
Services.exe missing after every restart


This topic is locked
14 replies to this topic

#1 Rob327 (Members, 6 posts)

Posted 04 December 2012 - 01:56 PM

I was recently asked to clean an infected Win7 computer that would not boot. With rescue discs (updated versions of AVG and Windows Defender offline scanners) I cleaned what appeared to be a ZeroAccess infection.

With the infection cleaned the computer still would not boot. BSOD 0x000000F4. At this point I ran Farbar scan tool which indicated a missing services.exe file. The farbar log was otherwise very clean.

From the Windows recovery environment I ran SFC /SCANNOW to replace the missing services.exe file. I then tried to boot Windows again but got the same 0x000000F4 blue screen. From the recovery environment I checked and again services.exe was missing from system32. Once more I replaced the file, and this time confirmed that it had in fact been replaced. Tried to boot Windows but again same result, blue screen, and services.exe again missing.

I've tried replacing it half a dozen times to no avail. It simply gets deleted as soon as I attempt to actually boot into Windows. Same thing happens if trying to boot to safe mode after replacing services.exe.

Repeated offline scans turn up nothing but I can't seem to solve the problem. Any ideas would be greatly appreciated.

#2 Broni, The Coolest BC Computer (BC Advisor, 42,769 posts, Daly City, CA)

Posted 04 December 2012 - 07:11 PM

I'll report this topic to appropriate helpers.
Hold on...


#3 JSntgRvr, Master Surgeon General (Malware Response Team, 11,929 posts, Puerto Rico)

Posted 04 December 2012 - 08:12 PM

Welcome. Let's give it a try.

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.


#4 boopme, To Insanity and Beyond (Global Moderator, 73,561 posts, NJ USA)

Posted 04 December 2012 - 08:34 PM

Hello. Just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#5 Rob327, Topic Starter (Members, 6 posts)

Posted 04 December 2012 - 08:41 PM

Thanks, I'll post the log when I get back to work tomorrow.

#6 JSntgRvr, Master Surgeon General (Malware Response Team, 11,929 posts, Puerto Rico)

Posted 04 December 2012 - 08:47 PM

(thumbs up)


#7 Rob327, Topic Starter (Members, 6 posts)

Posted 05 December 2012 - 02:16 PM

This is taken after replacing services.exe using sfc /scannow, confirming that it is there, then one reboot resulting in the 0x000000F4 blue screen. Another note: I have already removed any startup items I could from the registry. Thanks!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-12-2012
Ran by SYSTEM at 04-12-2012 19:52:10
Running from E:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [ISTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI [2670008 2012-03-20] (PC Tools)
HKLM\...\Run: [PCTools FGuard] C:\Program Files\PC Tools Security\BDT\FGuard.exe [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.100.254

==================== Services (Whitelisted) ===================

2 Browser Defender Update Service; "C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe" [571320 2012-03-20] (Threat Expert Ltd.)
2 sdAuxService; C:\Program Files\PC Tools Security\pctsAuxs.exe [402336 2012-03-20] (PC Tools)
2 sdCoreService; C:\Program Files\PC Tools Security\pctsSvc.exe [1118648 2012-03-20] (PC Tools)
3 ThreatFire; C:\Program Files\PC Tools Security\TFEngine\TFService.exe service [71008 2012-03-20] (PC Tools)

==================== Drivers (Whitelisted) ====================

3 AGR1310_60; C:\Windows\System32\DRIVERS\AGR1310_60.sys [77824 2007-01-19] (Agere Systems)
3 LGDMEBTN; C:\Windows\System32\DRIVERS\LGDMEBTN.sys [16384 2006-12-13] (LG Electronics Inc.)
3 PCTBD; C:\Windows\System32\Drivers\PCTBD.sys [70736 2012-03-20] (PC Tools)
0 PCTCore; C:\Windows\System32\drivers\PCTCore.sys [383368 2012-03-16] (PC Tools)
0 pctDS; C:\Windows\System32\drivers\pctDS.sys [342168 2012-02-28] (PC Tools)
0 pctEFA; C:\Windows\System32\drivers\pctEFA.sys [909728 2012-02-28] (PC Tools)
1 pctgntdi; \??\C:\Windows\System32\drivers\pctgntdi.sys [253352 2012-03-20] (PC Tools)
3 pctplsg; \??\C:\Windows\System32\drivers\pctplsg.sys [70536 2012-03-20] (PC Tools)
1 PCTSD; C:\Windows\System32\Drivers\PCTSD.sys [203088 2012-03-20] (PC Tools)
0 TfFsMon; C:\Windows\System32\drivers\TfFsMon.sys [54328 2012-03-20] (PC Tools)
3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [35264 2012-03-20] (PC Tools)
0 TFSysMon; C:\Windows\System32\drivers\TfSysMon.sys [574424 2012-03-20] (PC Tools)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-12-03 13:05 - 2012-12-03 13:09 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
2012-12-02 20:49 - 2012-12-02 20:49 - 00000000 ____D C:\FRST
2012-12-02 19:30 - 2012-12-02 19:30 - 00144760 ____A C:\Windows\Minidump\120212-76222-01.dmp
2012-12-02 18:53 - 2012-12-02 18:55 - 00000000 ____D C:\Windows\System32\config\mybackup
2012-12-02 17:56 - 2012-12-03 00:16 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-11-04 12:41 - 2012-12-04 16:32 - 147876635 ____A C:\Windows\MEMORY.DMP
2012-11-04 11:10 - 2012-11-04 11:10 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-11-04 11:06 - 2012-12-02 19:30 - 00000000 ____D C:\Windows\Minidump


==================== One Month Modified Files and Folders ========

2012-12-04 16:32 - 2012-11-04 12:41 - 147876635 ____A C:\Windows\MEMORY.DMP
2012-12-04 16:32 - 2011-07-14 04:56 - 00009312 ____A C:\Windows\PFRO.log
2012-12-03 13:09 - 2012-12-03 13:05 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
2012-12-03 00:16 - 2012-12-02 17:56 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-12-02 20:49 - 2012-12-02 20:49 - 00000000 ____D C:\FRST
2012-12-02 19:59 - 2011-07-13 18:27 - 00000000 ____D C:\Program Files\PC Tools Security
2012-12-02 19:34 - 2011-07-10 21:54 - 00726142 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-02 19:31 - 2009-07-13 20:39 - 00026441 ____A C:\Windows\setupact.log
2012-12-02 19:30 - 2012-12-02 19:30 - 00144760 ____A C:\Windows\Minidump\120212-76222-01.dmp
2012-12-02 19:30 - 2012-11-04 11:06 - 00000000 ____D C:\Windows\Minidump
2012-12-02 19:30 - 2011-07-13 18:27 - 01420711 ____A C:\Windows\System32\Drivers\Cat.DB
2012-12-02 19:30 - 2011-07-10 22:02 - 00000000 ____D C:\users\Bryce
2012-12-02 19:30 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-02 18:55 - 2012-12-02 18:53 - 00000000 ____D C:\Windows\System32\config\mybackup
2012-11-04 15:40 - 2011-07-13 19:06 - 00000000 ____D C:\Users\Bryce\AppData\Roaming\Azureus
2012-11-04 15:40 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2012-11-04 15:40 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2012-11-04 15:40 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2012-11-04 11:10 - 2012-11-04 11:10 - 00000000 __SHD C:\Windows\System32\%APPDATA%

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-05-19 08:57:18
Restore point made on: 2012-05-20 00:00:38
Restore point made on: 2012-05-27 12:01:15
Restore point made on: 2012-06-05 08:07:15
Restore point made on: 2012-06-12 23:29:42
Restore point made on: 2012-06-14 00:00:54
Restore point made on: 2012-06-21 21:47:29
Restore point made on: 2012-06-26 19:50:14
Restore point made on: 2012-07-04 18:53:33
Restore point made on: 2012-07-12 07:36:44
Restore point made on: 2012-07-19 21:10:45
Restore point made on: 2012-08-28 17:52:50
Restore point made on: 2012-11-04 11:56:33

==================== Memory info ===========================

Percentage of memory in use: 33%
Total physical RAM: 1014.49 MB
Available physical RAM: 669.67 MB
Total Pagefile: 1014.49 MB
Available Pagefile: 669.02 MB
Total Virtual: 2047.88 MB
Available Virtual: 1963.22 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:93.16 GB) (Free:27.54 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (WDO_MEDIA32) (Removable) (Total:14.52 GB) (Free:14.03 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 93 GB 1024 KB
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 93 GB 31 KB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 93 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

=========================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E WDO_MEDIA32 FAT32 Removable 14 GB Healthy

=========================================================

Last Boot: 2012-11-04 11:48

#8 JSntgRvr, Master Surgeon General (Malware Response Team, 11,929 posts, Puerto Rico)

Posted 05 December 2012 - 03:27 PM

Run FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes on the USB drive in your next reply.

Download the enclosed file.

Save it in the USB drive next to FRST.

Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log in the flashdrive (Fixlog.txt) please post it to your reply.


#9 Rob327, Topic Starter (Members, 6 posts)

Posted 05 December 2012 - 04:18 PM

Here are the two files. Please note the search.txt was created after replacing services.exe in c:\windows\system32\
Thanks,
Rob A.

Attached Files



#10 JSntgRvr, Master Surgeon General (Malware Response Team, 11,929 posts, Puerto Rico)

Posted 05 December 2012 - 04:56 PM

That seems to be a parallel install, and services.exe is not missing from the system, so it must be something else. Let's first check the MBR.

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix.exe application to the USB drive.

Also download the enclosed file and save it in the USB drive replacing the existing one.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

Also it will copy the file C:\Windows\Minidump\120212-76222-01.dmp to the flash drive. Please zip this file and attach it to a reply.


#11 Rob327, Topic Starter (Members, 6 posts)

Posted 13 December 2012 - 10:59 AM

It's been busy here at work and I've finally had a chance to get back to this.

I think you're missing what I said in the last post. Services.exe is there in the search only because I have to replace it to confirm whether or not the system will boot. Then after each restart it's deleted again.

It's definitely not a parallel install. I've ruled this out already. That's a backup some previous tech did of all relevant user and system folders prior to upgrading the machine from XP to Win7.

I have made some slight progress this morning. I have found that I can get Windows to boot correctly ONCE if I first boot the machine from a rescue disk and replace the registry from the regback folder, then run sfc /scannow to replace services.exe. Windows will boot fine, but then on the next reboot the same error occurs.

I have found one suspicious line in the registry:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations with a value of "\??\c:\Windows\system32\services.exe"
The same line is found in ControlSet001 and ControlSet002

If I delete these lines they just come back at some point prior to the reboot and the whole process needs to be started again.

I have run MalwareBytes from within Windows and that comes back clean.
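The PendingFileRenameOperations value described in the post above is a REG_MULTI_SZ list of (source, destination) pairs that the Session Manager processes at the next boot; a pair with an empty destination means "delete the source". An entry naming a System32 binary with no replacement is therefore a persistence mechanism worth checking for, in every ControlSet, not just CurrentControlSet. The PowerShell script below is an added example for that check, not code from the thread or from any of its posters. It runs against the live registry of a booted system, or, with -OfflineHive, against the SYSTEM hive of a non-booting installation mounted from another OS; the script name and the D:\ path in the usage comment are assumptions for illustration.

```powershell
<#
  Added example (not from the thread): list PendingFileRenameOperations in every
  ControlSetNNN of a SYSTEM hive and flag entries that delete or replace binaries
  under \Windows\System32.

  Usage (elevated PowerShell):
    .\Check-PendingRenames.ps1                                           # live registry
    .\Check-PendingRenames.ps1 -OfflineHive D:\Windows\System32\config\SYSTEM   # hive of a non-booting install
  The script name and the D:\ path are assumptions for illustration.
#>
param(
    [string]$OfflineHive
)

$hiveRoot = 'HKLM:\SYSTEM'
$mounted  = $false

if ($OfflineHive) {
    # Mount the offline hive under a temporary key name (assumed not to be in use).
    & reg.exe load 'HKLM\OfflineSYSTEM' $OfflineHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive '$OfflineHive'" }
    $hiveRoot = 'HKLM:\OfflineSYSTEM'
    $mounted  = $true
}

function Get-PendingRenameFindings {
    param([string]$Root)
    $findings = @()
    # CurrentControlSet is only a link to one of the ControlSetNNN keys, so it is skipped
    # to avoid reporting the same entries twice.
    $controlSets = Get-ChildItem -Path $Root | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        $smKey   = "$Root\$($cs.PSChildName)\Control\Session Manager"
        $pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
                        -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if (-not $pending) { continue }
        # Force an array: REG_MULTI_SZ arrives as string[], stored as (source, destination) pairs.
        $pending = @($pending)
        $pattern = '(?i)\\Windows\\System32\\[^\\]+\.(exe|dll|sys)$'
        for ($i = 0; $i -lt $pending.Count; $i += 2) {
            # Strip the NT object-manager prefix "\??\" for readability.
            $src = $pending[$i] -replace '^\\\?\?\\', ''
            $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] -replace '^\\\?\?\\', '' } else { '' }
            # An empty destination instructs the Session Manager to delete the source at next boot.
            $action = if ($dst -eq '') { 'DELETE' } else { 'RENAME' }
            $findings += [pscustomobject]@{
                ControlSet  = $cs.PSChildName
                Action      = $action
                Source      = $src
                Destination = $dst
                Suspicious  = ($src -match $pattern) -or ($dst -match $pattern)
            }
        }
    }
    return $findings
}

try {
    $results = Get-PendingRenameFindings -Root $hiveRoot
    if (-not $results) {
        Write-Output 'No PendingFileRenameOperations entries in any ControlSet.'
    } else {
        $results | Format-Table -AutoSize
        foreach ($f in ($results | Where-Object { $_.Suspicious })) {
            Write-Warning ('{0}: {1} of {2} is scheduled for the next boot' -f $f.ControlSet, $f.Action, $f.Source)
        }
    }
}
finally {
    # Always unmount the offline hive, even if the scan threw.
    if ($mounted) { & reg.exe unload 'HKLM\OfflineSYSTEM' | Out-Null }
}
```

A hit is not proof of infection on its own: Windows Update and installers legitimately queue renames and deletions of temporary files here. What stands out is a DELETE of a core binary such as services.exe with no replacement source, especially when, as in this thread, it reappears after being removed and is present in more than one ControlSet. If the value keeps coming back while the system is running, something still active (a driver, service or scheduled task) is rewriting it, which is the next thing to look for.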

#12 JSntgRvr, Master Surgeon General (Malware Response Team, 11,929 posts, Puerto Rico)

Posted 14 December 2012 - 12:49 AM

I believe that the PendingFileRenameOperations key is removed from the Session Manager when the registry is restored with the backup, but then respawns at startup.

It is important that I see the MBRDUMP.txt as the command to remove services.exe may originate from there.

If you are able to boot, run TDSSKiller as follows and post its report:

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Edited by JSntgRvr, 14 December 2012 - 12:52 AM.


#13 Rob327, Topic Starter (Members, 6 posts)

Posted 14 December 2012 - 12:37 PM

Yes that's what I think too.
I've attached the mbrdump. I made this dump AFTER the reboot error, but PRIOR to making any changes to enable it to boot again.

I'm going to replace the registry and services.exe again and attempt to boot and run TDSSKiller, but I have a feeling being forced to reboot by the application will hinder the process.

Attached Files



#14 JSntgRvr, Master Surgeon General (Malware Response Team, 11,929 posts, Puerto Rico)

Posted 14 December 2012 - 01:44 PM

The MBR looks clear. Any results with TDSSKiller?


#15 JSntgRvr, Master Surgeon General (Malware Response Team, 11,929 posts, Puerto Rico)

Posted 06 January 2013 - 12:55 PM

Due to the lack of feedback this Topic is closed. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
