services.exe high cpu usage...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KiLL CraZy, Apr 1, 2010.

  1. KiLL CraZy

    KiLL CraZy Private E-2

    So I started getting my Symantec antivirus popping up every time I booted my computer (Windows XP), and it would say it detected something, quarantined it, and that after a reboot it would be removed. I always did that, and every time I rebooted the popup would come back, and I realized my internet was dramatically taking forever to load simple pages and sometimes wouldn't load at all. So I figured I had some sort of malware or something. I started going through the awesome malware removal guide like usual, and was going through the process with no problem until I got to the step on using SUPERAntiSpyware...

    I ran it, it detected 3 things, it removed them, then rebooted the PC because it asked, and that's where the problem started...

    At first when it rebooted, it would get to the Windows logo loading screen and then after a few seconds would reboot again... and it just kept doing that in a loop. Then I hit F8 to get into safe mode; it would attempt to load safe mode... and just reboot again at the Windows screen. F8 again, attempted safe mode with networking, and once again it rebooted at the Windows screen. Then I tried the other option, which was "load Windows with previously working settings" I believe it was called, and that did the trick. But once Windows did load, that's when the services.exe CPU usage went to 99%, and now I literally can't use the computer because it takes forever to do anything, so until I get that issue resolved I can't perform the rest of the malware guide on that computer. Does anyone have a solution for fixing this services.exe high CPU usage?

    Also, I managed to get the SASlog and a screenshot off that computer of the virus/malware prompt box that my antivirus was showing me before I started attempting the malware guide removal.

    I'm not sure if SAS removed something that wasn't supposed to be removed, which is causing the high CPU?

    P.S. I'm probably not gonna be available for the next day or 2 to attempt to fix the PC, but I will be looking at the thread to see any solutions, so any help would be greatly appreciated, thanks!
     

    Attached Files: SASlog.txt, 1.jpg
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you managed to get the snapshot and the SAS log, perhaps you can do more than you think. We understand that it may be slow, but you will not have much of a choice, unless you want to remove the hard disk to work on it in another PC or unless you want to build a special boot CD (obviously using another PC) so that you can attempt to clean components of the infection.

    Are the two files shown in your snapshot, still on the PC or were they deleted?

    Does Task Manager open (even if it takes a long time)? If so, do you see any unknown processes running?


    See if you can boot in safe mode now with your cable to the internet unplugged. Then try to run ComboFix and then MGtools. Attach any log you can get. We need more info.
     
  3. KiLL CraZy

    KiLL CraZy Private E-2

    OK, here are the ComboFix and MGL...

    I am able to open Task Manager even though it takes a little more time for it to open, and to my knowledge I don't see anything weird on it. I'll try and take a snapshot of it also to upload so you can take a look at it. When I tried to run the SAS log, it recommended turning off my antivirus, which I tried, but every time I disabled it, it would re-enable automatically for some reason, so it did the scan with it on. As to the pop-ups, I don't get them anymore after the first SUPERAntiSpyware scan it seems, so I'm hoping now the only problem I'm having is the services.exe CPU usage, but once that is fixed, I will continue with the malware guide to be 100% sure.
     

  4. KiLL CraZy

    KiLL CraZy Private E-2

    And here is the Task Manager.
     

  5. KiLL CraZy

    KiLL CraZy Private E-2

    Any ideas? =\
     
  6. KiLL CraZy

    KiLL CraZy Private E-2

    OK, so I did some searching around and found out that services.exe could possibly be a virus/malware, hence it using 100% CPU... but I can't seem to find a way to get rid of it so far, any tips?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, your services.exe process is valid. It is just that you have malware hooked into it. Possibly a form of Conficker.

    ComboFix did not finish running properly last time. Let's try a fix to see if we can make any improvement.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Now see if Malwarebytes and SUPERAntiSpyware will run.

    Now run CCleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe (Note: If using Vista, make sure UAC is still disabled. Also don't double click on it; use right click and select Run As Administrator.)


    Then attach the below logs:
    • C:\avenger.txt
    • the Malwarebytes and SUPERAntiSpyware logs if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. KiLL CraZy

    KiLL CraZy Private E-2

    OK, did all the steps you said, didn't encounter any problems during the scans... The only thing I did notice was with Avenger: one of the files wasn't removed because it said it wasn't found? But I'm sure you will see that in the log. I noticed you mentioned a fix to get ComboFix to do a proper scan, but I did not try ComboFix yet because you didn't mention doing so in the guide yet, just putting that out there. =]

    Other than all the scans, the PC is still running services.exe at 100% CPU... =\

    I shall wait for your next step =]
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must disable Spybot's TeaTimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer. You should not even have this running at all since you have CounterSpy running. Between the two of them, your PC will slow down quite a bit.

