Stranger than fiction ?

Discussion in 'other software & services' started by MICRO, Mar 24, 2010.

Thread Status:
Not open for further replies.
  1. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    On my XP and in 'Services' there are two strange on the list, one is simply

    'X'
    and the other,

    'XCYTQOUKAO'
    Both are 'Disabled', probably by me as soon as I came across them.

    Anybody any clues ? especially how I might Delete both, rather than the Disabled ?
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    X and XCYTQOUKAO sound very dodgy, but "could" be related to something like an ARK etc that renames itself for protection.

    Anyway here's how to delete a service.



    http://www.theeldergeek.com/add_a_service_in_windows_xp.htm
     
  3. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Thanks very much CR, I just followed the path you gave via regedit, got to the keys
    and both had two other sub. folders, Enum and security.

    I took a chance, whatever they might belong to, Deleted the 'X' Key\folder and it's subs. went with it, but re. the longer one, each time I tried to Delete
    it I get " Error while Deleting Key" - It won't go, I shall see if I can find and Delete it via Regseeker, and also try Unlocker, doubt it will unlock a .reg key, will also check your EG link.

    They might belong to an App. and be legit. but I don't like their peculiar looking names or where they are - Am wondering if they belong to Threatfire but didn't notice anyone else ask about them along the way.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Good so far, let me know if you're successful :)
     
  5. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Admin cmd :
    sc delete servicename
    will delete a service as well.
     
  7. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Ran Regseeker's reg. search for that long lettered thing and got this list below - the 'X' service I deleted has gone, after a restart, I think they both belong to the same whatever but I can't get rid of this other service or this list below, I delete them all in Regseeker but they are soon back there.

    The 'Bugcheck' has stopped, at least upto now, so it might have been caused by incompat. via that Pro Security 1.30 I uninstalled a few days ago -
    Thanks to Global's BC referral page, which looks good, I downloaded Grinler's
    tiny batch file and will run it in a while - tried BC's mention to cmd prompt the words,
    tasklist /SVC
    but I only get a 'not recognised as a int. or ext. command'.
    MBAM, AVG, or Panda's Anti-Rootkit don't point to anything upto now.

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
    "LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\XCYTQOUKAO"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XCYTQOUKAO]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XCYTQOUKAO\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XCYTQOUKAO\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XCYTQOUKAO]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XCYTQOUKAO]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XCYTQOUKAO\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XCYTQOUKAO\0000]

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\XCYTQOUKAO]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XCYTQOUKAO]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XCYTQOUKAO\0000]
     
  8. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    No (save it system32) tasklist? You must have Home.
     
  9. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Hey thanks GF, that looks like a keeper page find at BC, I have downloaded
    Grinler's 'GetService' batch script so will run it when I go offline, see if it can find a bit more info., or a path, to this thing I can't get rid of, which may, or not, be legit.
     
  10. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Yeah, Legacy keys .... you'll need to run system to toss those babies - IF? You grab the dwnld from ComputerHope?
     
  11. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Thanks Franklin, Have just this minute typed it at the command prompt and hit Enter to
    get,

    [SC] DeleteService SUCCESS

    Without even a restart it's GONE from the Services list, I just checked. If I was a girl you would deserve a big kiss, but I'm not, so you have to miss out, lol,lol
    I suppose when I restart later it could return so I had better hold my breath
    for a couple of hours, hmmm. - If it's still gone it will be time to try and
    big A the rest of it's list I showed CR above.
     
  12. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    When you want it done right - cli!
     
  13. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Exactly GF - just read your next quick post re. 'Legacy Keys' and something at ComputerHope to download, can you give a link to whatever please ?

    I may need it - Franklin's move brought instant success, unless it happens to be a returnable Malware, and then there are these above mentioned keys
    to hopefully lose.
     
  14. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Second "click here" - it'll be in your status bar as tasklist.exe.
     
  15. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    You lost me GF - second "click here" ? Where ? What ? How ? Who ?
     
  16. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Backup - you'll find it.
     
  17. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Thanks a million GF - One would think I should be used to you being a man of few (but very helpful) words after several years but I must have Dementia setting in because I forget, and am then sitting here like a spare ..... , looking at the screen, and wondering. lol

    Kindest Regards.
     
  18. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Last edited: Mar 28, 2010
  19. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    GF - I am going to 'attempt' this man of few words business, here we go - Yes.
     
  20. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    This is primarily to sincerely thank,

    Clone Ranger
    Global Force
    and Franklin
    for their much needed help via links to good info.,Apps., or action.

    And for the people who know the techie areas I should reiterate - ran many security Apps. first, none showed any sign of a problem, even though I was copping more and more 'Bugchecks' via sudden Auto. Reboots when online.

    So tried to Delete the MalServices in 'Services' but could only Disable.

    Then tried in the Registry but could only Delete one.
    Tried via Regseeker but they returned immediately after a Reboot.

    Next I tried Franklin's,

    Admin cmd :
    sc delete servicename
    will delete a service as well.

    On XP,
    Went via Start - Accessories - Command Prompt - CD\ and hit Enter to get C:\> then typed in sc Delete XCYTQOUKAO and hit Enter again.

    It was immediately gone from 'Services' but a Regseeker reg. re-search showed
    half a dozen remnants were still in the Registry, highlighted them and Deleted,
    Rebooted and checked RS again, Clear, and it still is today, BUT, from now on I shall check the 'Services' list to see if there are any
    sudden additions, or if the 'Bugchecking Auto. restarts' return.

    Kind Regards to the guys.
     
  21. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Good. I'm sure the boys'll be happy to hear of your satisfaction.
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Micro

    :thumb:

    Here's a thread i wanted to post originally as well as the other info, couldn't find it till now.

    How to delete 'Legacy' registry entries? by Tommy :thumb:

    https://www.wilderssecurity.com/showthread.php?t=141555

    I've used this method several times, and it really does work.
     
  23. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Could probably get away with this too. Don't know about Vista and later ....
     
  24. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Thanks CR I have taken the links - Early in this thread I dived in and Deleted one of the joint pair
    in 'Services' named 'X' and thought no more about IT -
    Later when GF
    mentioned these 'Legacy' keys as being a pain to get rid of I still thought no more about the Deleted 'X' - Now, when you just refer to how to get rid of them I went into regedit and followed the paths as shown in #7 above and the 'main'
    multi lettered thing and it's 'Legacy' keys appear to be gone via Regseeker,
    but, there were a couple of 'L' keys with "Legacy_X" (no quotes), unfortunately there are others with 'X' attached, and a whole slew of them
    not with 'X' but Legacy_AVG etc., legit. Apps. - I can't tell which are to
    be Deleted and which are legit.

    One question, are all 'Legacy' keys bad news, or as in my case, some can belong to legit Apps. ?
     
  25. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Thanks GF - I didn't come back to you re. the little "tasklist.exe" because I
    always figure, be careful it's not turning into a saga.

    I have taken a look at this tiny 'Power Prompt' and may need it re. tasklist.exe.

    Tried to run tasklist but it wouldn't, then noticed you had told me to place it in 'Sys32' and so did that and tried several times, only get,
    Error:
    The RPC Server is Unavailable

    RPC in 'Services' is always on 'Automatic' and that has not changed, so now
    I am wondering why the Error, any clues ?
     
Thread Status:
Not open for further replies.