Solved

Multiple services stop spontaneously in XP Pro

Posted on 2010-11-07
Last Modified: 2012-05-10
We have a Windows XP SP3 PC where about eighteen services suddenly stop after several hours of running.  There are no error messages or Event log entries around the time of the failure to give us any clues as to the cause.

I saw this problem 3 or 4 years ago in Windows XP Pro on a few unrelated machines, and only reinstalling the OS solved it back then.  I'm hoping someone can help with a more elegant solution this time because this particular PC acts as the server at our client's office and has software installed that we're not 100% sure how to reinstall.

Here are the services that stop each time:

Automatic Updates
Computer Browser
Cryptographic Services
DHCP Client
Distributed Link Tracking Client
Error Reporting Service
Help and Support
Logical Disk Manager
Secondary Logon
Security Center
Server
Shell Hardware Detection
System Restore Service
Task Scheduler
Windows Audio
Windows Firewall/Internet Connection Sharing
Wireless Zero Configuration
Workstation


So far, we have tried the following:

1. Uninstalled McAfee antivirus, which had been giving us problems since we installed it three weeks ago.  Ran the McAfee remover to completely clean it up

2. Ran CHKDSK on the drive

3. Ran a safe-mode scan with Super Anti Spyware and Malware Bytes

4. Rolled Windows back to a restore point from 3 or 4 days before the problem arose

5. Ran sfc /scannow (it scanned for 20 minutes then closed without saying anything)

We're ready to try a Windows repair install, but I'd love to get some ideas to actually track down this problem before we just try to blast it away.  This is an especially frustrating problem because I just don't see anywhere to get any clues (no registry entries, no error messages, no crashdump, etc.).

Thanks for any advice you can offer...

-Tom
Question by:trusnock
17 Comments
 
LVL 3

Accepted Solution

by:
osmystatocny earned 84 total points
Well, this seems like a tricky one. Never had this problem before, but some of the services are related to the network - could it be a network problem? Maybe the NIC itself? Have you tried to change it? A new NIC can cost you about $20 and it's probably worth trying if you can't afford to reinstall it.

The event log must give you at least the information that there is something going on - btw, is the event log working and recording errors fine? Maybe it started after you installed some updates - even though you rolled back, I'd look into it.
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Can you post the Event Logs?
 

Author Comment

by:trusnock
The Event log seems to be working fine.  It logs plenty of mundane stuff throughout the day, but there are no entries that seem related to this problem within a couple of hours before or after the services stop.

There were a dozen or so updates three weeks ago... Maybe we'll try uninstalling those.

The NIC is a good suggestion... I'll see if we can get a spare sent out there in time.

Thanks for the suggestions.
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Run this command... Go to Start > Run and type 'sfc /scannow'. Note that you should have a Windows XP CD available with you.
 

Author Comment

by:trusnock
pspqlb: As per #5 in my original post, we already tried that.
-Tom
 
LVL 14

Assisted Solution

by:Dhiraj Mutha
Dhiraj Mutha earned 84 total points
Apologies, I did not read that properly. Have you tried this?
http://www.tomshardware.co.uk/forum/80348-35-windows-services-stop-automatically
The issue is not with one service, so it is an issue with Windows OS itself. You can run Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) on this system in Safe mode and try your luck; if that also does not resolve the issue, the best would be to try to repair the OS.
 
LVL 23

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 83 total points
Before going further, I would back up the drive.  Then I would take the drive to another system, connect it to the secondary controller, and run a couple of the online virus scanners against it.  I would also check for rootkits.

BitDefender:
http://www.bitdefender.com/scanner/online/free.html

Symantec:
http://security.symantec.com/sscv6/ssc_EULA.asp?langid=ie&venid=sym&plfid=23&pkj=BNVQIVNTZPZRNQJQFRD&vc_scanstate=2

Eset:
http://www.eset.com/online-scanner

Agree with your comments on McAfee.  I have also found Norton to be problematic.  AVG seems reliable, in my experience.
 
LVL 22

Assisted Solution

by:orangutang
orangutang earned 83 total points
Also, maybe there's something wrong with your Remote Procedure Call (RPC) service? Is that service still running when the other services stop?
 
LVL 2

Assisted Solution

by:Slouzer
Slouzer earned 83 total points
Another suggestion, maybe some joker created a bunch of scheduled tasks?
 
LVL 1

Assisted Solution

by:jasbosis
jasbosis earned 83 total points
When attempting to clean a virus, you need to disable System Restore.  Without doing so the virus can be stored in these restore files and regenerate itself.

Right-click My Computer --> select Properties --> click the "System Restore" tab --> check the "Turn off System Restore on all Drives" box.

Once you do this, run Malwarebytes and Spybot Search and Destroy in safe mode after updating the definition files.
Then reboot to normal mode and run Ad-Aware.

I would advise running all 3 of these programs twice.  Then run HijackThis and post the log on here.
 

Author Comment

by:trusnock
Slouzer: Nothing was out-of-place in the scheduled tasks

jasbosis: Here is the HijackThis log...


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:39:48 AM, on 11/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\AcadiaBackup\aua\bin\AuaObm.exe
C:\Program Files\AcadiaBackup\bin\Scheduler.exe
C:\Program Files\AcadiaBackup\aua\jvm\bin\AuaObmJW.exe
C:\Program Files\AcadiaBackup\jvm\bin\bschJW.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Uniblue\WinBackup 2.0\wbscheds.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\AcadiaBackup\bin\SystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Uniblue\WinBackup 2.0\wbjob.exe
C:\Program Files\Uniblue\WinBackup 2.0\wbcdws.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\PingPlotter Pro\PingPlotter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\IT\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [OBSystemTray] "C:\Program Files\AcadiaBackup\bin\SystemTray.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQ"&"inst=NwA3AC0ANAAyADgANwA3ADcAOQAxADgALQBUADEALQBVADgANQArADEALQBCAEEAKwAxAC0AWABMACsAMQAtAFUAQwBBAEwATA"&"prod=90"&"ver=9.0.856
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [OBSystemTray] "C:\Program Files\AcadiaBackup\bin\SystemTray.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OBSystemTray] "C:\Program Files\AcadiaBackup\bin\SystemTray.exe" (User 'Default user')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229628831093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229628821765
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC11DBFC-DBD6-49D7-AA22-1EC0259F9E5C}: NameServer = 192.168.1.1
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee SiteAdvisor Enterprise Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe (file missing)
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - Unknown owner - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe (file missing)
O23 - Service: AutoUpdateAgent (AcadiaBackup) (OBAutoUpdate) - Unknown owner - C:\Program Files\AcadiaBackup\aua\bin\AuaObm.exe
O23 - Service: Online Backup Scheduler (Ahsay Online Backup Manager) (OBScheduler) - Unknown owner - C:\Program Files\AcadiaBackup\bin\Scheduler.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: McAfee Peer Distribution Service (RumorServer) - Unknown owner - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe (file missing)
O23 - Service: IPSentry Service Manager (srvipsen) (SRVIPSEN) -  RGE, Inc. - C:\Program Files\RGE INC\IPSentry\srvipsen.exe
O23 - Service: WinBackup Scheduler (WinBackupScheduler) - Uniblue Systems - C:\Program Files\Uniblue\WinBackup 2.0\wbscheds.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe

--
End of file - 9096 bytes
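
A triage pass over the HijackThis log above, as an added example that is not part of the original thread: it parses the entry lines and lists those HijackThis marked "(no file)" or "(file missing)", which are registrations left behind after their target was removed (here the services of the uninstalled McAfee product). The sample is a subset of lines copied from the log, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
C:\WINDOWS\system32\services.exe
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee SiteAdvisor Enterprise Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe (file missing)
O23 - Service: McAfee Peer Distribution Service (RumorServer) - Unknown owner - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe (file missing)
"""

# Entry lines look like "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Suffixes that mark a registration whose target file is not on disk.
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")

def parse_entries(log_text):
    """Return (code, body) per entry line; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def orphaned_entries(entries):
    """Return the entries flagged as pointing at a missing file."""
    found = []
    for code, body in entries:
        if not MISSING_RE.search(body):
            continue
        item = {"code": code, "entry": MISSING_RE.sub("", body).rstrip(" -")}
        if code == "O23" and body.startswith("Service: "):
            # "<name> - <owner> - <path>": split from the right, names may contain " - ".
            name, owner, path = body[len("Service: "):].rsplit(" - ", 2)
            item.update(service=name.strip(), owner=owner.strip(),
                        path=MISSING_RE.sub("", path).strip())
        found.append(item)
    return found

def summarize(log_text):
    """Group orphaned entries by HijackThis section code."""
    by_code = defaultdict(list)
    for item in orphaned_entries(parse_entries(log_text)):
        by_code[item["code"]].append(item.get("service", item["entry"]))
    return dict(by_code)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```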
 
LVL 1

Expert Comment

by:jasbosis
Well, assuming your scans ran and didn't find anything, I would rule out a virus of sorts and look into other issues. I will continue to look into your issue.
 

Author Comment

by:trusnock
Well, we attempted to run a Windows Repair Install, but I guess the media wasn't an exact match for the installation because it didn't offer the repair install option.  We accidentally started a regular installation as a result, and it started to install Windows in a new C:\WINDOWS.1 folder (and it presumably started to overwrite common files in the "C:\Program Files" folder too).

Whatever got overwritten in this partial parallel installation of Windows seems to have fixed the problem!  I don't recommend this as a solution, and I can't tell you exactly where in the installation process we cancelled it, but we don't seem to have suffered any side effects except for a corrupted IE installation (which a fresh download and install fixed).

If this happens again, we'll definitely try to get our hands on the right XP install CD so we can do a proper repair install... But for now this seems to have done the trick.

-Tom
 

Author Comment

by:trusnock
Any suggestions for awarding points?  In the end, we solved the problem (however accidentally) ourselves, but pspglb managed to find a 5-year-old post about exactly the same problem, which I hadn't found myself.  And others made good suggestions.

Thanks everyone for your help.

-Tom
 
LVL 1

Expert Comment

by:jasbosis
I would say split the points among all those who offered assistance.
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Thanks a lot, good to know that my suggestion helped out a bit. I agree with Jasbosis
 

Author Closing Comment

by:trusnock
I ultimately solved the problem with my own initial suggestion, but several people offered good advice and even found links to another discussion of an identical problem that I had not discovered myself.  So I'm awarding equal points to everyone who chimed in.  Thanks.