beefstu123
asked on
services.exe problem
Hi guys, I'm having a bit of an annoying problem with a Services.exe error.
Just recently we recovered from a pretty big virus infection; we ended up getting the PC cleaned and did a system restore to about 6 weeks previous. Ever since then I've been getting this error report appearing (just writing these sentences it's happened 4 times). I'll attach a screenshot of the report. Also on startup we're getting one that says Init.exe; I'll attach that one too.
Any help would be great :) cheers
error.-EE.bmp
Does that happen with every user on the computer?
Possibly this friendly little bug:
http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotatt.html
Check the "More information" tab for registry entries that will confirm.
You have something left over from your cleaning trying to start...
Go to Start - Run - type in msconfig - then select the Startup tab.
Uncheck anything you don't recognize or want to start up, see if that helps..
ASKER
The computer has two users and yes, it happens on both. Thanks for the link, I'm checking it out now.
ASKER
I've already worked through msconfig and there aren't any unwanted processes starting.
Run MalwareBytes or even better Combofix and let's see what the log shows.
http://www.malwarebytes.org/mbam.php
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ASKER
OK, I've run them before but I'll do a fresh scan and post both logs for you.
listed as an alias for trojanshield
also look for
%System%\init.exe
%Temp%\init.exe
%Windir%\temp\suqqrcyqrh\init.exe
%Windir%\windowsmp.exe
c:\explorer.exe
* %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Find them and delete them.
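Before deleting anything, it helps to confirm which of the paths above are actually present and what msconfig's Startup tab is reading from the registry. The following PowerShell script is an added example, not part of the thread; it assumes PowerShell is installed on the XP machine, expands the %System%/%Temp%/%Windir% placeholders from the post, and only reports (it deletes nothing).

```powershell
# Added example: report the indicator paths listed in the post and the Run keys
# behind msconfig's Startup tab. Report-only; nothing is removed.
$suspectPaths = @(
    "$env:SystemRoot\System32\init.exe",          # %System%\init.exe (2000/XP layout)
    "$env:TEMP\init.exe",                         # %Temp%\init.exe for the current user
    "$env:SystemRoot\temp\suqqrcyqrh\init.exe",   # %Windir%\temp\suqqrcyqrh\init.exe
    "$env:SystemRoot\windowsmp.exe",              # %Windir%\windowsmp.exe
    "C:\explorer.exe"                             # explorer.exe belongs in %Windir%, not the drive root
)

foreach ($p in $suspectPaths) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p -Force
        "FOUND  {0}  ({1} bytes, modified {2})" -f $p, $f.Length, $f.LastWriteTime
    } else {
        "absent $p"
    }
}

# The legitimate services.exe lives only in %System%; a copy anywhere else is
# worth looking at, which matches the infected services.exe files MBAM reported.
Get-ChildItem -Path "$env:SystemDrive\" -Filter services.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -ne "$env:SystemRoot\System32" } |
    ForEach-Object { "stray services.exe: $($_.FullName)" }

# Per-machine and per-user Run keys: the registry half of msconfig's Startup tab.
# Any value whose command points at one of the paths above is the restart trigger.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Get-ItemProperty -Path $k | ForEach-Object {
            $_.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |   # drop the provider metadata properties
                ForEach-Object { "{0,-4} {1} = {2}" -f $k.Split(':')[0], $_.Name, $_.Value }
        }
    }
}
```

Run it from an elevated PowerShell session on each user account, since %Temp% and the HKCU Run key are per user and the thread notes both accounts are affected.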
ASKER
Combofix done, MBAM on its way.
log.txt
ASKER CERTIFIED SOLUTION
If you can get online, please run the Kaspersky online scanner. This can help us check for the presence of Virut / W32/Scribble-A.
http://www.kaspersky.com/virusscanner
If it finds Virut, I agree with RPGgamergirl that a system restore may be necessary. Otherwise, if that's not the case, we can clean out the infections using HijackThis/Combofix and manually replace system files using the XP Recovery Console. As long as it isn't Virut, we should be able to clean this system.
Virut:
http://www.freedrweb.com/
Sality:
http://support.kaspersky.c
If you decide to try and clean this, then also use the above tools. A lot of bad files are showing in the combofix log which we can also delete, but a lot of infected legit files will not be listed in the CF log, because it only lists a few of the modified/infected system files.
ASKER
Update time.... I finished the combofix and MBAM scans and they picked up some infected services.exe files, but that didn't fix the problem. So I ran the Dr.Web program, which seemed to work fine; it found and cured a lot of infections, but after the restart I've been having major troubles with the data execution program within Windows. It's preventing the network command shell from opening, so I have no network connections whatsoever. This is turning out to be a pretty severe problem. Hope you guys can provide continued advice and assistance :)
Cheers
Virut is a hard one to tackle when a lot of files have already been infected.
So you've run DrWebCureIt which would've deleted legit infected files. You then need to replace all system files that have been deleted/corrupted using the Windows disk if you still have it.
Have you run the Kaspersky online scanner to check for any infected files?
Also attach the result of the last combofix run.
ASKER
Still replacing vital files.... It's pretty hectic here too; updates may be few and far between.
Did MBAM or DrWebCureIt delete those numerous .tmp files showing in the combofix log?
Once done, you can scan again with combofix and show us the log.
ASKER
Tried to combat the infections and failed, lol. We ended up replacing the hard drive. Thanks heaps for the diagnosis of the combofix reports etc. Cheers :)