Solved

Virus like problem machine keeps shutting down

Posted on 2008-10-31
15
1,316 Views
Last Modified: 2012-06-27
I am getting this error message on my xp pro machine just after login,

The system process
C:\\WINDOWS\system32\services.exe'
terminated unexpectedly with
status code 203.  The system will
now shut down and restart.


I have cleaned off all infections using malwarebytes and smitfraud, I have also used spybot and now the system comes up clean. I have scanned for the sasser worm. Below is the output from my hijack this log, can anyone tell me what could be causing this

I can boot into safe mode fine

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04:31, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row-rel&channel=ie&ibd=0070903
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\Software\..\Telephony: DomainName = mydomain.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mydomain.ie
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Event Log (Eventlog)  - Unknown owner - C:\Program Files\InstallShield Installation Information\bin\msconf.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5837 bytes
0
Comment
Question by:Sid_F
  • 7
  • 3
  • 2
  • +2
15 Comments
 
LVL 2

Expert Comment

by:felny
ID: 22849892
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

POST:  services.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

You most to be sure that services is not in the starting program.

1) start-run--> msconfig

and the same time, you should look if there is something stranger here.  good look
1.JPG
0
 
LVL 5

Author Comment

by:Sid_F
ID: 22850254
Thanks,

I have disabled all services in msconfig but still get the same error when I try to boot normally
0
 
LVL 2

Expert Comment

by:felny
ID: 22851406
try to downloading it -->

http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=contentAux;cloud

It is free, and update itself  everyday
0
 
LVL 32

Expert Comment

by:willcomp
ID: 22851513
See if minidumps are being produced -- look in C:\windows\minidump folder. They have a .dmp extension and file name includes the date. Attach most recent minidump file to a comment after renaming to a .txt extension.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 22860634
I am suspicious of a certain file which looks out of place, just to make sure please browse to the below path
 C:\Program Files\InstallShield Installation Information\bin\

upload the file msconf.exe to www.virustotal.com , just to make sure this file is authentic.
0
 
LVL 5

Author Comment

by:Sid_F
ID: 22865484
Installed avg in safe mode but it doesn't run in safe mode on booting machine got lsass.exe has terminated unexpectedly
0
 
LVL 5

Author Comment

by:Sid_F
ID: 22865617
Yes thats it, it picked up msconf.exe as a virus, I am now looking into removing it there are several different names for the virus, will post details shortly
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 5

Author Comment

by:Sid_F
ID: 22865889
Below is the info from virustotal file uploaded. I removed the entry in hijack this for C:\Program Files\InstallShield Installation Information\bin\msconf.exe but still got error after login reporting lsass.exe terminated unexpectedly. Although it did get slightly further into windows and loaded the icons



Antivirus Version Last Update Result
AhnLab-V3 2008.11.1.0 2008.11.03 -
AntiVir 7.9.0.10 2008.11.03 TR/Spy.Gen
Authentium 5.1.0.4 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Spyware-gen
AVG 8.0.0.161 2008.11.02 -
BitDefender 7.2 2008.11.03 -
CAT-QuickHeal 9.50 2008.11.03 -
ClamAV 0.94.1 2008.11.03 -
DrWeb 4.44.0.09170 2008.11.03 -
eSafe 7.0.17.0 2008.11.02 Suspicious File
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 4.4.4.56 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.03 Trojan-Downloader.Win32.Agent.amcj
Fortinet 3.117.0.0 2008.11.02 -
GData 19 2008.11.03 Win32:Spyware-gen  
Ikarus T3.1.1.45.0 2008.11.03 -
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 7.0.0.125 2008.11.03 Trojan-Downloader.Win32.Agent.amcj
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.03 Backdoor:Win32/Tinxy.A
NOD32 3576 2008.11.03 -
Norman 5.80.02 2008.10.31 -
Panda 9.0.0.4 2008.11.02 Suspicious file
PCTools 4.4.2.0 2008.11.03 -
Prevx1 V2 2008.11.03 Malicious Software
Rising 21.02.01.00 2008.11.03 -
SecureWeb-Gateway 6.7.6 2008.11.03 Trojan.Spy.Gen
Sophos 4.35.0 2008.11.03 Mal/Behav-150
Sunbelt 3.1.1777.2 2008.11.03 -
Symantec 10 2008.11.03 -
TheHacker 6.3.1.1.137 2008.11.03 -
TrendMicro 8.700.0.1004 2008.11.03 PAK_Generic.001
VBA32 3.12.8.9 2008.11.02 Trojan-Downloader.Win32.Agent.amcj
ViRobot 2008.11.3.1448 2008.11.03 -
VirusBuster 4.5.11.0 2008.11.02 -
Additional information
File size: 9472 bytes
MD5...: 57e1dee40bfeb965c6f2c1c90d9a188a
SHA1..: 548c8106e404a977dc91e10a300eb2c2034505f8
SHA256: d2a60210eef807f9e7abae101f120351a50923b88fbada1ad5204347875192aa
SHA512: 8da7e1b94325fd4f74b23167f223ae5d9afe6ae27525314a792fe19eb6561796
523887e9777d3c7721c7dd572f2a688be63869360625f2997be1e52e92f36163
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x406c90
timedatestamp.....: 0x49058b53 (Mon Oct 27 09:35:15 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
0
 
LVL 5

Author Comment

by:Sid_F
ID: 22866335
I downloaded and installed avast anti virus and ran a startup scan although it did not pick anything up i was able to get into windows and after bout one minute the remote procedure call service terminated unexpectedly error came up the system then froze.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 22868587
Your computer may need some patching, please make sure you are running the latest service packs for your operating system, as well as the most recent security updates released from  microsoft, it appears there is a major security threat caused by vulnerabilities in the server service that is currently being actively exploited by malware, if for some reason the same file you just removed appeared out of nowhere in the same path, then this is indeed the case ,as a precaution please disable the SERVER service ( which is the one I suspect being exploited)

start>run>services.msc , browse to the service titled Server >properties>stop

 run windows update , make sure you are patched up with regards to critical & high priority updaes , or at the very least make sure your are covered with regards to this one
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

hope this helps.



0
 
LVL 5

Author Comment

by:Sid_F
ID: 22874818
When I stop the server service i can get the machine booted but after logon the machine grinds to a hault, doing a ctrl alt and del and clicking on task manager just leaves the machine screen blank. I can't run the updates in safe mode
0
 
LVL 5

Author Comment

by:Sid_F
ID: 22875009
I have gone down the rebuild route! I'm afraid.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 22876064
Since you opted to rebuild the machine, please make sure the machine is properly patched & updated before putting it into your production environment, this is an obvious case of a vulnerable machine facing the horrors of the new Internet wold :)

Good luck with the rebuild.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 23101486
PAQed with no points refunded (of 500)

Computer101
EE Admin
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

The intent of this Article is to provide the basic First Aid steps for working through most malware infections. The target audience includes experienced IT professionals and the casual user who just wants to make the infection go away. **********…
The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now