Solution: Repair damaged/missing services following malware infection

Many times, following a nasty infection (such as that of various rogues or rootkits), you might notice that some of the critical Windows services are missing (such as the Security Center or Windows Firewall), or that Windows seems to be devoid of some typically critical functionality (such as Windows Update).  Apart from the obvious corrective measures that often must be taken post-disinfection (such as reinstalling any security software which might have been damaged), repairing system components can be much tougher.

Today, I’ll focus specifically on how to detect/repair some of the most commonly damaged services following an infection.  The four most commonly-damaged services are:

  • BITS (The Background Intelligent Transfer Service)
  • wscsvc (The Windows Security Center Service)
  • (not present on XP) BFE (The Base Filtering Engine Service)
  • (not present on XP) MpsSvc (The Windows Firewall Service)

It’s easy to understand why these services specifically are targeted by infections: all of them are potential threats to the malware, as they deal directly with Windows’ ability to protect and update itself.

The easiest way to detect missing or damaged services is to run these commands at the Command Prompt:

sc query bits

sc query wscsvc

sc query bfe

sc query mpssvc

As mentioned above, the bottom two services don’t exist on XP.  You can also script this using batch like so:

echo Checking for damaged Windows services...
sc query bits|find "The specified service does not exist as an installed service.">nul&&( echo BITS Service [BITS] does not exist )
sc query wscsvc|find "The specified service does not exist as an installed service.">nul&&( echo Security Center Service [WscSvc] does not exist )
sc query bfe|find "The specified service does not exist as an installed service.">nul&&( echo Base Filtering Engine Service [bfe] does not exist )
sc query mpssvc|find "The specified service does not exist as an installed service.">nul&&( echo Windows Firewall Service [MpsSvc] does not exist )

If any required services return an erroneous response (i.e., “The specified service does not exist as an installed service.”) then it’s pretty clear that damage has been done by the infection which requires repair.

At this point, you have to first check to ensure that the relevant system files for each service are still intact.  The easiest way to do this is to perform a sfc /scannow operation at the command line (run as Administrator) and ensure that any damaged files were successfully repaired.

Next, it’s generally as easy as reimporting the default registry keys corresponding with each missing service.  This isn’t difficult once you find a reliable location to acquire those keys.  The best place available is currently BleepingComputer.com’s Index of Windows Services.  Simply choose the folder which matches your operating system, select the name of the damaged/missing service, download the file, and import it into your registry.

After this is finished, you’ll still need to set each service to its default Startup type.  The easiest way to do this is to simply type each of these commands at the Command Prompt (again, running as Administrator):

sc config BITS start= delayed-auto

sc config wscsvc start= delayed-auto

sc config BFE start= auto

sc config MpsSvc start= auto

Again, it bears repeating: the final two services don’t exist on XP machines.

After completing these steps, reboot the PC and see if everything’s working again.

In a later post, I’ll cover Windows Update repair procedures, permissions resets, and plenty more techniques to help repair damaged systems following infection.