Sid_F
asked on
Virus like problem machine keeps shutting down
I am getting this error message on my xp pro machine just after login,
The system process
C:\\WINDOWS\system32\servi
terminated unexpectedly with
status code 203. The system will
now shut down and restart.
I have cleaned off all infections using malwarebytes and smitfraud, I have also used spybot and now the system comes up clean. I have scanned for the sasser worm. Below is the output from my hijack this log, can anyone tell me what could be causing this
I can boot into safe mode fine
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04:31, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLB
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprov
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O17 - HKLM\System\CS3\Services\T
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\As
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Program Files\InstallShield Installation Information\bin\msconf.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\E
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshi
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTsk
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCON
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\R
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageServi
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\W
--
End of file - 5837 bytes
The system process
C:\\WINDOWS\system32\servi
terminated unexpectedly with
status code 203. The system will
now shut down and restart.
I have cleaned off all infections using malwarebytes and smitfraud, I have also used spybot and now the system comes up clean. I have scanned for the sasser worm. Below is the output from my hijack this log, can anyone tell me what could be causing this
I can boot into safe mode fine
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04:31, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLB
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprov
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O17 - HKLM\System\CS3\Services\T
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\As
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Program Files\InstallShield Installation Information\bin\msconf.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\E
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshi
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTsk
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCON
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\R
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageServi
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\W
--
End of file - 5837 bytes
ASKER
Thanks,
I have disabled all services in msconfig but still get the same error when I try to boot normally
I have disabled all services in msconfig but still get the same error when I try to boot normally
try to downloading it -->
http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=contentAux;cloud
It is free, and update itself everyday
http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=contentAux;cloud
It is free, and update itself everyday
See if minidumps are being produced -- look in C:\windows\minidump folder. They have a .dmp extension and file name includes the date. Attach most recent minidump file to a comment after renaming to a .txt extension.
I am suspicious of a certain file which looks out of place, just to make sure please browse to the below path
C:\Program Files\InstallShield Installation Information\bin\
upload the file msconf.exe to www.virustotal.com , just to make sure this file is authentic.
C:\Program Files\InstallShield Installation Information\bin\
upload the file msconf.exe to www.virustotal.com , just to make sure this file is authentic.
ASKER
Installed avg in safe mode but it doesn't run in safe mode on booting machine got lsass.exe has terminated unexpectedly
ASKER
Yes thats it, it picked up msconf.exe as a virus, I am now looking into removing it there are several different names for the virus, will post details shortly
ASKER
Below is the info from virustotal file uploaded. I removed the entry in hijack this for C:\Program Files\InstallShield Installation Information\bin\msconf.exe
Antivirus Version Last Update Result
AhnLab-V3 2008.11.1.0 2008.11.03 -
AntiVir 7.9.0.10 2008.11.03 TR/Spy.Gen
Authentium 5.1.0.4 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Spyware-gen
AVG 8.0.0.161 2008.11.02 -
BitDefender 7.2 2008.11.03 -
CAT-QuickHeal 9.50 2008.11.03 -
ClamAV 0.94.1 2008.11.03 -
DrWeb 4.44.0.09170 2008.11.03 -
eSafe 7.0.17.0 2008.11.02 Suspicious File
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 4.4.4.56 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.03 Trojan-Downloader.Win32.Ag
Fortinet 3.117.0.0 2008.11.02 -
GData 19 2008.11.03 Win32:Spyware-gen
Ikarus T3.1.1.45.0 2008.11.03 -
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 7.0.0.125 2008.11.03 Trojan-Downloader.Win32.Ag
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.03 Backdoor:Win32/Tinxy.A
