Service.exe infection

Discussion in 'Windows Desktop Systems' started by Trooper69, Jun 29, 2008.

  1. Trooper69

    Trooper69 OSNN One Post Wonder

    Messages:
    7
    Location:
    Near Phila.; PA; USA
    Hi,

    I'm having a bit of problem with my system (using the kid's right now). I downloaded what was supposed to be a No-CD patch for a game. Well, instead of being a No-CD patch it was filled with "nasties". McAfee's (Comcast free version) stopped several Trojans but it did write something to windows\system32\service.exe. Spybot TeaTimer has stopped repeated attempts to write value changes to the registry, but it doesn't stop trying to make this same change. Now on a restart McAfee's is blocking a buffer overwrite which is coming from "service.exe".

    I've gotten into safe mode, but can't delete the file or over-write it with copy of "service.exe" from this uninfected machine. Also, I can't seem to get McAfee's AV to run in safe-mode either.

    Is there a way to fix this without losing everything on the PC? I haven't used XP's restore at all, because I've heard viruses often write to the restore info as well when you get them. While I have a backup from a month ago, you'd be surprised at all I've downloaded and game data changes since.

    Any suggestions? I've used the search function here but didn't find any matches, hence the new post.

    Thanks
     
    roirraW "edor" ehT likes this.
  2. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    I'm afraid the only sure-fire suggestion I can make is to restore the backup. Games normally save their data in a file or a folder-full of files so you could probably back just those up before you restore the backup so you can restore the saved data afterward.

    If I may make a suggestion for the future. Next time try [snip] for (so far in my experience) trust-worthy No-CD cracks. I prefer the first one, [snip], but if the first one doesn't have what you're looking for, the second one is worth a shot.
     
    Last edited by a moderator: Jun 30, 2008
    Trooper69 likes this.
  3. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    stick xp disc in the drive, boot to recovery mode, copy service.ex_ from disc and expand it, overwrite the infected versions.

    copy file to c:\windows\system32\dllcache and c:\windows\system32 (think that's where it lives)

    also i believe you are breaking forum rules talking about no-cd patches which are norm warez based exe's, so you best stop it right now, and remove the links from your post above :)
     
    Trooper69 likes this.
  4. Trooper69

    Trooper69 OSNN One Post Wonder

    Messages:
    7
    Location:
    Near Phila.; PA; USA
    Thanks I'll give it a go. If it works, I'll be backing up everything....
     
  5. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    Thanks, Carpo. I apologize if I broke the rules, but I'm glad you told me.

    I didn't think there was anything wrong with using a No-CD patch just to get around the annoyances with legal games.

    I hope it's not presumptuous if I leave the links for now so that someone can tell me for sure if it's allowed or not. I meant it so innocently I honestly didn't even consider its relation to illegal games. I just wanted to help him use a more reputable source so that he doesn't get viruses.

    Good luck, Trooper69!
     
  6. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    I guess I was (breaking the rules). *blush* sorry!
     
    tdinc likes this.
  7. Trooper69

    Trooper69 OSNN One Post Wonder

    Messages:
    7
    Location:
    Near Phila.; PA; USA
    Hi RoirraW,
    Just for the record, we are talking about legally owned games, the wife and I are major Sims2 junkies. I'm TrooperMNT at the official site and have every EP (& stuff pack) registered up to the one before last (haven't bought it yet lol). I'm just tired of "burning up" CDroms (4 to date over 7 years (Sim 1 originally)). As an Administrator for a Sims Fan site I know how touchy the subject can be and I apologize for bringing it as the source of my problem.

    As to the problem itself, I tried to follow your advice Carpo, but my MS-DOS skills are really rusty. I was able to use it to delete the existing "Service.exe" file and copy an existing "Service.exe" file from my other computer onto it. Unfortunately this didn't fix the problem. The computer would start up but all I got was a black screen. So possibly, "Service.exe" files aren't interchangeable to that point or more damage was done than I thought.
    I removed the drive and placed it as a secondary in this machine and ran McAfee's on it; it didn't find anything. As I don't recall deleting the "package" the worm was delivered in, the result of the scan is problematic. My Documents files were passworded and "hidden", which now makes them inaccessible. A review of the last data backup shows there really were a lot of changes to the game data, which is the main thing I wish to retrieve.

    Is there a way to retrieve this inaccessible data yet or do I need to write it off as a loss?
     
    Last edited: Jul 6, 2008
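    With the suspect drive mounted as a secondary disk in a clean machine, as described above, a defender can compare its system32 against the clean machine's instead of relying only on a signature scan. The script below is an added example, not code from the thread: it reports files present only on the suspect drive, files whose SHA-256 differs from the clean copy, and suspect-only names that are one character away from a legitimate name (the stock XP binary is services.exe, so a service.exe beside it is exactly that kind of discrepancy). The directory layout and file contents are constructed in a temp folder for demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def one_deletion_variants(name: str) -> set:
    """All strings obtained by deleting exactly one character (services.exe -> service.exe)."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def compare_system32(clean_dir, suspect_dir) -> dict:
    """Triage a suspect system32 against a known-good reference copy.
    NTFS names are case-insensitive, so keys are lower-cased before comparison."""
    clean = {p.name.lower(): p for p in Path(clean_dir).iterdir() if p.is_file()}
    suspect = {p.name.lower(): p for p in Path(suspect_dir).iterdir() if p.is_file()}
    only_on_suspect = sorted(n for n in suspect if n not in clean)
    hash_mismatch = sorted(
        n for n in suspect if n in clean and sha256_of(suspect[n]) != sha256_of(clean[n])
    )
    # A dropped file named almost like a real Windows binary is a classic disguise.
    lookalike = sorted(
        (s, c) for s in only_on_suspect for c in clean if s in one_deletion_variants(c)
    )
    return {"only_on_suspect": only_on_suspect,
            "hash_mismatch": hash_mismatch,
            "lookalike": lookalike}


def build_demo() -> dict:
    """Constructed sample (hypothetical contents, not real binaries): the clean
    reference has services.exe and kernel32.dll; the suspect copy carries a
    modified kernel32.dll plus an extra service.exe that the reference lacks."""
    root = Path(tempfile.mkdtemp())
    clean, suspect = root / "clean", root / "suspect"
    clean.mkdir()
    suspect.mkdir()
    (clean / "services.exe").write_bytes(b"MZ legit services")
    (clean / "kernel32.dll").write_bytes(b"MZ legit kernel32")
    (suspect / "Services.exe").write_bytes(b"MZ legit services")
    (suspect / "kernel32.dll").write_bytes(b"MZ patched kernel32")
    (suspect / "service.exe").write_bytes(b"MZ dropped file")
    return compare_system32(clean, suspect)
```

    Anything in `only_on_suspect` or `hash_mismatch` is a candidate for review, not proof of infection on its own; hotfix levels between the two machines can also explain a hash difference.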
  8. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    Unfortunately at this point I still think restoring your last backup is the best option.

    There are programs out there (not free) which will remove passwords from Windows accounts, however I don't know if that necessarily means that your documents will become unprotected. It may, I just don't know, and the programs aren't cheap.

    Passware makes one that definitely works but as I said it's not cheap.
     
  9. American Zombie

    American Zombie Moderator Staff Member Political User

    Messages:
    2,931
    Location:
    Seattle
    You could try creating a BARTPE CD with the Deep Burner or Nero plugin as part of your disk. Boot from the disk you created then use the A43 File manager to browse to your files. Select the files you want to burn to CD/DVD then use whatever burning plugin you installed on your BARTPE CD to burn the files to CD/DVD.
     
  10. Trooper69

    Trooper69 OSNN One Post Wonder

    Messages:
    7
    Location:
    Near Phila.; PA; USA
    Wow, $195 for the cheapest of those programs from Passware! Probably worth it if you're into PC repair as a living. Thanks RoirraW.

    I'm looking over this BARTPE CD, sounds very interesting American Zombie. I'm looking into it right now. Unfortunately, I'm one of those users that falls into the category of knowing just enough to be dangerous LOL.

    I'm going to give this BARTPE CD a try...wish me luck.

    Thanks again.
     
  11. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    I don't think that would work since his Windows account was passworded and encrypted. Or would it ask for his password when he tried to browse to his documents?

    But he could save the files from recovery mode by choosing his account and "logging" in to it, couldn't he? (Credit Carpo for bringing it up)

    I've used BartPE in the past but not for that purpose so I can't make a guess if it'll work. One way or another you won't be able to get to your files without entering a password somewhere.

    FYI to anyone reading this who's interested there is also VistaPE for users of Vista. I haven't used it for practical purposes but it looks very interesting, too.

    Good luck.

    To have gotten as far as you have in attempting to do what you're trying to do, you are a bit more advanced than those I consider "knowing" just enough to be dangerous. Like my wife's nephew and my neighbors across the street.
     
  12. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    or like you have tried already stick the drive into another pc - copy all you need saving and reinstall
     
  13. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    So will Windows from another PC or BartPE ask for his password when trying to access his documents?
     
  14. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    no - as long as he has read rights on the drive/folders/files - he should be able to copy the stuff he needs no problem, i have done it with other people's drives in the past without issue
     
  15. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    Don't get me wrong - with all the Windows installations I do I am still very inexperienced with Windows accounts with passwords and encryption, so I'm only asking because I'm ignorant and I'd like to know. :D

    Very few of the PCs I work on ever have passwords on them and if they do they don't enable encrypting their documents, and I don't password my accounts on any of my PCs. That said, with unencrypted accounts I've never had trouble copying their documents, so with that info I'm leading to the following question:

    Aren't passworded accounts with encrypted documents made just for that purpose so someone can't:

    1. Log in to another Windows account on the same PC and access your files.

    2. Put your hard drive into another PC and access your files.

    Wouldn't read rights for his data from another Windows installation have had to be specified from the original Windows installation, i.e. before attempting to access it from another Windows installation?

    Again, sorry if I'm stubborn and I often play the devil's advocate - no harm meant.
     
  16. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    depends on how the files were encrypted, if password based he should be ok as long as he remembers the password used to encrypt them, i know you can do this if you use truecrypt or pgp, if it's done by windows im not too sure how it works.

    if he logs onto another pc that has the same username and password he shouldn't have any issue at all :)
     
  17. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    Ah, I see. So if he creates an account on his friend's computer with the same username and password; that makes sense. Thanks.
     
  18. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Granted I haven't tried, but I would think that may not work since the SID of the account would be different. Could be wrong though.
     
  19. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    basically if you are admin you can access any file/folder you like :p
     
  20. roirraW "edor" ehT

    roirraW "edor" ehT Builder/Installer

    Messages:
    529
    I'm going to have to disagree with you on that one, Carpo. For one thing, I'm assuming his old account was an Admin account, as most people don't bother creating Limited accounts for themselves, although maybe for their kids - but a lot of people aren't even aware of Limited accounts.

    If his old account was password protected (and I've been assuming all along that when he said hidden he meant he opted to make his files private, and therefore encrypted and inaccessible from any other account, using Windows' built-in function to do that), then just any other Admin account won't be able to access his files.

    You've got my curiosity going enough now that I might test the scenarios we've mentioned so far in VMWare Workstation. Inquiring minds want to know!

    @kcnychief, you may be right.