Solved

services.exe problem

Posted on 2009-02-22
Last Modified: 2013-11-22
Hi guys, I'm having a bit of an annoying problem with a Services.exe error.

Just recently we recovered from a pretty big virus infection; we ended up getting the PC cleaned and did a system restore to about 6 weeks previous. Ever since then I've been getting this error report appearing (just writing these sentences it's happened 4 times). I'll attach a screenshot of the report. Also, on startup we're getting one that says Init.exe; I'll attach that one too.

Any help would be great :) Cheers


error.-EE.bmp
Question by:beefstu123
17 Comments
 
LVL 17

Expert Comment

by:houssam_ballout
ID: 23706798
Does that happen with every user on the computer?
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 23706817
Possibly this friendly little bug:
http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotatt.html
 
Check the "More information" tab for registry entries that will confirm.
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23706826
You have something left over from your cleaning trying to start...

Go to Start - Run - type in msconfig - then select the Startup tab.

Uncheck anything you don't recognize or want to start up, and see if that helps.
0
 
LVL 2

Author Comment

by:beefstu123
ID: 23706830
The computer has two users and yes, it happens on both. Thanks for the link, I'm checking it out now.
0
 
LVL 2

Author Comment

by:beefstu123
ID: 23707281
I've already worked through msconfig and there aren't any unwanted processes starting.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 23707296
Run MalwareBytes or even better Combofix and let's see what the log shows.
http://www.malwarebytes.org/mbam.php


Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0
 
LVL 2

Author Comment

by:beefstu123
ID: 23707326
OK, I've run them before but I'll do a fresh scan and post both logs for you.
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23707334
listed as an alias for trojanshield

also look for
%System%\init.exe
%Temp%\init.exe
%Windir%\temp\suqqrcyqrh\init.exe
%Windir%\windowsmp.exe
c:\explorer.exe

    *  %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    * %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    * %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Find them and delete them.
0
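An added example, not part of the original thread: a Python script that expands the placeholder paths listed in the comment above into concrete locations and reports which of them exist, with a SHA-256 of each, so the files can be reviewed before anything is deleted. It assumes the Windows XP profile layout the comment describes; the names `candidates` and `scan` are illustrative.

```python
import hashlib
import os
from pathlib import Path

# Locations quoted in the comment above, written with its placeholders.
INDICATORS = [
    r"%System%\init.exe",
    r"%Temp%\init.exe",
    r"%Windir%\temp\suqqrcyqrh\init.exe",
    r"%Windir%\windowsmp.exe",
    r"c:\explorer.exe",
]

def candidates(indicator, drive, windir, profiles):
    """Expand one indicator into every concrete path it can refer to."""
    var, _, tail = indicator.partition("\\")
    parts = tail.split("\\")
    key = var.lower()
    if key == "%system%":
        # System32 on NT-family Windows, System on 95/98/Me.
        bases = [windir / "System32", windir / "System"]
    elif key == "%windir%":
        bases = [windir]
    elif key == "%temp%":
        # %Temp% is per user: check every profile, not only the current one.
        users = sorted(profiles.iterdir()) if profiles.is_dir() else []
        bases = [u / "Local Settings" / "Temp" for u in users if u.is_dir()]
    else:
        # Literal path; the legitimate explorer.exe lives under %Windir%.
        bases = [drive]
    return [base.joinpath(*parts) for base in bases]

def scan(drive, windir, profiles):
    """Return (indicator, path, sha256) for each listed file that exists."""
    hits = []
    for indicator in INDICATORS:
        for path in candidates(indicator, drive, windir, profiles):
            if path.is_file():
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                hits.append((indicator, str(path), digest))
    return hits

if __name__ == "__main__":
    drive = Path(os.environ.get("SystemDrive", "C:") + "\\")
    windir = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    profiles = drive / "Documents and Settings"  # assumed XP layout
    for indicator, path, digest in scan(drive, windir, profiles):
        print(f"{indicator} -> {path} sha256={digest}")
```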
 
LVL 2

Author Comment

by:beefstu123
ID: 23707427
combofix done MBAM on its way
log.txt
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 23707655

c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
Thanks for posting the CF log.
This looks very much like a Virut or Sality infection. It infects legit exes etc. If this is Virut, the files are uncleanable, so all infected files have to be replaced.
Looks like Combofix couldn't find any clean files in the system to replace the above infected files.
Under the sigcheck section of the log, there are also other system files that look infected.

Depending on how long the system has been infected (how many files need replacing, and programs need re-installing), I would suggest a reformat and reinstall of the OS.
When reformatting, you can't back up any .exes, .scr, archives of .zip and .rar, .htm and .html files.

If you decide to combat and clean this, we'll still try and help you.
0
 
LVL 2

Expert Comment

by:Dooflegna
ID: 23707766
If you can get online, please run the Kaspersky online scanner. This can help us check for the presence of Virut / W32/Scribble-A.

http://www.kaspersky.com/virusscanner

If it finds Virut, I agree with RPGgamergirl that a system restore may be necessary.  Otherwise, if that's not the case, we can clean out the infections using Hijack This/Combofix and manually replace system files using the XP Recovery console.  As long as it isn't Virut, we should be able to clean this system.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 23707977

Virut:
http://www.freedrweb.com/

Sality:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889


If you decide to try and clean this, then also use the above tools, a lot of bad files are showing in the combofix log which we can also delete, but a lot of infected legit files will not be listed in the CF log because it will only list few of the modified/infected system files.
0
 
LVL 2

Author Comment

by:beefstu123
ID: 23729630
Update time... I finished the combofix and MBAM scans and they picked up some infected services.exe files but that didn't fix the problem. So I ran the Dr Web program, which seemed to work fine; it found and cured a lot of infections, but after the restart I've been having major troubles with the data execution program within Windows. It's preventing the network command shell from opening so I have no network connections whatsoever. This is turning out to be a pretty severe problem. Hope you guys can provide continued advice and assistance, :)

Cheers
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 23762442
A Virut is a hard one to tackle when a lot of files have already been infected.

So you've run DrWebCureIt which would've deleted legit infected files. You then need to replace all system files that have been deleted/corrupted using the Windows disk if you still have it.
Have you run the Kaspersky online scanner to check for any infected files?
Also attach the result of the last combofix run.
0
 
LVL 2

Author Comment

by:beefstu123
ID: 23802649
Still replacing vital files... it's pretty hectic here too. Updates may be few and far between.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 23815180
Did MBAM or DrWebCureIt delete those numerous .tmp files showing in the combofix log?
Once done, you can scan again with combofix and show us the log.
0
 
LVL 2

Author Closing Comment

by:beefstu123
ID: 31549867
tried to combat the infections and failed lol.  we ended up replacing the hard drive.  thanks heaps for the diagnosis of the combofix reports etc.  cheers :)
0
