Author Topic: Services.exe shutting down computer  (Read 21780 times)


Offline Die Hard

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 971
  • The Northern Berserk
Re: Services.exe shutting down computer
« Reply #30 on: March 17, 2006, 06:36:35 AM »
Go here and download this tool; it will list files in your system folders by date:
http://virus-protect.net/bat/datFind.bat
Open datFind.bat and the first log will be created. Collapse it to the taskbar and press any key to create the next one until all four logs are produced. (They are by default stored directly under "C:\" as .txt files.)

Copy the files from the last month (or from the date when you first noticed the problem) from the top of each log and post them here.

Die Hard :)
I create and edit my posts in GS-NOTES

Offline kronostar

  • Jr. Member
  • **
  • Posts: 24
Re: Services.exe shutting down computer
« Reply #31 on: March 17, 2006, 01:16:19 PM »
I could only get it to create one log.

 Volume in drive C has no label.
 Volume Serial Number is 888B-DCCD

 Directory of C:\WINDOWS\system32

03/17/2006  08:03 AM            17,112 nvapps.xml
03/17/2006  08:03 AM            58,485 nvModes.001
03/17/2006  01:00 AM            58,485 nvModes.dat
03/16/2006  11:51 AM             2,550 Uninstall.ico
03/16/2006  11:51 AM             1,406 Help.ico
03/16/2006  11:51 AM            30,590 pavas.ico
03/15/2006  09:52 PM                 0 asfiles.txt
03/14/2006  09:21 AM             2,206 wpa.dbl
03/12/2006  11:56 AM           128,504 FNTCACHE.DAT
03/11/2006  08:09 PM           383,822 perfh009.dat
03/11/2006  08:09 PM            54,010 perfc009.dat
03/11/2006  08:09 PM           441,180 PerfStringBackup.INI
03/09/2006  05:10 PM         4,799,320 MRT.exe
02/14/2006  09:20 AM           550,120 LegitCheckControl.dll
02/13/2006  07:03 PM             8,632 spmsg.dll
02/12/2006  03:29 PM                95 productregistry
01/20/2006  05:13 PM            98,304 dzwrapper.dll
01/20/2006  05:13 PM           453,632 dzwrapper.pdb
01/20/2006  05:12 PM         5,083,136 dzcore.dll
01/20/2006  05:12 PM         5,164,032 dzcore.pdb
01/12/2006  02:00 PM             6,588 jupdate-1.5.0_06-b05.log
01/12/2006  12:21 PM                 6 reboot.txt
01/09/2006  04:02 PM         1,425,408 daz-qsa.dll
01/09/2006  04:02 PM         5,648,384 daz-qt-mt.dll
01/03/2006  08:35 PM            68,096 webclnt.dll

Offline kronostar

« Reply #32 on: March 17, 2006, 07:20:47 PM »
Latest HJT log. I just noticed that instead of my usual 40 processes it had expanded to 70. May mean nothing, I'm not sure.
Logfile of HijackThis v1.99.1
Scan saved at 2:24:30 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\TrayTool.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ToolExe] C:\Program Files\Dell\TrayTool.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://xlonhcld.xlontech.net/100348/qmpdev/qsp2ie06011811.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Offline kronostar

« Reply #33 on: March 17, 2006, 09:14:18 PM »
The actual text:
In the blue title bar: System Shutdown
This system is shutting down.  Please save all work in progress and log off.  Any unsaved changes will be lost.  This shutdown was initiated by NT AUTHORITY\SYSTEM.

Time before shutdown: (there's 60 seconds counting down)

Message box:
The system process 'C:\WINDOWS\system32\services.exe' terminated unexpectedly with the status code -1073741819.  The system will now shutdown and restart.
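
Added example, not part of the original thread: the status code in the message box is the signed 32-bit rendering of an NTSTATUS value. The Python below (function names are this example's own) pulls the process path and code out of a message of this form and decodes the severity, facility and code fields; the name table is a small subset of well-known values, not a full list.

```python
import re

# Message format as quoted in the post above; "the" is optional because
# the wording varies between reports of this dialog.
MSG_RE = re.compile(
    r"The system process '(?P<image>[^']+)' terminated unexpectedly "
    r"with (?:the )?status code (?P<status>-?\d+)"
)

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# A few well-known NTSTATUS names (values as defined in ntstatus.h).
KNOWN = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}


def decode_ntstatus(value):
    """Decode an NTSTATUS given as a signed or unsigned 32-bit integer."""
    u = value & 0xFFFFFFFF           # two's-complement view of a negative code
    return {
        "hex": "0x%08X" % u,
        "severity": SEVERITY[u >> 30],        # bits 31-30
        "customer": bool(u & (1 << 29)),      # bit 29: set for non-Microsoft codes
        "facility": (u >> 16) & 0x0FFF,       # bits 27-16
        "code": u & 0xFFFF,                   # bits 15-0
        "name": KNOWN.get(u, "unknown (not in this example's table)"),
    }


def parse_shutdown_message(text):
    """Return the image path plus decoded status, or None if the text
    does not contain a message of the expected form."""
    m = MSG_RE.search(text)
    if m is None:
        return None
    result = decode_ntstatus(int(m.group("status")))
    result["image"] = m.group("image")
    return result


# The message text exactly as quoted in the post above.
SAMPLE = (
    "The system process 'C:\\WINDOWS\\system32\\services.exe' terminated "
    "unexpectedly with the status code -1073741819.  The system will now "
    "shutdown and restart."
)

if __name__ == "__main__":
    for key, val in parse_shutdown_message(SAMPLE).items():
        print(f"{key:9} {val}")
```

The decoded value says how the process died (a memory access fault inside services.exe), not what caused it; the crashing module has to come from the event log or a crash dump.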

Offline Die Hard

« Reply #34 on: March 19, 2006, 07:29:11 PM »
kronostar :)

The error message has similarities to the Sasser worm, that pestered the net a year or so ago. That worm, however, terminated the RPC service or "Lsass.exe".
I have to investigate this more, ask some questions, before I come back again.

What happened when you ran the "datfind" file? When you could only produce one log, the one from the system32 folder?

Die Hard :)

Offline Die Hard

« Reply #35 on: March 19, 2006, 08:20:18 PM »
Do your shutdown messages look like this?

[attachment deleted by admin]

Offline kronostar

« Reply #36 on: March 20, 2006, 05:06:19 PM »
The datfind.bat now works. I closed most unnecessary processes through Hijackthis. Before, it would just print one report and then close, not giving me any option to continue.
The shutdown message looks like the second one except it says services.exe instead of lsass.exe. Yeah, it's very weird as the problem seems to be in every way the Sasser worm, but when I run the fxSasser.exe from Symantec it doesn't detect any Sasser on my computer.

Thanks for your continuing help. :D

Here are the 4 log files for the month of March 2006:

Volume in drive C has no label.
 Volume Serial Number is 888B-DCCD

 Directory of C:\WINDOWS\system32

03/20/2006  12:03 PM             8,407 nvModes.001
03/20/2006  12:03 PM             8,407 nvModes.dat
03/20/2006  11:50 AM           383,822 perfh009.dat
03/20/2006  11:50 AM            54,010 perfc009.dat
03/20/2006  11:50 AM           443,556 PerfStringBackup.INI
03/20/2006  11:48 AM             2,228 wpa.dbl
03/20/2006  11:47 AM           128,504 FNTCACHE.DAT
03/20/2006  11:47 AM               288 $winnt$.inf
03/20/2006  11:40 AM            16,832 amcompat.tlb
03/20/2006  11:40 AM            23,392 nscompat.tlb
03/20/2006  11:39 AM               488 logonui.exe.manifest
03/20/2006  11:39 AM               488 WindowsLogon.manifest
03/20/2006  11:39 AM               749 wuaucpl.cpl.manifest
03/20/2006  11:39 AM               749 cdplayer.exe.manifest
03/20/2006  11:39 AM               749 sapi.cpl.manifest
03/20/2006  11:39 AM               749 nwc.cpl.manifest
03/20/2006  11:39 AM               749 ncpa.cpl.manifest
03/20/2006  11:37 AM            23,348 emptyregdb.dat
03/20/2006  10:44 AM            17,112 nvapps.xml
03/16/2006  11:51 AM             2,550 Uninstall.ico
03/16/2006  11:51 AM             1,406 Help.ico
03/16/2006  11:51 AM            30,590 pavas.ico
03/15/2006  09:52 PM                 0 asfiles.txt
03/09/2006  05:10 PM         4,799,320 MRT.exe

Volume in drive C has no label.
 Volume Serial Number is 888B-DCCD

 Directory of C:\DOCUME~1\Michael\LOCALS~1\Temp

03/20/2006  12:03 PM            16,384 ~DF3FA4.tmp
03/20/2006  10:01 AM            16,296 33cb_appcompat.txt
03/20/2006  10:00 AM            29,696 Programme.doc
03/20/2006  09:57 AM             8,168 jusched.log
03/20/2006  09:56 AM            59,964 Adobelm_Cleanup.0001
03/19/2006  11:00 PM               939 jupdate1.5.0.xml
03/19/2006  10:57 PM            16,296 bc0_appcompat.txt
03/19/2006  10:50 PM                 0 1vhA.tmp
03/19/2006  06:52 PM         3,857,920 Titus-1.ppt
03/19/2006  04:00 PM            16,296 2295_appcompat.txt
03/19/2006  03:47 PM            16,296 9f8f_appcompat.txt
03/19/2006  03:45 PM                 0 pptF.tmp
03/19/2006  03:42 PM         3,884,032 Titus.ppt
03/19/2006  03:39 PM            30,208 Titus - Marketing theme and Credibility.ppt
03/19/2006  02:20 PM                 0 1kj7.tmp
03/19/2006  02:18 PM                 0 z9y5.tmp
03/19/2006  02:16 PM                 0 lvs3.tmp
03/19/2006  02:03 PM            16,296 9a30_appcompat.txt
03/19/2006  01:56 PM            23,552 pptD.tmp
03/18/2006  12:23 AM            57,080 f1a2_appcompat.txt
03/18/2006  12:23 AM            10,726 battlestar.galactica.s02e20.dsr.xvid-xor.[VTV].avi.3455948.TPB-1.torrent
03/18/2006  12:22 AM            57,080 5393_appcompat.txt
03/18/2006  12:22 AM            10,726 battlestar.galactica.s02e20.dsr.xvid-xor.[VTV].avi.3455948.TPB.torrent
03/17/2006  07:48 PM         6,871,297 Azureus2.4.0.2.jar
03/17/2006  07:43 PM            65,536 ~DF28A9.tmp
03/17/2006  07:42 PM             4,862 AZU49731.tmp
03/17/2006  04:25 PM            16,296 c7e5_appcompat.txt
03/17/2006  02:01 PM            15,554 947f_appcompat.txt
03/17/2006  01:38 PM            16,296 d9cf_appcompat.txt
03/17/2006  01:38 PM            57,080 c19d_appcompat.txt
03/17/2006  10:07 AM               220 1410_appcompat.txt
03/17/2006  08:17 AM            57,080 637a_appcompat.txt
03/17/2006  12:49 AM            65,536 ~DF62AD.tmp
03/17/2006  12:43 AM            65,536 ~DFD4FD.tmp
03/16/2006  11:37 PM            65,536 ~DF62FA.tmp
03/16/2006  09:03 PM            65,536 ~DF732D.tmp
03/16/2006  08:33 PM               220 5be5_appcompat.txt
03/16/2006  08:27 PM             4,608 i4j32345.exe
03/16/2006  08:27 PM             2,481 suite_uninstaller.log
03/16/2006  06:44 PM            14,006 dd_depcheck80.txt
03/16/2006  05:00 PM            78,583 avg7inst.log
03/16/2006  03:41 PM            16,384 ~WRF0000.tmp
03/16/2006  03:09 PM            16,296 8c95_appcompat.txt
03/16/2006  02:42 PM            65,536 ~DF2920.tmp
03/16/2006  02:34 PM            77,208 c57e_appcompat.txt
03/16/2006  01:59 PM            16,296 3dd8_appcompat.txt
03/16/2006  01:50 PM            16,384 Perflib_Perfdata_280.dat
03/16/2006  01:49 PM            65,536 ~DF3000.tmp
03/16/2006  01:46 PM            16,296 db8c_appcompat.txt
03/15/2006  11:40 PM            16,296 e5d1_appcompat.txt
03/15/2006  11:33 PM             7,245 gilmore.girls.s06e16.hdtv.xvid-fqm.[VTV][EZTV].avi.3451147.TPB.torrent
03/15/2006  10:00 PM            16,296 d64_appcompat.txt
03/14/2006  12:24 AM               114 99B6B886.TMP
03/10/2006  07:15 PM                70 ECF54A0E.TMP

Volume in drive C has no label.
 Volume Serial Number is 888B-DCCD

 Directory of C:\WINDOWS

03/20/2006  11:54 AM           359,896 WindowsUpdate.log
03/20/2006  11:50 AM            21,695 comsetup.log
03/20/2006  11:50 AM           682,994 setuplog.txt
03/20/2006  11:49 AM           286,512 setupapi.log
03/20/2006  11:48 AM                 0 0.log
03/20/2006  11:47 AM             2,048 bootstat.dat
03/20/2006  11:47 AM            62,796 iis6.log
03/20/2006  11:47 AM            11,608 ntdtcsetup.log
03/20/2006  11:47 AM            10,978 tsoc.log
03/20/2006  11:47 AM             1,294 tabletoc.log
03/20/2006  11:47 AM             4,382 imsins.log
03/20/2006  11:47 AM               885 ocmsn.log
03/20/2006  11:47 AM            70,360 setupact.log
03/20/2006  11:41 AM             2,052 wmsetup.log
03/20/2006  11:40 AM           316,640 WMSysPr9.prx
03/20/2006  11:40 AM             1,933 OEWABLog.txt
03/20/2006  11:40 AM             4,161 ODBCINST.INI
03/20/2006  11:39 AM               749 WindowsShell.Manifest
03/20/2006  11:38 AM             1,006 win.ini
03/20/2006  11:38 AM             1,646 MedCtrOC.log
03/20/2006  11:38 AM            14,732 ocgen.log
03/20/2006  11:38 AM               927 msgsocm.log
03/20/2006  11:38 AM            14,759 FaxSetup.log
03/20/2006  11:38 AM             1,041 sessmgr.setup.log
03/20/2006  11:38 AM             2,790 netfxocm.log
03/20/2006  11:37 AM               120 DtcInstall.log
03/20/2006  11:36 AM            10,204 msmqinst.log
03/20/2006  11:36 AM               200 cmsetacl.log
03/20/2006  11:35 AM               783 wiadebug.log
03/20/2006  11:35 AM                49 wiaservc.log
03/20/2006  11:29 AM               121 setuperr.log
03/20/2006  11:28 AM               976 regopt.log
03/20/2006  11:28 AM               227 system.ini
03/20/2006  11:14 AM            32,652 SchedLgU.Txt
03/20/2006  10:57 AM            10,154 setupapi.old
03/19/2006  10:49 PM             1,409 QTFont.for
03/19/2006  10:49 PM            54,156 QTFont.qfn
03/19/2006  06:14 PM             4,904 EventSystem.log
03/19/2006  01:22 AM            26,341 KB898461.log
03/18/2006  12:56 AM         1,031,670 ntbtlog.txt
03/16/2006  08:23 PM                 0 vpd.properties
03/16/2006  11:52 AM                32 pavsig.txt
03/15/2006  08:53 PM                 0 vpc32.INI
03/15/2006  07:08 PM               116 NeroDigital.ini
03/10/2006  09:33 PM                68 DVDRegionFree.INI

Volume in drive C has no label.
 Volume Serial Number is 888B-DCCD

 Directory of C:\

03/20/2006  12:06 PM                 0 sys.txt
03/20/2006  12:06 PM             5,581 system.txt
03/20/2006  12:06 PM             3,629 systemtemp.txt
03/20/2006  12:06 PM           108,564 system32.txt
03/20/2006  11:47 AM     1,207,959,552 pagefile.sys
03/20/2006  11:35 AM               211 boot.ini
03/18/2006  04:02 PM               567 hpcmerr.log
03/18/2006  03:26 PM               225 cleaned out these.txt
03/15/2006  08:15 PM           826,360 ewido-signatures-full-20060315.exe.part
03/15/2006  08:08 PM             3,168 smitfiles.txt
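
Added example, not part of the original thread: the review step requested earlier (take the entries since the problem began from each datFind log) done mechanically. The Python below parses `dir`-style listings in the format posted above, keeps entries modified on or after a cutoff date, and marks executable-type files sitting in a Temp directory for a closer look; the function names, the extension list and the sample listing are constructed for this example.

```python
import os
import re
from datetime import date, datetime

DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# e.g. "03/16/2006  08:27 PM             4,608 i4j32345.exe"
# "<DIR>" rows have no numeric size and are skipped by this pattern.
ENTRY_RE = re.compile(
    r"^(?P<d>\d{2}/\d{2}/\d{4})\s+(?P<t>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>.+?)\s*$"
)

# Assumption of this example: file types that can carry code.
CODE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".sys"}


def in_temp_dir(path):
    p = path.lower().rstrip("\\")
    return p.endswith("\\temp") or "\\temp\\" in p


def parse_listing(text):
    """Yield one dict per file row, tagged with its 'Directory of' path."""
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("path")
            continue
        m = ENTRY_RE.match(line)
        if m is None or current is None:
            continue
        yield {
            "dir": current,
            "name": m.group("name"),
            "size": int(m.group("size").replace(",", "")),
            "modified": datetime.strptime(
                m.group("d") + " " + m.group("t"), "%m/%d/%Y %I:%M %p"
            ),
        }


def triage(text, since):
    """Entries modified on/after `since`, newest first, with a review flag
    for code-bearing file types found in a Temp directory."""
    hits = []
    for e in parse_listing(text):
        if e["modified"].date() < since:
            continue
        ext = os.path.splitext(e["name"])[1].lower()
        e["review"] = ext in CODE_EXT and in_temp_dir(e["dir"])
        hits.append(e)
    return sorted(hits, key=lambda e: e["modified"], reverse=True)


# Constructed sample in the same layout as the logs above (names are made up).
SAMPLE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\WINDOWS\system32

03/20/2006  12:03 PM             8,407 example.dat
03/09/2006  05:10 PM         4,799,320 tool.exe
02/14/2006  09:20 AM           550,120 older.dll

 Directory of C:\DOCUME~1\User\LOCALS~1\Temp

03/16/2006  08:27 PM             4,608 setup123.exe
03/16/2006  08:27 PM             2,481 install.log
03/16/2006  08:00 PM    <DIR>          subdir
01/03/2006  08:35 PM            68,096 stale.dll
"""

if __name__ == "__main__":
    for e in triage(SAMPLE, date(2006, 3, 1)):
        mark = "REVIEW" if e["review"] else "      "
        print(mark, e["modified"], f'{e["size"]:>12,}', e["dir"] + "\\" + e["name"])
```

A flag here is only a prompt to inspect the file: modification times can be changed, and installers legitimately drop executables into Temp.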

Offline kronostar

« Reply #37 on: March 21, 2006, 02:44:44 AM »
This morning I reinstalled Windows after trying to just repair it. No formatting, so I kept my files. My computer seemed to be working just fine. It's annoying not having a repeatable error. But just now I received the dreaded error yet again.
Also, I've been getting a notice that my Windows firewall isn't turned on, even though I've had it on. When I go to my network connections, the lock icon is on my network connections, signifying that the firewall is on. When I check the properties I now get an unknown error.

Offline kronostar

« Reply #38 on: March 21, 2006, 03:07:06 AM »
Just restarted after everything hung. When I went into network connections the locks were gone from the icons, but when I went into advanced settings to turn on the firewall again it was already switched on. Hitting OK then returned the locks to the network connections.

Offline Die Hard

« Reply #39 on: March 21, 2006, 10:09:43 PM »
kronostar :)

You have some suspicious files in the temp folder.
Go here and download EmptyTempFolders
Install the program and click "Options" and select "Predefined folders".
Checkmark:
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temp\
C:\DOCUMENT AND SETTINGS\your account\LOCAL SETTINGS\Temporary Internet files
C:\DOCUMENT AND SETTINGS\all other accounts\LOCAL SETTINGS\Temporary Internet files
C:\Windows\Temp
Then click "Empty all folders" (blue lightning) to delete the contents in the preset folders.

then...

Please download "Blacklight" from F-secure:
http://www.f-secure.com/blacklight/help/
Add it to a folder of its own and run it. Accept the license agreement and hit "Scan". A log will be created in the same folder with the name fsbl2006xxx.log, where the x's are the date and time of the scan. Copy the content here and let's have a look.

Die Hard :)

Offline kronostar

« Reply #40 on: March 22, 2006, 11:44:54 AM »
03/22/06 06:41:22 [Info]: BlackLight Engine 1.0.33 initialized
03/22/06 06:41:22 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/22/06 06:41:23 [Note]: 7019 4
03/22/06 06:41:23 [Note]: 7005 0
03/22/06 06:41:27 [Note]: 7006 0
03/22/06 06:41:27 [Note]: 7011 472
03/22/06 06:41:28 [Note]: FSRAW library version 1.7.1015
03/22/06 06:50:07 [Note]: 7006 0
03/22/06 06:50:07 [Note]: 7011 2900
03/22/06 06:50:07 [Note]: FSRAW library version 1.7.1015
03/22/06 06:50:52 [Note]: 7007 0

Offline kronostar

« Reply #41 on: March 22, 2006, 11:58:04 AM »
I have 2 accounts on my computer.  When running clean temp folders on my main one I could only clean those folders.  The installed program wasn't available on my other account and I had to install it again there to clean those programs.  Also for Black light it would not let me run it from the other account saying either I didn't have access to it or when I redownloaded it to another directory it claimed not to be a win32 program.  Tried this a few times, but only succeeded in bringing up the services.exe error countdown or a nvsc.exe error.

Offline kronostar

« Reply #42 on: March 24, 2006, 04:59:31 AM »
Logfile of HijackThis v1.99.1
Scan saved at 12:06:17 AM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Azureus\Azureus.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Offline Eric the Red

  • ISO/IEC 27001:2013
  • Administrator
  • Hero Member
  • *****
  • Posts: 1618
  • Would somebody please pass me a beer!
Re: Services.exe shutting down computer
« Reply #43 on: March 25, 2006, 09:30:22 PM »
kronostar,

To disable the system shutdown when it starts, click on "Start" then "Run", then type in:

shutdown -a

and click "OK".

Then go to http://vil.nai.com/vil/averttools.asp and download the "Stinger tool" (usage instructions are on the same page), run it and see what it finds.
"The time to start running is around about the "e" in "Hey, you!" "

The information I provide is provided "AS IS" without warranty, and confers no rights.

Offline kronostar

« Reply #44 on: March 27, 2006, 12:13:48 AM »
Hello Eric the red,

Thanks for the reminder and continuing help. I still have the problem. Stinger didn't bring anything up to my knowledge. I ran it and it was scanning through all my directories. I left my computer for a while and when I returned the menu was as it was before the scan.

Since being here I installed ZoneAlarm's firewall. I'm very unfamiliar with it, but over the last 2 days it's blocked several hundred "Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet" from a variety of 192.168.*.* and ports.