Status
Not open for further replies.
1 - 6 of 6 Posts

·
Registered
Joined
·
53 Posts
Discussion Starter #1
I am using W2KPro SP2. Every time I try connecting to my internet, "services.exe" starts using anywhere between 95% - 100% of the CPU and doesn't let any other task run. This happens as soon as my Dialup Connection dialog box says "Registering with the network". It stays stuck there while services.exe is busy using up the CPU. The same thing happens when I click "disconnect" on the connection icon in the system tray. Any idea what could be causing this?

Symantec Antivirus found a virus on the computer a few days ago by the name "W32.Gaobot" and removed it. Would that have damaged the services.exe or any linked library that is causing this?

All help is really appreciated. Just to make things clearer, I have attached a jpg image with this.
 

·
TSF Team Emeritus, Security Team
Joined
·
10,821 Posts
It may have done some damage or left behind some problems in its wake.

Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless.
 

·
Registered
Joined
·
53 Posts
Discussion Starter #3
HijackThis Analyser Result file

Here is the HijackThis Analyser result file, but I am pretty positive that there is no spyware on my computer, and I have manually configured my firewall to allow only specific programs to access the internet. I also have Web Activity Monitor that monitors all TCP/IP, Winsock, SMTP activities and port connections and shows which programs are sending/receiving data. It does not show any other program accessing the net other than the ones I am using or ones that I know are supposed to access. Anyway, here's the result log:

--------------------------------------------------------------------------
Log was analyzed using HijackThis Analyzer - Updated on 12/6/04
Get updates at http://www.greyknight17.com/download.htm#programs

Logfile of HijackThis v1.98.2
Scan saved at 6:11:34 PM, on 12/15/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\Explorer.EXE
E:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - Startup: Symantec Client Firewall.lnk = E:\Program Files\Common Files\Symantec Shared\ccApp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{773EC6C4-3642-4FCD-9C9F-BA9B1EDFD401}: NameServer = 202.54.10.2 202.54.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{773EC6C4-3642-4FCD-9C9F-BA9B1EDFD401}: NameServer = 202.54.10.2 202.54.1.30


End of HijackThis Analyzer Log.
 

·
TSF Team Emeritus, Security Team
Joined
·
10,821 Posts
Hi fes,

You are correct that your log is pretty clean. The O9 Related entries are part of Alexa, but relatively benign. A couple of tools to try:

Download WinsockFix and unzip it. Then double-click on it to run it.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.
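The by-eye triage of the HijackThis log in this thread can also be scripted. The following is an added example, not part of the original posts and not the HijackThis Analyzer's own code: it splits a log into running processes and entries by section code, lists the DNS servers named in O17 entries, and flags core Windows process names that run from outside a system32 directory. The function names and the `CONSTRUCTED` path are assumptions made for illustration; the other sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")      # e.g. "O17 - HKLM\..."
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Core Windows 2000 processes that normally load from <SystemRoot>\system32.
CORE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

def parse_log(text):
    """Split a HijackThis log into running-process paths and entries by section code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False              # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY.match(line)):
            entries[m.group(1)].append(m.group(2))
    return processes, dict(entries)

def misplaced_core_processes(processes):
    """Core process names running from anywhere other than a system32 directory."""
    flagged = []
    for path in processes:
        folder, _, name = path.rpartition("\\")
        if name.lower() in CORE and not folder.lower().endswith("\\system32"):
            flagged.append(path)
    return flagged

def nameservers(entries):
    """Distinct DNS servers in O17 entries, to compare against the ISP's published ones."""
    return sorted({ip for e in entries.get("O17", []) for ip in IPV4.findall(e)})

# Lines copied from the log posted in this thread.
SAMPLE = r"""Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\services.exe
C:\HJT\HijackThis.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{773EC6C4-3642-4FCD-9C9F-BA9B1EDFD401}: NameServer = 202.54.10.2 202.54.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{773EC6C4-3642-4FCD-9C9F-BA9B1EDFD401}: NameServer = 202.54.10.2 202.54.1.30
"""
CONSTRUCTED = r"E:\WINNT\services.exe"   # constructed path, not in the thread's log

if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE)
    print("misplaced in posted log:", misplaced_core_processes(procs))
    print("with constructed path:", misplaced_core_processes(procs + [CONSTRUCTED]))
    print("DNS servers:", nameservers(ents))
```
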
 

·
Registered
Joined
·
53 Posts
Discussion Starter #5
Some revelation

Here's something more which I just found out.
I blocked all net traffic from my firewall software before connecting to the internet, and when the dialog box said "Registering on the network" where services.exe usually starts giving troubles, it didn't take time at all. As soon as it said "registering. . ." it got connected. I wonder if any program is causing services.exe to malfunction while it sends/receives data from some address. Since all this happens before I am told that I am connected, the connection status doesn't show any bytes sent/received. It shows hardly few hundred bytes recd/sent which can't be much anyway.

I haven't run Ad-Aware yet, I just finished downloading it, but this thing just came to my notice so I reported. Also, another thing is that, after I am connected, the only data sent/recd. is by the softwares I am using to access the net. I mean to say, once I am properly online, the malware (if any) is not accessing the net. Do you have any idea if such program exists?

Thanks for all the help till now!
 

·
Registered
Joined
·
53 Posts
Discussion Starter #6
Problem Solved

I ran winsockfix and it solved my problem. It's not troubling me any more. Thanks a lot. As for my last post "some revelation", I realised that blocking traffic from the firewall wasn't necessary, because I had already run winsockfix and it had fixed the prob, but forgot to mention that.

Thanks once again.
 