    Question: Does your Symantec software also include an antispyware component? If yes, you need to uninstall CounterSpy.

    You now need to make sure TeaTimer really got disabled and is not running, and then shut down CounterSpy and also Symantec. Then try running ComboFix as instructed in the READ & RUN ME. Attach the log if it runs. If it does not run in normal boot mode, try safe mode.


    Are you still having problems?
     
  11. KiLL CraZy

    KiLL CraZy Private E-2

    No, Symantec is only a virus scanner, not an antispyware. The ComboFix guide recommends turning off any virus scanners and such during its scan, but Symantec is giving me problems on disabling it.... Do you think I should uninstall that and uninstall CounterSpy (if it's also giving me problems on disabling, not sure, haven't tried it yet) before I re-run ComboFix?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just try running ComboFix in safe boot mode. If that does not work, then uninstall Symantec and CounterSpy and retry (normal mode 1st).

    Did stopping TeaTimer have any effect on your CPU use? If you uninstall CounterSpy and Symantec, also take note of your CPU use.
     
  13. KiLL CraZy

    KiLL CraZy Private E-2

    OK, I disabled TeaTimer (and yes, my CPU usage was still high; I started getting that problem before I installed Spybot). I uninstalled CounterSpy, and was able to disable my antivirus. (CPU still high.)

    I ran ComboFix twice. The first time I ran it, it seemed to have gone smoothly but I got a weird error at the end, which was why I scanned a second time to be safe, but the same error appeared. It doesn't appear to be a serious error; I did take a snapshot and posted it below. It would pop up right after the blue screen of ComboFix closed, and after I clicked "Yes" in the box nothing happened, so I just closed the dialog and looked for the ComboFix log on my C drive.

    ComboFix1 is my first scan and ComboFix2 is my second scan.

    I tried booting into safe mode, but after the PC booted up, it would bring me to the blue screen to log on as either "Administrator" or "Andrew", which I found odd because I thought that my Andrew one was the administrator... but either way, once I got to that screen I had no control over my mouse or keyboard to choose an option, so I was pretty much stuck at that screen and just had to reboot the PC in normal mode to do the scans. I even connected another keyboard and mouse to the PC and I still had no control over the mouse to choose an option, so I just rebooted in normal mode and the mouse and keyboard worked again, odd.

    And so far my PC is still running at 100% CPU usage... :cry

    what else should I try?
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not suggest disabling it. You cannot disable all of it properly. You would have to go in and stop and disable all services and processes to do this otherwise some components and hooks are still in effect. To properly test whether the problems are at all related to Symantec, it needs to be fully uninstalled and then a new scan and log from MGtools should be attached so that we can verify it uninstalled since it frequently does not.

    Currently, it is not looking like you have malware problems.


    Your Andrew account is just an account that has administrator privileges. It is not the Administrator account.

    Hardware/driver or setup issues in your BIOS. Not malware. Possibly related to what the below is mentioning about Legacy Devices:

    http://whitecanyon.com/esupport/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=83
     
  15. KiLL CraZy

    KiLL CraZy Private E-2

    The reason I disabled the antivirus was because in the ComboFix guide it suggested having all virus/antispyware software off before doing the scan.

    Do you propose I should uninstall Symantec and re-run MGtools and post those logs?

    And I looked into the BIOS settings and I searched up and down and didn't find anything about Legacy Devices.... The closest thing I could find in regards to USB devices was in the VIA OnChip PCI Device settings, where there were options such as:

    OnChip USB Controller [All Enabled]
    OnChip USB 2.0 Controller [Enabled]

    and as you can see they were already enabled.

    :( what should I do next?
     
  16. KiLL CraZy

    KiLL CraZy Private E-2

    I just wanted to say thank you chaslang for all the help you provided me. But I think I'm just going to buy a new HDD to back up my stuff if it lets me and re-install Windows. I can't take this anymore and I'm losing my mind with this. Haha. I do appreciate the help you have provided me with and hope you guys keep fighting the battle against spyware. Kudos
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Good luck with your reinstall and surf safely!
     