Question about strange System Event Log Message: soylentgreen ser

Guest

I occasionally have my computer freeze while using Cakewalk Sonar software
for mixing audio. When this happens, I am forced to reboot the computer via
the reset switch. After doing so, I always check the drives for consistency.
Since checking C: (my system drive) requires rebooting the system, I always
check the system event logs after rebooting to see the message printed out by
the chkdsk program (or its equivalent). Lately, I've been seeing a new
message that is a rather strange one:

"The soylentgreen service was successfully sent a start control."

This is repeated a number of times as I browse through the system event
messages that are issued during boot-up.

Here's a little more info on one of these messages:

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 7/9/2007
Time: 12:04:18 PM
User: xxxxxxxxxxxxxxxx/xxxxxxxx
Computer: xxxxxxxxxxxxx
Description: The soylentgreen service was successfully sent a start control.

More strangeness!!! As I browsed through the System Event Log, I received a
message saying the event log was corrupt and now there is a red 'x' to the
left of the "System" selection in the left hand frame and the right hand
frame no longer shows any messages - just a message saying "No items to show
in this view."

1) Is the event log corruption benign and just a result of my rebooting the
computer via the reset switch? (Suggestions to uncorrupt/fix this would also
be appreciated).

2) Is the strange event log message about the "soylentgreen service" benign
and just some Microsoft programmer's sense of humour?

OR...

Should I be worried about having a cracked computer?

FWIW, I keep my XP computer up to date daily with regard to Norton/Symantec
Anti-Virus and Firewall signatures. I also regularly check and upgrade to
the latest MS service pack. Also, I run checks once a day for spyware and
malware with Spybot and AdAware. From those checks, the system seems clean.
Still, this is a strange and new message, so I thought I'd check to see if
any of you have run across this.

Nick
--
 
Guest

NickB said:
I occasionally have my computer freeze while using Cakewalk Sonar software
for mixing audio. When this happens, I am forced to reboot the computer via
the reset switch. After doing so, I always check the drives for consistency.
Since checking C: (my system drive) requires rebooting the system, I always
check the system event logs after rebooting to see the message printed out by
the chkdsk program (or its equivalent). Lately, I've been seeing a new
message that is a rather strange one:

"The soylentgreen service was successfully sent a start control."

This is repeated a number of times as I browse through the system event
messages that are issued during boot-up.

Here's a little more info on one of these messages:

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 7/9/2007
Time: 12:04:18 PM
User: xxxxxxxxxxxxxxxx/xxxxxxxx
Computer: xxxxxxxxxxxxx
Description: The soylentgreen service was successfully sent a start control.

More strangeness!!! As I browsed through the System Event Log, I received a
message saying the event log was corrupt and now there is a red 'x' to the
left of the "System" selection in the left hand frame and the right hand
frame no longer shows any messages - just a message saying "No items to show
in this view."

1) Is the event log corruption benign and just a result of my rebooting the
computer via the reset switch? (Suggestions to uncorrupt/fix this would also
be appreciated).

2) Is the strange event log message about the "soylentgreen service" benign
and just some Microsoft programmer's sense of humour?

OR...

Should I be worried about having a cracked computer?

FWIW, I keep my XP computer up to date daily with regard to Norton/Symantec
Anti-Virus and Firewall signatures. I also regularly check and upgrade to
the latest MS service pack. Also, I run checks once a day for spyware and
malware with Spybot and AdAware. From those checks, the system seems clean.
Still, this is a strange and new message, so I thought I'd check to see if
any of you have run across this.

Nick
--

I think it is a screen saver downloaded, try to scan for malware and
on-line scanner to get better/another opinion.
HTH.
nass
 
Guest

nass said:
I think it is a screen saver downloaded, try to scan for malware and
on-line scanner to get better/another opinion.
HTH.
nass

Hi Nass,

I haven't downloaded any screen savers. In fact, I don't run any screen
saver at all as it can screw up my audio editing application. Also, as I
mentioned above, I _do_ scan for malware - using 3 programs: AdAware and
SpyBot (once a day) and with Symantec AntiVirus (weekly). None of them
indicate any infections. I know that's no guarantee, but I do my due
diligence faithfully in this regard.

Nick
--
 
Guest

NickB said:
Hi Nass,

I haven't downloaded any screen savers. In fact, I don't run any screen
saver at all as it can screw up my audio editing application. Also, as I
mentioned above, I _do_ scan for malware - using 3 programs: AdAware and
SpyBot (once a day) and with Symantec AntiVirus (weekly). None of them
indicate any infections. I know that's no guarantee, but I do my due
diligence faithfully in this regard.

Nick
--

If you put this text in the search engine (local to your hard drive), see
what folder/path comes up and check its properties for clues.
Also you can try an internet search.
* soylentgreen service *
You can download these excellent tools and see what's running in the
background, including FileMon:
Download these tools to see the running processes in real time and you
can search them to make sure they are legit.
"Process Explorer for Windows v10.21"
http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx
HTH.
nass
===
www.nasstec.co.uk
 
Vanguard

in message
"The soylentgreen service was successfully sent a start control."


Since the name of the service is in the registry, what happens when you
search for "soylent" in the registry? You might then be able to find
the inprocserver program name. If regedit.exe doesn't work then you
better start investigating if you are infected.
 
Guest

Vanguard said:
in message


Since the name of the service is in the registry, what happens when you
search for "soylent" in the registry? You might then be able to find
the inprocserver program name. If regedit.exe doesn't work then you
better start investigating if you are infected.

I searched for the string "soylentgreen" as well as "soylent" in the
registry and there were no instances of it found.

Strange.

As far as investigating if my computer is infected, what would you suggest?
I have run Spybot and Adaware as well as Symantec Antivirus scans and they
all came up with no infections.

Nick
--
 
Guest

nass said:
If you put this text in the search engine (local to your hard drive), see
what folder/path comes up and check its properties for clues.

I tried this and no files or directories have this string in their name.

However, you gave me a good idea: I will run an overnight search through
every file on my computer to see if that string can be found.
Also you can try an internet search.

I tried that too, but it didn't yield anything that looked helpful in trying
to figure this out.
You can download these excellent tools and see what's running in the
background, including FileMon:
Download these tools to see the running processes in real time and you
can search them to make sure they are legit.
"Process Explorer for Windows v10.21"
http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
"AutoRuns for Windows v8.61 By Mark Russinovich and Bryce Cogswell"
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx

I'll try those and see if I can find anything. Thanks Nass and Vanguard for
your suggestions. I'll keep looking and let you know what I find.

Nick
--
 
Guest

NickB said:
I tried this and no files or directories have this string in their name.

However, you gave me a good idea: I will run an overnight search through
every file on my computer to see if that string can be found.


I tried that too, but it didn't yield anything that looked helpful in trying
to figure this out.


I'll try those and see if I can find anything. Thanks Nass and Vanguard for
your suggestions. I'll keep looking and let you know what I find.

Nick
--

Hi Nick,
Are you sure you wrote down the correct name? Have a peek again in the Event
Viewer and double-click the error message; what info is there?
Is it soylent green for a game or is it The soylentgreen service was
successfully sent a start control?
AutoRuns is a great tool; it will show you lots of running processes and services,
just click on the tabs at the top.
You receive an error message when you try to open the IPSec MMC policy on a
Windows Server 2003-based computer
(Event ID: 7035)
http://support.microsoft.com/kb/870910

https://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=324214&SiteID=1
http://research.microsoft.com/~danyelf/publications/fisher_dissertation.pdf
HTH.
nass
 
Guest

Hi Nass,


I tried both those tools and didn't find anything matching that string when
using their search tools.
Hi Nick,
Are you sure you wrote down the correct name? Have a peek again in the Event
Viewer and double-click the error message; what info is there?

I didn't write the name, I selected it with the mouse and pasted it. Also,
the info in the event viewer message is in my original post - selected,
copied and pasted into the newsgroup post.
Is it soylent green for a game or is it The soylentgreen service was
successfully sent a start control?

The message is:

"The soylentgreen service was successfully sent a start control."

Additional info' shown by the event viewer is:

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 7/9/2007
Time: 12:04:18 PM
User: xxxxxxxxxxxxxxxx/xxxxxxxx
Computer: xxxxxxxxxxxxx
Description: The soylentgreen service was successfully sent a start control.

(I have xxx'd out the User and Computer info')
AutoRuns is a great tool; it will show you lots of running processes and services,
just click on the tabs at the top.
You receive an error message when you try to open the IPSec MMC policy on a
Windows Server 2003-based computer
(Event ID: 7035)
http://support.microsoft.com/kb/870910

https://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=324214&SiteID=1
http://research.microsoft.com/~danyelf/publications/fisher_dissertation.pdf
HTH.
nass

I'll keep investigating. Thanks!

Nick
--
 
Vanguard

NickB said:
I searched for the string "soylentgreen" as well as "soylent" in the
registry and there were no instances of it found.

Strange.

Maybe the service name is what the program reports it is. In that case,
my next suggestion is to search for the string within files. However,
the file search included in Windows XP is defective in that Microsoft
decided that it won't show files for which there is no viewer to look
inside the file. Instead use Agent Ransack (yeah, I know, a bad product
name) which is the free version of File Locator.
As far as investigating if my computer is infected, what would you
suggest?
I have run Spybot and Adaware as well as Symantec Antivirus scans and
they all came up with no infections.

While I still have Ad-Aware and Spybot S&D (only as on-demand scanners),
I feel they've gone downhill regarding both detection rate and healing
the system. Some others to try (all free):

- AVG Anti-Rootkit
- SysInternals Rootkit Revealer
- SuperAntiSpyware
- AVG Anti-Spyware

While I still like Symantec AV CE, I'm no longer recommending Norton AV.
Coverage for Norton AV has dropped to 96% but often the newest pests are
within the last 2% (see
http://www.av-comparatives.org/seiten/ergebnisse_2007_02.php). PrevX
isn't free but they probably have a trial version.
 
Guest

Vanguard said:
Maybe the service name is what the program reports it is. In that case,
my next suggestion is to search for the string within files. However,
the file search included in Windows XP is defective in that Microsoft
decided that it won't show files for which there is no viewer to look
inside the file. Instead use Agent Ransack (yeah, I know, a bad product
name) which is the free version of File Locator.

I'll do that tonight. I was going to do it using some CYGWIN UNIX tools I
have installed, but I'll give Agent Ransack a look to see if that might be a
handier way of doing this.
While I still have Ad-Aware and Spybot S&D (only as on-demand scanners),
I feel they've gone downhill regarding both detection rate and healing
the system. Some others to try (all free):

- AVG Anti-Rootkit
- SysInternals Rootkit Revealer
- SuperAntiSpyware
- AVG Anti-Spyware

Thanks! I'll give them a try.
While I still like Symantec AV CE, I'm no longer recommending Norton AV.
Coverage for Norton AV has dropped to 96% but often the newest pests are
within the last 2% (see
http://www.av-comparatives.org/seiten/ergebnisse_2007_02.php). PrevX
isn't free but they probably have a trial version.

I shall have a look at that as well.

Thanks!!! I'll report back tomorrow on what I find.

Nick
--
 
Vanguard

in message
I'll do that tonight. I was going to do it using some CYGWIN UNIX tools I
have installed, but I'll give Agent Ransack a look to see if that might be a
handier way of doing this.

Besides the DOS wildcarding that DOS/Windows users are accustomed to, Agent
Ransack (File Locator) can also let you use PCRE (Perl core regular
expressions). Sometimes regular expressions come in quite handy to
further narrow down the matches using better match criteria.
 
Guest

Name "soylentgreen" strongly suggests work of hacker - comes from 60s sci-fi
book.

To find malware without specialist tools:

1) Search for all .exe or .dll files modified between appropriate dates.

2) Web search, and eliminate all those which are genuinely installed by you
or microsoft in the correct directories. Record date/times of suspect files.

3) Search for all files modified on those dates, and record those within a
minute of the suspects from (2) - these files will contain the hidden copy of
the .exe or .dll.

4) Re-name the suspects from (2) by prefixing with xxz_ or some such.

5) Re-start the computer and see what doesn't work any more. Also see which
suspect .exe or .dll files magically re-appear.

6) Now you can search the registry for the re-appearing files from (5), and
the associated 'support' files from (3).

This should give you sufficient info to identify the suspects to search web,
to eliminate their start-up commands in registry, and to re-name the
'support' files.

Note you have kept all the suspect material renamed 'xxz_*' for forensic work.
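
Steps 1 and 3 of the procedure above can be scripted. The following is an added example, not part of the original post; the directory tree, file names and dates in `demo()` are constructed so the script runs offline, and the one-minute window is the one the post suggests.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

EXEC_EXT = {".exe", ".dll"}

def modified_between(root, start, end, exts=None):
    """Step 1: files under root whose mtime falls in [start, end]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if exts and p.suffix.lower() not in exts:
                continue
            try:
                m = datetime.fromtimestamp(p.stat().st_mtime)
            except OSError:
                continue  # locked or vanished file: skip, keep walking
            if start <= m <= end:
                hits.append((p, m))
    return sorted(hits, key=lambda h: h[1])

def companions(root, suspects, window=timedelta(minutes=1)):
    """Step 3: every other file written within `window` of a suspect."""
    out = {}
    for sp, sm in suspects:
        near = modified_between(root, sm - window, sm + window)
        out[sp.name] = sorted(p.name for p, _ in near if p != sp)
    return out

def demo():
    """Build a constructed tree with known mtimes and run both steps."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        t0 = datetime(2007, 7, 9, 12, 4, 18)
        layout = {  # constructed sample files, not real indicators
            "old_driver.dll": t0 - timedelta(days=400),
            "sample_boot.exe": t0,
            "sample_boot.dat": t0 + timedelta(seconds=20),
            "notes.txt": t0 + timedelta(hours=3),
        }
        for name, when in layout.items():
            f = root / name
            f.write_bytes(b"constructed sample")
            os.utime(f, (when.timestamp(), when.timestamp()))
        suspects = modified_between(
            root, t0 - timedelta(days=7), t0 + timedelta(days=1), EXEC_EXT)
        return [p.name for p, _ in suspects], companions(root, suspects)

if __name__ == "__main__":
    print(demo())
```

Modification times can be rewritten by any process with write access to the file, so an empty result from a timestamp search does not clear a machine.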
 
Guest

Newell White said:
Name "soylentgreen" strongly suggests work of hacker - comes from 60s sci-fi
book.

Those are my sentiments as well. The choice of "soylentgreen" as a name for
a service does sound suspicious. Then again, programmers sometimes have a
strange sense of humor and it is possible that it's benign. None-the-less,
I'm subjecting it to some scrutiny as it sounds suspicious.

Last night I grep'd through all the files on my hard drive and found the
following:

1) "soylentgreen" was in my IE, Firefox and related caches (expected, as
I've been searching the 'net)

2) The string was also found in a PCI utility that runs at boot time
dbldawgboot.exe:

"Q:\UlyssesPCI\PciDriver\objfre_wnet_x86\i386\soylentgreen.pdb"

This string was detected in the file using the cygwin grep utility. I used
the strings utility to list the ascii strings in the executable and found the
above string. Perhaps that's the culprit that's responsible for the
suspicious start-up message?

3) I took a closer look at the Event Manager report and here's what I found:

Item:            Value:
===============  =======================
Category         None
Company Name     Microsoft Corporation
Date             7/9/2007
Event ID         7035
File Name        netevent.dll
Product Version  5.1.2600.0
Source           Service Control Manager

The remaining two fields are Time and Type, but I don't think they are of
any significance.

Anybody have any idea why netevent.dll and the Service Control Manager may
be involved in this? (I'm pretty familiar with UNIX, but unfortunately am
not expert in the working of Windows, so I'd appreciate any enlightenment
that is provided).

By the way, I found that information out by clicking on the link in the
following text shown in the Event Viewer's Property box:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

The above information came up after clicking on the above link. There was
also a question as to whether to continue asking permission to send this
info' to Microsoft and I inadvertently pressed the NO button and now this
info' doesn't come up anymore, it just takes me to the MS web site which
doesn't show as much detail. Is there any way I can reverse that setting, so
the Event Viewer does ask me - and more importantly show me the info it's
going to send to MS?

Also, I'm going to be in contact with the author of the dbldawg utility to
see if it may be his software that is causing these messages - and will
report back what I find.

One more thing: I ran the RootkitRevealer s/w I obtained on Nass's
recommendation and it didn't find anything other than a few benign items.

Nick
--
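
The content search described in the post above, which turned up the service name only inside a PDB path embedded in an executable, can be repeated so that it covers both ASCII and UTF-16LE text and reports any PDB path it finds. This is an added example, not code from the thread; `SAMPLE` is a constructed byte string (only the PDB path is copied from the post), not the real dbldawgboot.exe.

```python
import re

# Drive-letter path of printable ASCII ending in .pdb, as left by the linker.
PDB_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,250}?\.pdb", re.IGNORECASE)

def find_name(data, name):
    """Offsets of `name` in data, case-insensitive, in ASCII and UTF-16LE."""
    hits = []
    for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
        needle = re.compile(re.escape(name.encode(codec)), re.IGNORECASE)
        hits += [(label, m.start()) for m in needle.finditer(data)]
    return sorted(hits, key=lambda h: h[1])

def pdb_paths(data):
    """Debug-symbol paths embedded in the binary."""
    return [m.group().decode("ascii") for m in PDB_RE.finditer(data)]

def triage(data, name):
    """Where the name occurs, and whether it is the PDB's base name."""
    paths = pdb_paths(data)
    return {
        "hits": find_name(data, name),
        "pdb_paths": paths,
        "name_is_pdb_basename": any(
            p.rsplit("\\", 1)[-1].lower() == name.lower() + ".pdb"
            for p in paths),
    }

# Constructed sample: a fake header, then a record laid out like a CodeView
# "RSDS" debug entry (signature, 16-byte GUID, 4-byte age, PDB path), then
# the name again as UTF-16LE, which an ASCII-only search would miss.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"RSDS" + b"\x11" * 20
    + rb"Q:\UlyssesPCI\PciDriver\objfre_wnet_x86\i386\soylentgreen.pdb"
    + b"\x00" * 8
    + "SoylentGreen".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE, "soylentgreen"))
```

To scan real files, read each one with `open(path, "rb").read()` and pass the bytes to `triage`.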
 
Vanguard

in message
Those are my sentiments as well. The choice of "soylentgreen" as a name for
a service does sound suspicious. Then again, programmers sometimes have a
strange sense of humor and it is possible that it's benign.

While doing software QA, I found an error message saying something like,
"This error should never occur. If you see it, the product has crawled
under a rock and died." Well, open another bug report to suggest a
differently worded error message, I guess.

Nothing from scanning using the suggested anti-malware products yet?
 
Guest

Vanguard said:
While doing software QA, I found an error message saying something like,
"This error should never occur. If you see it, the product has crawled
under a rock and died." Well, open another bug report to suggest a
differently worded error message, I guess.

Nothing from scanning using the suggested anti-malware products yet?

I downloaded, installed and ran scans with all of them and aside from a few
tracking cookies and a couple of false positives, they found nothing
infecting my system.

I still haven't heard back from the author of dbldawgboot.exe, but having
run all those scans does make me feel a little more comfortable that my PC is
not infected and the message about soylentgreen may be benign. Still I
will be vigilant and will be checking my firewall logs more carefully over
the next little while to be sure that something isn't slipping through that
shouldn't. When I do hear from the dbldawgboot.exe s/w author I will post a
message to let you know if I'm correct in surmising that it was his s/w that
is responsible for the "soylentgreen" messages in the system log.

Thanks to everyone for their suggestions and help. This has been a good
learning experience for me (one that I'm sure will continue).

Nick
--
 
Guest

NickB said:
I still haven't heard back from the author of dbldawgboot.exe, but having
run all those scans does make me feel a little more comfortable that my PC is
not infected and the message about soylentgreen may be benign.

I did hear back from the author of the dbldawgboot.exe utility and he
confirmed that it is his program that is responsible for the "soylentgreen"
messages, so the messages are benign and not a sign of an infection.

Thanks to everyone who helped!!!

Nick
--
 
