Unknown service causing crashes

A customer's Win 2003 server crashed today.
After a while, I noticed that the following services caused the crashes.
After setting them to Startup type: disabled, I was able to reboot the server and gain normal operation.

The services are:
Name: 111
Description: 111
Exe: C:\WINDOWS\System32\svchost.exe -k krnlsrvc
Name: Drivers Desktop
Description: Drivers Desktop Management
Exe: C:\WINDOWS\system32\explosre.exe
Name: Microsoft .ASP
Description: Microsoft .ASP Providers support for Rovies
Exe: C:\WINDOWS\system32\rovies.exe
Name: Welcome to use storm ddoc
Description: Thank you
Exe: C:\WINDWOS\SYSTEM\StormServer.exe

Found this on StormServer.exe
http://www.instead.it/download/EAS_6_Release_Notes_GA_Jun152007.pdf (page 53)
(Though to my awareness, it has nothing to do with this server)

Trying to google them gives me little (practically no) information, except that I figured they are malicious.
What is this I have come upon?
How did it get there, and how do I remove it?

Please advise!

Thank you!

If suspected as malware, you could run a HijackThis scan and post your results on this web site for analysis:



That service looks like it is for an app; see the above links... it's in Italian though.
I definitely recommend following ChiefIT's advice on posting a Hijack This log.

To see if the executables above are identified as malware by any of the major antivirus vendors, kill the above services and submit the corresponding files to virustotal.com. Once this is done, if any of the files are malware-positive, you'll have a better idea of how to remove the malware now that you'll have the variant name and can research accordingly.

tarasbredelAuthor Commented:
Result from scanning StormServer.exe

File StormServer.exe received on 10.21.2008 09:34:19 (CET)

Result: 12/36 (33.34%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.18.0 2008.10.21 -
AntiVir 2008.10.21 TR/Spy.Gen
Authentium 2008.10.21 W32/Bifrost.C.gen!Eldorado
Avast 4.8.1248.0 2008.10.15 -
AVG 2008.10.20 -
BitDefender 7.2 2008.10.21 -
CAT-QuickHeal 9.50 2008.10.21 -
ClamAV 0.93.1 2008.10.21 -
DrWeb 2008.10.21 BACKDOOR.Trojan
eSafe 2008.10.19 -
eTrust-Vet 31.6.6160 2008.10.20 -
Ewido 4.0 2008.10.20 -
F-Prot 2008.10.20 W32/Bifrost.C.gen!Eldorado
F-Secure 8.0.14332.0 2008.10.21 Suspicious:W32/Malware!Gemini
Fortinet 2008.10.21 -
GData 19 2008.10.21 -
Ikarus T3. 2008.10.20 -
K7AntiVirus 7.10.500 2008.10.20 -
Kaspersky 2008.10.21 -
McAfee 5409 2008.10.21 -
Microsoft 1.4005 2008.10.21 -
NOD32 3540 2008.10.21 probably a variant of Win32/Ceckno
Norman 5.80.02 2008.10.20 -
Panda 2008.10.20 Suspicious file
PCTools 2008.10.20 -
Prevx1 V2 2008.10.21 -
Rising 2008.10.21 Trojan.DL.Win32.Undef.apn
SecureWeb-Gateway 6.7.6 2008.10.21 Trojan.Spy.Gen
Sophos 4.34.0 2008.10.21 Mal/Behav-116
Sunbelt 3.1.1741.1 2008.10.21 -
Symantec 10 2008.10.21 Downloader
TheHacker 2008.10.21 -
TrendMicro 8.700.0.1004 2008.10.21 -
VBA32 2008.10.21 suspected of Flooder.Agent.2 (paranoid heuristics)
ViRobot 2008.10.21.1429 2008.10.21 -
VirusBuster 2008.10.20 -
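The advice above was to submit the files to VirusTotal and work from the variant names. As an added example (not code from the thread or from VirusTotal), here is a small Python parser for the text table pasted above: it handles the optional version column, computes the detection ratio, and buckets the vendor names into rough families so a triage note can say "backdoor / DDoS flooder / downloader" rather than quoting all 36 rows. The embedded excerpt is a constructed subset of the rows above, and the family keyword mapping is my own, not a VirusTotal field.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the VirusTotal table pasted above, in the same layout:
# "Vendor [Version] LastUpdate Result", where a result of "-" means no detection.
VT_REPORT = """\
AhnLab-V3 2008.10.18.0 2008.10.21 -
AntiVir 2008.10.21 TR/Spy.Gen
Authentium 2008.10.21 W32/Bifrost.C.gen!Eldorado
DrWeb 2008.10.21 BACKDOOR.Trojan
F-Secure 8.0.14332.0 2008.10.21 Suspicious:W32/Malware!Gemini
Kaspersky 2008.10.21 -
NOD32 3540 2008.10.21 probably a variant of Win32/Ceckno
Symantec 10 2008.10.21 Downloader
VBA32 2008.10.21 suspected of Flooder.Agent.2 (paranoid heuristics)
VirusBuster 2008.10.20 -
"""

# The version column is optional, so the last-update date (YYYY.MM.DD) anchors each row;
# everything after the date is the verdict, which may contain spaces.
ROW = re.compile(r"^(\S+)\s+(?:(\S+)\s+)?(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Rough family buckets keyed on substrings of vendor names (my own mapping); first match wins.
FAMILIES = [("bifrost", "backdoor"), ("backdoor", "backdoor"), ("spy", "spyware"),
            ("flooder", "ddos"), ("ddos", "ddos"), ("downloader", "downloader")]

@dataclass
class Verdict:
    vendor: str
    version: Optional[str]
    updated: str
    result: Optional[str]  # None when the vendor reported "-"

def parse_report(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header row and any pasted page residue
        vendor, version, updated, result = m.groups()
        rows.append(Verdict(vendor, version, updated, None if result == "-" else result))
    return rows

def detection_ratio(rows: list) -> tuple:
    # (vendors flagging the file, vendors that scanned it): 12/36 on the full report above
    return sum(1 for r in rows if r.result), len(rows)

def family_counts(rows: list) -> dict:
    counts = {}
    for r in (v for v in rows if v.result):
        fam = next((f for kw, f in FAMILIES if kw in r.result.lower()), "unclassified")
        counts[fam] = counts.get(fam, 0) + 1
    return counts
```

Generic heuristic verdicts such as "Suspicious:W32/Malware!Gemini" land in "unclassified", which is the signal to look at the named families from the other vendors instead.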
tarasbredelAuthor Commented:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:53, on 21-10-2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe
C:\Program Files\AhsayOBM\aua\jvm\bin\AuaObmJW.exe
C:\Program Files\DebugDiag\DbgSvc.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\AhsayOBM\bin\Scheduler.exe
C:\Program Files\AhsayOBM\jvm\bin\SchedulerOBM.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe
C:\Program Files\AhsayOBM\bin\SystemTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe
C:\Program Files\AhsayOBM\bin\SystemTray.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eloungecom:7912/fpadmdll.dll?page=newsrvr.htm&port=/LM/W3SVC/288545745&frport=elounge
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [AhsayBackupManager] C:\Program Files\AhsayOBM\bin\SystemTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212999524293
O17 - HKLM\System\CCS\Services\Tcpip\..\{B018F240-2DD9-45DD-ADEF-A3122C09E81C}: NameServer =,
O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Online Backup Scheduler (OnlineBackupScheduler) - Unknown owner - C:\Program Files\AhsayOBM\bin\Scheduler.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe

End of file - 5956 bytes
Your HijackThis results:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe  
 Neutral (3.37 / 5.00)

 Neutral (3.32 / 5.00)

 O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe  
 Unknown service. (AuaObm.exe)  

You have three unknown executable files that you might want to look up.

Let's talk about the word "Crash" for a second.

Any blue screens of death? Any slowness? Do you mean the server freezes periodically? Does the mouse freeze if the server freezes?

There are many ways to interpret the word "Crash". Defining that word and being very explicit will help us narrow down the possibilities.

tarasbredelAuthor Commented:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe  
That's Microsoft Malicious Software Removal Tool

O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe  
Is a backup application

Don't know yet

Sorry, let me clarify "crash"...

A few (1-2) minutes after boot, the server starts getting slow and unresponsive.
Then the "At least one service failed during startup" message is displayed.
Then a dialog is displayed, stating that Windows has increased the size of the virtual memory.
A few seconds after that it won't respond to anything, and can only be shut down by cutting the power.

To resolve, I booted without any network cables attached, then I was able to disable the 4 services, insert the network cables and reboot.
Memory Leak:
Look for 5719 errors and 333 errors within event logs:
Then, check out task manager by pressing CTRL+ALT+DEL and see if you can find a process that pegs out your CPU usage to 100% and builds in memory usage. That is usually the memory leak. What we will have to do is stop that process from loading upon boot long enough to fix it. If it is a system process, we may have to do a repair install of the OS.

Also run speedfan on the DC to check for heat.
Open up that DC and put a fan on it to make sure heat is NOT an issue. Slowdowns and a total freeze like that are the result of a serious memory leak or heat.

I think your issue is HEAT.
To resolve, I booted without any network cables attached, then I was able to disable the 4 services, insert the network cables and reboot.

Can you list these four services?
tarasbredelAuthor Commented:
Hi Chief

There is no DC.
The four services are the ones listed in the question.
Neither 5719 nor 333 errors are listed, but I get these (System event log)...

Source: DCOM
ID: 10000
Unable to start a DCOM Server: {4001052F-9B7B-46A6-AD4B-C6984222BE61}. The error:
"The paging file is too small for this operation to complete. "
Happened while starting this command:
"C:\Program Files\DebugDiag\DbgHost.exe" -Embedding
Source: W3SVC
ID: 1002
Application pool 'Net1.1' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
This one I got 5 times, one for each service failing:
(Not any more since the service has been disabled)

Source: Service Control Manager
ID: 7023
The 111 service terminated with the following error:
The specified module could not be found.
The Welcome to use storm ddos service terminated unexpectedly.  It has done this 1 time(s).
The Microsoft .ASP service terminated unexpectedly.  It has done this 1 time(s).
The Network DDE Managerment service terminated unexpectedly.  It has done this 1 time(s).

The Drivers Desktop service terminated unexpectedly.  It has done this 1 time(s).
Are you on an x64 system?

This also has symptoms of a memory leak, do you know how to troubleshoot this?
tarasbredelAuthor Commented:
It is not x64.

Memory leak... has come to mind.
I have another issue, where the server suddenly throws all connections to an MS SQL server, and is no longer capable of establishing new connections.
In the worst case the server has to be restarted to establish connections again.
The proprietary applications installed have all been thoroughly checked.
Haven't found the reason why... currently investigating.
To temporarily solve it, I have raised the number of socket ports, and lowered the timeout interval on socket ports in the registry.

Btw, I don't think heat is a problem. The IBM x345 server is hosted in a top professional hosting facility. Temperature is very steady.

storm ddos service

So, I looked up this service because I didn't know what it was:


This explains your issues:

This is what I am thinking and have to research it further to come up with a solid conclusion:

This is what I am thinking. Since this is under FBI investigation, you might contact their IT abuse site and see if they want a piece of this puzzle. Then, also document all your fixes.

Also call your AV software vendor and ask if they have a fix or removal tool for this.

You have a very, very fast memory leak that is taking up page pool memory and not allowing DCOM to start. This renders Domain services unreliable or not working. That will result in denial of many domain services.

It sounds like a DDoS attack.
tarasbredelAuthor Commented:
It really didn't solve my problems, so I ended up building a new environment for my customer.