Solved

Virus like problem machine keeps shutting down

Posted on 2008-10-31
15
1,323 Views
Last Modified: 2012-06-27
I am getting this error message on my xp pro machine just after login,

The system process
C:\\WINDOWS\system32\services.exe'
terminated unexpectedly with
status code 203.  The system will
now shut down and restart.


I have cleaned off all infections using malwarebytes and smitfraud, I have also used spybot and now the system comes up clean. I have scanned for the sasser worm. Below is the output from my hijack this log, can anyone tell me what could be causing this

I can boot into safe mode fine

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04:31, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ie/ig/dell?hl=en&client=dell-row-rel&channel=ie&ibd=0070903
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\Software\..\Telephony: DomainName = mydomain.ie
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomain.ie
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mydomain.ie
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Event Log (Eventlog)  - Unknown owner - C:\Program Files\InstallShield Installation Information\bin\msconf.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5837 bytes
0
Comment
Question by:Sid_F
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 2
  • +2
15 Comments
 
LVL 2

Expert Comment

by:felny
ID: 22849892
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

POST:  services.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

You most to be sure that services is not in the starting program.

1) start-run--> msconfig

and the same time, you should look if there is something stranger here.  good look
1.JPG
0
 
LVL 6

Author Comment

by:Sid_F
ID: 22850254
Thanks,

I have disabled all services in msconfig but still get the same error when I try to boot normally
0
 
LVL 2

Expert Comment

by:felny
ID: 22851406
try to downloading it -->

http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=contentAux;cloud

It is free, and update itself  everyday
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 32

Expert Comment

by:willcomp
ID: 22851513
See if minidumps are being produced -- look in C:\windows\minidump folder. They have a .dmp extension and file name includes the date. Attach most recent minidump file to a comment after renaming to a .txt extension.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 22860634
I am suspicious of a certain file which looks out of place, just to make sure please browse to the below path
 C:\Program Files\InstallShield Installation Information\bin\

upload the file msconf.exe to www.virustotal.com , just to make sure this file is authentic.
0
 
LVL 6

Author Comment

by:Sid_F
ID: 22865484
Installed avg in safe mode but it doesn't run in safe mode on booting machine got lsass.exe has terminated unexpectedly
0
 
LVL 6

Author Comment

by:Sid_F
ID: 22865617
Yes thats it, it picked up msconf.exe as a virus, I am now looking into removing it there are several different names for the virus, will post details shortly
0
 
LVL 6

Author Comment

by:Sid_F
ID: 22865889
Below is the info from virustotal file uploaded. I removed the entry in hijack this for C:\Program Files\InstallShield Installation Information\bin\msconf.exe but still got error after login reporting lsass.exe terminated unexpectedly. Although it did get slightly further into windows and loaded the icons



Antivirus Version Last Update Result
AhnLab-V3 2008.11.1.0 2008.11.03 -
AntiVir 7.9.0.10 2008.11.03 TR/Spy.Gen
Authentium 5.1.0.4 2008.11.02 -
Avast 4.8.1248.0 2008.11.02 Win32:Spyware-gen
AVG 8.0.0.161 2008.11.02 -
BitDefender 7.2 2008.11.03 -
CAT-QuickHeal 9.50 2008.11.03 -
ClamAV 0.94.1 2008.11.03 -
DrWeb 4.44.0.09170 2008.11.03 -
eSafe 7.0.17.0 2008.11.02 Suspicious File
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.02 -
F-Prot 4.4.4.56 2008.11.02 -
F-Secure 8.0.14332.0 2008.11.03 Trojan-Downloader.Win32.Agent.amcj
Fortinet 3.117.0.0 2008.11.02 -
GData 19 2008.11.03 Win32:Spyware-gen  
Ikarus T3.1.1.45.0 2008.11.03 -
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 7.0.0.125 2008.11.03 Trojan-Downloader.Win32.Agent.amcj
McAfee 5422 2008.11.02 -
Microsoft 1.4005 2008.11.03 Backdoor:Win32/Tinxy.A
NOD32 3576 2008.11.03 -
Norman 5.80.02 2008.10.31 -
Panda 9.0.0.4 2008.11.02 Suspicious file
PCTools 4.4.2.0 2008.11.03 -
Prevx1 V2 2008.11.03 Malicious Software
Rising 21.02.01.00 2008.11.03 -
SecureWeb-Gateway 6.7.6 2008.11.03 Trojan.Spy.Gen
Sophos 4.35.0 2008.11.03 Mal/Behav-150
Sunbelt 3.1.1777.2 2008.11.03 -
Symantec 10 2008.11.03 -
TheHacker 6.3.1.1.137 2008.11.03 -
TrendMicro 8.700.0.1004 2008.11.03 PAK_Generic.001
VBA32 3.12.8.9 2008.11.02 Trojan-Downloader.Win32.Agent.amcj
ViRobot 2008.11.3.1448 2008.11.03 -
VirusBuster 4.5.11.0 2008.11.02 -
Additional information
File size: 9472 bytes
MD5...: 57e1dee40bfeb965c6f2c1c90d9a188a
SHA1..: 548c8106e404a977dc91e10a300eb2c2034505f8
SHA256: d2a60210eef807f9e7abae101f120351a50923b88fbada1ad5204347875192aa
SHA512: 8da7e1b94325fd4f74b23167f223ae5d9afe6ae27525314a792fe19eb6561796
523887e9777d3c7721c7dd572f2a688be63869360625f2997be1e52e92f36163
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x406c90
timedatestamp.....: 0x49058b53 (Mon Oct 27 09:35:15 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
0
 
LVL 6

Author Comment

by:Sid_F
ID: 22866335
I downloaded and installed avast anti virus and ran a startup scan although it did not pick anything up i was able to get into windows and after bout one minute the remote procedure call service terminated unexpectedly error came up the system then froze.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 22868587
Your computer may need some patching, please make sure you are running the latest service packs for your operating system, as well as the most recent security updates released from  microsoft, it appears there is a major security threat caused by vulnerabilities in the server service that is currently being actively exploited by malware, if for some reason the same file you just removed appeared out of nowhere in the same path, then this is indeed the case ,as a precaution please disable the SERVER service ( which is the one I suspect being exploited)

start>run>services.msc , browse to the service titled Server >properties>stop

 run windows update , make sure you are patched up with regards to critical & high priority updaes , or at the very least make sure your are covered with regards to this one
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

hope this helps.



0
 
LVL 6

Author Comment

by:Sid_F
ID: 22874818
When I stop the server service i can get the machine booted but after logon the machine grinds to a hault, doing a ctrl alt and del and clicking on task manager just leaves the machine screen blank. I can't run the updates in safe mode
0
 
LVL 6

Author Comment

by:Sid_F
ID: 22875009
I have gone down the rebuild route! I'm afraid.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 22876064
Since you opted to rebuild the machine, please make sure the machine is properly patched & updated before putting it into your production environment, this is an obvious case of a vulnerable machine facing the horrors of the new Internet wold :)

Good luck with the rebuild.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 23101486
PAQed with no points refunded (of 500)

Computer101
EE Admin
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Has this user really been infected by Ransomware? 3 162
Ransome Ware Question 10 172
vMware vShield Endpoint 6.0 4 116
WinZIp - quick question 8 30
The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question