SBS2003 - only 16 services running - cannot start any other services - errors

Client server sbs2003 when I boot the server I find only 16 services running. I see the event logs but cannot view anything. sharepoint

Any ideas on how to get these services running again?   How to troubleshoot?

Running services:
Dcom server
eset service
event log
Java quick starter
Monitoring sw
nod32 kernel service
ntlm security provider
Plug and play
qbcfmonitor service
SBcore service
Sharepoint timer service
sql server browser
uninterruptible power supply
Davis McCarn (Owner) commented:
These are classic signs of a trojan!
Try RogueKiller:
And/or MS Safety Scanner:

After you know you are clean,'s All-In-One can fix most Windows issues (though it won't put back some deleted services or root devices):
Lionel MM (Small Business IT Consultant) commented:
It may be a user that has been mistakenly deleted, a user used to start these services, although most should be using either SYSTEM or service-specific users to run with. But I would check the users and make sure they all still exist and are still functioning with the proper permissions. Are you trying to view these with an Administrator account? Is there any indication that the system may have been hit with a virus or malware? Worst case, you may have to do a repair re-install of SBS.
Joemt (Author) commented:
I am logged in as the administrator...I can access a jump drive and the backup drive (USB) if sbs2003 is booted to safe mode. But will not save or copy files.  

I can see the event logs - In System things were fine and then

System Log: SAM event Id 12294 errors start streaming on 10-5. I can't get the details to open so I can only see the event's list.

Application log is missing all the log entries until two days (7th) after the SAM errors started. I found that odd.

The Microsoft safety utility would not run on the SBS2003.

Anyone have a suggestion as to the next step? This server is down in my office and I can't even get the QuickBooks file for the customer off the hard drive.

Joemt (Author) commented:
I believe this server is infected with the PhysicalDrive0_User_dat virus (rootkit?)

Does anyone know of a SW utility that will remove this on a RAID 10 sbs2003 server? Or can it be removed manually?

Thank you
Davis McCarn (Owner) commented:
Yes, try what was in my post.
Joemt (Author) commented:
Ok so once again I ran:

RogueKiller - cleaned
TDSSKiller - Found nothing (except it listed sbscr.exe) Legit file
Microsoft program

- Tweek fails to run.

The server runs quicker...but I still have only 16 services running and I cannot start the rest.

Any ideas on how to get those services back up and running?
Davis McCarn (Owner) commented:
What error does the All-In-One give you?
It uses Sysinternals PsExec to run as the system account and should run just fine.
Joemt (Author) commented:
Tweek error message:

Failed to load control lvbuttons_H From. Your version of    may be outdated. Make sure you are using the version of the control that was provided with your application.

That is the message I get.

So I downloaded both the portable and standard tweek downloads. I did both 3 times on my laptop to jump drives. On extract I never got the same amount of files. Most of the time the exe was missing. I tried the direct location download and that seemed to work. Running now. I've had no problems downloading and running any other utility.

Now I have even fewer services running.

Davis McCarn (Owner) commented:
Every hit on your error message says there is still an active infection running and I would suggest you get the Windows Defender Offline, burn it to a CD, and boot it to scan your system.  After it is finished, you will probably still need to use the All-In-One to repair things.
Joemt (Author) commented:
Ran Windows Defender Offline: quick scan = nothing; full scan found the following:

1, Monitoring tool\win32\spector

2, hack tool: win32\keydump

Deleted both.  Now I'm back to tweek and currently checking system file check.

Ok...finished WD,

Ran the tweek file system check; after reboot I could see a USB drive listed in "computer".

If I run the tweek repair (registry)...I lose being able to see a USB drive in computers. So I restore the last tweek registry point and I have the ability once again to see my jump drive listed up computers.

Running out of ideas.....still cannot copy and paste. Only 11 services running.
Question has a verified solution.
