services.exe application error at 0x37001160 - win xp pro wont boot all the way

edited January 2007 in Science & Tech
Hi there. As you can see, I have been working with a couple great folks over on the malware forum with the initial thought that this might be malware related, but it is looking less like malware and more like a windows system problem. So they have suggested posting here to allow a Windows Expert to take a look.

Below is some of the post to provide you with background. The first couple posts have all the specifics about the symptoms. I will be very happy to fill in any blanks that you wish.

What do I need to do and where do I begin to fix this problem?? PLEASE HELP!! Thank you very much. -max


====BACKGROUND POSTS from our efforts with the Malware folks========
running win xp pro SP2 - all updates.
I was in the process of installing BitDefender v10 and at the same time windows update was doing its thing with some updates from this week. Anyway, both installations got hung up. I was able to cancel the bit defender install, and it appeared to do a rollback with the backward progress bar, etc, but it didn't look like it completed all the way. The Windows update also said it did not install successfully. They were both hung up. So after 10 mins of no activity, I rebooted. Now, I get the following red X error msg when my computer starts up:
<Services.exe application error. The instruction at "0x37001160" referenced memory at "0x37001160". The memory could not be "read". Click OK to terminate the program, click cancel to debug the program.>

After clicking OK, it gives the same services.exe red X error message. Another OK and it gives the same error message but with "explorer.exe", twice. And then finally it gives the same error message for "lsass.exe". When these red X errors are done, the "NT Authority System" begins the 1 minute shutdown with the message <due to \windows\system32\services.exe, status code 1073741819.> The PC never makes it to the desktop, no desktop icons appear, no taskbar. After the 1 minute countdown, the PC does not shutdown - it just hangs there. FYI - I can do a ctrl-alt-del while it is hanging there and after about 3-4 mins the task manager appears, if that means anything.

I can start in safe mode and safe mode with networking. So it looks like I screwed up my laptop. :-/

I've read several sites that seem to think it has to do with a worm, but I think the symptoms are not quite the same. In any event, I scanned for viruses with up-to-date defs and online scanners and found none. No lsass virus either.

All this because I was installing that dang BitDefender to help a friend create a rescue CD!! Arghhh. Bottom line, what do I need to do and where do I begin to fix this problem?? I have little computer experience to fix this sort of thing. PLEASE HELP!!

Thank you,
maxwelltf

profdlp 01-11-2007 07:37 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

We had another member with the same error message. Post a HijackThis log. If we spot anything rotten we'll go from there. If not, we'll check out other possibilities. :)

maxwelltf 01-11-2007 07:50 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Hi thanks. Yes, I read tiger's thread, but there are some differences. Namely, my system restore was turned off. I am almost in disbelief as to how that can be, but it is true. It is turned off. So, I figured I should start a fresh thread on the subject. HJT log is attached. Hope this helps.... Thanks for your help so much!

profdlp 01-11-2007 07:52 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

You can go ahead and post the HJT log here if you want. If I see anything suspicious I'll send this thread over to our crack SVT Swat Team for cleanup. :)

maxwelltf 01-11-2007 07:54 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Here it is inline...

Logfile of HijackThis v1.99.1
Scan saved at 4:50:21 PM, on 1/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\HJT\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156438812346
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpf...qdiagh.cab?326
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

===================end

profdlp 01-11-2007 08:02 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Try clicking Start>>Run, type in msconfig, then click OK. Go to the startup tab and uncheck any non-essential programs you see. After that, see if you can boot normally.

I'd include anything having to do with BitDefender, since it looks like the messed up installation may be the source of your problem:

Quote:
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

I'd also disable any Services related to BitDefender for the time being.

If that gets you back in business, try uninstalling BitDefender completely, reboot, then give it another shot. I'm sure this has occurred to you by now, but you're playing with fire to try and update two things at the same time - especially if one of them is a MS Hotfix via Windows Update. :eek3:

maxwelltf 01-11-2007 08:09 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

OK done. Unchecked all unessentials, including any items with BD in the name. Unable to boot normal. :-(

Did you notice that there are several files "missing" in the log? They mostly look like windows system files. seems to line up with the services, lsass, and explorer app errors, no?

10-4 on the double install. Wasn't intentional - forgot it was running in the background. argghhhh!!!

profdlp 01-11-2007 08:15 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

It appears that this one may be up to no good. (Ignore the advice to buy their program - our guys will get you fixed up at no charge.)

I'm going to turn this over to our experts in the field to see what they advise. If the problem persists after they've given you a clean bill of health I'll have them send it back here for more noodling. :thumbsup:

maxwelltf 01-11-2007 08:16 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Ok thanks. I'll wait to hear from them. Thought that Prevx software was pretty solid. Hmmm.

jmoney3457 01-11-2007 08:35 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Prof is right, it appears that particular file is added by a worm. See here for more info. Let's begin cleaning you up :wink: Please do this: download ATF Cleaner

* Double-click ATF-Cleaner.exe to run the program.
* Click Select All found at the bottom of the list.
* Click the Empty Selected button.

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

* Click Opera at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Then, first download AVG anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded AVG anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
2. Once the setup is complete you will need to run AVG and update the definition files.
3. On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
6. Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"

Close AVG anti-spyware, Do Not run a scan just yet, we will shortly.

1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process
2. Launch AVG-anti-spyware by double-clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
4. AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
5. If you have any infections you will be prompted, then select "Apply all actions"
6. Next select the "Reports" icon at the top.
7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
8. Close AVG and reboot your system back into Normal Mode and post the results of the AVG report scan.


maxwelltf 01-11-2007 08:39 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Ok - I'll do the steps. It will take me this evening to do so.

In the meantime, however, isn't Bit Defender a legit app or not? What about Prevx?

Finally, is there any concern about the system files listed as "missing" in the HJT log? Does it not appear there is something wrong there - perhaps from the install gone wrong?

profdlp 01-11-2007 09:19 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Quote:
Originally Posted by maxwelltf
...Finally, is there any concern about the system files listed as "missing" in the HJT log? Does it not appear there is something wrong there - perhaps from the install gone wrong?
I'll defer to the experts on this one (and you couldn't ask for better help than what you'll get from jmoney), but I know that at least one of those (msgrapp.dll) is commonly missing from a lot of HJT logs I've seen.

Bitdefender is a fine program, but trying to install it on an already infected machine is likely what caused the problem to begin with. (Not that you had any way of knowing that.) It's like your doctor telling you not to take the flu shot if you think you may already have the flu. :D

As for Prevx, I have nothing against it, but I'm always a little wary of programs which find a problem and then tell you to cough up some dough to get it fixed. Most of the trustworthy AntiVirus programs (like BitDefender) allow you to do an online scan and actually fix your problems before they start asking for your money. :wave:

maxwelltf 01-12-2007 02:46 AM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Thanks JMoney - all steps completed. Here is the AVG log. I have not tried to reboot into normal mode yet. Will await your next steps.
Thanks - maxwelltf.

AVG Anti-Spyware - Scan Report

+ Created at: 11:44:16 PM 1/11/2007

+ Scan result:

C:\Documents and Settings\Administrator\Desktop\066dbba1b07d9fe3110 ba60066448d386.zip/McAfee VirusScan Enterprise - v.8.0i.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

whintersby 01-12-2007 06:26 AM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Quote:
Originally Posted by profdlp
As for Prevx, I have nothing against it, but I'm always a little wary of programs which find a problem and then tell you to cough up some dough to get it fixed. Most of the trustworthy AntiVirus programs (like BitDefender) allow you to do an online scan and actually fix your problems before they start asking for your money. :wave:
Hi Prof,

Just thought I'd inform you that Prevx1 does not ask for payment in order to scan and remove any malware. They offer a free trial which is valid for at least 30days and offers the full capabilities of the software - including FREE REMOVAL of any malware infections it finds.

You are only asked to pay if you wish to keep the software after the trial ends.

I'm a big fan of Prevx1 (have been a member of their beta program for the last year) and recommend this to anyone with a malware infection. It has improved leaps and bounds over the last 12 months and I haven't seen it fail at removing a piece of malware yet.

All the best,

Whintersby

jmoney3457 01-12-2007 07:01 AM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Quote:
Originally Posted by profdlp
(and you couldn't ask for better help than what you'll get from jmoney)
thanks prof:)

Quote:
Originally Posted by maxwelltf
In the meantime, however, isn't Bit Defender a legit app or not? What about Prevx?

Finally, is there any concern about the system files listed as "missing" in the HJT log? Does it not appear there is something wrong there - perhaps from the install gone wrong?
yes bitdefender is a HIGHLY regarded anti virus program ranking high among AV programs, prevx is legit also..though I have no personal experience with it and have heard mostly good things about it...yes the *missing files* is a bug in the current version of HJT, it's only true for 02-3 entries:)...lastly please post new HJT Log max:)

maxwelltf 01-12-2007 11:34 AM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Thanks Jmoney - OK - here's a new HJT log. Have done all this from safe mode. Haven't tried to boot to normal mode since doing AVG scan. Will await next steps. -max

Logfile of HijackThis v1.99.1
Scan saved at 8:38:50 AM, on 1/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HJT\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156438812346
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpf...qdiagh.cab?326
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
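
An added example, not part of the original thread: a Python triage of the O23 service lines from the log above, separating "(file missing)" entries that carry a stray closing quote (quoted path plus arguments, assumed here to be the HijackThis reporting bug jmoney mentions) from entries that do not. The verdict labels, the function names and the stray-quote heuristic are assumptions of this example, not HijackThis behaviour documented on this page.

```python
import re
from dataclasses import dataclass

# O23 lines copied from the HijackThis log posted above (a subset).
SAMPLE_LOG = r'''
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
'''

# "O23 - Service: <display name> - <owner> - <image path and arguments>"
O23_RE = re.compile(
    r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>"?[A-Za-z]:\\.*)$'
)
MISSING = "(file missing)"
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Service:
    name: str
    owner: str
    image: str         # path text as HijackThis printed it, marker removed
    missing: bool      # line ended with "(file missing)"
    stray_quote: bool  # odd number of double quotes in the path text

    @property
    def binary(self) -> str:
        """Executable path only: no quotes, no command-line arguments."""
        m = re.match(r'"?(.+?\.exe)', self.image, re.IGNORECASE)
        return m.group(1) if m else self.image

    def verdict(self) -> str:
        if not self.missing:
            return "present"
        if self.stray_quote:
            # Assumption: an unbalanced quote means the tool tested a
            # mangled path, so check the real binary on disk before
            # trusting the "(file missing)" flag.
            return "verify-on-disk"
        if self.owner == "Unknown owner" and self.binary.lower().startswith(SYSTEM32):
            # Service registered under system32 with no vendor string and
            # no binary present: look this name up before anything else.
            return "investigate"
        return "orphaned"  # leftover service entry, e.g. a failed install


def parse_o23(log_text: str) -> list:
    """Return a Service record for every O23 line in a HijackThis log."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image")
        missing = image.endswith(MISSING)
        if missing:
            image = image[: -len(MISSING)].rstrip()
        services.append(
            Service(m.group("name"), m.group("owner"), image,
                    missing, image.count('"') % 2 == 1)
        )
    return services


def triage(log_text: str) -> dict:
    """Map each service display name to its verdict."""
    return {s.name: s.verdict() for s in parse_o23(log_text)}


if __name__ == "__main__":
    for svc in parse_o23(SAMPLE_LOG):
        print(f"{svc.verdict():15} {svc.name:45} {svc.binary}")
```

On these lines only the MsaSvc entry lands in "investigate"; the BitDefender and Prevx entries land in "verify-on-disk" because of the trailing quote in their printed paths.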

Trogan 01-12-2007 11:42 AM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Sorry to jump in the thread like this. However, I don't have good news.

The file identified by Prof belongs to the IRCBot Trojan, which has Backdoor functionality. This gives intruders complete control of your computer, logging key strokes, stealing information, etc. :(

You are strongly advised to do the following immediately!:

* Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
o Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you make a more informed decision, please read the following articles:

* Danger: Remote Access Trojans.
* When should I re-format? How should I reinstall?
* How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud?

Should you have any questions, please feel free to ask

Please let me know your decision and we'll get started with clean up if that's what you choose.

maxwelltf 01-12-2007 11:52 AM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Hello Trogan - well now that some of the blood has returned to my head - I have a couple questions: How can you tell it is infected with IRCBot? This is my primary Laptop and has all my personal files, but I do not use it for banking except Paypal and Hotmail and will change those passwords now from this clean PC. (However this PC has been on the network with the Laptop - so how can we tell if it is infected as well?)

I truly expected these current set of problems to be from a simultaneous program installation and "windows XP update", both of which hung and were uncleanly stopped with a reboot.

My decision is to clean/correct the laptop and not reformat the hard drive. I can attempt an OS reinstall, but I must find the Win XP Pro CD and am not 100% sure I can find it.

max

Trogan 01-12-2007 12:10 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

Hi Max

Quote:
Hello Trogan - well now that some of the blood has returned to my head - I have a couple questions: How can you tell it is infected with IRCBot? This is my primary Laptop and has all my personal files, but I do not use it for banking except Paypal and Hotmail and will change those passwords now from this clean PC. (However this PC has been on the network with the Laptop - so how can we tell if it is infected as well?)
Looking at the link Prof posted (http://fileinfo.prevx.com/adware/qqc...SASVC.EXE.html) shows it's an IRCBot and some other research shows this. If you post a HijackThis log from the PC after we have finished with the Laptop, I'll take a look at it.

Quote:
I truly expected these current set of problems to be from a simultaneous program installation and "windows XP update", both of which hung and were uncleanly stopped with a reboot.
Could have been, but not sure. It may be that the Bot knew something was being installed and decided to cause damage? I don't know. Bots can do damage if not caught and removed early.

Quote:
My decision is to clean/correct the laptop and not reformat the hard drive. I can attempt an OS reinstall, but I must find the Win XP Pro CD and am not 100% sure I can find it.
Let's try and do a clean up.

Please do the following...

1. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt, along with a new HijackThis log in your next post.

2. I need to see another log from HijackThis.

* Run Hijackthis.
* Click on Open the Misc Tools section.
* Next click on Open uninstall manager.
* Press the Save list button.
* Save the file to your desktop, with the default name of uninstall_list
* Copy & Paste the entire contents of that file in your next post.

3. Please post the following...

1) SDFix Report.txt
2) Uninstall list
3) New HijackThis log

maxwelltf 01-12-2007 12:32 PM
Re: services.exe app error 0x37001160 - win xp wont boot all the way

OK - I will do the steps and report back. (BTW - I can only boot into safe mode - normal mode hangs with the services.exe error.) I truly appreciate your help with this. Being the way I am, I do want to ask you about the msasvc.exe file: Doesn't the HJT log say that the msasvc.exe file is missing? I searched the laptop HD for msasvc.exe and it does not appear to be on the HD (hidden files shown). Is it possible that the *authentic* Microsoft msasvc.exe file that belongs in WINDOWS\SYSTEM32\ was corrupted or incompletely loaded during the interrupted windows XP update and, since it is missing, is part of the laptop's bootup problem?

This laptop has always been behind a firewall and is always up to date with Windows Update. I am pretty religious about it.

Will proceed with your steps and will anxiously await your thoughts. -max
This discussion has been closed.