windows XP boot problem -- services.exe app error at 0x37001160
Hey folks - been working with a couple great folks over on the malware forum with the initial thought that this might be malware related, but at this point the opinion is now that it's looking more like a windows system problem. So here I am. Perhaps a Windows Expert can take a look at this.
Laptop: Win XP Pro SP2 - all updates.
I was in the process of installing BitDefender v10 and at the same time Windows Update was doing its thing with some updates from this week. Anyway, both installations got hung up. I was able to cancel the BitDefender install, and it appeared to do a rollback with the backward progress bar, etc, but it didn't look like it completed all the way. The Windows update also said it did not install successfully. They were both hung up. So after 10 mins of no activity, I rebooted.
Now, I get the following red X error msg when my computer starts up:
<<Services.exe application error. The instruction at "0x37001160" referenced memory at "0x37001160". The memory could not be "read". Click OK to terminate the program, click cancel to debug the program.>>
After clicking OK, it gives the same services.exe red X error message a second time. Click OK again and it gives the same error message but with "explorer.exe", twice. And then finally it gives the same error message for "lsass.exe". When all these red X errors are done, the "NT Authority System" begins the 1 minute shutdown with the message The PC never makes it to the desktop, no desktop icons appear, no taskbar. After the 1 minute countdown, the PC does not shut down - it just hangs there. FYI - I can do a ctrl-alt-del while it is hanging there and after about 3-4 mins the task manager appears, if that means anything.
I can start in safe mode and safe mode with networking.
So it looks like I screwed up my laptop.
I've read several sites that seem to think it has to do with a worm, but I think the symptoms are not quite the same. In any event, I scanned for viruses with up-to-date defs and online scanners and found none. No lsass virus either.
All this because I was installing that dang BitDefender to help a friend create a rescue CD!! Arghhh. Bottom line, what do I need to do and where do I begin to fix this problem?? I have modest computer experience and will work hard to help fix this. PLEASE HELP!!
Thank you,
max
I know one AV that has strong trojan and detection, it is F-Prot:
you can get a free 30 day trial of it right onto your laptop if safe mode with
networking lets you get online.
If not, use a different computer and get it.
http://www.f-prot.com is the site location, just click on Download on the main page.
The first thing I would do would be to explore the possibility of a hardware issue. My recommendation would be to download MEMTEST86. You'll need to create a bootable diskette or CD w/ it. If you need help w/ that just let us know and we'll step you through it. Place the diskette or CD in its respective drive on your computer and reboot. The computer (if the BIOS boot device priority settings are set to check for bootable media on the floppy drive or the CD drive b4 the HDD) will boot to the disk and start the memory diagnostic automatically. (If it doesn't, let us know. We'll step you through changing your BIOS settings.) Let the diagnostic run for at least a couple of hours. If this test passes w/ no errors, we'll have steps to follow this one in troubleshooting your system.
While trouble-shooting this issue, disconnect all non-essential devices from your computer. Leave only the keyboard, monitor and mouse connected.
BTW, please, make sure that the power supplied to your computer is ok. Either plug the computer directly into an available power outlet or, (preferably) if available, plug the computer into an UPS or quality power surge suppressor. (For more info. re: protecting your computer from power anomalies & events, please, go here.)
To my delight, I have found that not only am I benefiting greatly from the incredible depth of technical knowledge & expertise possessed by many on SMs forums, but that I am increasing my worldly knowledge & non-technical vocabulary as well. Who'd 'a thunk it?!
---
Thank you for the link professor. I'll give it a read soon as I get a 'tic.... :smiles:
My apologies. I need to go back and read through his posts more carefully....
In the interim, Max, please download Dial-a-Fix and ATF-Cleaner. Burn them to CD so that they can be run in the computer you are experiencing difficulties with. While in Safe Mode, copy both apps. to your desktop...
Unfortunately, my attention's a bit monopolized right now as I'm working on a computer and need to stay focused (so's I don't goof up) while doing that.
Perhaps someone could step in who has some time to help out Max????
Would a Windows CD be of any use? I've asked Max if he has a Windows CD. Have not got an answer.
EDIT://
As for "Expert" you rule when it comes to malware, Trogan!!
1) I was able to uninstall BitDefender - something I wanted to do very much since I suspected it was a cause due to its incomplete installation. So, as it stands now, I THINK BitDefender has been completely uninstalled - but how do I know for sure? I have read a few posts that people have also THOUGHT that BitDefender was removed, but it continued to cause problems.
2) I have yet to turn the services and startup items back on. Plan to do so one at a time. The biggest will be to turn back on services related to Network Assoc antivirus.
3) I seem to be getting an LSA Shell error (several of them) upon each boot up. Posts indicate it might be a Sasser worm - I have used WMRT and FxSasser to check and they came back neg.
4) I am trying to remove CounterSpy (having learned that multiple spyware tools is a bad idea), but keep getting Internal Error 2738.
Ptero - I will download the tools and burn to CD (just to have them as you have said), and run them.
-max
It's fine to have multiple AntiVirus or AntiSpyware tools, so long as only one of them is loaded at any given time. I have several AntiSpyware tools I use on a regular basis, along with a couple of AntiVirus programs. The only one I leave running all the time is AVG AntiVirus; the rest are just there for when I'd like a second opinion and are terminated once they are done doing their thing.
You could try Windows' own internal System File Checker.
If you have a Windows CD, insert it into the CD/DVD Drive.
Close the Window that appears.
(If you don't have a Windows CD, skip on to next steps)
Click Start then Run, then type sfc /scannow in the window.
Click OK.
The scan should take anywhere from 5-15 minutes.
Windows File Protection will scan for altered files.
Ideally it restores any corrupted Windows files.
Thanks Kentigern - now that I can get into normal mode, I will run the SFC tool and see if it has anything to say, but since I am back to normal mode - hopefully it won't. Does it take any action or does it just check and advise? What happens if it finds something? Doesn't it matter that the CD would be outdated compared to a Windows Updated XP system?
-max
The topic gives quite a lot of info on the different settings etc.
Hope this helps:)
1) verifying Bit Defender was completely installed. There are still some lines in the MSCONFIG tool that reference BitDefender. ???
2) LSA Shell errors have gone away - not sure why. Posts indicate it might have been the Sasser worm - I used WMRT and FxSasser to check and they came back neg. Anything else I should look for?
3) trying to remove CounterSpy, but keep getting Internal Error 2738. Laptop has the latest jscript.dll file from MS installed, so ruled out that cause.
-max
Logfile of HijackThis v1.99.1
Scan saved at 6:03:36 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\Analyse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156438812346
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
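Added example, not part of the original posts: a small Python triage pass over a HijackThis log like the one above, which groups the entries a helper would usually look at first (targets marked "(file missing)", O23 services with "Unknown owner", and anything still referencing the product that was supposedly uninstalled). The sample lines are copied from the log above; the function names and the leftover keywords are assumptions chosen for this thread.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log above (a subset, not the whole log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
"""

# An entry line starts with a section code such as R0, O4 or O23, then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_entries(text):
    """Return (code, body) tuples for entry lines; headers and process paths are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def triage(text, leftover_keywords=("bitdefender", "bdscan")):
    """Group entries that deserve a manual look. The keywords are an assumption
    for this thread (leftovers of an uninstalled product), not a vendor list."""
    findings = defaultdict(list)
    for code, body in parse_entries(text):
        lowered = body.lower()
        if lowered.endswith("(file missing)"):
            findings["file_missing"].append((code, body))
        if code == "O23" and " - unknown owner - " in lowered:
            findings["unknown_owner_service"].append((code, body))
        if any(k in lowered for k in leftover_keywords):
            findings["uninstall_leftover"].append((code, body))
    return dict(findings)

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for code, body in items:
            print(f"  {code}: {body}")
```

A hit in any group is a prompt to check the file or registry entry by hand, not a verdict that the entry is malicious.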