Malware deleting TrustedInstaller.exe, therefore crippling Windows

My sister’s computer is was infected with a bunch of stubborn malware. Even after cleaning the offending files, a lot of things won’t wouldn’t work.

Windows Update, run sfc /scannow, or DISM /Online /Cleanup-Image fails with unknown reasons, which I found it somehow related to “Windows Module Installer” service not running.

I saw something weird in services.msc: “Windows Module Installer” doesn’t exist, but I know the underlying name is “TrustedIntaller” and noticed a service named as such is there, but it cannot be started, nor there are any descriptive information.

So I searched registry for “TrustedInstaller” and got to its entry. I noticed these two:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrustedInstaller]
"DisplayName"="@%SystemRoot%\\servicing\\TrustedInstaller.exe,-100"
"Description"="@%SystemRoot%\\servicing\\TrustedInstaller.exe,-101"

It means the meaningful names and descriptions I saw on services.msc are generated by calling the underlying  service executable file with switches. I checked my “C:\Windows\servicing” and found that “TrustedInstaller.exe” is not there at all! Of course you cannot start a service where the file does not exist at the promised path (ImagePath).

I searched the hard drive and found only one instance of the file stored somewhere (like C:\Windows\winsxs\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7600.16385_none_90e389a7ae7a4b6c) and I tried to move the file to “C:\Windows\servicing”. However the ownership and permissions to write to “C:\Windows\servicing” goes to “TrustedInstaller” account, not “Administrator”, so I took the ownership, gave Administrator full rights, then move the file over.

Everything worked after that! Just the mere trick of deleting TrustedInstaller.exe is enough to make the user miserable trying to clean the system up! “sfc /scannow” or the like requires TrustedInstaller/WIM to be working in the first place, so you cannot use it to repair TrustedInstaller/WIM problems.

Loading

Simple dialog box built in windows

Back in the days, we use “net send” to display dialog boxes (I used it to chat with my friend after we dial up to the other’s computer).

Since Windows XP, there’s a more intuitive tool to do the same. It’s convenient if you want to add GUI interactions so that the user won’t ignore the text on the command prompt screen:

msg %SESSIONNAME% "your message goes here"

 

Loading

Visual C++ 2008 Redistributable (VC_RED) unpacks temp files to root folder

Over the last decade I was wondering if I did something wrong or my computer was infected by some rootkit that some random installation files shows up in the root folder.

Turns out it’s a stupid bug (didn’t expect something this low from Microsoft) that it unpacks temporary files of Visual C++ 2008 redistributables to whatever’s that’s largest storage space’s ROOT folder!

It’s fixed in SP1, but some old programs distributing the first revision will crap all over the root folder of seemingly random drives (actually, it’s the one with the most free space). Nasty!

https://support.microsoft.com/en-us/help/950683/vcredist-from-vc-2008-installs-temporary-files-in-root-directory

I made a batch file to clean it up. It’s not robust or up to any good programming standards (should have checked the hash signature before deleting if I was paid to write that, but I wasn’t). This batch file accepts an input like where the drive letter was littered (like E:\), or without input arguments, it will just pick the root folder of the current location.

@ECHO OFF
echo.Clean up Visual C++ 2008 temporary files (due to a bug)

set "old_dir=%cd%"

if "%~1" == "" goto Main
cd /d %1

:Main
REM must be a root folder of some drive
cd /

REM Display current drive
echo.%cd:~0,1% drive is going to be cleaned. Press Ctrl+C now to abort now or any other key to continue.
pause

del install.exe 
del install.res.1028.dll 
del install.res.1031.dll 
del install.res.1033.dll 
del install.res.1036.dll 
del install.res.1040.dll 
del install.res.1041.dll 
del install.res.1042.dll 
del install.res.2052.dll 
del install.res.3082.dll 
del vcredist.bmp 
del globdata.ini 
del install.ini 
del eula.1028.txt 
del eula.1031.txt 
del eula.1033.txt 
del eula.1036.txt 
del eula.1040.txt 
del eula.1041.txt 
del eula.1042.txt 
del eula.2052.txt 
del eula.3082.txt 
del VC_RED.MSI
del VC_RED.cab 

echo.Done
cd /d %old_dir%

No warranty or support of any sort if you use it. That’s why I wouldn’t even make it downloadable. Just copy and paste it to a batch file yourself, and keep in mind that you are on your own.

Loading

Windows Gotcha: Cannot access other machine because time doesn’t sync

Newer Windows, starting with Windows 7 at least, requires the clocks to be in sync for the login/authentication to work. The confusing part is that if it fails, it doesn’t tell you why, leading you to think your password was wrong.

Turns out this time, I’m trying to inject files to a Windows 2000 machine (a logic analyzer). After some Googling, this website showed me it could be a time issue. The RTC on that motherboard was alright, and showing that it’s 2018, but after a close look, the timezone was EST (GMT-7) while I’m on PST (GMT-8), so the clock is off by one hour!

Loading