Workstation Services won't start on SBS 2003

Posted on 2007-10-12
Last Modified: 2013-12-09
Hello Experts:

I have a problem.  My SBS 2003 server was infected by a virus which Symantec caught--and it required a reboot to clean the virus.  Upon the reboot a service did not start which was the Workstation service.  The Workstation service didn't start because it had a dependency that failed to start called Windowservices.  I looked at Windowservices and it looks like it was installed by the virus.  There is no normal description for the Windowservices and the path it points to is c:\msinfo.exe--which as I understand it is not a valid Windows file.  My question is how do I remove the Windowservices so that the Workstation service will run?  Even if I disable Windowservices the Workstation Services won't start. Presently, I can't connect to any remote drives because the Workstation Service and its dependencies aren't running.  Any thoughts or help is appreciated.

**Title edited for clarity by TechSoEasy -- EE's Microsoft Zone Advisor**
Question by:huntersp3
    LVL 6

    Expert Comment

    Oh sorry, that's to remove the virus. You have done that.
    LVL 6

    Expert Comment

    What's the error code in the message? Oh, check the event log and see what the code is referring to the service.
    LVL 65

    Expert Comment

    Can you show us a HijackThis scan log? Maybe there are still remnants present from the virus which we can fix.

    Author Comment

    Hello Everyone:

    As a temporary fix, I went into the registry setting [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation] and removed the DependOnService and DependOnGroup.  Rebooted the server and now the Workstation service has started.  I will look at your suggestions and see if I can still find pieces of the virus.

    Author Comment


    I am concerned about running Trend Micro HijackThis 2.0.2 on a Windows 2003 server?  The program is for Windows XP.
    LVL 6

    Expert Comment

    Windows 2003 is XP with all the network services.

    Author Comment

    Hello Everyone:

    Here is the scan log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:03:29 AM, on 10/12/2007
    Platform: Windows 2003 SP1 (WinNT 5.02.3790)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
    C:\Program Files\Network Associates\ePO\MSSQL\Binn\sqlservr.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
    C:\Program Files\Iomega\REV System Software\RevUDF.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Pwrchute\ups.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\Program Files\Iomega\REV System Software\imiconxp.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O1 - Hosts: bsrelay
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
    O4 - HKLM\..\Run: [AuFlag] 
    O4 - HKLM\..\Run: [Iomega ImIconXP] C:\Program Files\Iomega\REV System Software\imiconxp.exe
    O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Server Management.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - ESC Trusted Zone:
    O15 - ESC Trusted Zone:
    O15 - ESC Trusted Zone:
    O15 - ESC Trusted Zone: http://*
    O15 - ESC Trusted Zone: http://* (HKLM)
    O15 - ESC Trusted IP range:
    O15 - ESC Trusted IP range:
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) -
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\Software\..\Telephony: DomainName =
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F91BFF12-905F-495F-B009-A5DEE1F73F71}: NameServer =,
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
    O20 - Winlogon Notify: WtsFilter - C:\WINNT\SYSTEM32\WtsFilter.dll
    O23 - Service: Black  Remote Control Services (Brcervices) - Unknown owner - C:\WINNT\system32\coerver.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
    O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
    O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
    O23 - Service: Logon Net  - Unknown owner - C:\WINNT\sochsys.exe
    O23 - Service: Windows Management Content Dns (MicerDns) - Unknown owner - C:\WINNT\system32\interdns.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service - Unknown owner - C:\WINNT\system32\nvsrps32.exe (file missing)
    O23 - Service: RevUDFService - Iomega Corp - C:\Program Files\Iomega\REV System Software\RevUDF.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Support - Unknown owner - C:\WINNT\Helpsvcs.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe

    End of file - 8218 bytes
    LVL 6

    Accepted Solution

    Looks clean to me. Anyone else see anything?
    LVL 65

    Assisted Solution

    O23 - Service: Logon Net  - Unknown owner - C:\WINNT\sochsys.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

    The Program.exe is already missing, so you can fix the entry,
    but I'm not sure about this Logon Net (sochsys.exe) entry; couldn't find any info on it?!?!
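
A triage pass over the O23 (service) lines of a HijackThis log like the one posted above, as an added example that is not part of the original thread: it lists services for which HijackThis reports "Unknown owner" and notes whether the binary sits directly in the drive root or Windows directory, or is missing on disk. The function name `triage_services` and the `windir` default (taken from the paths in the log) are assumptions; a hit is a prompt for manual review, not a verdict.

```python
import re
from ntpath import dirname, normcase

# O23 lines copied from the HijackThis log in this thread (subset, so the example runs offline).
SAMPLE_LOG = r"""
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Logon Net  - Unknown owner - C:\WINNT\sochsys.exe
O23 - Service: Windows Management Content Dns (MicerDns) - Unknown owner - C:\WINNT\system32\interdns.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Support - Unknown owner - C:\WINNT\Helpsvcs.exe
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
"""

# O23 line layout: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$",
    re.MULTILINE,
)

def triage_services(log, windir=r"C:\WINNT"):
    """Return (service, path, reasons) for O23 entries that deserve manual review.

    windir is an assumption; set it to the Windows directory of the scanned host.
    """
    roots = {normcase("C:\\"), normcase(windir)}
    findings = []
    for m in O23.finditer(log):
        if m["owner"].strip().lower() != "unknown owner":
            continue  # a company name is not proof of safety, only lower priority
        reasons = ["HijackThis could not read a company name for the binary"]
        if normcase(dirname(m["path"])) in roots:
            reasons.append("binary sits directly in the drive root or Windows directory")
        if m["missing"]:
            reasons.append("service path points to a file that is missing on disk")
        findings.append((m["name"].strip(), m["path"], reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage_services(SAMPLE_LOG):
        print(f"{name}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

A `C:\Program.exe` path usually means the service's ImagePath is an unquoted path under `C:\Program Files`, so it is worth checking the registry value itself before changing the entry.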
