Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

Is this a virus or what?

Locked

Can anyone PLEASE tell me what this is?

I started getting the following message a couple of days ago:

“This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM

Time before shutdown: 00:00:XX

Message
The system process
‘C:\WINDOWS\system32\services.exe’ terminated unexpectedly with status code – 1073741819. The system will now shut down and restart.”

The computer shuts down and reboots about every 10 to 15 minutes, regardless of what I’m doing (even if the system is just sitting idle).

NO new programs or services were recently installed!

I ran 3 different virus scans on-line, scanned in safe-mode AND real mode with McAfee, Norton, AntiVir and Avast. ALL came up clean.

Ran detect and removal tool for W32.Blaster worm — came up clean.

Ran detect and removal tool for W32.Sasser worm — came up clean.

Ran detect and removal tool for W32.Blackmal.E worm — came up clean.

Scanned with AdAware — came up clean.

Scanned with EWIDO — came up clean.

Scanned with Trend Micro (formerly SpySubtract) — came up clean

The problem still persists.

Any advice (short of “reinstall Windows XP”) would be greatly appreciated.

System info:
HP Pavilion 700
AMD Athlon XP 1600+ 1.39GHz
512 MB RAM
Windows XP Home Edition SP2 (set on automatic update)
System Restore turned OFF
Cable modem (Windows XP Firewall enabled!)
Home Network on Linksys Router (BEFSR41 V.2)

Topic

trojan

In reply to Is this a virus or what?

What that is is a leftover from a Sasser worm
the tool I use is
http://vil.nai.com/vil/stinger/
I usually run it both in normal and safe mode.
Sometimes you have to manually removel the exe file avserv2.exe. And at times it will create a second Lsass.exe file named lsasss.exe

to disable to NT shutdown until you can run your fixes just type in the run box “shutdown -a

No Luck!

In reply to trojan

Thanks for the reply, Jim. I downloaded the AVERT Stinger as you suggested and ran it in both, normal and Safe Mode.
Both scans came up CLEAN!
I also did a search for avserv2.exe and lsasss.exe, but neither file was found anywhere on my system (using “find” in regedit brought no results either).

“shutdown -a” works fine to keep the system going temporarily for the purpose of trying to fix it, but then I can’t shut it down normally. Have to push the power button until it turns off.

Same problem

In reply to No Luck!

Has anyone found a fix for this problem yet?

This may not be what it seems

In reply to Same problem

The good olf KISS method seems to apply sometimes in IT world. Services.exe is an essential process in your operating system and it can not even be closed from Task Manager. If it crashes, many important services are shut down and conseqently, the OS needs to close to automatically restart of the dead services.

just a thought:
As your PC is still running fine, try ending all not required processes via Task Manager. Perhaps you will find a different exe file that is casing this.

If that keeps happening, one might have to try using a different user profile on the machine. Another approach involves using the WinXP CD to Repair Windows.

Good luck!

No known cure

In reply to Same problem

Unfortunately, I have to tell you, I never did find out what caused this problem or how to “fix” it. I tried a system recovery, then a Windows XP repair install…neither one helped. I finally gave up, and did a complete reinstall of Windows XP (including completely reformatting the hard drive).
Whatever caused this error message seemed to have been something embedded deep into the operating system itself. None of the dozens of anti-virus, anti-spyware, or anti-malware scans I ran ever turned up anything that would cause this particular problem (similar ones, but not the exact same one). I’ll be curious to see if anyone ever figures out what this is.

Sasser Removal Tool

In reply to Is this a virus or what?

Review article:
http://support.microsoft.com/?scid=kb;en-us;841720.
Also, try common antispyware tools such as: XoftSpy, HijackThis, Spybot (search and Destroy) and AdAware. The last 3 are free.

I strongly recommend running that Sasser removal (also free).

I have almost identical Machine to your and the combination software I mentioned prevented that automatic shutdown message for over 2 years now.

“shutdown -a” – this command rules. It stops the shutdown to give you more time to wack the malware out of your system.

Been there, done that

In reply to Sasser Removal Tool

Thanks for the reply, but as I stated in my original post, I’ve already ran the Sasser detect and removal tool (in both normal and safe mode) and it came up clean.
Also ran detect and removal tools for Blackmal.E, W32Blaster, Zobot, and a couple of other worms without finding anything.
Scans with Ewido, AdAware, Trend Micro (formerly SpySubtract), Spybot S&D and 3 or 4 on-line malware scans also came up clean.

I posted a description of the problem I’m having along with Screen Shots and a HijackThis log last Thursday at
http://castlecops.com/t149387-C_WINDOWS_system32_services_exe_terminated_unexpectedly.html
I haven’t received any kind of response there yet.
Running out of ideas!

What about drivers?

In reply to Been there, done that

I have had almost a similar problem before which I managed to sort out when I reinstalled the system board drivers. I was running WinXP SP1 on a Compaq Evo machine. I realise you did the repair install,, but at times that is not enough. Sorry I have just found this post but I hope if someone else gets a similar problem they could try out this solution and we see what happens. Cheers!

Passing this on

In reply to Is this a virus or what?

someone on TechRepublic posted this and I grabbed it for a friend:
http://www.sysinfo.org/startupinfo.html
now you have it too. Don’t forget rootkits along with all the other various malicious code floating around out there.

You might just want to do a repair install anyway

In reply to Is this a virus or what?

It’s windows after all, It may be a lot easier to spend two installing windows and drivers again (add an extra hour for applications if windows doesn?t allow for a repair install) than to spend too much time buggerising about looking for malware.

MS word spellcheck picks up malware but not buggerising WTF?

[Author]

Replies