Virus like problem machine keeps shutting down

Posted on 2008-10-31
Medium Priority
Last Modified: 2012-06-27
I am getting this error message on my xp pro machine just after login,

The system process
terminated unexpectedly with
status code 203.  The system will
now shut down and restart.

I have cleaned off all infections using malwarebytes and smitfraud, I have also used spybot and now the system comes up clean. I have scanned for the sasser worm. Below is the output from my hijack this log, can anyone tell me what could be causing this

I can boot into safe mode fine

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04:31, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row-rel&channel=ie&ibd=0070903
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\Software\..\Telephony: DomainName = mydomain.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mydomain.ie
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Event Log (Eventlog)  - Unknown owner - C:\Program Files\InstallShield Installation Information\bin\msconf.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

End of file - 5837 bytes
Question by:Sid_F
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 2
  • +2

Expert Comment

ID: 22849892
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

POST:  services.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

You most to be sure that services is not in the starting program.

1) start-run--> msconfig

and the same time, you should look if there is something stranger here.  good look

Author Comment

ID: 22850254

I have disabled all services in msconfig but still get the same error when I try to boot normally

Expert Comment

ID: 22851406
try to downloading it -->


It is free, and update itself  everyday
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

LVL 32

Expert Comment

ID: 22851513
See if minidumps are being produced -- look in C:\windows\minidump folder. They have a .dmp extension and file name includes the date. Attach most recent minidump file to a comment after renaming to a .txt extension.
LVL 23

Expert Comment

by:Mohamed Osama
ID: 22860634
I am suspicious of a certain file which looks out of place, just to make sure please browse to the below path
 C:\Program Files\InstallShield Installation Information\bin\

upload the file msconf.exe to www.virustotal.com , just to make sure this file is authentic.

Author Comment

ID: 22865484
Installed avg in safe mode but it doesn't run in safe mode on booting machine got lsass.exe has terminated unexpectedly

Author Comment

ID: 22865617
Yes thats it, it picked up msconf.exe as a virus, I am now looking into removing it there are several different names for the virus, will post details shortly

Author Comment

ID: 22865889
Below is the info from virustotal file uploaded. I removed the entry in hijack this for C:\Program Files\InstallShield Installation Information\bin\msconf.exe but still got error after login reporting lsass.exe terminated unexpectedly. Although it did get slightly further into windows and loaded the icons

Antivirus Version Last Update Result
AhnLab-V3 2008.11.1.0 2008.11.03 -
AntiVir 2008.11.03 TR/Spy.Gen
Authentium 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Spyware-gen
AVG 2008.11.02 -
BitDefender 7.2 2008.11.03 -
CAT-QuickHeal 9.50 2008.11.03 -
ClamAV 0.94.1 2008.11.03 -
DrWeb 2008.11.03 -
eSafe 2008.11.02 Suspicious File
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.03 Trojan-Downloader.Win32.Agent.amcj
Fortinet 2008.11.02 -
GData 19 2008.11.03 Win32:Spyware-gen  
Ikarus T3. 2008.11.03 -
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 2008.11.03 Trojan-Downloader.Win32.Agent.amcj
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.03 Backdoor:Win32/Tinxy.A
NOD32 3576 2008.11.03 -
Norman 5.80.02 2008.10.31 -
Panda 2008.11.02 Suspicious file
PCTools 2008.11.03 -
Prevx1 V2 2008.11.03 Malicious Software
Rising 2008.11.03 -
SecureWeb-Gateway 6.7.6 2008.11.03 Trojan.Spy.Gen
Sophos 4.35.0 2008.11.03 Mal/Behav-150
Sunbelt 3.1.1777.2 2008.11.03 -
Symantec 10 2008.11.03 -
TheHacker 2008.11.03 -
TrendMicro 8.700.0.1004 2008.11.03 PAK_Generic.001
VBA32 2008.11.02 Trojan-Downloader.Win32.Agent.amcj
ViRobot 2008.11.3.1448 2008.11.03 -
VirusBuster 2008.11.02 -
Additional information
File size: 9472 bytes
MD5...: 57e1dee40bfeb965c6f2c1c90d9a188a
SHA1..: 548c8106e404a977dc91e10a300eb2c2034505f8
SHA256: d2a60210eef807f9e7abae101f120351a50923b88fbada1ad5204347875192aa
SHA512: 8da7e1b94325fd4f74b23167f223ae5d9afe6ae27525314a792fe19eb6561796
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x406c90
timedatestamp.....: 0x49058b53 (Mon Oct 27 09:35:15 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5

Author Comment

ID: 22866335
I downloaded and installed avast anti virus and ran a startup scan although it did not pick anything up i was able to get into windows and after bout one minute the remote procedure call service terminated unexpectedly error came up the system then froze.
LVL 23

Expert Comment

by:Mohamed Osama
ID: 22868587
Your computer may need some patching, please make sure you are running the latest service packs for your operating system, as well as the most recent security updates released from  microsoft, it appears there is a major security threat caused by vulnerabilities in the server service that is currently being actively exploited by malware, if for some reason the same file you just removed appeared out of nowhere in the same path, then this is indeed the case ,as a precaution please disable the SERVER service ( which is the one I suspect being exploited)

start>run>services.msc , browse to the service titled Server >properties>stop

 run windows update , make sure you are patched up with regards to critical & high priority updaes , or at the very least make sure your are covered with regards to this one

hope this helps.


Author Comment

ID: 22874818
When I stop the server service i can get the machine booted but after logon the machine grinds to a hault, doing a ctrl alt and del and clicking on task manager just leaves the machine screen blank. I can't run the updates in safe mode

Author Comment

ID: 22875009
I have gone down the rebuild route! I'm afraid.
LVL 23

Expert Comment

by:Mohamed Osama
ID: 22876064
Since you opted to rebuild the machine, please make sure the machine is properly patched & updated before putting it into your production environment, this is an obvious case of a vulnerable machine facing the horrors of the new Internet wold :)

Good luck with the rebuild.

Accepted Solution

Computer101 earned 0 total points
ID: 23101486
PAQed with no points refunded (of 500)

EE Admin

Featured Post

Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most PC repair technicians (if not all) always start their cleanup process by emptying the temp folders before running any removal tools. It makes sense because temp folders are common places for malware installers to lurk and removing all the junk …
Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question