Possible infection

I have been experiencing this problem since the past two months. At least once a week I get the 60 second countdown before shutdown warning because of the process services.exe. Once the computer restarts I get a message that the service and controller app has encountered an error.

Here is a link to what the message looks like:
http://media.photobucket.com/image/system%20shutdown/adhyry2/SystemShutdown.jpg?o=5

I am running XP SP3 (fully updated) and the following security software: Avast 5 Free, ThreatFire, Comodo Firewall and SuperAntiSpyware, which are fully updated, and none of them found any problems. I have also done an online scan with BitDefender and it found nothing as well.

Is this a possible infection?

Hi Quadcore,

Typical MS Winsock2 error; to fix this see here: http://forum.avast.com/index.php?topic=37542.msg537764#msg537764 First apply the WinSock Fix for your OS, according to the download link given there.

Furthermore:
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. In Registry Editor, navigate to the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2
  4. Right-click Winsock2, and then click Delete on the shortcut menu that appears.
  5. Click Yes to confirm the deletion of the key.
  6. Repeat steps 3 through 5 to remove the following registry subkeys (if present):
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock2
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Winsock2
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winsock2
  7. Quit Registry Editor.
  8. Restart Windows normally.

If problems remain, report back here; also consider this info:
http://windowsxp.mvps.org/services.exe.htm
In case of malicious services.exe:

The services.exe file is installed and used by CoolWebSearch, CoolWebSearch.xpsystem, EggHead Trojan, Backdoor.IRC.mIRC-based, GreenScreen, Anits, NS Keylogger, WALI, Clickbank, Replace, Rontokbro, Ritdoor, Sober.s, Sober.t, Sober.v, Foobot, Sober.x, Secefa, Secefa.b, Secefa.c, Redplut, Dragodor, Hilder, BraveSentry, BookmarkerTrojan, Bookmarker.Trojan, Conficker B++, Warezov, Allinonesecurityv.com, Ghost Antivirus and Trojan.FakeSpyguard.

services.exe Automatic Detection

WARNING!!! services.exe file can be related to spyware. Your computer’s security and privacy may be at risk.

Manual Detection

Below are manual removal instructions for services.exe so you can remove the unwanted file from your PC. Always be sure to back up your PC before you modify anything.

Step 1: Use Windows File Search Tool to Find services.exe Path

  1. Go to Start > Search > All Files or Folders.
  2. In the “All or part of the file name” section, type in the “services.exe” file name(s).
  3. To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
  4. When Windows finishes your search, hover over the “In Folder” of “services.exe”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete services.exe in the following manual removal steps.

Step 2: Use Windows Task Manager to Remove services.exe Processes

  1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
  2. Click on the “Image Name” button to search for “services.exe” process by name.
  3. Select the “services.exe” process and click on the “End Process” button to kill it.

Step 3: Detect and Delete Other services.exe Files

  1. To open the Windows Command Prompt, go to Start > Run > cmd and then press the “OK” button.
  2. Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s content including the hidden files.
  3. To change directory, type in “cd name_of_the_folder”.
  4. Once you have the file you’re looking for type in del “name_of_the_file”.
  5. To delete a file in folder, type in “del name_of_the_file”.
  6. To delete the entire folder, type in “rmdir /S name_of_the_folder”.
  7. Select the “services.exe” process and click on the “End Process” button to kill it.

services.exe Recommendation

Certain file extensions come from parasite applications. If you decide to remove unknown file extensions manually, you might do irreversible harm to your PC.
First report your findings and then wait for instructions.

polonus

Hey polonus, thanks for the reply. When I removed the winsock2 from the registry and then restarted my computer, upon bootup, Avast gave me a warning that the web-shield had been disabled, my internet connection said “limited or no connectivity” and my computer’s speed decreased enormously.

As for deletion of services.exe, I searched all files and folders (local drives and my computer) and here are the results:

Name: services.exe.hdmp
In folder: C:\Documents and Settings\Administrator\Local Settings\Temp\WER2796.dir00

Name: services.exe.mdmp
In folder: C:\Documents and Settings\Administrator\Local Settings\Temp\WER2796.dir00

Name: Services
In folder: C:\WINDOWS\$NtUninstallKB956572$

Name: Services
In folder: C:\WINDOWS\system32

Name: Services
In folder: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE

Which one should I highlight for step one?
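Triage of search hits like the ones listed above, as an added example that is not part of this thread: each hit is judged by where it sits on an XP system, so crash dumps, restore-point copies and Windows Update backup copies are told apart from the one real services.exe in system32 and from anything that sits somewhere unusual. The listing is constructed from the paths quoted in the thread plus one made-up entry under Application Data; the `classify`/`triage` names and the rules are assumptions, not from any tool on this page.

```python
from pathlib import PureWindowsPath

# Constructed listing: the paths quoted in this thread, plus one made-up hit
# under Application Data to exercise the "suspicious" branch.
SEARCH_RESULTS = [
    ("services.exe.hdmp", r"C:\Documents and Settings\Administrator\Local Settings\Temp\WER2796.dir00"),
    ("services.exe.mdmp", r"C:\Documents and Settings\Administrator\Local Settings\Temp\WER2796.dir00"),
    ("services.exe", r"C:\WINDOWS\$NtUninstallKB956572$"),
    ("services.exe", r"C:\WINDOWS\system32"),
    ("services.exe", r"C:\WINDOWS\$hf_mig$\KB956572\SP3QFE"),
    ("services.exe", r"C:\Documents and Settings\Administrator\Application Data\svc"),  # made up
]

REASON = {
    "crash-dump": "Windows Error Reporting dump of the crashing process, not a program",
    "restore-point": "System Restore snapshot copy; purge old restore points instead of deleting in place",
    "update-backup": "copy kept by Windows Update so a hotfix can be rolled back",
    "legitimate": "the real Service Control Manager binary; deleting it breaks Windows",
    "suspicious": "services.exe outside system32; check hash and publisher before touching it",
}

def classify(name, folder):
    """Verdict for one search hit, judged by its location on an XP system."""
    parts = [s.lower() for s in (PureWindowsPath(folder) / name).parts]
    lname = name.lower()
    if lname.endswith((".hdmp", ".mdmp")):
        return "crash-dump"
    if "system volume information" in parts:
        return "restore-point"
    if any(s.startswith("$ntuninstall") or s == "$hf_mig$" for s in parts):
        return "update-backup"
    # parts[0] is the drive root ('c:\\'); assumes %SystemRoot% is C:\WINDOWS.
    # Only an exact system32\services.exe hit is the normal one.
    if lname == "services.exe" and parts[1:] == ["windows", "system32", "services.exe"]:
        return "legitimate"
    return "suspicious"

def triage(results):
    """Attach a verdict to every hit; suspicious ones are listed first."""
    rows = [(name, folder, classify(name, folder)) for name, folder in results]
    rows.sort(key=lambda r: r[2] != "suspicious")
    return rows

if __name__ == "__main__":
    for name, folder, verdict in triage(SEARCH_RESULTS):
        print(f"{verdict:13} {folder}\\{name}")
        print(f"{'':13} {REASON[verdict]}")
```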

Here is the verdict according to the first two finds: http://www.threatexpert.com/report.aspx?md5=1ad1fb773748c63c5f074689bfeb20d5
or http://www.threatexpert.com/report.aspx?md5=60bb90be167acec7cefcf4c1ff1508c4
Think there is a Hupigon or Vundo-like infection, denoted by the last find you gave us…

Do nothing yet, but first start a clean boot as described here: http://support.microsoft.com/kb/310353

Then next let's take a look with Malwarebytes.

Please download Malwarebytes’ Anti-Malware from here: http://www.besttechie.net/tools/mbam-setup.exe

Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may “make changes to your registry” as part of its disinfection routine. If using other security programs that detect registry changes, they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Full Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire MBAM report as an added TXT file (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Awaiting your logfile txt,

polonus

Here is the log:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4599

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/12/2010 9:30:52 PM
mbam-log-2010-09-12 (21-30-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 176715
Time elapsed: 50 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{585339ED-6C38-4E45-A654-0534195C4E00}\RP431\A0127741.exe (RiskWare.Tool.CK) → Quarantined and deleted successfully.

Hi Quadcore,

Riskware is software that can be risky for the user (FTP, IRC, mIRC, RAdmin, remote administration utilities). The term comes from Kaspersky, who came up with it. If you find the feature annoying, consider disabling it, or try configuring things to your liking - there are plenty of options available, as well as an extensive help file. In this case MBAM quarantined the item.

Download KillBox onto your desktop…
See to it that you have the latest version of this:
http://www.killbox.net/
Click in the left top corner on “Download KillBox”.
The download will start immediately.
You will get an executable to use at once, named “KillBox.exe”.
Launch KillBox.

In the window Full Path of File to Delete, copy-paste the following:

c:\windows\System.exe

Tick “Delete on Reboot”.
Click “All Files”.
Click the white cross within the red circle.
KillBox will then ask you:
“Files will be Removed on Reboot, Do you want to reboot now ?”

Click “Yes”.

How is your computer now?

polonus

Thanks for your help Polonus. I got the following message from KillBox: “PendingFileRenameOperations Registry Data has been removed by external process !” Does this mean the KillBox worked successfully? Also, why did none of my security programs, including Avast, catch the RiskWare.Tool.CK?

Hi Quadcore,

Because other programs probably do not see it as riskware, or it was recognized but could not be dealt with properly. Some AVs are stricter in this sense than others in what they consider to be riskware.
Anyway, you got rid of it with KillBox in a proper fashion.
Glad we could help,

polonus