalink)
Mark delta P n/a posts	Path to services changed Hi All, I have an interesting issue. My laptop is running Vista Home Premium and has had AV installed and kept up to date from day one. Recently (don't know when it changed) a few, not all, of the services have had a "-" inserted before the path in the registry. The services affected were things like the Adobe file manager, Apple Ipod service, Sound card manager, Intel Raid monitor and Sony Event service. I can go into the registry and change them back by deleting the - from the beginning of the path, but after a while it returns. I am quite sure it's not some kind of malware (unless it's by-passed the AV), but its really annoying! Any ideas? The only thing I can see that they have in common is that the service's executable resides in c:\progam files\xxx. Thanks, Mark
My System Specs

12-05-2007	#2 (permalink)
Malke n/a posts	Re: Path to services changed Mark delta P wrote: Quote: > Hi All, > > I have an interesting issue. My laptop is running Vista Home Premium and has > had AV installed and kept up to date from day one. Recently (don't know when > it changed) a few, not all, of the services have had a "-" inserted before > the path in the registry. The services affected were things like the Adobe > file manager, Apple Ipod service, Sound card manager, Intel Raid monitor and > Sony Event service. I can go into the registry and change them back by > deleting the - from the beginning of the path, but after a while it returns. > I am quite sure it's not some kind of malware (unless it's by-passed the > AV), but its really annoying! Any ideas? The only thing I can see that they > have in common is that the service's executable resides in c:\progam > files\xxx. Since services' executables do not reside in C:\Program Files, this is a pretty sure sign your computer is infected. Go through these general malware removal steps systematically - http://www.elephantboycomputers.com/...moving_Malware Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista. http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions http://www.pctipp.ch/downloads/siche...ning_tool.html - download site The site is in German but David's tool is in English so don't let that worry you. Scroll all the way down to almost the bottom of the page and you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool". You'll see "Download von www pctipp.ch" and the live link to download Multi_AV. When all else fails, run HijackThis and post your log in one of the specialty forums listed at the first link above (not here, please). Not all tools used will work in Vista and you will need to run them elevated. Since Vista is so new, it will be a while before removal techniques and tools are developed. If you are unable to remove the infection by following the general steps, register at one of the HijackThis forums as suggested. Standard caveat: If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a professional computer repair shop (not your local version of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. Have all your data backed up before you take the machine into a shop. Malke -- Elephant Boy Computers www.elephantboycomputers.com "Don't Panic!" MS-MVP Windows - Shell/User
My System Specs

Similar Threads
Thread	Forum
strPathtoMDB path changed from mdb to the System file(runtime error)	VB Script
Was playing with services, and changed a few settings.	General Discussion
profile path changed strangely	Vista General
BUG? (Test-Path $path -IsValid) and empty $path	PowerShell
BUG/ANNOYANCE: PoSH autocompletes the full path rather than a minimal path	PowerShell