NOD32 3576 2008.11.03 -
Norman 5.80.02 2008.10.31 -
Panda 9.0.0.4 2008.11.02 Suspicious file
PCTools 4.4.2.0 2008.11.03 -
Prevx1 V2 2008.11.03 Malicious Software
Rising 21.02.01.00 2008.11.03 -
SecureWeb-Gateway 6.7.6 2008.11.03 Trojan.Spy.Gen
Sophos 4.35.0 2008.11.03 Mal/Behav-150
Sunbelt 3.1.1777.2 2008.11.03 -
Symantec 10 2008.11.03 -
TheHacker 6.3.1.1.137 2008.11.03 -
TrendMicro 8.700.0.1004 2008.11.03 PAK_Generic.001
VBA32 3.12.8.9 2008.11.02 Trojan-Downloader.Win32.Ag
ViRobot 2008.11.3.1448 2008.11.03 -
VirusBuster 4.5.11.0 2008.11.02 -
Additional information
File size: 9472 bytes
MD5...: 57e1dee40bfeb965c6f2c1c90d
SHA1..: 548c8106e404a977dc91e10a30
SHA256: d2a60210eef807f9e7abae101f
SHA512: 8da7e1b94325fd4f74b23167f2
523887e9777d3c7721c7dd572f
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x406c90
timedatestamp.....: 0x49058b53 (Mon Oct 27 09:35:15 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
Antivirus Version Last Update Result
AhnLab-V3 2008.11.1.0 2008.11.03 -
AntiVir 7.9.0.10 2008.11.03 TR/Spy.Gen
Authentium 5.1.0.4 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Spyware-gen
AVG 8.0.0.161 2008.11.02 -
BitDefender 7.2 2008.11.03 -
CAT-QuickHeal 9.50 2008.11.03 -
ClamAV 0.94.1 2008.11.03 -
DrWeb 4.44.0.09170 2008.11.03 -
eSafe 7.0.17.0 2008.11.02 Suspicious File
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 4.4.4.56 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.03 Trojan-Downloader.Win32.Ag
Fortinet 3.117.0.0 2008.11.02 -
GData 19 2008.11.03 Win32:Spyware-gen
Ikarus T3.1.1.45.0 2008.11.03 -
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 7.0.0.125 2008.11.03 Trojan-Downloader.Win32.Ag
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.03 Backdoor:Win32/Tinxy.A
NOD32 3576 2008.11.03 -
Norman 5.80.02 2008.10.31 -
Panda 9.0.0.4 2008.11.02 Suspicious file
PCTools 4.4.2.0 2008.11.03 -
Prevx1 V2 2008.11.03 Malicious Software
Rising 21.02.01.00 2008.11.03 -
SecureWeb-Gateway 6.7.6 2008.11.03 Trojan.Spy.Gen
Sophos 4.35.0 2008.11.03 Mal/Behav-150
Sunbelt 3.1.1777.2 2008.11.03 -
Symantec 10 2008.11.03 -
TheHacker 6.3.1.1.137 2008.11.03 -
TrendMicro 8.700.0.1004 2008.11.03 PAK_Generic.001
VBA32 3.12.8.9 2008.11.02 Trojan-Downloader.Win32.Ag
ViRobot 2008.11.3.1448 2008.11.03 -
VirusBuster 4.5.11.0 2008.11.02 -
Additional information
File size: 9472 bytes
MD5...: 57e1dee40bfeb965c6f2c1c90d
SHA1..: 548c8106e404a977dc91e10a30
SHA256: d2a60210eef807f9e7abae101f
SHA512: 8da7e1b94325fd4f74b23167f2
523887e9777d3c7721c7dd572f
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x406c90
timedatestamp.....: 0x49058b53 (Mon Oct 27 09:35:15 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
ASKER
I downloaded and installed avast anti virus and ran a startup scan although it did not pick anything up i was able to get into windows and after bout one minute the remote procedure call service terminated unexpectedly error came up the system then froze.
Your computer may need some patching, please make sure you are running the latest service packs for your operating system, as well as the most recent security updates released from microsoft, it appears there is a major security threat caused by vulnerabilities in the server service that is currently being actively exploited by malware, if for some reason the same file you just removed appeared out of nowhere in the same path, then this is indeed the case ,as a precaution please disable the SERVER service ( which is the one I suspect being exploited)
start>run>services.msc , browse to the service titled Server >properties>stop
run windows update , make sure you are patched up with regards to critical & high priority updaes , or at the very least make sure your are covered with regards to this one
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
hope this helps.
start>run>services.msc , browse to the service titled Server >properties>stop
run windows update , make sure you are patched up with regards to critical & high priority updaes , or at the very least make sure your are covered with regards to this one
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
hope this helps.
ASKER
When I stop the server service i can get the machine booted but after logon the machine grinds to a hault, doing a ctrl alt and del and clicking on task manager just leaves the machine screen blank. I can't run the updates in safe mode
ASKER
I have gone down the rebuild route! I'm afraid.
Since you opted to rebuild the machine, please make sure the machine is properly patched & updated before putting it into your production environment, this is an obvious case of a vulnerable machine facing the horrors of the new Internet wold :)
Good luck with the rebuild.
Good luck with the rebuild.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
POST: services.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
You most to be sure that services is not in the starting program.
1) start-run--> msconfig
and the same time, you should look if there is something stranger here. good look
1.JPG