Malicious System Service - drv.dll and drv.sys

This section provides some notes on how a malicious system service was installed to run C:\Program Files\drv\drv.dll as part of the Antivirus System PRO infection.

More notes on what I did to remove Antivirus System PRO and related malicious programs.

27. Looking at the system services (Control Panel > Administrative Tools > Services). There is a new entry: "drv - drv - C:\WINDOWS\system32\svchost.exe -k drv", that is, a service named "drv" hosted by svchost.exe in a service group also named "drv". See the picture below:

Antivirus System PRO iehelper.dll

28. Selecting "Disabled" from the Startup type dropdown and clicking OK to save the change. But the setting changes back to "Automatic" and the service returns to the "Starting" status.

29. Running "regedit.exe" and searching for "drv". The matching registry entry shows that the service loads its code from the DLL under C:\Program Files\drv:

HKLM\SYSTEM\CurrentControlSet\Services\drv\Parameters
   ServiceDll   C:\Program Files\drv\drv.dll

30. Running "msconfig.exe" and clicking the Services tab. Clicking the "drv" entry to clear its check box, then clicking the Apply button.

31. The Windows system restarts by itself. After the restart, a warning message shows up:

System Configuration Utility

You have used the System Configuration Utility to make changes to the
way Windows starts. 

The System Configuration Utility is currently in Diagnostic or 
Selective Startup mode, causing this message to be displayed and the 
utility to run every time Windows starts.

Choose the Normal Startup mode on the General tab to start Windows 
normally and undo the changes you made using the System Configuration
Utility.

[ ] Don't show this message or launch the System Configuration 
Utility when Windows start.

[OK]

32. Do not click the OK button; leave the warning message on the screen while the next steps are done.

33. Looking at the folder C:\Program Files\drv and deleting these 2 files:

Name      Size   Type                    Date Modified
drv.dll   36KB   Application Extension   7/4/2009 10:25 AM
drv.sys   10KB   System file             7/4/2009 10:25 AM

34. Running the Service Controller (SC) command line tool, sc.exe, to delete the malicious service:

>sc.exe delete drv
[SC] DeleteService SUCCESS

35. Now clicking the OK button on the System Configuration Utility warning message dialog box. Windows restarts by itself.
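The "drv" entry above shows the pattern to look for on other machines: an svchost.exe "-k" group whose ServiceDll points outside the Windows directory. As an added example, not part of the original notes, the PowerShell function below audits every svchost-hosted service for that pattern. It assumes an elevated PowerShell prompt; the function name Get-SuspiciousSvchostService is my own choice.

```powershell
# Added example, not from the original page: audit svchost.exe-hosted services and
# flag ServiceDll values that look like the "drv" service described in the notes.
# Assumed to run in an elevated PowerShell prompt on the machine being inspected.
function Get-SuspiciousSvchostService {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $groups  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $sysRoot = $env:SystemRoot

    foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $svc   = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        $image = [string]$svc.ImagePath
        # Only svchost-hosted services carry "-k <group>"; everything else is skipped
        if ($image -notmatch '(?i)svchost\.exe"?\s+-k\s+(\S+)') { continue }
        $group  = $Matches[1]
        $params = Get-ItemProperty (Join-Path $key.PSPath 'Parameters') -ErrorAction SilentlyContinue
        $dll    = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
        if (-not $dll) { continue }

        $reasons = @()
        # A legitimate ServiceDll normally lives under %SystemRoot% (usually System32)
        if (-not $dll.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "ServiceDll outside $sysRoot"
        }
        # The -k group should be listed under the Svchost registry key
        if ($groups.PSObject.Properties.Name -notcontains $group) {
            $reasons += "svchost group '$group' not registered"
        }
        # The DLL should exist on disk and carry a valid Authenticode signature
        if (-not (Test-Path -LiteralPath $dll)) {
            $reasons += 'ServiceDll missing on disk'
        } elseif ((Get-AuthenticodeSignature -FilePath $dll).Status -ne 'Valid') {
            $reasons += 'ServiceDll not validly signed'
        }
        if ($reasons.Count -eq 0) { continue }

        # New-Object (rather than [pscustomobject]) keeps this usable on PowerShell 2.0
        New-Object PSObject -Property @{
            Service    = $key.PSChildName
            Group      = $group
            ServiceDll = $dll
            Start      = $svc.Start      # 2 = Automatic, 3 = Manual, 4 = Disabled
            Reasons    = ($reasons -join '; ')
        }
    }
}

Get-SuspiciousSvchostService | Format-Table Service, Group, Start, ServiceDll, Reasons -AutoSize
```

A hit still needs manual confirmation, since unsigned third-party services can be legitimate; once confirmed, the msconfig, file deletion and "sc.exe delete" steps above are the removal path.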

Some quick conclusions:
