beefstu123

asked on

services.exe problem

Hi guys, I'm having a bit of an annoying problem with a Services.exe error.

Just recently we recovered from a pretty big virus infection. We ended up getting the PC cleaned and did a system restore to about 6 weeks previous. Ever since then I've been getting this error report appearing (just writing these sentences it's happened 4 times). I'll attach a screenshot of the report. Also, on startup we're getting one that says Init.exe; I'll attach that one too.

Any help would be great :) Cheers


error.-EE.bmp
Houssam Ballout

Does that happen with every user on the computer?
☠ MASQ ☠

Possibly this friendly little bug:
http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotatt.html
 
Check the "More information" tab for registry entries that will confirm.
You have something left over from your cleaning trying to start...

Go to Start - Run - type in msconfig - then select the Startup tab.

Uncheck anything you don't recognize or want to start up, and see if that helps.
beefstu123

ASKER

The computer has two users and yes, it happens on both. Thanks for the link, I'm checking it out now.
I've already worked through msconfig and there aren't any unwanted processes starting.

Run MalwareBytes or even better Combofix and let's see what the log shows.
http://www.malwarebytes.org/mbam.php


Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

OK, I've run them before but I'll do a fresh scan and post both logs for you.

listed as an alias for trojanshield

also look for
%System%\init.exe
%Temp%\init.exe
%Windir%\temp\suqqrcyqrh\init.exe
%Windir%\windowsmp.exe
c:\explorer.exe

    * %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    * %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    * %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Find them and delete them.
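
Added example, not part of the original thread: a read-only check for the file locations listed in the post above, expanding %System%, %Temp% and %Windir% as that post defines them and covering every user profile's Temp folder, since the problem was reported for both users. The function names and the `drive_root`/`windir` parameters are hypothetical, and the Windows NT/2000/XP profile layout is assumed.

```python
import hashlib
import sys
from pathlib import Path

# File locations exactly as listed in the post above.
INDICATORS = [
    r"%System%\init.exe",
    r"%Temp%\init.exe",
    r"%Windir%\temp\suqqrcyqrh\init.exe",
    r"%Windir%\windowsmp.exe",
    r"c:\explorer.exe",
]

def candidate_paths(drive_root, windir="Windows"):
    """Expand every indicator into concrete paths under drive_root (the C: volume)."""
    root = Path(drive_root)
    # Assumption: Windows NT/2000/XP profile layout, as described in the post.
    # %Temp% is per user, so each profile's Temp folder is a separate candidate.
    profiles = root / "Documents and Settings"
    temps = [p / "Local Settings" / "Temp" for p in sorted(profiles.glob("*")) if p.is_dir()]
    bases = {
        "%system%": [root / windir / "System32"],
        "%windir%": [root / windir],
        "%temp%": temps,
        "c:": [root],
    }
    found = []
    for indicator in INDICATORS:
        head, *rest = indicator.split("\\")
        for base in bases[head.lower()]:
            found.append((indicator, base.joinpath(*rest)))
    return found

def scan(drive_root, windir="Windows"):
    """Return one record per listed file that exists; nothing is modified or deleted."""
    hits = []
    for indicator, path in candidate_paths(drive_root, windir):
        if path.is_file():
            data = path.read_bytes()
            hits.append({"indicator": indicator, "path": str(path),
                         "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
    return hits

if __name__ == "__main__":
    # Usage: python check_paths.py C:\   (call scan(..., windir="Winnt") for NT/2000)
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(hit)
```

Recording the size and SHA-256 of each hit before removal keeps a record that can be compared against later scan logs.
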
combofix done MBAM on its way
log.txt
ASKER CERTIFIED SOLUTION
rpggamergirl

This solution is only available to members.

If you can get online, please run the Kaspersky online scanner. This can help us check for the presence of Virut / W32/Scribble-A.

http://www.kaspersky.com/virusscanner

If it finds Virut, I agree with RPGgamergirl that a system restore may be necessary.  Otherwise, if that's not the case, we can clean out the infections using Hijack This/Combofix and manually replace system files using the XP Recovery console.  As long as it isn't Virut, we should be able to clean this system.

Virut:
http://www.freedrweb.com/

Sality:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889


If you decide to try and clean this, then also use the above tools, a lot of bad files are showing in the combofix log which we can also delete, but a lot of infected legit files will not be listed in the CF log because it will only list few of the modified/infected system files.

Update time... I finished the combofix and MBAM scans and they picked up some infected services.exe files but that didn't fix the problem. So I ran the Dr Web program, which seemed to work fine; it found and cured a lot of infections, but after the restart I've been having major troubles with the data execution program within Windows. It's preventing the network command shell from opening so I have no network connections whatsoever. This is turning out to be a pretty severe problem. Hope you guys can provide continued advice and assistance :)

Cheers

A Virut is a hard one to tackle when a lot of files have already been infected.

So you've run DrWebCureIt which would've deleted legit infected files. You then need to replace all system files that have been deleted/corrupted using the Windows disk if you still have it.
Have you run the Kaspersky online scanner to check for any infected files?
Also attach the result of the last combofix run.

Still replacing vital files... it's pretty hectic here too. Updates may be few and far between.

Did MBAM or DrWebCureIt delete those numerous .tmp files showing in the combofix log?
Once done, you can scan again with combofix and show us the log.

Tried to combat the infections and failed lol. We ended up replacing the hard drive. Thanks heaps for the diagnosis of the combofix reports etc. Cheers :)