Solved

Unknown service causing crashes

Posted on 2008-10-20
1,819 Views
Last Modified: 2013-12-04
A customer's Win 2003 server crashed today.
After a while, I noticed that the following services caused the crashes.
After setting them to Startup type: disabled, I was able to reboot the server and gain normal operation.

The services are:
-----------------------
Name: 111
Description: 111
Exe: C:\WINDOWS\System32\svchost.exe -k krnlsrvc
-----------------------
Name: Drivers Desktop
Description: Drivers Desktop Management
Exe: C:\WINDOWS\system32\explosre.exe
-----------------------
Name: Microsoft .ASP
Description: Microsoft .ASP Providers support for Rovies
Exe: C:\WINDOWS\system32\rovies.exe
-----------------------
Name: Welcome to use storm ddoc
Description: Thank you
Exe: C:\WINDWOS\SYSTEM\StormServer.exe
-----------------------

Update:
Found this on StormServer.exe
http://www.instead.it/download/EAS_6_Release_Notes_GA_Jun152007.pdf (page 53)
(Though to my awareness, it has nothing to do with this server)

Trying to google them gives me little (practically no) information, except I figured that they are malicious.
What is this I have come upon?
How did it get there, and how to remove?

Please advise!

Thank you!
Question by:tarasbredel
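An added triage example (not from the thread, and not any participant's code): a Python script over a constructed copy of the Name/Exe lines of the four services quoted above, plus a legitimate control entry taken from the HijackThis log further down. It flags what a reviewer would notice by eye here: a real svchost.exe hosting a service group that is not in a baseline, image and directory names one or two edits away from genuine system names (explosre.exe, WINDWOS, SYSTEM), and a numeric-only service name. The baseline sets are assumptions.

```python
import re

# Constructed copy of the Name/Exe lines of the four services in the question, plus a legitimate control entry.
SERVICE_DUMP = """\
Name: 111
Exe: C:\\WINDOWS\\System32\\svchost.exe -k krnlsrvc
-----------------------
Name: Drivers Desktop
Exe: C:\\WINDOWS\\system32\\explosre.exe
-----------------------
Name: Welcome to use storm ddoc
Exe: C:\\WINDWOS\\SYSTEM\\StormServer.exe
-----------------------
Name: FileZilla Server
Exe: C:\\Program Files\\FileZilla Server\\FileZilla Server.exe
"""

# Hypothetical baselines (assumption); on a real job, take them from a known-good box of the same build.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "rpcss", "localservice", "networkservice", "dcomlaunch"}
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1-2 to a real name is the look-alike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_services(dump):
    """Split the dashed blocks into {'Name': ..., 'Exe': ...} dicts."""
    blocks = (dict(re.findall(r"^(\w+): (.*)$", b, re.M)) for b in re.split(r"^-+$", dump, flags=re.M))
    return [b for b in blocks if b]


def triage(svc):
    """Return the reasons this service entry deserves a closer look (empty list if none)."""
    m = re.match(r'\s*("[^"]+"|.*?\.exe)\s*(.*)', svc["Exe"], re.I)
    path, args = m.group(1).strip('"').lower(), m.group(2)
    *dirs, image = path.split("\\")
    findings = []
    if image == "svchost.exe":  # genuine svchost.exe, but hosting a group nobody has heard of
        grp = re.search(r"-k\s+(\S+)", args, re.I)
        if grp and grp.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append(f"svchost group '{grp.group(1)}' is not in the baseline")
    # Look-alike file names (explosre.exe) and look-alike directories (WINDWOS, SYSTEM)
    findings += [f"image '{image}' resembles '{k}'" for k in SYSTEM_BINARIES if image != k and edit_distance(image, k) <= 2]
    findings += [f"directory '{d}' resembles '{k}'" for d in dirs for k in ("windows", "system32") if d != k and edit_distance(d, k) <= 2]
    if svc["Name"].strip().isdigit():
        findings.append("numeric-only service name looks auto-generated")
    return findings


def triage_all(dump):
    return {svc["Name"]: triage(svc) for svc in parse_services(dump)}
```

Running triage_all(SERVICE_DUMP) flags the three services from the question and returns an empty list for the FileZilla control entry.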
15 Comments
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22760901
If suspected as malware, you could run HijackThis and post your results on this web site for analysis:
http://www.hijackthis.de/index.php?langselect=english#anl

 
LVL 7

Expert Comment

by:cmarandi
ID: 22761263
http://www.instead.it/download/EAS_6_Release_Notes_GA_Jun152007.pdf

http://www.instead.it/

That service is for an app, it looks like. See above links... it's in Italian though.
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 22762053
I definitely recommend following ChiefIT's advice on posting a Hijack This log.

To see if the executables above are identified as malware by any of the major antivirus vendors, kill the above services and submit the corresponding files to virustotal.com.  Once this is done, if any of the files are malware-positive, you'll have a better idea of how to remove the malware now that you'll have the variant name and can research accordingly.
 

Author Comment

by:tarasbredel
ID: 22765151
Result from scanning StormServer.exe

File StormServer.exe received on 10.21.2008 09:34:19 (CET)


Result: 12/36 (33.34%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.18.0 2008.10.21 -
AntiVir 7.9.0.5 2008.10.21 TR/Spy.Gen
Authentium 5.1.0.4 2008.10.21 W32/Bifrost.C.gen!Eldorado
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.20 -
BitDefender 7.2 2008.10.21 -
CAT-QuickHeal 9.50 2008.10.21 -
ClamAV 0.93.1 2008.10.21 -
DrWeb 4.44.0.09170 2008.10.21 BACKDOOR.Trojan
eSafe 7.0.17.0 2008.10.19 -
eTrust-Vet 31.6.6160 2008.10.20 -
Ewido 4.0 2008.10.20 -
F-Prot 4.4.4.56 2008.10.20 W32/Bifrost.C.gen!Eldorado
F-Secure 8.0.14332.0 2008.10.21 Suspicious:W32/Malware!Gemini
Fortinet 3.113.0.0 2008.10.21 -
GData 19 2008.10.21 -
Ikarus T3.1.1.44.0 2008.10.20 -
K7AntiVirus 7.10.500 2008.10.20 -
Kaspersky 7.0.0.125 2008.10.21 -
McAfee 5409 2008.10.21 -
Microsoft 1.4005 2008.10.21 -
NOD32 3540 2008.10.21 probably a variant of Win32/Ceckno
Norman 5.80.02 2008.10.20 -
Panda 9.0.0.4 2008.10.20 Suspicious file
PCTools 4.4.2.0 2008.10.20 -
Prevx1 V2 2008.10.21 -
Rising 20.67.11.00 2008.10.21 Trojan.DL.Win32.Undef.apn
SecureWeb-Gateway 6.7.6 2008.10.21 Trojan.Spy.Gen
Sophos 4.34.0 2008.10.21 Mal/Behav-116
Sunbelt 3.1.1741.1 2008.10.21 -
Symantec 10 2008.10.21 Downloader
TheHacker 6.3.1.0.121 2008.10.21 -
TrendMicro 8.700.0.1004 2008.10.21 -
VBA32 3.12.8.8 2008.10.21 suspected of Flooder.Agent.2 (paranoid heuristics)
ViRobot 2008.10.21.1429 2008.10.21 -
VirusBuster 4.5.11.0 2008.10.20 -
 

Author Comment

by:tarasbredel
ID: 22765534
HiJackLog...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:53, on 21-10-2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe
C:\Program Files\AhsayOBM\aua\jvm\bin\AuaObmJW.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\DebugDiag\DbgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AhsayOBM\bin\Scheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AhsayOBM\jvm\bin\SchedulerOBM.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe
C:\Program Files\AhsayOBM\bin\SystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\System32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe
C:\Program Files\AhsayOBM\bin\SystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe
d:\aa4db099e2c23e6591868d\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Temp\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eloungecom:7912/fpadmdll.dll?page=newsrvr.htm&port=/LM/W3SVC/288545745&frport=elounge
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [AhsayBackupManager] C:\Program Files\AhsayOBM\bin\SystemTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212999524293
O17 - HKLM\System\CCS\Services\Tcpip\..\{B018F240-2DD9-45DD-ADEF-A3122C09E81C}: NameServer = 195.245.210.10,195.245.210.11
O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Online Backup Scheduler (OnlineBackupScheduler) - Unknown owner - C:\Program Files\AhsayOBM\bin\Scheduler.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe

--
End of file - 5956 bytes
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22766250
Your Hijack this results:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe  
 Neutral (3.37 / 5.00)
 

 d:\aa4db099e2c23e6591868d\mrtstub.exe  
 Neutral (3.32 / 5.00)

 O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe  
 Unknown service. (AuaObm.exe)  

You have three unknown executable files that you might want to look up.

____________________________________________________________________
Let's talk about the word "Crash" for a second.

Any blue screens of death? Any slowness? Do you mean the server freezes periodically? Does the mouse freeze if the server freezes?

There are many ways to interpret the word "Crash". Defining that word and being very explicit will help us narrow down the possibilities.

 

Author Comment

by:tarasbredel
ID: 22766491
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe  
That's Microsoft Malicious Software Removal Tool

O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe  
Is a backup application

 d:\aa4db099e2c23e6591868d\mrtstub.exe
Don't know yet

Sorry, let me clarify "crash"...

A few (1-2) minutes after boot, the server starts getting slow and unresponsive.
Then the "At least one service failed during startup" message is displayed.
Then a dialog is displayed, stating that Windows has increased the size of the virtual memory.
A few seconds after that it won't respond to anything, and can only be shut down by cutting the power.

To resolve, I booted without any network cables attached, then I was able to disable the 4 services, insert the network cables and reboot.

 
LVL 38

Expert Comment

by:ChiefIT
ID: 22769985
Memory Leak:
Look for 5719 errors and 333 errors within event logs:
Then, check out task manager by pressing CTRL+ALT+DEL and see if you can find a process that pegs out your CPU usage to 100% and builds in memory usage. That is usually the memory leak. What we will have to do is stop that process from loading upon boot long enough to fix it. If it is a system process, we may have to do a repair install of the OS.

HEAT:
Also run speedfan on the DC to check for heat.
Open up that DC and put a fan on it to make sure heat is NOT an issue. Slowdowns and a total freeze like that are the result of a serious memory leak or heat.

I think your issue is HEAT.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22769996
To resolve, I booted without any network cables attached, then I was able to disable the 4 service, insert the network cables and reboot.

Can you list these four services?
 

Author Comment

by:tarasbredel
ID: 22773886
Hi Chief

There is no DC
The four services are the ones listed in the question.
Neither 5719 nor 333 errors are listed, but I get these (System event log)...

Source: DCOM
ID: 10000
Unable to start a DCOM Server: {4001052F-9B7B-46A6-AD4B-C6984222BE61}. The error:
"The paging file is too small for this operation to complete. "
Happened while starting this command:
"C:\Program Files\DebugDiag\DbgHost.exe" -Embedding
-----------------
Source: W3SVC
ID: 1002
Application pool 'Net1.1' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
-----------------
This one I got 5 times, one for each service failing:
(Not any more since the service has been disabled)

Source: Service Control Manager
ID: 7023
Descriptions....
The 111 service terminated with the following error:
The specified module could not be found.
&
The Welcome to use storm ddos service terminated unexpectedly.  It has done this 1 time(s).
&
The Microsoft .ASP service terminated unexpectedly.  It has done this 1 time(s).
&
The Network DDE Managerment service terminated unexpectedly.  It has done this 1 time(s).
&
The Drivers Desktop service terminated unexpectedly.  It has done this 1 time(s).
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22775192
Are you on an x64-bit system?

This also has symptoms of a memory leak, do you know how to troubleshoot this?
 

Author Comment

by:tarasbredel
ID: 22775636
It is not X64

Memory leak.. has come to mind.
I have another issue, where the server suddenly throws all connections to an MS SQL server, and is no longer capable of establishing new connections.
In worst case the server has to be restarted to establish connections again.
The proprietary applications installed have all been thoroughly checked.
Haven't found the reason why... currently investigating.
To temporarily solve, I have raised the number of socket ports, and lowered the timeout interval on socket ports in the registry.

Btw, I don't think heat is a problem. The IBM x345 server, is hosted in a top professional hosting facility. Temperature is very steady.

 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 22781023
storm ddos service

So, I looked up this service because I didn't know what it was:

OUCH!!!

This explains your issues:
http://en.wikipedia.org/wiki/Storm_botnet
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 500 total points
ID: 22781321
This is what I am thinking and have to research it further to come up with a solid conclusion:
http://en.wikipedia.org/wiki/Denial-of-service_attack

This is what I am thinking. Since this is under FBI investigation, you might contact their IT abuse site and see if they want a piece of this puzzle. Then, also document all your fixes.

Also call your AV software vendor and ask if they have a fix or removal tool for this.

You have a very, very fast memory leak that is taking up page pool memory and not allowing DCOM to start. This renders Domain services unreliable or not working. That will result in denial of many domain services.

It sounds like a DDoS attack.
 

Author Closing Comment

by:tarasbredel
ID: 31507943
It really didn't solve my problems, so I ended up building a new environment for my customer.
