Virus like problem machine keeps shutting down

I am getting this error message on my xp pro machine just after login,

The system process
terminated unexpectedly with
status code 203.  The system will
now shut down and restart.

I have cleaned off all infections using malwarebytes and smitfraud, I have also used spybot and now the system comes up clean. I have scanned for the sasser worm. Below is the output from my hijack this log, can anyone tell me what could be causing this

I can boot into safe mode fine

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04:31, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain =
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Event Log (Eventlog)  - Unknown owner - C:\Program Files\InstallShield Installation Information\bin\msconf.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

End of file - 5837 bytes
Who is Participating?
Computer101Connect With a Mentor Commented:
PAQed with no points refunded (of 500)

EE Admin
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

POST:  services.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

You most to be sure that services is not in the starting program.

1) start-run--> msconfig

and the same time, you should look if there is something stranger here.  good look
Sid_FAuthor Commented:

I have disabled all services in msconfig but still get the same error when I try to boot normally
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

try to downloading it -->;cloud

It is free, and update itself  everyday
See if minidumps are being produced -- look in C:\windows\minidump folder. They have a .dmp extension and file name includes the date. Attach most recent minidump file to a comment after renaming to a .txt extension.
Mohamed OsamaSenior IT ConsultantCommented:
I am suspicious of a certain file which looks out of place, just to make sure please browse to the below path
 C:\Program Files\InstallShield Installation Information\bin\

upload the file msconf.exe to , just to make sure this file is authentic.
Sid_FAuthor Commented:
Installed avg in safe mode but it doesn't run in safe mode on booting machine got lsass.exe has terminated unexpectedly
Sid_FAuthor Commented:
Yes thats it, it picked up msconf.exe as a virus, I am now looking into removing it there are several different names for the virus, will post details shortly
Sid_FAuthor Commented:
Below is the info from virustotal file uploaded. I removed the entry in hijack this for C:\Program Files\InstallShield Installation Information\bin\msconf.exe but still got error after login reporting lsass.exe terminated unexpectedly. Although it did get slightly further into windows and loaded the icons

Antivirus Version Last Update Result
AhnLab-V3 2008.11.1.0 2008.11.03 -
AntiVir 2008.11.03 TR/Spy.Gen
Authentium 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Spyware-gen
AVG 2008.11.02 -
BitDefender 7.2 2008.11.03 -
CAT-QuickHeal 9.50 2008.11.03 -
ClamAV 0.94.1 2008.11.03 -
DrWeb 2008.11.03 -
eSafe 2008.11.02 Suspicious File
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.03 Trojan-Downloader.Win32.Agent.amcj
Fortinet 2008.11.02 -
GData 19 2008.11.03 Win32:Spyware-gen  
Ikarus T3. 2008.11.03 -
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 2008.11.03 Trojan-Downloader.Win32.Agent.amcj
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.03 Backdoor:Win32/Tinxy.A
NOD32 3576 2008.11.03 -
Norman 5.80.02 2008.10.31 -
Panda 2008.11.02 Suspicious file
PCTools 2008.11.03 -
Prevx1 V2 2008.11.03 Malicious Software
Rising 2008.11.03 -
SecureWeb-Gateway 6.7.6 2008.11.03 Trojan.Spy.Gen
Sophos 4.35.0 2008.11.03 Mal/Behav-150
Sunbelt 3.1.1777.2 2008.11.03 -
Symantec 10 2008.11.03 -
TheHacker 2008.11.03 -
TrendMicro 8.700.0.1004 2008.11.03 PAK_Generic.001
VBA32 2008.11.02 Trojan-Downloader.Win32.Agent.amcj
ViRobot 2008.11.3.1448 2008.11.03 -
VirusBuster 2008.11.02 -
Additional information
File size: 9472 bytes
MD5...: 57e1dee40bfeb965c6f2c1c90d9a188a
SHA1..: 548c8106e404a977dc91e10a300eb2c2034505f8
SHA256: d2a60210eef807f9e7abae101f120351a50923b88fbada1ad5204347875192aa
SHA512: 8da7e1b94325fd4f74b23167f223ae5d9afe6ae27525314a792fe19eb6561796
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x406c90
timedatestamp.....: 0x49058b53 (Mon Oct 27 09:35:15 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
Sid_FAuthor Commented:
I downloaded and installed avast anti virus and ran a startup scan although it did not pick anything up i was able to get into windows and after bout one minute the remote procedure call service terminated unexpectedly error came up the system then froze.
Mohamed OsamaSenior IT ConsultantCommented:
Your computer may need some patching, please make sure you are running the latest service packs for your operating system, as well as the most recent security updates released from  microsoft, it appears there is a major security threat caused by vulnerabilities in the server service that is currently being actively exploited by malware, if for some reason the same file you just removed appeared out of nowhere in the same path, then this is indeed the case ,as a precaution please disable the SERVER service ( which is the one I suspect being exploited)

start>run>services.msc , browse to the service titled Server >properties>stop

 run windows update , make sure you are patched up with regards to critical & high priority updaes , or at the very least make sure your are covered with regards to this one

hope this helps.

Sid_FAuthor Commented:
When I stop the server service i can get the machine booted but after logon the machine grinds to a hault, doing a ctrl alt and del and clicking on task manager just leaves the machine screen blank. I can't run the updates in safe mode
Sid_FAuthor Commented:
I have gone down the rebuild route! I'm afraid.
Mohamed OsamaSenior IT ConsultantCommented:
Since you opted to rebuild the machine, please make sure the machine is properly patched & updated before putting it into your production environment, this is an obvious case of a vulnerable machine facing the horrors of the new Internet wold :)

Good luck with the rebuild.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.