Author Topic: Services.exe shutting down computer  (Read 21779 times)


Vikitty
Services.exe shutting down computer
« on: March 03, 2006, 02:38:50 AM »
I recently installed SP2 (long overdue, I know, but I had had many unsuccessful attempts prior - long story) and that same day I got fooled by SpySheriff (I assumed it was a feature of the new SP; I am obviously an idiot.) Not knowing what I was getting into, I let it fix all the errors it supposedly found, and when it rebooted my computer afterward I got the dreaded "60-second shutdown" message. Luckily I can boot into safe mode without any problems (I'm there now as I type this) and I googled it.

All the posts/articles I found mentioned LSASS.exe, the Sasser worm and Windows 2000/NT, and any references including Services.exe (the error I got) were treated as such and given links to Sasser-killer resources.

I ran Stinger, AVG, Ewido and Spybot S&D but they didn't find anything so I don't think it's the worm. But I'm having a lot of trouble figuring out WHAT it is, so any help would be so so so awesome. If I need to post any logs, let me know.

Die Hard
Re: Services.exe shutting down computer
« Reply #1 on: March 03, 2006, 07:11:06 AM »
Vikitty, hello and welcome :thumbsup:

Let's start by doing this:

Download HijackThis from here: http://www.thespykiller.co.uk/files/HJTsetup.exe
This will download HijackThis to your computer; choose "Save", navigate to the folder where it's saved and double-click on it.
This is a complete installer that installs HijackThis onto the computer to C:\Program Files\HijackThis, makes an entry in the start menu and lets you have a shortcut on the desktop as well.

then.......
Double-click the HJT icon on your desktop and hit "Do a system scan and save logfile". Save the logfile and a txt file will be produced. Copy that one and paste it here and we'll have a look at it.

Die Hard :)
I create and edit my posts in GS-NOTES

Vikitty
Re: Services.exe shutting down computer
« Reply #2 on: March 03, 2006, 03:48:40 PM »
Okay, here we go~

Logfile of HijackThis v1.99.1
Scan saved at 9:53:47 AM, on 03/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: YSIGet Browser Helper Object - {FCF9FD72-694D-411f-A322-D002CB13735F} - C:\Program Files\YSIGet\YSIGet.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141011039703
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {AD8D3C68-0C60-4B53-8A9E-BC654BBB36FE} - http://www.35mb.com/downloadapplet.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
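The analysts in this thread read the log above section by section (O4 autoruns, O16 downloaded ActiveX controls, O23 services). As an added illustration, not code from the thread or from HijackThis itself, the small Python helper below parses lines in that log format and pulls out the three things a reviewer checks first: autorun entries that name a program without a full path, services with no recorded owner, and the hosts that O16 controls were downloaded from. The sample input is a constructed excerpt of the log posted above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the HijackThis v1.99.1 log
# posted in this thread (the real log has many more entries).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\conime.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

def parse_hjt(text):
    """Split a HijackThis log into its process list and O-numbered entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = re.match(r"^(O\d+) - (.*)$", line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def bare_autoruns(entries):
    """Names of O4 Run entries that launch a program without an absolute path.
    Windows resolves such names via the search path, so the log alone does
    not tell you which file on disk runs; these are worth a closer look."""
    flagged = []
    for kind, body in entries:
        m = re.match(r".*?\[(.+?)\]\s+(.*)$", body) if kind == "O4" else None
        if m and not re.match(r'^"?[A-Za-z]:\\', m.group(2)):
            flagged.append(m.group(1))
    return flagged

def unknown_owner_services(entries):
    """O23 services whose binary carries no company name in the log."""
    return [b.split(" - ")[0].replace("Service: ", "")
            for k, b in entries if k == "O23" and "Unknown owner" in b]

def dpf_hosts(entries):
    """Hosts from which O16 (Download Program Files) ActiveX controls came."""
    return sorted({urlparse(b.rsplit(" - ", 1)[1]).hostname
                   for k, b in entries if k == "O16"})
```

A flagged entry is a prompt to look up the file, not a verdict; the thread's own conime.exe exchange shows why a process name alone is not enough to call something malicious.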

GR@PH;<'S
Re: Services.exe shutting down computer
« Reply #3 on: March 03, 2006, 04:03:55 PM »
Vikitty,
While you are waiting for Die Hard I recommend that you take a look at conime.exe - Process Information
Quote
conime.exe is a process which is registered as the BFGhost 1.0 Remote administration backdoor tool. This backdoor application can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

GR@PH;<'S   :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Vikitty
Re: Services.exe shutting down computer
« Reply #4 on: March 03, 2006, 04:50:22 PM »
Okay, checked it out and it says
Quote
Note! If your system is using a non western language this can be a legitimate entry.

I have my regional settings on Japanese (for school) so I'm guessing that's why it's there.

Die Hard
Re: Services.exe shutting down computer
« Reply #5 on: March 03, 2006, 07:26:11 PM »
Vikitty :)

Nothing is showing in your log, but that doesn't mean your system is without malicious files.
Since you say you were hit by SpySheriff, we will try this:

1. Download smitRem.exe and save the file to your desktop.

2. Double click on the file to extract it to c:\smitrem.
Leave it there for now

3. Place a shortcut to Panda ActiveScan on your desktop.

4. Download EmptyTempFolders
Install the program, click "Options" and select "Predefined folders".
Checkmark:
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temporary Internet files
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temporary Internet files
C:\Windows\Temp
Do nothing more with the program at the moment.

5. Next, please reboot your computer in SafeMode by doing the following:

a.  Restart your computer

b.  After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

c.  Instead of Windows loading as normal, a menu should appear

d.  Select the first option, to run Windows in Safe Mode.

6. When your computer has started in safe mode and you see the desktop, see if the Ewido icon is present next to your clock. If it is, double-click on the "e" icon and, in the main window, disable the real-time monitor by clicking on "active"; it will change to "inactive".
If you have any other real-time monitoring programs running, disable these, too.

7. Open the c:\smitrem folder and double click the RunThis.bat file to start the tool.

Follow the prompts on screen and wait for the tool to complete and disk cleanup to finish.

When the tool is finished, it will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.

8. Open the EmptyTemp program. Then click "Empty all folders" (blue lightning) to delete the contents in the preset folders.

9. Run Ewido.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
    On the first alert, a window will open prompting you to take action. Checkmark "Remove" and "Perform action on all detections".
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.

Now close ewido security suite.

10. Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

11. Now, please post the smitfiles.txt, the Ewido report and a new HijackThis log.

Die Hard :)
I create and edit my posts in GS-NOTES

Vikitty
Re: Services.exe shutting down computer
« Reply #6 on: March 03, 2006, 07:41:06 PM »
Okay, question. For Step 4, I'm already in Safe Mode right now (since booting normally just starts the shutdown loop) so when I pick which folders to clean out, the only two accounts I see are Administrator and LocalService. Is this normal?

SpiritWind
Re: Services.exe shutting down computer
« Reply #7 on: March 03, 2006, 08:43:02 PM »
:D Hi Vikitty:

Just a little while ago I read your post on the Annoyances.org forum that you were going to follow my recommendation to come to Landzdown. One thing that has not been mentioned, that may be helpful to the Experts here, is that Vikitty was referred to the "self-help" tutorial on bleepingcomputer & followed its advice. One of the reasons I encouraged you to come here is that "SpySheriff" tutorial is dated June 2005, more than 8 1/2 months ago, & spyware has a tendency of "migrating", so it is best to have "live" up-to-date help.
For the BEST in what counts in Life :

www.tacf.org

Vikitty
Re: Services.exe shutting down computer
« Reply #8 on: March 03, 2006, 08:47:18 PM »
Heeey, SW ^_^ Thanks for letting me know about this place; always good to get some more opinions on how to go about figuring out what's wrong!  :breakkie:

SpiritWind
Re: Services.exe shutting down computer
« Reply #9 on: March 03, 2006, 09:30:17 PM »
:D Hi Vikitty:

Just a little while ago I read your post on the Annoyances.org forum that you were going to follow my recommendation to come to Landzdown. One thing that has not been mentioned, that may be helpful to the Experts here, is that Vikitty was referred to the "self-help" tutorial on bleepingcomputer & followed its advice. One of the reasons I encouraged you to come here is that "SpySheriff" tutorial is dated June 2005, more than 8 1/2 months ago, & spyware has a tendency of "mutating", so it is best to have "live" up-to-date help.

How come there is no "Edit" feature on this forum!?
For the BEST in what counts in Life :

www.tacf.org

Corrine
Re: Services.exe shutting down computer
« Reply #10 on: March 03, 2006, 11:04:28 PM »
Because it causes potential problems if a poster returns and edits a logfile after the analyst has started working on it.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Vikitty
Re: Services.exe shutting down computer
« Reply #11 on: March 04, 2006, 07:03:01 PM »
Quote
Because it causes potential problems if a poster returns and edits a logfile after the analyst has started working on it.

Ah, that makes a lot of sense~

Die Hard
Re: Services.exe shutting down computer
« Reply #12 on: March 04, 2006, 07:29:34 PM »
Quote
Okay, question. For Step 4, I'm already in Safe Mode right now (since booting normally just starts the shutdown loop) so when I pick which folders to clean out, the only two accounts I see are Administrator and LocalService. Is this normal?

Is there more than one user account on your computer? (I'm not counting "Local service" as a user account.)

Die Hard :)
I create and edit my posts in GS-NOTES

Vikitty
Re: Services.exe shutting down computer
« Reply #13 on: March 04, 2006, 07:45:45 PM »
Well I've never been prompted to pick an account when I boot into normal mode - by default it signs me into my "Vikitty" account. When I boot into safe mode there are two options. Admin and "Vikitty."

Die Hard
Re: Services.exe shutting down computer
« Reply #14 on: March 04, 2006, 08:33:24 PM »
When booting into safe mode and performing the cleaning operation, login as Administrator.

Die Hard :)
I create and edit my posts in GS-NOTES