Service.exe infection

Trooper69 (OSNN Newbie, joined 15 Jul 2004, 7 messages)
Hi,

I'm having a bit of a problem with my system (using the kid's right now). I downloaded what was supposed to be a No-CD patch for a game. Well, instead of being a No-CD patch it was filled with "nasties". McAfee (Comcast free version) stopped several Trojans, but it did write something to windows\system32\service.exe. Spybot TeaTimer has stopped repeated attempts to write value changes to the registry, but it doesn't stop trying to make this same change. Now on a restart McAfee is blocking a buffer overwrite which is coming from "service.exe".

I've gotten into safe mode, but can't delete the file or overwrite it with a copy of "service.exe" from this uninfected machine. Also, I can't seem to get McAfee AV to run in safe mode either.

Is there a way to fix this without losing everything on the PC? I haven't used XP's restore at all, because I've heard viruses often write to the restore info as well when you get them. While I have a backup from a month ago, you'd be surprised at all I've downloaded and game data changes since.

Any suggestions? I've used the search function here but didn't find any matches, hence the new post.

Thanks
 
I'm afraid the only sure-fire suggestion I can make is to restore the backup. Games normally save their data in a file or a folder-full of files so you could probably back just those up before you restore the backup so you can restore the saved data afterward.

If I may make a suggestion for the future. Next time try [snip] for (so far in my experience) trustworthy No-CD cracks. I prefer the first one, [snip], but if the first one doesn't have what you're looking for, the second one is worth a shot.
 
Stick the XP disc in the drive, boot to recovery mode, copy service.ex_ from the disc and expand it, overwriting the infected versions.

Copy the file to c:\windows\system32\dllcache and c:\windows\system32 (I think that's where it lives).

Also, I believe you are breaking forum rules by talking about No-CD patches, which are normally warez-based EXEs, so you'd best stop right now and remove the links from your post above :)
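Editor's note, added to the thread and not written by any of the posters: the stock Windows Service Control Manager binary is %SystemRoot%\system32\services.exe (with an "s"), and Windows File Protection on XP keeps its reference copy in system32\dllcache. A file called service.exe in system32 is not a stock XP component, so if that is the name the malware dropped, expanding a clean services.ex_ over the real services.exe will not remove it. The Python below is an added example of the kind of triage check a responder would run against a system32 listing: it flags names one edit away from a protected binary, and protected binaries that have no dllcache copy. The list of protected names is a short illustrative subset, and the two directory listings are constructed sample data, not the poster's machine.

```python
"""Triage a suspect %SystemRoot%\\system32 listing for masquerading binaries.

Added example (not from the thread). Two checks:
  1. a file whose name is within one edit of a protected Windows binary but
     is not that binary itself (e.g. service.exe next to the real services.exe);
  2. a protected binary present in system32 with no matching copy in the
     dllcache folder that Windows File Protection maintains on XP.
All sample data below is constructed for illustration.
"""

# Assumption: a short illustrative subset of WFP-protected system32 binaries
# that malware commonly imitates, not the full protected-file catalog.
PROTECTED = {
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "smss.exe", "spoolsv.exe",
}


def edit_distance(a, b):
    """Levenshtein distance; small enough to inline for a few dozen names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalikes(system32, max_dist=1):
    """Return (suspect, protected) pairs for files whose names are within
    max_dist edits of a protected name but are not the protected name."""
    hits = []
    for name in system32:
        lowered = name.lower()
        if lowered in PROTECTED:
            continue
        for real in PROTECTED:
            if edit_distance(lowered, real) <= max_dist:
                hits.append((name, real))
    return sorted(hits)


def missing_from_dllcache(system32, dllcache):
    """Protected binaries that exist in system32 but have no WFP cache copy,
    which on XP is a sign that file protection has been disturbed."""
    s32 = {n.lower() for n in system32}
    cache = {n.lower() for n in dllcache}
    return sorted((PROTECTED & s32) - cache)


# Constructed sample listings (not real data): service.exe and svch0st.exe
# are planted lookalikes, and csrss.exe has been left out of dllcache.
SAMPLE_SYSTEM32 = [
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "smss.exe", "spoolsv.exe", "service.exe", "svch0st.exe", "notepad.exe",
    "ntoskrnl.exe",
]
SAMPLE_DLLCACHE = [
    "services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe",
    "spoolsv.exe",
]

if __name__ == "__main__":
    for name, real in lookalikes(SAMPLE_SYSTEM32):
        print(f"lookalike: {name} resembles protected {real}")
    for real in missing_from_dllcache(SAMPLE_SYSTEM32, SAMPLE_DLLCACHE):
        print(f"no dllcache copy for protected {real}")
```

On a real box you would feed the two functions the output of `dir /b` from system32 and system32\dllcache taken from the Recovery Console or from the drive mounted in a clean machine, then hash anything flagged before deciding what to delete or expand over.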
 
Thanks, Carpo. I apologize if I broke the rules, but I'm glad you told me.

I didn't think there was anything wrong with using a No-CD patch just to get around the annoyances with legal games.

I hope it's not presumptuous if I leave the links for now so that someone can tell me for sure if it's allowed or not. I meant it so innocently I honestly didn't even consider its relation to illegal games. I just wanted to help him use a more reputable source so that he doesn't get viruses.

Good luck, Trooper69!
 
Hi RoirraW,
Just for the record, we are talking about legally owned games; the wife and I are major Sims2 junkies. I'm TrooperMNT at the official site and have every EP (& stuff pack) registered up to the one before last (haven't bought it yet lol). I'm just tired of "burning up" CD-ROMs (4 to date over 7 years (Sim 1 originally)). As an Administrator for a Sims fan site I know how touchy the subject can be and I apologize for bringing it up as the source of my problem.

As to the problem itself, I tried to follow your advice, Carpo, but my MS-DOS skills are really rusty. I was able to use it to delete the existing "Service.exe" file and copy an existing "Service.exe" file from my other computer onto it. Unfortunately this didn't fix the problem. The computer would start up but all I got was a black screen. So possibly "Service.exe" files aren't interchangeable to that point, or more damage was done than I thought.
I removed the drive and placed it as a secondary in this machine and ran McAfee on it; it didn't find anything. As I don't recall deleting the "package" the worm was delivered in, the result of the scan is problematic. My Documents files were passworded and "hidden", which now makes them inaccessible. A review of the last data backup shows there really were a lot of changes to the game data, which is the main thing I wish to retrieve.

Is there a way to retrieve this inaccessible data yet or do I need to write it off as a loss?
 
Unfortunately at this point I still think restoring your last backup is the best option.

There are programs out there (not free) which will remove passwords from Windows accounts; however, I don't know if that necessarily means that your documents will become unprotected. It may, I just don't know, and the programs aren't cheap.

Passware makes one that definitely works but as I said it's not cheap.
 
You could try creating a BARTPE CD with the Deep Burner or Nero plugin as part of your disk. Boot from the disk you created then use the A43 File manager to browse to your files. Select the files you want to burn to CD/DVD then use whatever burning plugin you installed on your BARTPE CD to burn the files to CD/DVD.
 
Wow, $195 for the cheapest of those programs from Passware! Probably worth it if you're into PC repair as a living. Thanks RoirraW.

I'm looking over this BARTPE CD, sounds very interesting American Zombie. I'm looking into it right now. Unfortunately, I'm one of those users that falls into the category of knowing just enough to be dangerous LOL.

I'm going to give this BARTPE CD a try...wish me luck.

Thanks again.
 
You could try creating a BARTPE CD with the Deep Burner or Nero plugin as part of your disk. Boot from the disk you created then use the A43 File manager to browse to your files. Select the files you want to burn to CD/DVD then use whatever burning plugin you installed on your BARTPE CD to burn the files to CD/DVD.

I don't think that would work since his Windows account was passworded and encrypted. Or would it ask for his password when he tried to browse to his documents?

But he could save the files from recovery mode by choosing his account and "logging" in to it, couldn't he? (Credit Carpo for bringing it up)

I've used BartPE in the past but not for that purpose so I can't make a guess if it'll work. One way or another you won't be able to get to your files without entering a password somewhere.

FYI to anyone reading this who's interested there is also VistaPE for users of Vista. I haven't used it for practical purposes but it looks very interesting, too.

Good luck.

To have gotten as far as you have in attempting to do what you're trying to do, you are a bit more advanced than those I consider "knowing" just enough to be dangerous. Like my wife's nephew and my neighbors across the street.
 
Or, like you have tried already, stick the drive into another PC, copy all you need saving, and reinstall.
 
So will Windows from another PC or BartPE ask for his password when trying to access his documents?
 
No. As long as he has read rights on the drive/folders/files he should be able to copy the stuff he needs, no problem. I have done it with other people's drives in the past without issue.
 
Don't get me wrong - with all the Windows installations I do I am still very inexperienced with Windows accounts with passwords and encryption, so I'm only asking because I'm ignorant and I'd like to know. :D

Very few of the PCs I work on ever have passwords on them, and if they do they don't enable encrypting their documents, and I don't password my accounts on any of my PCs. That said, with unencrypted accounts I've never had trouble copying their documents, so with that info I'm leading to the following question:

Aren't passworded accounts with encrypted documents made just for that purpose, so someone can't:

1. Log in to another Windows account on the same PC and access your files.

2. Put your hard drive into another PC and access your files.

Wouldn't read rights for his data from another Windows installation have had to be specified from the original Windows installation, i.e. before attempting to access it from another Windows installation?

Again, sorry if I'm stubborn and I often play the devil's advocate - no harm meant.
 
Depends on how the files were encrypted. If password based, he should be OK as long as he remembers the password used to encrypt them; I know you can do this if you use TrueCrypt or PGP. If it's done by Windows I'm not too sure how it works.

If he logs onto another PC that has the same username and password he shouldn't have any issue at all :)
 
Ah, I see. So if he creates an account on his friend's computer with the same username and password, that makes sense. Thanks.
 
Granted I haven't tried, but I would think that may not work since the SID of the account would be different. Could be wrong though.
 
Basically, if you are admin you can access any file/folder you like :p
 
I'm going to have to disagree with you on that one, Carpo. For one thing, I'm assuming his old account was an Admin account, as most people don't bother creating Limited accounts for themselves, although maybe for their kids, but a lot of people aren't even aware of Limited accounts.

If his old account was password protected (and I've been assuming all along that when he said hidden he meant he opted to make his files private, and therefore encrypted and inaccessible from any other account, and that he was using Windows' built-in function to do that), then just any other Admin account won't be able to access his files.

You've got my curiosity going enough now that I might test the scenarios we've mentioned so far in VMWare Workstation. Inquiring minds want to know!

@kcnychief, you may be right.
 