
Bad Windows 7 service???

By chris
While doing a virus cleanup on a client's Win 7 x32 laptop (domain environment), I noticed a service that I cannot set to manual (or disabled, for that matter). It bugs me because the service looks like a typical malware keyboard mash... Display name = "ghykva" and Service name = "nrdgzkwb". If I try to set it to manual or disabled, I get "Access Denied" in normal or safe mode.

This user did get the Conficker worm (I think from charging her iPhone), which had some shared music on it, and I think it was uploading the virus when it synced... I uninstalled iTunes and stopped that issue, and I was able to remove Conficker and some other adware/tracking cookies... and all AV scans show clean now, but I still can't seem to change the startup on this service and I am worried it may be malware...
Google research on both the display and service name either shows no results or just some Romanian prince, or other foreign authors, artists, etc... nothing Windows or PC related...

Has anyone seen this service before? Know if it is safe or not, and how to remove it, set it to manual, or disable it?

Can you disable it in MSCONFIG? No text.

by CharlieSpencer In reply to Bad Windows 7 service???

It is running with System privileges.

by seanferd In reply to Bad Windows 7 service???

You may have to edit the service startup registry entries with the OS offline.

It may be best all around to back up the user data, then nuke and pave. Wipe the drive (use, e.g., DBAN), partition, format, and reinstall.

Note, however, that Win 7 is not susceptible to Conficker, so it is quite likely something else. And any other system should be patched by now - especially after last patch Tuesday.


reply to suggestions

by chris In reply to Bad Windows 7 service???

To both suggestions: thank you... I have disabled all unnecessary startup items in MSCONFIG = no change... and the process is not currently running; it does show stopped (no dependencies). It is set to auto and I don't know when/if it might be running, but I have been fighting some weird network share drive access issues for all users and no other users have that service listed on their machines... So it is something that is not supposed to be there... but it just won't let me remove it, set it to manual or disable it... The description does say something about it being a Windows diagnostic service (but I think it is lying to me) and I just want to eliminate it to make sure it is not affecting any of my other issues.

Thanks for the ideas!


I really hate to say this, but

by Deadly Ernest In reply to Bad Windows 7 service???

Do you know how to edit the registry?

I see three ways to deal with this, two are safe and one is risky. The risky way may result in you doing it the safe way in the end, if you stuff it up.

safe way 1 - copy all data, format c: the hard drive and rebuild it.

safe way 2 - see if you can disable it within MSCONFIG run in the Command Mode.

risky way - copy all data, run Regedit in the command mode (I assume this still works in Win 7 as I don't have a copy), go through the registry entries for the local machine until you find the entries with this name, and delete the entry. The registry entry to start looking in would be Microsoft>Windows>Current>Run


Often the quickest way

by j-mart In reply to Bad Windows 7 service???

With this sort of problem is the nuke and re-install. I have seen many a tech become obsessed with an elegant solution to this sort of problem, waste a week going around in circles before ending up with a nuke and re-install. Someone has to pay for the fix, be it an employer or customer, so if you are not likely to sort it in a few hours, nuking is the most cost effective fix.


You know, you can mount an offline registry with Autoruns.

by seanferd In reply to Bad Windows 7 service???

It would make such an attempt infinitely easier.
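
Added example, not part of the original posts: the offline approach raised in this thread (editing the service startup entries with the OS offline, or mounting the offline registry), sketched in PowerShell. It assumes an elevated session on a clean system (WinPE or another Windows install) with the suspect disk mounted as `D:`; the drive letter and the mount name `OfflineSystem` are hypothetical, and the service name is the one quoted in the first post.

```powershell
# Added example. Assumptions: elevated PowerShell on a clean system, with the
# suspect installation's disk mounted as D: (hypothetical drive letter).
$HivePath    = 'D:\Windows\System32\config\SYSTEM'  # offline SYSTEM hive holds service definitions
$MountName   = 'OfflineSystem'                      # hypothetical name for the loaded hive
$ServiceName = 'nrdgzkwb'                           # service name quoted in the thread

reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $HivePath" }

try {
    # An offline hive has no CurrentControlSet link; Select\Current names the set in use.
    $current = (Get-ItemProperty "HKLM:\$MountName\Select").Current
    $regPath = 'HKLM\{0}\ControlSet{1:D3}\Services\{2}' -f $MountName, $current, $ServiceName
    $svcKey  = $regPath -replace '^HKLM', 'HKLM:'
    if (-not (Test-Path $svcKey)) { throw "No service key at $svcKey" }

    # Record what the service would launch before changing anything.
    $svc    = Get-ItemProperty $svcKey
    $params = Get-ItemProperty "$svcKey\Parameters" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisplayName = $svc.DisplayName
        Start       = $svc.Start        # 2 = automatic, 3 = manual, 4 = disabled
        Type        = $svc.Type
        ObjectName  = $svc.ObjectName   # account the service runs as
        ImagePath   = $svc.ImagePath    # binary to pull from the disk for scanning
        ServiceDll  = $params.ServiceDll
    } | Format-List | Out-Host

    # List the key's permissions; restrictive entries here are worth noting
    # alongside the "Access Denied" seen on the live system.
    (Get-Acl $svcKey).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType | Out-Host

    # Keep a copy of the key as evidence, then set the service to disabled.
    reg.exe export $regPath "$env:TEMP\$ServiceName.reg" /y | Out-Null
    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
}
finally {
    # Release provider handles so the hive can be unloaded cleanly.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

The `ImagePath` and `ServiceDll` values identify the files to collect and scan from the offline disk; disabling the start type alone does not remove them.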


Bad Windows 7 service???

by bni1369 In reply to Bad Windows 7 service???

Not sure if this helps : 03.07.2010 13:58
ytiilqryep _ZOOM_SAYS:
ghyKVa wtrvmbrubqeg, uwgsnwaybhid, jffjtgstsqqp, http://podypmzgyqqx.com/
Got it from : http://joomla.aafc.dk/index.php? option=com_zoom&Itemid=31&page=view&catid=5&key=1&hit=1

Thanks to NRGZ from Xda-Developers and ppcgeeks for this great beta build wm 6.5.1 rom build for the cdma touch pro 2.
Got it from: http://digitaldiscountproducts.com/WP/tag/nrgz/

Not sure what all this is but, if I were you, I'd use KILLDISK on that drive and re-load. Just because a given AV says 'it's clean' doesn't mean it really is clean. AV products have to know what is and is not a virus (spyware) BEFORE they can disinfect same. Not a single AV product that I know of had a clue about STUXNET, and we know what happened there.


What's with the extra .... in the post?

by seanferd In reply to Bad Windows 7 service???

Paste accident, or intentional?
