Windows 2000 (Pro and Server) having services.exe error and rebooting

Alex

Hey Everyone,

I have a strange dilemma. I'd say probably a quarter of our Windows
2000 systems (Server and Professional) have started giving the
following error and rebooting:

Window Title: System Shutdown
Message: This system is shutting down, Please save all work in
progress and log off. Any unsaved changes will be lost. This
shutdown was initiated by NT AUTHORITY\SYSTEM
Time before shutdown: 00:00:60 (sixty second countdown)
Message:The system process 'C:\WINNT\system32\services.exe' terminated
unexpectedly with status code 128. The system will now shut down and
restart.

Each system has all the latest updates and is on Service Pack 4, plus the
virus scanner in each system was updated just yesterday. We're not
sure why this is affecting only a few systems and not all of them as
we have many Win 2K systems working fine.

Some things to note. I have reviewed http://support.microsoft.com/kb/318447
and this KB does not refer to 2K Pro, only Server. But I have checked
the key it suggests HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Services\Lanmanserver\Shares - but there are no shares set up on most
of the systems so there are no entries in this key. This isn't the
problem.

What's odd is when we disconnect the system from the network, it does
not reboot. I've seen a few folks mention this when having the same
issue, but no one has submitted a resolution.

Any suggestions? We're about to contact Microsoft support, but it
sucks paying that kinda money for a bug in their software.

Thanks for your time and help, and any ideas on how to resolve all
this.

Alex
 
What's in a Name?

Could be an infection. No reboot when disconnected sounds like a worm.
Have you scanned with a different AV than your main AV?

max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages:
Virus Removal Instructions
http://home.neo.rr.com/manna4u/
Keeping Windows Clean
http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help and Tools
http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to gmail.com to reply.
nomail.afraid.org is setup specifically for use in USENET
Feel free to use it yourself.
 
Alex

Hi Max,

We have pulled a few drives and scanned them from other systems, but
nothing. It's just odd because most of the errors are documented
within the Microsoft Knowledgebase, but the 'fixes' either don't apply
to the OS we're getting the problem with or don't fix the problem when
they are implemented. Below are the knowledge bases that describe
some of the issues:

http://support.microsoft.com/kb/318447 (but we're also getting this on
Win 2K Pro, which this KB doesn't apply to)
http://support.microsoft.com/kb/328477

And svchost.exe at startup giving the message: The exception unknown
software exception (0xc0000409) occurred in the application at
location 0x5b86a3c0.
Then another box saying Generic Host process for Win32 Services has
encountered a problem and needs to close.

Even this error I did find a note on MS's website, but it's
http://support.microsoft.com/?kbid=888817 and related to Windows Small
Business Server 2003... but we've gotten this on Windows XP.

What I don't get is if this were a virus, I'd think it would be on
many more PCs than it is, plus I'd assume a virus scanner on some PC
would have detected it. Plus it's happening to Windows 2000 Pro, 2000
Server, XP, and even 2003 Server, and though each is having different
symptoms, it seems installing all the MS updates and rebooting has
been fixing the problem. Also we're finding a slew of folks online
over the years have had many of these issues, but none globally as we
have.

It's almost like a Microsoft timebomb that's forcing every system to
hose without all the updates. I've even run a packet analyzer and I'm
not seeing any strange traffic on the network. I know that ideally
every PC needs to be updated, but with a large network it's impossible
to catch all the updates at once.

This is just way crazy... and surely we're not the only one
experiencing this.

Alex
 
Jim Howes

Sounds very much like an outbreak of some variant of the Sasser/MSBlaster and other
related worms. This vulnerability has been fixed since 2004.
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
See also
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

Because the vulnerable software is different between WinXP and Win2K and is a
buffer overflow, what infects WinXP may crash Win2K and vice versa. A virus
scan of the affected system will probably reveal nothing because the malware was
memory resident at the time of the crash.

There is one variant of this worm that actually removes the original worm, and
downloads the Microsoft patch for you. My Weird-o-meter went off the scale there.

Use a network scanning tool (such as Wireshark) to look out for systems hurling
packets around at random to port 445/tcp, 139/tcp.
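
Added example, not part of the original posts: one way to automate the check suggested above, flagging internal hosts that contact many distinct addresses on 139/tcp or 445/tcp within a short window. The flow-line format (`<epoch> <src> <dst> <dport>`), the 60-second window, the 20-host threshold and the sample data are all assumptions constructed for illustration; feed it lines exported from your own capture or flow tool.

```python
from collections import defaultdict, deque, Counter

SMB_PORTS = {139, 445}  # the two ports named in the post above

def parse(line):
    """Parse one flow line in the assumed format '<epoch> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)

def find_scanners(lines, window=60.0, min_targets=20):
    """Return {src: peak count of distinct destinations on 139/445 seen within
    any `window`-second span} for sources whose peak reaches `min_targets`.
    Both thresholds are assumptions to tune per network."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse(line)
        if dport in SMB_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        win, seen, peak = deque(), Counter(), 0
        for ts, dst in events:
            win.append((ts, dst))
            seen[dst] += 1
            # Drop events that have fallen out of the sliding window.
            while win[0][0] < ts - window:
                _, old = win.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def sample_flows():
    """Constructed sample: one host sweeping a subnet on 445, one normal client."""
    flows = [f"{1000 + i * 0.5} 10.0.0.23 10.0.4.{i + 1} 445" for i in range(40)]
    flows += [f"{1000 + i * 30} 10.0.0.50 10.0.1.5 445" for i in range(10)]  # file server use
    flows += [f"{1000 + i} 10.0.0.50 10.0.1.9 80" for i in range(30)]  # other port, ignored
    return flows

if __name__ == "__main__":
    for src, peak in find_scanners(sample_flows()).items():
        print(f"{src}: {peak} distinct hosts on 139/445 within 60s")
```

A client that talks to one or two file servers stays at a peak of 1 or 2 and is not flagged; a slow sweep needs a longer window or lower threshold to show up.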
 