Security service can't be started



Fifthdawn
10-09-2010, 11:39 PM
Hello PF1

I have been tasked with 'fixing' a family laptop (HP tablet PC running Vista Home Premium) which is 'going slow'. I have removed a few Trojans with Malwarebytes, but I am concerned about the fact that I get this message when I attempt to turn on the inbuilt security:

[Window Title]
Windows Security Center

[Main Instruction]
The Security Center service can't be started.

[Close]

The computer will also not download Windows updates (the loading bar just keeps scrolling with no bandwidth being used).

I have read around the internet and all the posts that I have seen say that I should manually start the service, but it's not even in the services list!

Any advice would be great :)

Speedy Gonzales
10-09-2010, 11:45 PM
Disable system restore. Reboot. If this is 32 bit, get trojan remover from here http://www.simplysup.com/

Update it then scan. Then select all options under utilities

Fifthdawn
11-09-2010, 12:25 PM
Thanks for that reply. I followed those steps but it failed to find anything, and I still can't run Windows Update or turn on the security service.

Would a repair installation be able to fix this, as it seems like parts of Windows are damaged?

Speedy Gonzales
11-09-2010, 12:49 PM
What were the name/s of the trojans??

Speedy Gonzales
11-09-2010, 01:17 PM
Is, or was, Norton on this?? It looks like this program can make that message appear. McAfee can also screw it up.

Fifthdawn
11-09-2010, 01:29 PM
What I removed was called "worm.prolaco.m".

I think this laptop has had both McAfee and Norton on it in the past.

Thanks for the help.

Speedy Gonzales
11-09-2010, 01:47 PM
So what AV program is on it now? Is there a P2P program on this? If there is, that's probably how it got infected. Post a HJT log if it can run (rename its file if it can't), or run it in safe mode / networking.

Fifthdawn
11-09-2010, 02:59 PM
It's running MSE and Avast!, but Avast seems to be broken - it just quits with an error.

Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:58:06 p.m., on 11/09/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-1341804659-2337394881-1397761179-1000\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: Wacom Touch Service (WacomTouchService) - Unknown owner - C:\Windows\system32\WacomTouchService.exe

--
End of file - 5508 bytes

Speedy Gonzales
11-09-2010, 03:04 PM
Uninstall one of them, you don't need both of them.

You can tick these then tick fix checked

Close browsers. I would also install SP2, once you figure out how to fix this prob.

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot

Update MSE, then do a full scan

Get the Norton / Symantec and the McAfee removal tools, so both remove whatever completely.
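
Added example, not part of the original posts and not HijackThis's own code: a small Python triage of the log format posted above. It separates `(no file)` entries (the kind ticked for "fix checked"), O23 services listed with "Unknown owner", and AV products that are still active versus left behind; the function names and the `AV_MARKERS` substrings are assumptions made for this illustration.

```python
import re

# Excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O2 - BHO: ..."

# Assumption: substrings used to recognise AV products; extend for other vendors.
AV_MARKERS = {
    "microsoft security essentials": "Microsoft Security Essentials",
    "avast": "avast!",
    "symantec": "Symantec/Norton",
    "norton": "Symantec/Norton",
    "mcafee": "McAfee",
}

def parse_entries(log):
    """Return (section, body) per 'Xn - ...' line; headers and process paths are skipped."""
    return [m.groups() for m in (ENTRY.match(l.strip()) for l in log.splitlines()) if m]

def is_orphaned(body):
    """'(no file)' marks a registry entry whose target file is missing."""
    return body.rstrip().endswith("(no file)")

def triage(log):
    """Group entries into the categories a helper reading the log looks at first."""
    entries = parse_entries(log)
    orphaned = [(s, b) for s, b in entries if is_orphaned(b)]
    unknown = [b for s, b in entries if s == "O23" and " - Unknown owner - " in b]
    active_av, leftover_av = set(), set()
    for _, body in entries:
        for marker, product in AV_MARKERS.items():
            if marker in body.lower():
                (leftover_av if is_orphaned(body) else active_av).add(product)
    return {"orphaned": orphaned, "unknown_owner_services": unknown,
            "active_av": active_av, "leftover_av": leftover_av}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

An "Unknown owner" service is only a prompt to check the binary by hand, and more than one product in `active_av` matches the advice above to uninstall one of them.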

Fifthdawn
11-09-2010, 07:53 PM
I ran the scan and it found nothing. The security service still won't start and is not shown in the list of services, which means that I can't even start it manually.

Speedy Gonzales
11-09-2010, 08:00 PM
So, security centre doesn't appear in services, if you type services.msc under run? Is that what you were looking for?

Speedy Gonzales
11-09-2010, 08:30 PM
Try this

http://social.answers.microsoft.com/Forums/en-US/vistasecurity/thread/b04734b6-deab-44d7-aa2c-0d73149daf21

As the security center service is not present in services, let us look for the entry Windows Management Instrumentation(WMI) and make note that the service status is started.

Go to Start, type services.msc and hit Enter.

In order to proceed you will need to pause the WMI service so double click the entry and click the “Pause” button.

It will take a few seconds for Windows to pause the service so wait until it completes before proceeding. Leave the services dialog box open. Now you need to proceed to your Windows directory and delete a specific folder. DO NOT delete ANY OTHER folder except the one that is specified.

Go to C:\Windows\System32.

Inside the System32 folder you will find the wbem directory.

In wbem you will find a folder named Repository which contains information that is reported to the Security Center such as which programs are installed, firewall status, etc. After installing and uninstalling different security programs, these entries can become corrupted and report false information to the Security Center.

With your Services dialog box still open, check and make sure that the Windows Management Instrumentation (WMI) service is still paused, if it is, proceed, if not, go back and follow the steps to pause the service. Once you are sure the service is paused, go ahead and delete the repository folder and make sure ONLY to delete the repository folder, DO NOT delete any other entries.

Now, go back to your services dialog box and remember how the WMI service is paused, well, it’s time to start it up again so double click the Windows Management Instrumentation entry once more and click Resume.

This step forces Windows to redo the inventory of your installed security applications (firewall, antivirus and the like) and rebuild the Security Center index. It will take a few moments for the service to Resume. Remember that repository folder you deleted, well, you will now note that it has magically been created again with a new inventory of what’s installed.

Restart your Computer, the Security Center should now be displaying the correct information as to what programs are installed and functioning.

Fifthdawn
12-09-2010, 02:50 AM
I followed those steps Speedy, but they didn't solve the problem.

Is there any way to check for broken Windows files?

I'm starting to think that a repair install of Windows Vista might be the best option, and is there a special version that has to be used with a tablet PC?

Speedy Gonzales
12-09-2010, 08:32 AM
Open a command prompt as admin. Type sfc /scannow

See what happens

Fifthdawn
12-09-2010, 12:47 PM
Running sfc /scannow returns the error:

"Windows resources protection could not perform the requested operation."

kahawai chaser
12-09-2010, 01:12 PM
Perhaps check the log file for sfc - sfcdetails.txt to view any corrupt folders. Maybe also run the check disk utility.

Speedy Gonzales
12-09-2010, 01:29 PM
Try this

http://social.answers.microsoft.com/Forums/en-US/w7performance/thread/2e8e994e-08b7-4ccf-859c-685c7bf1614e

If that doesn't fix it you may have to reinstall somehow.

kahawai chaser
12-09-2010, 01:43 PM
Perhaps try running sfc by booting from the disc if available, or running/downloading/burning a Vista recovery disc (http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/).

Fifthdawn
12-09-2010, 02:12 PM
Nothing seems to work, I'm thinking that a reinstall will be needed :(

Just a quick thought, will a normal Windows 7 install work as a tablet OS, or is there a special version that would be needed for all the special tablet features to work?

Cheers

Also is it legal to install home/home premium in a small business environment?

Speedy Gonzales
12-09-2010, 06:59 PM
Have you tried a reg file that some people have posted online, to restore the security center (for some)?? Is this online? If it is, put TeamViewer on it and I'll check it out.

Fifthdawn
12-09-2010, 08:23 PM
Just downloading TeamViewer now. Ready when you are :)

Speedy Gonzales
12-09-2010, 08:30 PM
Umm k. Can we wait till about 8?? I'm going to have tea. Send the ID and password it gives you to me in a PM. I'll log in then

Fifthdawn
12-09-2010, 08:31 PM
Ok, PM sent.

Speedy Gonzales
13-09-2010, 12:00 AM
Ok, I think whatever this trojan does may be similar to this - http://www.symantec.com/security_response/writeup.jsp?docid=2009-022520-1425-99&tabid=2 (that's Symantec's name for it)

It removes entries (in the registry) for Security Center's service in Windows. I managed to find a few reg files and import them. BUT, one entry under root in the registry may be protected or may need permission to import.

And this is the entry that's missing (I think that's why the service complains / won't start: this is missing). It's on this - Vista, but not in FD's registry. I managed to get so far with the Security Center service (I managed to make it reappear in services, it disappeared altogether).

But can't start it. So FD may have no choice but to reinstall Windows again. Too many files are either missing or corrupt. It looks like, when he runs a few programs, Windows Installer keeps appearing. It shouldn't, they're already installed.