# Workstation Service fails to start



## macado (Feb 19, 2009)

Last week I noticed a problem on someone's Vista machine at work. The system was running Vista Enterprise with SP1. The Workstation Service would not start and failed with the following error:

```
C:\Windows\system32>net start workstation
The Workstation service is starting.
The Workstation service could not be started.

System error 2 has occured

The system cannot find the file specified
```

As a result, several other services such as Netlogon and Computer Browser will not start because they depend on the Workstation Service.

Almost the exact same problem is described at http://blog.karmona.com/index.php/2008/12/12/vista-services-corruption-saga/, however their solution does not work.


So far I have tried the following:
- chkdsk /r
- sfc /scannow
- Uninstalling/Reinstalling SP1
- Scanned for viruses/spyware using MalwareBytes and Trend Micro OfficeScan
- Used AutoRuns to check for suspicious files/drivers


At first I thought the problem was limited to one computer, but so far I have experienced the problem on 3 separate computers. 2 of them were running Vista Enterprise and the other one was running Vista Business (all with SP1).

On a side note, one of them I discovered must have had a rootkit because I found about 50 GB of warez/movies hidden in C:\System Volume Information; however, the other 2 systems do not show signs of rootkits (or at least they're undetectable), so it could just be a coincidence.


Any ideas? Willing to post error logs or any scans requested.

Other information: All systems are connected to an AD domain, updates are pulled from WSUS.

Thanks


----------



## joeten (Dec 4, 2008)

Hi, my advice is to post the logs etc., as it will help someone here help you try to find out what is causing the issue.


----------



## jenae (Jun 17, 2008)

Hi, what happened with SFC? Did you get any message about files not able to be repaired, or did it give a clean bill of health? That "post" he was a true IT pro, I loved the "5 restarts". Now, as I have not experienced this problem before, I am guessing there is a UAC problem; you could try these commands (will do no harm). Run from a CMD prompt as administrator.


```
net localgroup Administrators /add networkservice
net localgroup Administrators /add localservice
exit
```

Press Enter after each line, then restart your computer.


----------



## macado (Feb 19, 2009)

UPDATE: The problem is caused by a trojan/worm. Very nasty one at that! I work at a university and it seems to be infecting tons of PCs.

Due to the severity of the infection, I am going to do a complete format. I don't want to take a chance that there is a rootkit component hiding somewhere.

Here are my notes so far... 

So far I have found 20 infected computers and counting. This is a bad one.
I first noticed the problem when I was scanning one of the machines and discovered it had approximately 40 GB of movies/warez hidden in C:\System Volume Information. Further investigation led to the discovery of an open FTP server on port 5946.

It also BREAKS almost every Vista machine it infects because it adds itself as a dependency to many Windows services, and as a result several key services in Windows are prevented from starting, such as Workstation, Server, Netlogon and Computer Browser. It adds itself to the same services in Windows XP but does not break them.

Malwarebytes, Trend OfficeScan and Trend Micro Sysclean do not seem to find it, but I was able to manually look through the services, where it created a fake/rogue service called "Backup" under the executable c:\windows\system32\sysrestore.exe. The other computer just called this service "Backup Service". It masquerades as a Microsoft service, but AutoRuns can see it and tell you that it's not verified.

You can also check by going to HKLM\System\CurrentControlSet\Services and looking for a service called "Backup".

Several online websites such as Sophos identify this trojan as "Troj/ServU-FP"; however, this variant seems to have many differences.

Here is what I have gathered so far...

- Creates a service called Backup with executable c:\windows\system32\sysrestore.exe
- Modifies the service Lanmanworkstation, removes all other dependencies and adds itself as a dependency as "Backup"
- Modifies the service Lanmanworkserver so that it depends on Backup and removes dependencies from Lanmanworkserver
- Modifies the Eventlog service so that it depends on Backup and removes other dependencies
- Modifies Spooler so that it depends on Backup and removes other dependencies
- Modifies Dnscache so that it depends on Backup and removes other dependencies
- Modifies EventSystem so that it depends on Backup and removes other dependencies
- Modifies ProtectedStorage so that it depends on Backup and removes other dependencies
- Stores data in C:\System Volume Information so that the user cannot find it
- Installs DameWare NT Utilities 2.6

Installs the following files in c:\windows\system32:
- java.dat
- java.ico
- pv.exe
- sisbackup.dll
- sysregpro.dll
- refdmnx32.dll
- sysrestore.exe



Very, very nasty trojan. Hope no one else has to deal with this.
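The post above describes the technique from the defender's side: core services under HKLM\System\CurrentControlSet\Services had their DependOnService lists rewritten to point at a rogue service whose binary is not a verified Microsoft file. The following script is an added example (not code from macado or any poster in this thread) that audits exactly that, read-only, so the check can be run on other machines on the same network. It assumes Windows PowerShell 2.0 or later, an elevated prompt, and that a dependency target whose binary is not Microsoft-signed (or is missing) is worth a human look. The $watchList names are taken from the post; everything else is constructed for the example.

```powershell
# Added example (not from the thread): read-only audit of service dependencies in
# HKLM\SYSTEM\CurrentControlSet\Services, looking for the pattern described above:
# core services rewired to depend on a rogue service whose binary is not Microsoft-signed.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt. Changes nothing.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Services the thread reports as having their DependOnService lists rewritten.
$watchList = 'LanmanWorkstation', 'LanmanServer', 'EventLog', 'Spooler',
             'Dnscache', 'EventSystem', 'ProtectedStorage'

function Get-ServiceBinaryPath {
    # Turn an ImagePath (or ServiceDll) value into a plain file path: expand
    # %SystemRoot%, strip quotes and arguments ("svchost.exe -k netsvcs"), and
    # resolve the relative / \SystemRoot\ forms used by drivers.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($p -match '^"([^"]+)"')                      { $path = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|dll|sys))(\s|$)') { $path = $Matches[1] }
    else                                             { $path = ($p -split ' ')[0] }
    $path = $path -replace '^\\\?\?\\', ''                          # \??\C:\... -> C:\...
    $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }  # 'system32\DRIVERS\x.sys'
    return $path
}

function Get-SignerStatus {
    # 'Microsoft' only for a valid Authenticode signature with a Microsoft subject;
    # anything else is reported so a person can review it.
    param([string]$Path)
    if (-not $Path)                          { return 'n/a' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing file' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') { return 'Microsoft' }
    return "Unverified ($($sig.Status))"
}

# Inventory every service: which binary really runs it, who signed it, what it depends on.
$inventory = @{}
foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props  = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $binary = Get-ServiceBinaryPath $props.ImagePath
    # Services hosted in svchost.exe keep their real code in Parameters\ServiceDll.
    $dll = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $binary = Get-ServiceBinaryPath $dll }
    $inventory[$key.PSChildName] = New-Object PSObject -Property @{
        Name            = $key.PSChildName
        BinaryPath      = $binary
        Signer          = Get-SignerStatus $binary
        DependOnService = @($props.DependOnService | Where-Object { $_ })
    }
}

# Report 1: every service whose dependency list names a service with a non-Microsoft
# (or missing) binary. Entries starting with '+' are load-order groups, not services.
$findings = foreach ($svc in $inventory.Values) {
    foreach ($dep in $svc.DependOnService) {
        if ($dep.StartsWith('+')) { continue }
        $target = $inventory[$dep]
        if ($target -and $target.Signer -ne 'Microsoft') {
            New-Object PSObject -Property @{
                Service   = $svc.Name;          DependsOn = $dep
                DepBinary = $target.BinaryPath; DepSigner = $target.Signer
            }
        }
    }
}
"== Services that depend on a service whose binary is not Microsoft-signed =="
$findings | Format-Table Service, DependsOn, DepBinary, DepSigner -AutoSize

# Report 2: current dependency lists of the services named in the thread, to compare
# against a known-good machine (the post says the genuine dependencies were removed).
"== Current DependOnService values for services named in the thread =="
foreach ($name in $watchList) {
    if ($inventory.ContainsKey($name)) {
        "{0,-18} -> {1}" -f $name, ($inventory[$name].DependOnService -join ', ')
    }
}
```

Two caveats when reading the output. Legitimate third-party services will also appear in the first report, so it is a review list, not a verdict; the signal is a core Windows service (Workstation, Server, EventLog and the others in the watch list) depending on something outside the Microsoft set, especially when its real dependencies are gone. And on older Windows PowerShell versions Get-AuthenticodeSignature does not consult signature catalogs, so some genuine Windows binaries report as NotSigned; confirm such entries with Autoruns' verification column, as the post does, before acting on them.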


----------



## joeten (Dec 4, 2008)

Hi, have a look in the security forum for help with this; they are very good at sorting these things.


----------

