Missing "non-critical" Microsoft Services.

8 replies to this topic

#1 Credomane

Credomane (Members, 5 posts)

Posted 05 September 2012 - 11:53 AM

I work on computers for a living and got a laptop Monday afternoon that was badly infected with just about everything under the sun (trojans, viruses, adware, borderline malicious programs). Spent nearly all day yesterday getting that all removed, manually fixing some system file permissions, unhiding nearly everything on C:, fixing some registry permissions and reinstalling IPv4 & IPv6 (to fix modified info forcing malicious DNS servers). The whole time I was doing this yesterday something was bothering me. Decided to keep the laptop an extra day and glad I did. There are a number of Windows services completely deleted.

Windows Updates, BITS, Windows Defender, Windows Firewall, ICS, Security Center, Event Logging Service and probably more that I haven't noticed are missing from the registry. While I know I can boot up one of my Win7 virtual machines and export hives* of the needed registry keys, I was wondering if someone knew of a program that could repair all of these services automatically, since Windows can't short of a complete reinstall.

As I was typing this up I spoke with my coworkers and they too have had some computers recently missing many services and simply reinstalled Windows. I'd just reinstall Windows myself if I had known the services were missing when I started, but now it will take just as much time reinstalling/updating Windows as I've already put into the machine plus fixing the services.



TL;DR Does someone know of a program that can repair damaged and install missing Windows services? I'd rather avoid reinstalling Windows every time I discover the services missing or spending time manually fixing them. A recent conversation (30m ago) with co-workers led me to believe this is going to be a common but overlooked problem, if it isn't already.



* For those wondering, the registry is stored in hives. Regedit allows you to export parts/all of the registry to either .reg files or raw .hive files. There are a few differences between hives and reg files. Normal reg files can be modified with a text editor and contain location information but lack permissions. Hives can't be modified easily and contain permission info but lack location information. Since hives lack location information this makes them incredibly dangerous to import if you don't know what you are doing. Importing hives makes all the warnings about damaging your registry with reg files look a little silly. Importing hives is like comparing sticking your hand in boiling water to sticking it in lava. If you import hives even slightly wrong you WILL destroy all/part of your registry. Just don't use hives. I mention them specifically for the people that know what they are and how to use them; for everyone else, this is what they are and why they are dangerous in a nutshell.

[edit]
Fixed a grammar mistake.

Edited by Credomane, 05 September 2012 - 11:55 AM.



#2 narenxp

narenxp (BC Advisor, 16,371 posts, India)

Posted 05 September 2012 - 12:48 PM

Download

http://www.bleepingcomputer.com/download/rkill/

Run it and after the scan finishes, post the contents of the RKill log located on the desktop here.

Edited by narenxp, 05 September 2012 - 12:48 PM.


#3 Credomane

Credomane (Topic Starter, Members, 5 posts)

Posted 05 September 2012 - 01:35 PM

Looks like I missed a few services. :/
Did rkill restore them? I haven't checked yet. If it did restore them, did it assign the proper registry permissions if they needed it?
I see that it says the Windows Defender service is disabled, which is how it was on the machine I had restored from.

Rkill Log: (collapsed spoiler)


#4 narenxp

narenxp (BC Advisor, 16,371 posts, India)

Posted 05 September 2012 - 01:41 PM

Rkill did not restore them.

I don't find any critical services missing.

Edited by narenxp, 05 September 2012 - 01:41 PM.


#5 Credomane

Credomane (Topic Starter, Members, 5 posts)

Posted 05 September 2012 - 04:09 PM

I have already manually restored the missing critical services using registry hives.
My question was if there was some kind of program that can detect missing Microsoft Windows services like rkill did and then automatically restore them. Don't get me wrong, even knowing what services are missing is a big help. Having to consistently hop machines to spot the differences took forever, as I thought it would. Then there is the manual restore process of exporting hives for each missing service, copying the hives to the damaged machine and making absolutely sure I restore them to the right place on the broken machine.

I'm quite positive that this is going to become the norm for malware to start doing. Just like they all practically move your start menu to folders in %APPDATA%\temp\smtmp\, hide your entire C drive, or sometimes even both. Figured having a tool to detect and restore missing services would be an extremely useful tool to have.
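The detection step asked for above (compare a machine's service keys against a known list, then carry the missing ones over from a healthy machine) can be scripted. The script below is an added example, not code from the thread or from any tool mentioned in it. It assumes the standard Windows 7 service short names (the thread itself only spells out SharedAccess for ICS), PowerShell 3.0 or later, and an elevated prompt. It deliberately exports .reg files rather than raw hives, for the reasons post #1 gives.

```powershell
# Added example (not code from the thread): compare the service keys on this
# machine against a baseline list and report which are missing or gutted.
# Assumes Windows 7-era service short names and PowerShell 3.0+ (elevated).
$Baseline = @{
    'wuauserv'     = 'Windows Update'
    'BITS'         = 'Background Intelligent Transfer Service'
    'WinDefend'    = 'Windows Defender'
    'MpsSvc'       = 'Windows Firewall'
    'SharedAccess' = 'Internet Connection Sharing (ICS)'
    'wscsvc'       = 'Security Center'
    'EventLog'     = 'Windows Event Log'
}
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceKeyStatus {
    param([hashtable]$Expected = $Baseline)
    foreach ($name in $Expected.Keys) {
        $key       = Join-Path $ServicesRoot $name
        $keyExists = Test-Path -Path $key
        $imagePath = $null
        if ($keyExists) {
            # A key can survive with its values stripped; without ImagePath the
            # service cannot start, so treat that as damaged rather than OK.
            $imagePath = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        }
        $status = if (-not $keyExists) { 'MISSING' } elseif (-not $imagePath) { 'DAMAGED' } else { 'OK' }
        [pscustomobject]@{
            Name        = $name
            DisplayName = $Expected[$name]
            # Key present but invisible to the service control manager is worth a second look.
            KnownToSCM  = [bool](Get-Service -Name $name -ErrorAction SilentlyContinue)
            ImagePath   = $imagePath
            Status      = $status
        }
    }
}

# Run this function on a known-good machine of the same Windows version, service
# pack and architecture: it exports the named service keys as .reg files. A .reg
# export carries the key path but not its permissions (see post #1), so it is
# the safe format to move across; import on the damaged machine with
# "reg import <file>" and then verify the resulting key ACLs.
function Export-ServiceKey {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop\ServiceExports')
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($n in $Name) {
        $regPath = "HKLM\SYSTEM\CurrentControlSet\Services\$n"
        $outFile = Join-Path $OutDir "$n.reg"
        & reg.exe export $regPath $outFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg export failed for $regPath" }
        else { Write-Host "exported $regPath -> $outFile" }
    }
}

$report = Get-ServiceKeyStatus
$report | Format-Table Name, Status, KnownToSCM, ImagePath -AutoSize
$broken = @($report | Where-Object { $_.Status -ne 'OK' } | ForEach-Object { $_.Name })
if ($broken.Count -gt 0) {
    Write-Host "Missing or damaged: $($broken -join ', ')"
    # On the reference machine:  Export-ServiceKey -Name $broken
}
```

The baseline hashtable is the part to grow over time: each service found missing on a cleaned machine gets added, so the next comparison no longer needs a second machine to spot the gap. A .reg import recreates the key with permissions inherited from the Services root, which is what the defaults are on a healthy system; a separate ACL check afterwards is still worthwhile because the infection may have altered the parent key's permissions too.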

#6 narenxp

narenxp (BC Advisor, 16,371 posts, India)

Posted 05 September 2012 - 05:13 PM

This tool is to restore/repair specific missing services after a Zero Access infection:

http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

This tool doesn't work in all cases. I'm not aware of any other tool that could fix all the missing services.

System Restore is a better option for fixing missing services if you find it hard to import registry keys.

#7 Credomane

Credomane (Topic Starter, Members, 5 posts)

Posted 05 September 2012 - 07:36 PM

Dang. That is what I needed to know. I've heard of Zero Access but haven't run into it, yet. Guess I'll stick with the manual repair of services for now then.

Might make a script or something if I can. I have a free command line program for checking file system permissions but registry permissions seem to be avoided/forgotten about.

Thanks for the assistance!

[edit]
Moved to new post....Didn't want to double post but then got a reply while editing.

Edited by Credomane, 05 September 2012 - 08:00 PM.


#8 narenxp

narenxp (BC Advisor, 16,371 posts, India)

Posted 05 September 2012 - 07:42 PM

You're welcome :)

#9 Credomane

Credomane (Topic Starter, Members, 5 posts)

Posted 05 September 2012 - 08:00 PM

Well, I started looking around some more and I found SetACL. More poking around and I found more info on Sirefef (one of the ones I got rid of) that does the same line of stuff as Zero Access. It trashes Windows Firewall, BITS and SharedAccess (service name of ICS). Seem to have hit a gold mine of information that I've been looking for!
This webpage is pretty much covering the worst part of what I had to deal with. http://resguru.com/2012/08/defeating-a-live-virus-trojan-infection-with-am/
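Posts #7 and #9 raise the registry-permissions side of the repair: a restored or surviving service key is no use if its ACL carries Deny entries or has lost SYSTEM and Administrators access. The script below is an added example, not code from the thread, from SetACL or from the linked page. It audits the ACL of each watched service key with the built-in Get-Acl, and offers a repair that copies the DACL of a healthy key (by default the Services root, which the service keys normally inherit from). It assumes the same Windows 7 service short names as the earlier example and an elevated PowerShell 3.0+ prompt.

```powershell
# Added example (not code from the thread): audit the ACL on each service key for
# Deny entries and missing SYSTEM/Administrators access, and optionally re-apply
# the DACL of a healthy key. Assumes Win7 service short names, PowerShell 3.0+,
# elevated. Service names are the common ones; the thread only names SharedAccess.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Watch = 'wuauserv','BITS','WinDefend','MpsSvc','SharedAccess','wscsvc','EventLog'

# True if an Allow rule for $Identity grants FullControl (explicit or inherited).
function Test-HasFullControl {
    param($Rules, [string]$Identity)
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    [bool]($Rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.RegistryRights -band $full) -eq $full
    })
}

function Test-ServiceKeyAcl {
    param([string[]]$Name = $Watch)
    foreach ($n in $Name) {
        $key = Join-Path $ServicesRoot $n
        if (-not (Test-Path -Path $key)) {
            [pscustomobject]@{ Name = $n; Owner = $null; DenyAces = $null; Finding = 'key missing' }
            continue
        }
        $acl   = Get-Acl -Path $key
        # Include inherited rules: service keys normally inherit from the Services root.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
        $findings = @()
        if ($deny.Count -gt 0) {
            $who = ($deny | ForEach-Object { $_.IdentityReference.Value }) -join ','
            $findings += "$($deny.Count) Deny ACE(s) for $who"
        }
        if (-not (Test-HasFullControl $rules 'NT AUTHORITY\SYSTEM'))   { $findings += 'SYSTEM lacks FullControl' }
        if (-not (Test-HasFullControl $rules 'BUILTIN\Administrators')) { $findings += 'Administrators lack FullControl' }
        $finding = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'ok' }
        [pscustomobject]@{ Name = $n; Owner = $acl.Owner; DenyAces = $deny.Count; Finding = $finding }
    }
}

# Replace the DACL of a damaged key with a copy of a healthy key's DACL. Only the
# access section is copied, so the owner is left alone; if the current owner or
# a Deny entry blocks the change, take ownership first (SetACL can do this) and
# re-run. Supports -WhatIf so the change can be previewed.
function Repair-ServiceKeyAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ReferenceKey = $ServicesRoot
    )
    $target  = Join-Path $ServicesRoot $Name
    $section = [System.Security.AccessControl.AccessControlSections]::Access
    $sddl    = (Get-Acl -Path $ReferenceKey).GetSecurityDescriptorSddlForm($section)
    $newAcl  = New-Object System.Security.AccessControl.RegistrySecurity
    $newAcl.SetSecurityDescriptorSddlForm($sddl, $section)
    if ($PSCmdlet.ShouldProcess($target, "replace DACL with that of $ReferenceKey")) {
        Set-Acl -Path $target -AclObject $newAcl
    }
}

Test-ServiceKeyAcl | Format-Table Name, Owner, DenyAces, Finding -AutoSize
# Preview a repair without changing anything:
#   Repair-ServiceKeyAcl -Name SharedAccess -WhatIf
```

Run the audit before and after any registry import: a key that was recreated from a .reg file inherits its ACL from the Services root, so an abnormal result on a freshly imported key points at the root key's permissions rather than the import. Record the Owner column as well; a service key owned by an ordinary user account, or by an unresolvable SID, is a finding in its own right even when the access rules look normal.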
