{
	"id": "20b68d6d-9f98-4e78-babd-b7792c4c30ca",
	"created_at": "2026-04-06T00:06:06.161964Z",
	"updated_at": "2026-04-10T03:20:55.097639Z",
	"deleted_at": null,
	"sha1_hash": "157e7bdf87004b211e9bf45087dbeb520ebf4e5f",
	"title": "How Malware hides and is installed as a Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61624,
	"plain_text": "How Malware hides and is installed as a Service\r\nBy Lawrence Abrams\r\nArchived: 2026-04-05 21:52:38 UTC\r\nTable of Contents\r\n1. Introduction\r\n2. Service Configuration\r\n3. Listing and Analyzing the services\r\n4. Removing a service\r\n5. Conclusion\r\nIntroduction\r\nA common misconception when working on removing malware from a computer is that the only place an\r\ninfection will start from is one of the entries enumerated by HijackThis. For the most part those entries are the\r\nmost common, but that is not always the case. Lately more infections are installing part of themselves as a\r\nservice. Two examples are Ssearch.biz and Home Search Assistant.\r\nWhen cleaning a computer the standard approach is to clean up the Run entries and the other more common\r\nstartup entries first. For the most part, that will be enough to remove the infection. The problem arises when the\r\nlog looks clean and yet there are still problems. One place to continue looking for the infection is in the operating\r\nsystem's services, to see if there is a service that does not belong there and could be loading the infection.\r\nA service is a program that Windows NT/2000/XP/2003 starts automatically at boot, or on demand, and is\r\ngenerally used for programs that run in the background.\r\nPlease note that in order to use the instructions below you must run the programs with Administrator\r\nprivileges.\r\nService Configuration\r\n \r\nA service is loaded at startup either through svchost.exe or by Windows launching the application directly. 
If a\r\nservice is loaded directly by Windows, the file that launches the service is recorded in the\r\nImagePath value under the following registry key:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\r\nWhen the service is launched by svchost.exe, it is placed in a service group, and that group is\r\nlaunched by svchost.exe. A listing of these groups and the services that are launched under them can be found\r\nhere:\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\r\nhttps://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/\r\nPage 1 of 6\n\nUnder this key you will find various groups (netsvcs, LocalService, etc.), each containing a list of services\r\nthat will be launched when the group is loaded by svchost.exe. A group is loaded with a command such as:\r\nsvchost.exe -k netsvcs\r\nThis loads all the services listed under the netsvcs group in the above key, and they appear as one process in the\r\nprocess list. Each time another group is loaded by svchost.exe, a new svchost.exe process appears in\r\nmemory, which is why there are multiple svchost.exe processes running on a machine. On Windows XP (the\r\ncommand is not available on Windows 2000) you can see which services each svchost.exe\r\nprocess is hosting by running the following command from a command prompt: tasklist /SVC\r\nWhen a service is launched in this way, the ImagePath only points at svchost.exe itself. The actual service file is the\r\nServiceDll value under the service's Parameters subkey:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll\r\nThe ServiceDll value names the DLL that svchost.exe loads for the service, and that is the file we need to be concerned with.\r\nListing and Analyzing the services\r\nTo get a report of the configured services on your computer, I put together a simple batch file that uses Bobbi\r\nFlekman's swsc program to get a list of the services and open it in Notepad. 
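As an added example (not the article's batch file, and not Bobbi Flekman's or any other vendor's code), the same kind of report can be built straight from the registry with PowerShell. It lists every Win32 service with its start type and ImagePath, and for services launched through svchost.exe it also reads the -k group from the command line, the ServiceDll value under Parameters, and whether the service name is actually listed in that group under the Svchost key, which it must be for svchost.exe to load it. It assumes an elevated PowerShell 3.0 or later prompt; the function names, the report file name under %TEMP% and the heuristics in the final filter are mine.

```powershell
# Added example: service report from the registry, resolving svchost-hosted services to ServiceDll.
# Run from an elevated PowerShell prompt. The registry provider accepts forward slashes as
# path separators, which this script uses throughout.

$servicesKey = 'HKLM:/SYSTEM/CurrentControlSet/Services'
$svchostKey  = 'HKLM:/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Svchost'
$startNames  = @{ 0 = 'BOOT_START'; 1 = 'SYSTEM_START'; 2 = 'AUTO_START'; 3 = 'DEMAND_START'; 4 = 'DISABLED' }

# svchost group name -> service names that 'svchost.exe -k <group>' will register (REG_MULTI_SZ values).
function Get-SvchostGroups {
    $groups = @{}
    $props = Get-ItemProperty -Path $svchostKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSChildName/... properties the provider adds; keep only multi-string values.
        if ($p.Name -notlike 'PS*' -and $p.Value -is [array]) { $groups[$p.Name] = @($p.Value) }
    }
    return $groups
}

function Get-ServiceReport {
    $groups = Get-SvchostGroups
    foreach ($key in Get-ChildItem -Path $servicesKey) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Win32 services have Type 0x10 (own process) or 0x20 (shared process); drivers are skipped.
        if ($null -eq $props.Type -or -not ([int]$props.Type -band 0x30)) { continue }
        $name  = $key.PSChildName
        $image = [string]$props.ImagePath
        $group = $null; $dll = $null; $inGroup = $null

        if ($image -like '*svchost.exe*') {
            # The group is the token after -k, e.g. 'svchost.exe -k netsvcs'.
            $tokens = $image -split ' +'
            $k = [array]::IndexOf($tokens, '-k')
            if ($k -ge 0 -and $k + 1 -lt $tokens.Count) { $group = $tokens[$k + 1] }
            # The real code is Parameters/ServiceDll (a few services keep ServiceDll on the service key itself).
            $paramsKey = Join-Path -Path $key.PSPath -ChildPath 'Parameters'
            if (Test-Path -Path $paramsKey) { $dll = [string](Get-ItemProperty -Path $paramsKey).ServiceDll }
            if (-not $dll) { $dll = [string]$props.ServiceDll }
            # svchost.exe only registers the names in the group list, so a hosted service has to be in it.
            if ($group -and $groups.ContainsKey($group)) { $inGroup = $groups[$group] -contains $name }
        }

        [pscustomobject]@{
            Name            = $name
            DisplayName     = [string]$props.DisplayName
            Start           = $startNames[[int]$props.Start]
            ImagePath       = $image
            SvchostGroup    = $group
            ServiceDll      = $dll
            ListedInGroup   = $inGroup
            # Names containing characters outside printable ASCII, like the Home Search Assistant one, stand out.
            UnprintableName = [bool]($name -match '[^ -~]')
        }
    }
}

# Usage: the full report in Notepad, then a short list of entries worth a second look:
# unprintable names, or svchost-hosted services with no ServiceDll or not listed in their group.
$reportFile = Join-Path -Path $env:TEMP -ChildPath 'services.txt'
Get-ServiceReport | Sort-Object Name | Format-List | Out-File -FilePath $reportFile -Width 300
notepad.exe $reportFile
Get-ServiceReport |
    Where-Object { $_.UnprintableName -or ($_.SvchostGroup -and (-not $_.ListedInGroup -or -not $_.ServiceDll)) } |
    Format-Table -AutoSize
```

The flags at the end are starting points, not verdicts: a legitimate service can have an odd name, and a hosted service with an empty ServiceDll is misconfigured rather than necessarily malicious, so each flagged entry still needs the file itself looked at.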
The batch file is nothing fancy, but it saves time\r\nwhen diagnosing.\r\nThis file can be found here: Getservices.zip\r\nTo use the script, simply unzip the file to your C: drive and you will find a directory called c:\\getservice.\r\nInside that directory is a batch file called getservice.bat and the psservice.exe file. Double-click on the\r\ngetservice.bat file and it will open Notepad with a list of the services installed on the computer you are\r\nrunning it on. Note: You must be running as a user with Administrator privileges or this script will either\r\nnot work or not give enough information.\r\nThe output of the script contains information about each service installed on your computer. The important\r\nfields to look at in each service entry are:\r\nSERVICE_NAME This is the name the service goes by and the subkey name it is stored under in the registry.\r\nBINARY_PATH_NAME This is the actual file that is being used to launch the service.\r\nDISPLAY_NAME This is the name the service appears under in services.msc in the Control Panel.\r\nSTART_TYPE This tells you if the service is disabled, manually started, or automatically started.\r\nBelow are examples of how an entry looks for two different infections, along with explanations of how to\r\ninterpret the information given:\r\nSERVICE_NAME: O?'Å½rtñåÈ²$Ó\r\n(null)\r\nTYPE : 20 WIN32_SHARE_PROCESS\r\nSTART_TYPE : 2 AUTO_START\r\nERROR_CONTROL : 0 IGNORE\r\nBINARY_PATH_NAME : C:\\WINDOWS\\system32\\d3xi.exe /s\r\nLOAD_ORDER_GROUP :\r\nTAG : 0\r\nDISPLAY_NAME : Remote Procedure Call (RPC) Helper\r\nDEPENDENCIES :\r\nSERVICE_START_NAME: LocalSystem\r\nHome Search Assistant Example\r\nThe Home Search Assistant uses a service, in addition to standard Run entries, as part of its infection. The important\r\nattributes we can gather from the above information are as follows:\r\n1. 
Its display name in the Services control panel is Remote Procedure Call (RPC) Helper\r\n2. It has a service name of O?'Å½rtñåÈ²$i in the registry (a string of non-ASCII characters that does not\r\ndisplay consistently, as the two renderings above show)\r\n3. It is started automatically at boot\r\n4. The file that starts this service is C:\\WINDOWS\\system32\\d3xi.exe\r\nNote also that the display name imitates the legitimate Remote Procedure Call (RPC) and Remote Procedure Call (RPC)\r\nLocator services (service names RpcSs and RpcLocator); there is no Windows service called Remote Procedure Call (RPC) Helper.\r\nArmed with this information we know which registry key the service is stored under and which file is being\r\nused as part of the Home Search Assistant infection.\r\nThe next example is for the Ssearch.biz hijacker, which is loaded in a slightly different way and makes us work a\r\nlittle harder to find the infection file.\r\nSERVICE_NAME: pnpsvc\r\nProvides plug and play svc devices support\r\nTYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS\r\nSTART_TYPE : 2 AUTO_START\r\nERROR_CONTROL : 1 NORMAL\r\nBINARY_PATH_NAME : C:\\WINNT\\system32\\svchost.exe -k netsvcs\r\nLOAD_ORDER_GROUP :\r\nTAG : 0\r\nDISPLAY_NAME : Plug and Play svc service\r\nDEPENDENCIES :\r\nSERVICE_START_NAME: LocalSystem\r\nSSearch.biz Example\r\nThe SSearch.biz hijacker uses a service as part of its infection as well. The important attributes we can gather\r\nfrom the above information are as follows:\r\n1. Its display name in the Services control panel is Plug and Play svc service\r\n2. It has a service name of pnpsvc in the registry\r\n3. It is started automatically at boot\r\n4. The command that starts this service is C:\\WINNT\\system32\\svchost.exe -k netsvcs\r\nThe display name mimics the legitimate Plug and Play service, whose real service name is PlugPlay; pnpsvc is a separate, extra entry.\r\nThis information, though helpful, does not yet tell us what to remove. We\r\nknow that the file that starts the service is svchost.exe, but that is a legitimate Windows program, so we must not\r\ndelete it. How then can we find the right file to remove? Remember what we discussed above about how\r\nsvchost.exe works.\r\nFrom the BINARY_PATH_NAME we know that the service is part of the netsvcs group. 
That means that when\r\nsvchost.exe loads that group, which may contain many services, it will also load the DLL associated with this service.\r\nTo find the actual file name for this particular service, we need to read the ServiceDll value under the following key:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\pnpsvc\\Parameters\r\nThe ServiceDll value names the file we want to get rid of. It is also worth checking that pnpsvc has been added to the\r\nnetsvcs list under the Svchost key mentioned earlier: svchost.exe only registers the services named in that list, so a\r\nhijacker that installs itself with -k netsvcs has to add its name there too.\r\nIn the next section we will discuss how to remove the service by deleting entries in the registry.\r\n \r\nRemoving a service\r\nRemoving a service manually requires removing entries from the registry. This can be a dangerous task for\r\nthe health of your computer. If you do not feel comfortable doing this, then please ask someone else to help\r\nwith this step of the cleanup procedure, as making a mistake can cause the computer you are working on to\r\nnot work properly.\r\nService entries are stored in the registry under sections called ControlSets, which are located under the\r\nfollowing key:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\r\nA ControlSet is a complete copy of the configuration that is used to launch the services, drivers and other critical\r\ncomponents of Windows. When you look under the above key there will always be at least two numbered ControlSets\r\nand one CurrentControlSet. For the sake of this tutorial I will use what I have on my machine, which is\r\nControlSet001 and ControlSet002 (there may be more, up to a maximum of 4). One of these numbered control sets\r\nis the default configuration that is used when the computer boots normally. The other numbered control set\r\nis the one used when you choose to boot with the Last Known Good Configuration. 
The last one,\r\nCurrentControlSet, is not a separate copy but a link to the numbered ControlSet that was used to boot into Windows, so a\r\nchange made under CurrentControlSet appears immediately in the ControlSet it points to, and vice versa.\r\nIf you want to know for sure which ControlSet CurrentControlSet is pointing to, examine the\r\nfollowing key:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\Select\r\nThis key tells us which ControlSet was used on the last boot, which is used by\r\ndefault, and which is designated for the Last Known Good Configuration. It contains the following values:\r\nCurrent This contains the number of the ControlSet that we are currently using, which is the one\r\nCurrentControlSet points to.\r\nDefault This contains the number of the ControlSet that Windows uses by default when\r\nbooting.\r\nFailed This indicates which ControlSet failed on the last boot. If it is 0, there\r\nwere no failures.\r\nLastKnownGood This contains the number of the ControlSet that Windows uses when we choose the\r\nLast Known Good Configuration.\r\nTo manually remove a service from the registry we only need to remove it from the numbered\r\nControlSets (remember that CurrentControlSet is a link to one of the numbered ones). For example, to remove the\r\nservice for the SSearch.biz hijacker on my computer, we would delete the following keys from the registry:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\pnpsvc\\\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\pnpsvc\\\r\nDeleting the keys does not stop a service that is already running, so stop it first or reboot afterwards; either way,\r\nonce we reboot the service will no longer be listed in the Services control panel.\r\nAt times the malware will also install itself under these keys:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Enum\\Root\r\nas subkeys called LEGACY_svcname. 
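As an added example (not the article's own procedure, which is done by hand in regedit), the removal steps above as a PowerShell function: it reads the Select key to report which numbered ControlSet is Current, Default and LastKnownGood, stops the service, runs sc.exe delete so the live ControlSet is cleaned through the supported interface, and then sweeps every numbered ControlSet for the Services\\name key and the LEGACY_NAME key under Enum\\Root. The function name and the dry-run behaviour are mine; pnpsvc is the article's example. Run it with -WhatIf first to see what would be deleted; without -WhatIf it asks for confirmation before each deletion. It does not change key permissions, so a LEGACY_ key that cannot be deleted is reported and left for the permission change the article describes.

```powershell
# Added example, not the article's own procedure: remove a rogue service such as pnpsvc
# from every numbered ControlSet. Run from an elevated PowerShell prompt; try -WhatIf first.
function Remove-RogueService {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Name)

    # Report which numbered ControlSet is live (Current), the boot default, and LastKnownGood.
    $select = Get-ItemProperty -Path 'HKLM:/SYSTEM/Select'
    Write-Host ('Select: Current={0} Default={1} Failed={2} LastKnownGood={3}' -f $select.Current, $select.Default, $select.Failed, $select.LastKnownGood)

    # Deleting registry keys does not stop a service that is already running, so stop it first.
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue

    # Supported route for the live ControlSet. sc.exe, not sc: in PowerShell sc is an alias of Set-Content.
    if ($PSCmdlet.ShouldProcess($Name, 'sc.exe delete')) {
        sc.exe delete $Name | Out-Null
    }

    # Sweep ControlSet001, ControlSet002, ... CurrentControlSet is a link to one of them,
    # so it needs no separate pass. The registry provider accepts forward slashes as separators.
    $controlSets = Get-ChildItem -Path 'HKLM:/SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet0*' }
    foreach ($cs in $controlSets) {
        $servicesKey = Join-Path -Path $cs.PSPath -ChildPath 'Services'
        $enumRootKey = Join-Path -Path (Join-Path -Path $cs.PSPath -ChildPath 'Enum') -ChildPath 'Root'
        $targets = @(
            (Join-Path -Path $servicesKey -ChildPath $Name),
            (Join-Path -Path $enumRootKey -ChildPath ('LEGACY_' + $Name.ToUpperInvariant()))
        )
        foreach ($target in $targets) {
            if (-not (Test-Path -Path $target)) { continue }
            if (-not $PSCmdlet.ShouldProcess($target, 'Remove-Item -Recurse')) { continue }
            try {
                Remove-Item -Path $target -Recurse -Force -ErrorAction Stop
                Write-Host ('Deleted {0}' -f $target)
            } catch {
                # LEGACY_ keys usually fail here until their permissions are changed in regedit.
                Write-Warning ('Could not delete {0}: {1}' -f $target, $_.Exception.Message)
            }
        }
    }
}

# Dry run first, then the real run (a confirmation prompt precedes each deletion):
Remove-RogueService -Name 'pnpsvc' -WhatIf
# Remove-RogueService -Name 'pnpsvc'
```

Because the function is built on ShouldProcess, -WhatIf lists every key it would remove without touching anything, and -Confirm:$false can be added once the dry-run output has been reviewed and the ServiceDll file has been dealt with separately.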
These LEGACY_svcname entries should be deleted as well, but deleting them will\r\nusually require you to change the permissions on them first, since their default permissions do not allow even an\r\nAdministrator to delete them. In regedit, open the key's Permissions, take ownership if necessary, grant Everyone (or just\r\nyour Administrators group) Full Control, and then delete the key.\r\nConclusion\r\nKnowing how to diagnose malware running as a service is an important part of fighting spyware. As more and\r\nmore spyware and viruses use this technique, understanding how services work and how they are configured in the\r\nregistry will make the difference between fixing a computer and not fixing it.\r\nAs always, if you have any comments, questions or suggestions about this tutorial please do not hesitate to tell us\r\nin the forums.\r\nFor expert malware removal assistance, you can ask for help at our Virus, Trojan, Spyware, and Malware Removal\r\nLogs.\r\n--\r\nLawrence Abrams\r\nBleeping Computer Advanced Spyware Removal Tutorial\r\nBleepingComputer.com: Computer Support \u0026 Tutorials for the beginning computer user.\r\nSource: https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/"
	],
	"report_names": [
		"how-malware-hides-as-a-service"
	],
	"threat_actors": [],
	"ts_created_at": 1775433966,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/157e7bdf87004b211e9bf45087dbeb520ebf4e5f.pdf",
		"text": "https://archive.orkl.eu/157e7bdf87004b211e9bf45087dbeb520ebf4e5f.txt",
		"img": "https://archive.orkl.eu/157e7bdf87004b211e9bf45087dbeb520ebf4e5f.jpg"
	}
}