?
Solved

Workstation Services won't start on SBS 2003

Posted on 2007-10-12
10
Medium Priority
?
2,856 Views
Last Modified: 2013-12-09
Hello Experts:

I have a problem.  My SBS 2003 server was infected by a virus which Symantec caught--and it required a reboot to clean the virus.  Upon the reboot a service did not start which was the Workstation service.  The Workstation service didn't start because it had a dependency that failed to start called Windowservices.  I looked at Windowservices and it looks like it was installed by the virus.  There is no normal description for the Windowservices and the path it points to is c:\msinfo.exe--which has I understand it is not a valid Windows file.  My question is how do I remove the Windowservices so that the Workstation service will run?  Even if I disable Windowservices the Workstation Services won't start. Presently, I can't connect to any remote drives because the Workstation Service and it's dependencies aren't running.  Any thoughts or help is appreciated.

**Title edited for clarity by TechSoEasy -- EE's Microsoft Zone Advisor**
0
Comment
Question by:huntersp3
  • 5
  • 3
  • 2
10 Comments
 
LVL 6

Expert Comment

by:nathana21
ID: 20065896
oh sorry thats to remove the virus. you have done that.
0
 
LVL 6

Expert Comment

by:nathana21
ID: 20065957
Whats the error code in the message message? Oh check event log and see what the code is reffering to the service.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 20065971
can you show us a hijackthis scan log? may be there are still ramainents present from the virus which we can fix
http://www.softpedia.com/get/Antivirus/Trend-Micro-HijackThis.shtml
0
 

Author Comment

by:huntersp3
ID: 20066120
Hello Everyone:

As a temporary fix.  I went into the registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation] and removed the DependOnService and DependOnGroup.  Rebooted the server and now the Workstation service has started.  I will look at your suggestions and see if I can still find pieces of the virus.  
0
 

Author Comment

by:huntersp3
ID: 20066153
Shehar:

I am concerned about running Trend Micro HijackThis 2.0.2 on a Windows 2003 server?  The program is for Windows XP.
0
 
LVL 6

Expert Comment

by:nathana21
ID: 20066244
Windows 2003 is Xp with all the network services.
0
 

Author Comment

by:huntersp3
ID: 20066748
Hello Everyone:

Here is the scan log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:29 AM, on 10/12/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\coerver.exe
C:\WINNT\system32\certsrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Network Associates\ePO\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\tcpsvcs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dmadmin.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\winnt\system32\inetsrv\w3wp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 205.152.59.16 bsrelay
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [Iomega ImIconXP] C:\Program Files\Iomega\REV System Software\imiconxp.exe
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://www.networksolutions.com
O15 - ESC Trusted Zone: http://www.symantec.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://10.10.0.1
O15 - ESC Trusted IP range: http://10.10.0.254
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183066700312
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nationalsteelerection.com
O17 - HKLM\Software\..\Telephony: DomainName = nationalsteelerection.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F91BFF12-905F-495F-B009-A5DEE1F73F71}: NameServer = 10.10.0.252,10.10.0.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nationalsteelerection.com
O20 - Winlogon Notify: WtsFilter - C:\WINNT\SYSTEM32\WtsFilter.dll
O23 - Service: Black  Remote Control Services (Brcervices) - Unknown owner - C:\WINNT\system32\coerver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Logon Net  - Unknown owner - C:\WINNT\sochsys.exe
O23 - Service: Windows Management Content Dns (MicerDns) - Unknown owner - C:\WINNT\system32\interdns.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - Unknown owner - C:\WINNT\system32\nvsrps32.exe (file missing)
O23 - Service: RevUDFService - Iomega Corp - C:\Program Files\Iomega\REV System Software\RevUDF.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Support - Unknown owner - C:\WINNT\Helpsvcs.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe

--
End of file - 8218 bytes
0
 
LVL 6

Accepted Solution

by:
nathana21 earned 1000 total points
ID: 20066818
Looks clean to me. anyone else see anything?
0
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 1000 total points
ID: 20069534
O23 - Service: Logon Net  - Unknown owner - C:\WINNT\sochsys.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

the Program.exe is already missing, so you can fix the entry
but im not sure about this Logon Net (sochsys.exe) entry, couldn't find any info on it?!?!
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question