
Windows/system32/services.exe Keeps Closing Down My Computer


8 replies to this topic

#1 David Newsum

  • Members
  • 5 posts

Posted 31 January 2006 - 06:09 AM

Hello

My firewall started telling me about a week ago that Windows/System32/Services.exe was trying to access the internet, which I thought was strange, especially as it was trying to access a weird site that had nothing to do with Microsoft.
I didn't let it, but later on I had to disable my firewall briefly while I connected to my website to upload my data. (I don't know why, but my web server won't allow me to connect through a firewall, even if I allow everything.)

Anyway, at this point Services.exe got access to the internet, and then it said I had 60 seconds before my computer would restart, with this message:

"Services.exe terminated unexpectedly with status code 1073741674"

I have run every possible virus and adware scan going and they have all come up clean. I've searched the internet for solutions and found nothing, except for someone who had the same error on this site.

He said he fixed it simply by deleting sysbus32.sys, but I've searched for that file and don't appear to have it on my computer.

Here is the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 15:00:43, on 31/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QK SMTP Server 3\QKSmtpServer3.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [pro] C:\winstall.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08974b5d542137...ip/RdxIE601.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



If anybody could please help I'd really appreciate it.

Many thanks

David
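The O4 lines in a HijackThis log list everything that starts automatically from the Run keys and the Startup folders, and the quickest way to spot the odd one out is to look at where each executable lives. The following is an added example written for this thread (it is not code from BleepingComputer, HijackThis or the poster): it parses O4 lines, extracts the executable path from each command line and flags entries that sit in the root of the drive or are given as a bare file name resolved through the search path. The sample input is the set of O4 lines copied from the log above; the list of trusted directories is an assumption made for illustration, not a HijackThis rule.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example for this thread, not code from BleepingComputer or HijackThis.
Parses the O4 lines of a HijackThis log and flags autostart commands whose
executable is not where installed software normally lives. TRUSTED_PREFIXES
is an assumed list for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Directories where legitimate autostart binaries are expected (assumed list).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")

# Leading quoted or unquoted executable path of a command line.
EXE_RE = re.compile(r'"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)


@dataclass
class Autostart:
    location: str   # e.g. HKLM\..\Run or Global Startup
    name: str       # value name or .lnk name
    command: str    # full command line as logged
    verdict: str    # expected | path-search | drive-root | review


def _parse_o4(line: str):
    """Split an 'O4 - <location>: ...' line into (location, name, command)."""
    if not line.startswith("O4 - "):
        return None
    location, rest = line[5:].split(": ", 1)
    if rest.startswith("["):                 # Run key: [name] command
        name, command = rest[1:].split("] ", 1)
    else:                                    # Startup folder: name.lnk = command
        name, command = rest.split(" = ", 1)
    return location, name, command


def classify(command: str) -> str:
    m = EXE_RE.match(command)
    if not m:
        return "review"                      # no .exe found: look at it by hand
    directory = ntpath.dirname(m.group("exe")).lower()
    if directory == "":
        return "path-search"                 # bare name resolved via search path
    if re.fullmatch(r"[a-z]:\\?", directory):
        return "drive-root"                  # installed software rarely sits in C:\
    if any(directory.startswith(p) for p in TRUSTED_PREFIXES):
        return "expected"
    return "review"


def triage(log: str) -> list[Autostart]:
    entries = []
    for raw in log.splitlines():
        parsed = _parse_o4(raw.strip())
        if parsed is None:
            continue
        location, name, command = parsed
        entries.append(Autostart(location, name, command, classify(command)))
    return entries


def suspicious(log: str) -> list[Autostart]:
    """Everything that is not 'expected' and deserves a second look."""
    return [e for e in triage(log) if e.verdict != "expected"]


# Sample input: the O4 lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [pro] C:\winstall.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
'''

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.verdict:12} {e.location:14} [{e.name}] {e.command}")
```

Run against the log above, the only entries that are not "expected" are the bare `SOUNDMAN.EXE` (resolved through the search path, which is a common but low-value finding) and `[pro] C:\winstall.exe`, the same entry the helper asked to have submitted. A location check like this is a triage aid, not a verdict: it narrows what to look at, and the file itself still has to be examined.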


#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 31 January 2006 - 09:46 AM

Click on Start, then Run, and type the following in the Open: field:

notepad c:\windows\system.ini

Now press enter. Post the contents of this file as a reply to this topic.

#3 David Newsum
  • Topic Starter

  • Members
  • 5 posts

Posted 31 January 2006 - 09:59 AM

Thanks for your quick response, here is what it said:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[network]
Bios=29361454

#4 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 31 January 2006 - 11:21 AM

Download this program:

submit files packer

Highlight the files listed below in bold, right-click, and select Copy.

C:\winstall.exe


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


I need to get an export of the files being started via the SharedTaskScheduler registry key.

Please download the following file and save it to your desktop:

getsts.exe

Once it has downloaded, please double-click on the file, which should now be on your desktop. When the program is finished, it will create a text file on your desktop called getsts.txt and open it in notepad.

Please post the contents of this notepad as a reply to this topic.

#5 David Newsum
  • Topic Starter

  • Members
  • 5 posts

Posted 01 February 2006 - 04:48 AM

I've sent the archive file, and here is the getsts file below.

Thanks

David


SharedTaskScheduler exporter by Grinler

{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader => %SystemRoot%\system32\browseui.dll

{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon => %SystemRoot%\system32\browseui.dll

Edited by David Newsum, 01 February 2006 - 04:50 AM.


#6 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 01 February 2006 - 02:42 PM

To use RootkitRevealer, please make sure you are logged in as an Administrator on the computer.
  • Please download and unzip RootkitRevealer to your desktop.
  • Please leave the defaults set as they are:
    • Hide NTFS Metadata Files: this option is on by default.
    • Scan Registry: this option is on by default.
  • Launch RootkitRevealer on the system and press the Scan button.
    RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large; please edit out the items in the following folders, if they appear in the log, before posting it: C:\RECYCLER\NPROTECT and C:\System Volume Information.
  • Please post the balance of the log here in this thread using Add Reply (please double-check that it has all been posted, as it may be too long for one post).
Then download and save BlackLight to your desktop.
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Leave [X] Scan through Windows Explorer checked,
click Scan, then Next.
You'll see a list of all items found.
Don't choose Rename yet! I want to see the log first, because legitimate items can also be present there, like "wbemtest.exe".
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log along with the RootkitRevealer log.

#7 David Newsum
  • Topic Starter

  • Members
  • 5 posts

Posted 04 February 2006 - 10:08 AM

Here is the RootkitRevealer log:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 04/02/2006 18:40 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sysbus32 04/02/2006 18:39 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sysbus32 30/01/2006 01:22 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sysbus32 04/02/2006 18:39 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\$UZCD.AVG 04/02/2006 18:52 49.00 MB Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 26/01/2006 21:08 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bbc.co.uk 16/01/2006 16:30 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bbc.co.uk\settings.sol 16/01/2006 16:30 79 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local 11/05/2005 01:32 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol 11/05/2005 01:32 75 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#opinz.co.uk 22/01/2006 15:03 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#opinz.co.uk\settings.sol 22/01/2006 15:03 81 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pandora.com 02/12/2005 15:41 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pandora.com\settings.sol 02/12/2005 15:41 81 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 26/01/2006 21:08 414 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Desktop\Sys 30/01/2006 02:11 0 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 04/02/2006 18:41 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\drivers\sysbus32.sys 18/01/2006 02:26 45.14 KB Hidden from Windows API.

Edited by David Newsum, 04 February 2006 - 10:12 AM.
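RootkitRevealer reports every discrepancy between what the Windows API returns and what the raw hive and file system contain, so even a clean machine produces entries like the RNG seed, Flash shared objects and AV scratch files seen above, and the job is to separate that noise from objects hidden where drivers and services live. The following is an added example written for this thread (not code from BleepingComputer, Sysinternals or the poster): it parses RootkitRevealer output lines, rates each finding, and correlates a hidden `Services\<name>` key with a hidden `drivers\<name>.sys` file, which is the pairing that stands out in this log. The sample input is the log copied from the post above; the noise list is an assumption made for illustration and would need tuning for other systems.

```python
"""Triage of RootkitRevealer output.

Added example for this thread, not code from BleepingComputer or Sysinternals.
Separates hidden objects in driver/service locations (strong indicators of a
kernel-mode rootkit hiding itself) from routine discrepancies, then correlates
hidden service keys with hidden driver files of the same name. NOISE_PATTERNS
is an assumed list for illustration.
"""
import re
from dataclasses import dataclass

# <path> <dd/mm/yyyy> <hh:mm> <size> <description>; the path may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+)$"
)

# A hidden object here means a loaded driver or service is concealing itself.
HIGH_RISK_PREFIXES = (
    "hklm\\system\\controlset",         # service and driver registration keys
    "c:\\windows\\system32\\drivers",   # kernel driver binaries
)
# Paths that routinely show discrepancies on a clean XP system (assumed list).
NOISE_PATTERNS = (
    "\\cryptography\\rng\\seed",        # seed is rewritten while the scan runs
    "\\macromedia\\flash player\\",     # Flash shared objects with '#' in names
    "\\softwaredistribution\\datastore\\logs",  # Windows Update scratch files
    "\\grisoft\\avg7data\\$",           # AV scratch files open during the scan
)


@dataclass
class Finding:
    path: str
    size: str
    desc: str
    severity: str   # high | review | noise


def classify(path: str, desc: str) -> str:
    p = path.lower()
    if any(n in p for n in NOISE_PATTERNS):
        return "noise"
    hidden = "hidden from windows api" in desc.lower()
    if hidden and any(p.startswith(h) for h in HIGH_RISK_PREFIXES):
        return "high"
    return "review"


def parse(log: str) -> list[Finding]:
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(Finding(m["path"], m["size"], m["desc"],
                                    classify(m["path"], m["desc"])))
    return findings


def correlate(findings: list[Finding]) -> list[str]:
    """Names seen both as a hidden service key and as a hidden driver file."""
    services, drivers = set(), set()
    for f in findings:
        if f.severity != "high":
            continue
        p = f.path.lower()
        if m := re.search(r"\\services\\([^\\]+)$", p):
            services.add(m.group(1))
        if m := re.search(r"\\drivers\\([^\\]+)\.sys$", p):
            drivers.add(m.group(1))
    return sorted(services & drivers)


# Sample input: the RootkitRevealer log copied from the post above.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 04/02/2006 18:40 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sysbus32 04/02/2006 18:39 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sysbus32 30/01/2006 01:22 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sysbus32 04/02/2006 18:39 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\$UZCD.AVG 04/02/2006 18:52 49.00 MB Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys 26/01/2006 21:08 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bbc.co.uk 16/01/2006 16:30 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bbc.co.uk\settings.sol 16/01/2006 16:30 79 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local 11/05/2005 01:32 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol 11/05/2005 01:32 75 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#opinz.co.uk 22/01/2006 15:03 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#opinz.co.uk\settings.sol 22/01/2006 15:03 81 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pandora.com 02/12/2005 15:41 0 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#pandora.com\settings.sol 02/12/2005 15:41 81 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 26/01/2006 21:08 414 bytes Hidden from Windows API.
C:\Documents and Settings\DEN\Desktop\Sys 30/01/2006 02:11 0 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 04/02/2006 18:41 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\drivers\sysbus32.sys 18/01/2006 02:26 45.14 KB Hidden from Windows API.
'''

if __name__ == "__main__":
    findings = parse(SAMPLE_LOG)
    for f in findings:
        if f.severity != "noise":
            print(f"{f.severity:7} {f.path}  ({f.size}; {f.desc})")
    print("hidden service + hidden driver:", correlate(findings))
```

On this log the four "high" findings are the three `Services\sysbus32` keys (one per control set) and `drivers\sysbus32.sys`, and `correlate` pairs them up as `sysbus32`, which matches the BlackLight result in the next post. The hidden `Desktop\Sys` folder is left as "review": it is not in a driver location, but a hidden directory in a user profile is still worth examining by hand rather than filtering away.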


#8 David Newsum
  • Topic Starter

  • Members
  • 5 posts

Posted 04 February 2006 - 10:14 AM

Here is the BlackLight log:

02/04/06 19:08:45 [Info]: BlackLight Engine 1.0.30 initialized
02/04/06 19:08:45 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/04/06 19:08:45 [Note]: 7019 4
02/04/06 19:08:45 [Note]: 7005 0
02/04/06 19:09:17 [Note]: 7006 0
02/04/06 19:09:17 [Note]: 7011 1260
02/04/06 19:09:17 [Note]: FSRAW library version 1.7.1014
02/04/06 19:10:05 [Info]: Hidden file: C:\WINDOWS\system32\drivers\sysbus32.sys
02/04/06 19:10:05 [Note]: 10002 1
02/04/06 19:11:36 [Note]: 7007 0

#9 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 04 February 2006 - 01:55 PM

Download the attached bat file and save it to your desktop. Double-click the sysbus.bat on your desktop and when the notepad opens, post the contents of that notepad as a reply to this topic.

Attached Files





