Unknown service causing crashes

Posted on 2008-10-20
Medium Priority
Last Modified: 2013-12-04
A customer's Win 2003 server crashed today.
After a while, I noticed that the following services caused the crashes.
After setting them to Startup type: disabled, I was able to reboot the server and gain normal operation.

The services are:
Name: 111
Description: 111
Exe: C:\WINDOWS\System32\svchost.exe -k krnlsrvc
Name: Drivers Desktop
Description: Drivers Desktop Management
Exe: C:\WINDOWS\system32\explosre.exe
Name: Microsoft .ASP
Description: Microsoft .ASP Providers support for Rovies
Exe: C:\WINDOWS\system32\rovies.exe
Name: Welcome to use storm ddoc
Description: Thank you
Exe: C:\WINDWOS\SYSTEM\StormServer.exe

Found this on StormServer.exe
http://www.instead.it/download/EAS_6_Release_Notes_GA_Jun152007.pdf (page 53)
(Though to my awareness, it has nothing to do with this server)

Trying to google them gives me little (practically no) information, except I figured that they are malicious.
What is this I have come upon?
How did it get there, and how to remove?

Please advise!

Thank you!
Question by:tarasbredel
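The four entries above share structural tells that can be checked without touching the binaries: an svchost group name that is not one Windows registers, an image name a couple of typos away from a real system binary, and a system directory that is itself misspelled. The following is an added example (not code from the thread or from any product it mentions); the svchost group allow-list and the system binary names are assumptions for an offline check, and the sample entries are constructed from the question plus one O23 line of the HijackThis log posted later.

```python
"""Offline triage of Windows service entries like the four in the question.
Added example, not code from the thread; the allow-lists below are assumptions
(a live check would read the Svchost groups from the registry instead)."""
import re

KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                        "dcomlaunch", "imgsvc", "termsvcs"}
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "services.exe", "lsass.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}
IMAGE_RE = re.compile(r'^\s*"?(.+?\.exe)"?(?:\s+(.*))?$', re.IGNORECASE)

def levenshtein(a, b):
    """Edit distance: spots names that are one or two typos away from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(name, image):
    """Return the structural reasons an entry looks suspicious ([] = no tell)."""
    reasons = []
    m = IMAGE_RE.match(image)
    if not m:
        return ["image is not an .exe path: %r" % image]
    path, args = m.group(1), m.group(2) or ""
    parts = path.lower().split("\\")
    exe, dirs = parts[-1], parts[1:-1]  # parts[0] is the drive letter
    if name.strip().isdigit():
        reasons.append("service name %r is a bare number" % name)
    if exe == "svchost.exe":  # svchost only hosts groups registered in the registry
        grp = re.search(r"-k\s+(\S+)", args, re.IGNORECASE)
        group = grp.group(1).lower() if grp else None
        if group not in KNOWN_SVCHOST_GROUPS:
            reasons.append("svchost group %r is not a registered group" % group)
    elif exe not in SYSTEM_BINARIES:  # explosre.exe is two edits from explorer.exe
        reasons += ["image %r resembles system binary %r" % (exe, real)
                    for real in SYSTEM_BINARIES if levenshtein(exe, real) <= 2]
    for d in dirs:  # C:\WINDWOS\ is a typo-squat of the real system directory
        if d != "windows" and levenshtein(d, "windows") <= 2:
            reasons.append("directory %r resembles 'windows'" % d)
    return reasons

# Constructed from the question's four entries plus one O23 line from the log.
SAMPLE = [("111", r"C:\WINDOWS\System32\svchost.exe -k krnlsrvc"),
          ("Drivers Desktop", r"C:\WINDOWS\system32\explosre.exe"),
          ("Microsoft .ASP", r"C:\WINDOWS\system32\rovies.exe"),
          ("Welcome to use storm ddoc", r"C:\WINDWOS\SYSTEM\StormServer.exe"),
          ("Apache Tomcat", r'"C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe"')]
```

Three of the four entries are flagged on structure alone; rovies.exe shows no structural tell, which is exactly the case where the advice below to submit the file itself to an online scanner earns its keep.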

Expert Comment

ID: 22760901
If suspected as malware, you could run HijackThis and post your results on this web site for analysis:


Expert Comment

ID: 22761263


That service is for an app, it looks like. See above links... it's in Italian though.

Expert Comment

ID: 22762053
I definitely recommend following ChiefIT's advice on posting a HijackThis log.

To see if the executables above are identified as malware by any of the major antivirus vendors, kill the above services and submit the corresponding files to virustotal.com.  Once this is done, if any of the files are malware-positive, you'll have a better idea of how to remove the malware now that you'll have the variant name and can research accordingly.

Author Comment

ID: 22765151
Result from scanning StormServer.exe

File StormServer.exe received on 10.21.2008 09:34:19 (CET)

Result: 12/36 (33.34%)

Antivirus Version Last Update Result
AhnLab-V3 2008.10.18.0 2008.10.21 -
AntiVir 2008.10.21 TR/Spy.Gen
Authentium 2008.10.21 W32/Bifrost.C.gen!Eldorado
Avast 4.8.1248.0 2008.10.15 -
AVG 2008.10.20 -
BitDefender 7.2 2008.10.21 -
CAT-QuickHeal 9.50 2008.10.21 -
ClamAV 0.93.1 2008.10.21 -
DrWeb 2008.10.21 BACKDOOR.Trojan
eSafe 2008.10.19 -
eTrust-Vet 31.6.6160 2008.10.20 -
Ewido 4.0 2008.10.20 -
F-Prot 2008.10.20 W32/Bifrost.C.gen!Eldorado
F-Secure 8.0.14332.0 2008.10.21 Suspicious:W32/Malware!Gemini
Fortinet 2008.10.21 -
GData 19 2008.10.21 -
Ikarus T3. 2008.10.20 -
K7AntiVirus 7.10.500 2008.10.20 -
Kaspersky 2008.10.21 -
McAfee 5409 2008.10.21 -
Microsoft 1.4005 2008.10.21 -
NOD32 3540 2008.10.21 probably a variant of Win32/Ceckno
Norman 5.80.02 2008.10.20 -
Panda 2008.10.20 Suspicious file
PCTools 2008.10.20 -
Prevx1 V2 2008.10.21 -
Rising 2008.10.21 Trojan.DL.Win32.Undef.apn
SecureWeb-Gateway 6.7.6 2008.10.21 Trojan.Spy.Gen
Sophos 4.34.0 2008.10.21 Mal/Behav-116
Sunbelt 3.1.1741.1 2008.10.21 -
Symantec 10 2008.10.21 Downloader
TheHacker 2008.10.21 -
TrendMicro 8.700.0.1004 2008.10.21 -
VBA32 2008.10.21 suspected of Flooder.Agent.2 (paranoid heuristics)
ViRobot 2008.10.21.1429 2008.10.21 -
VirusBuster 2008.10.20 -

Author Comment

ID: 22765534

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:53, on 21-10-2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe
C:\Program Files\AhsayOBM\aua\jvm\bin\AuaObmJW.exe
C:\Program Files\DebugDiag\DbgSvc.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\AhsayOBM\bin\Scheduler.exe
C:\Program Files\AhsayOBM\jvm\bin\SchedulerOBM.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe
C:\Program Files\AhsayOBM\bin\SystemTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe
C:\Program Files\AhsayOBM\bin\SystemTray.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eloungecom:7912/fpadmdll.dll?page=newsrvr.htm&port=/LM/W3SVC/288545745&frport=elounge
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ApacheTomcatMonitor] "C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5w.exe" //MS//Tomcat5
O4 - HKLM\..\Run: [AhsayBackupManager] C:\Program Files\AhsayOBM\bin\SystemTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212999524293
O17 - HKLM\System\CCS\Services\Tcpip\..\{B018F240-2DD9-45DD-ADEF-A3122C09E81C}: NameServer =,
O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Online Backup Scheduler (OnlineBackupScheduler) - Unknown owner - C:\Program Files\AhsayOBM\bin\Scheduler.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe

End of file - 5956 bytes

Expert Comment

ID: 22766250
Your HijackThis results:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe  
 Neutral (3.37 / 5.00)

 Neutral (3.32 / 5.00)

 O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe  
 Unknown service. (AuaObm.exe)  

You have three unknown executable files that you might want to look up.

Let's talk about the word "Crash" for a second.

Any blue screens of death? Any slowness? Do you mean the server freezes periodically? Does the mouse freeze if the server freezes?

There are many ways to interpret the word "Crash". Defining that word and being very explicit will help us narrow down the possibilities.


Author Comment

ID: 22766491
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RHI6G14Y\windows-kb890830-v2.3[1].exe  
That's Microsoft Malicious Software Removal Tool

O23 - Service: AutoUpdateAgent (AutoUpdateAgentOBM) - Unknown owner - C:\Program Files\AhsayOBM\aua\bin\AuaObm.exe  
Is a backup application

Don't know yet

Sorry, let me clarify "crash"...

A few (1-2) minutes after boot, the server starts getting slow and unresponsive.
Then the "At least one service failed during startup" message is displayed.
Then a dialog is displayed, stating that Windows has increased the size of the virtual memory.
A few seconds after that it won't respond to anything, and can only be shut down by cutting the power.

To resolve, I booted without any network cables attached, then I was able to disable the 4 services, insert the network cables and reboot.

Expert Comment

ID: 22769985
Memory Leak:
Look for 5719 errors and 333 errors within event logs:
Then, check out task manager by pressing CTRL+ALT+DEL and see if you can find a process that pegs out your CPU usage to 100% and builds in memory usage. That is usually the memory leak. What we will have to do is stop that process from loading upon boot long enough to fix it. If it is a system process, we may have to do a repair install of the OS.

Also run speedfan on the DC to check for heat.
Open up that DC and put a fan on it to make sure heat is NOT an issue. Slowdowns and a total freeze like that are the result of a serious memory leak or heat.

I think your issue is HEAT.

Expert Comment

ID: 22769996
> To resolve, I booted without any network cables attached, then I was able to disable the 4 service, insert the network cables and reboot.

Can you list these four services?

Author Comment

ID: 22773886
Hi Chief

There is no DC.
The four services are the ones listed in the question.
Neither 5719 nor 333 errors are listed, but I get these (System event log)...

Source: DCOM
ID: 10000
Unable to start a DCOM Server: {4001052F-9B7B-46A6-AD4B-C6984222BE61}. The error:
"The paging file is too small for this operation to complete. "
Happened while starting this command:
"C:\Program Files\DebugDiag\DbgHost.exe" -Embedding
Source: W3SVC
ID: 1002
Application pool 'Net1.1' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
This one I got 5 times, one for each service failing:
(Not any more since the service has been disabled)

Source: Service Control Manager
ID: 7023
The 111 service terminated with the following error:
The specified module could not be found.
The Welcome to use storm ddos service terminated unexpectedly.  It has done this 1 time(s).
The Microsoft .ASP service terminated unexpectedly.  It has done this 1 time(s).
The Network DDE Managerment service terminated unexpectedly.  It has done this 1 time(s).

The Drivers Desktop service terminated unexpectedly.  It has done this 1 time(s).

Expert Comment

ID: 22775192
Are you on an x64 system?

This also has symptoms of a memory leak, do you know how to troubleshoot this?

Author Comment

ID: 22775636
It is not x64.

Memory leak... has come to mind.
I have another issue, where the server suddenly throws all connections to an MS SQL server, and is no longer capable of establishing new connections.
In the worst case the server has to be restarted to establish connections again.
The proprietary applications installed have all been thoroughly checked.
Haven't found the reason why... currently investigating.
To temporarily solve it, I have raised the number of socket ports, and lowered the timeout interval on socket ports in the registry.

Btw, I don't think heat is a problem. The IBM x345 server is hosted in a top professional hosting facility. Temperature is very steady.


Accepted Solution

ChiefIT earned 1000 total points
ID: 22781023
storm ddos service

So, I looked up this service because I didn't know what it was:


This explains your issues:

Assisted Solution

ChiefIT earned 1000 total points
ID: 22781321
This is what I am thinking and have to research it further to come up with a solid conclusion:

This is what I am thinking. Since this is under FBI investigation, you might contact their IT abuse site and see if they want a piece of this puzzle. Then, also document all your fixes.

Also call your AV software vendor and ask if they have a fix or removal tool for this.

You have a very, very fast memory leak that is taking up page pool memory and not allowing DCOM to start. This renders Domain services unreliable or not working. That will result in denial of many domain services.

It sounds like a DDoS attack.

Author Closing Comment

ID: 31507943
It really didn't solve my problems, so I ended up building a new environment for my customer.
