
PC slowing down and "Services.exe" is using up a lot of CPU


DaCikaBonu
Feb 17, 2008, 01:58 PM
Recently, my PC started to work badly... and I saw in Task Manager that the process services.exe jumps in intervals of approximately 1 sec from 0 to 30% of CPU usage..?

I have been looking over the net for a solution... and saw that other people use HijackThis to solve the problem... so I downloaded that software and installed it. My log file looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:29:19, on 17-Feb-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\PnkBstrA.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\Smartscaps.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wilpmove.exe
D:\WINDOWS\system32\fxssvc.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
D:\Program Files\LifeView TVR\RecSche.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Weather Watcher\ww.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\totalcmd\TOTALCMD.EXE
D:\Program Files\LifeView TVR\TVR.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\LifeView TVR\video.ex_
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\LifeView TVR\remote.exe
D:\Program Files\Orbitdownloader\orbitdm.exe
D:\Program Files\Orbitdownloader\orbitnet.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://160.99.1.1/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.rcub.bg.ac.yu:8080
R3 - URLSearchHook: (no name) - {CFBFAEA6-B9D4-11D0-9C78-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: softxpansion Toolbar - {09941640-d3fa-4943-8e5c-8f838e4b058b} - D:\Program Files\softxpansion\tbsoft.dll
O1 - Hosts: 82.146.60.44 www.postbank.de
O1 - Hosts: 82.146.60.44 postbank.de
O1 - Hosts: 82.146.60.44 direkt.postbank.de
O1 - Hosts: 82.146.60.44 www.smile.co.uk
O1 - Hosts: 82.146.60.44 smile.co.uk
O1 - Hosts: 82.146.60.44 cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.com
O1 - Hosts: 82.146.60.44 www.cahoot.co.uk
O1 - Hosts: 82.146.60.44 cahoot.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 co-operativebank.co.uk
O1 - Hosts: 82.146.60.44 www.co-operativebank.com
O1 - Hosts: 82.146.60.44 co-operativebank.com
O1 - Hosts: 82.146.60.44 personal.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.co.uk
O1 - Hosts: 82.146.60.44 www.barclays.co.uk
O1 - Hosts: 82.146.60.44 barclays.touchclarity.com
O1 - Hosts: 82.146.60.44 hsbc.co.uk
O1 - Hosts: 82.146.60.44 www.hsbc.co.uk
O1 - Hosts: 82.146.60.44 hsbc.touchclarity.com
O1 - Hosts: 82.146.60.44 www1.member-hsbc-group.com
O1 - Hosts: 82.146.60.44 lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 www.lloydstsb.co.uk
O1 - Hosts: 82.146.60.44 lloydstsb.com
O1 - Hosts: 82.146.60.44 www.lloydstsb.com
O1 - Hosts: 82.146.60.44 mi.lloydstsb.com
O1 - Hosts: 82.146.60.44 www.woolwich.co.uk
O1 - Hosts: 82.146.60.44 woolwich.co.uk
O1 - Hosts: 82.146.60.44 www.deutsche-bank.de
O1 - Hosts: 82.146.60.44 deutsche-bank.de
O1 - Hosts: 82.146.60.44 www.anbusiness.com
O1 - Hosts: 82.146.60.44 anbusiness.com
O1 - Hosts: 82.146.60.44 www.abbeyinternational.com
O1 - Hosts: 82.146.60.44 www.barclays.com
O1 - Hosts: 82.146.60.44 barclays.com
O1 - Hosts: 82.146.60.44 ibank.internationalbanking.barclays.com
O1 - Hosts: 82.146.60.44 offshore.hsbc.com
O1 - Hosts: 82.146.60.44 www.lloydstsb-offshore.com
O1 - Hosts: 82.146.60.44 lloydstsb-offshore.com
O1 - Hosts: 78.24.218.208 lacaixa.es
O1 - Hosts: 78.24.218.208 portal.lacaixa.es
O1 - Hosts: 78.24.218.208 www.lacaixa.es
O1 - Hosts: 78.24.218.208 lo1.lacaixa.es
O1 - Hosts: 78.24.218.208 lo2.lacaixa.es
O1 - Hosts: 78.24.218.208 lo.lacaixa.es
O1 - Hosts: 82.146.60.44 citibank.de
O1 - Hosts: 82.146.60.44 www.citibank.de
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: softxpansion Toolbar - {09941640-d3fa-4943-8e5c-8f838e4b058b} - D:\Program Files\softxpansion\tbsoft.dll
O2 - BHO: (no name) - {137DFFE3-DE91-4526-AA88-A65021227730} - D:\WINDOWS\System32\btosif_olr.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O3 - Toolbar: softxpansion Toolbar - {09941640-d3fa-4943-8e5c-8f838e4b058b} - D:\Program Files\softxpansion\tbsoft.dll
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iKeyWorks] D:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Remote] D:\Program Files\LifeView TVR\Remote.exe
O4 - HKLM\..\Run: [RecSche] "D:\Program Files\LifeView TVR\RecSche.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [WeatherWatcher] D:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] D:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NOD32 Control Center.lnk = D:\Program Files\Eset\nod32kui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - D:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - D:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - D:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/season2/cabs/A18X.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{688FB056-B25D-4642-AD82-341C144F4643}: NameServer = 82.117.214.2,82.117.214.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7E87E18-F3E0-4EE3-B6A8-EB7B4DF428FD}: NameServer = 82.117.214.2,82.117.214.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Microsoft System Management - Unknown owner - D:\WINDOWS\System32\system.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - D:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Unimessage Printer Tracking Service (wilusbmonitor) - Wordcraft International Limited - D:\WINDOWS\System32\wilpmove.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - D:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 12142 bytes

I have never used this software before... so please tell me, in general, what this log means and what to do now!?

THANK U in advance for fast help... :)

invisibleman_productions
Feb 18, 2008, 03:15 AM
Hello DaCikaBonu

You seem to have a lot of suspicious files on your computer.
Please run ALL 5 steps listed here (http://securitynewsfromthenet.blogspot.com/2007/05/spyware-fighter-essentials.html).

If after running all the steps you still have problems, you can get in touch with
the Alliance of Security Analysis Professionals (http://asap.maddoktor2.com/) so they can take a look at your HijackThis log after Spybot and SUPERAntiSpyware get rid of the spyware.
From that list I would recommend SpywareInfo (http://forums.spywareinfo.com/index.php?showforum=18).

DaCikaBonu
Feb 18, 2008, 05:59 AM
Problem solved... The main problem was in... :

O23 - Service: Unimessage Printer Tracking Service (wilusbmonitor) - Wordcraft International Limited - D:\WINDOWS\System32\wilpmove.exe

invisibleman_productions
Feb 19, 2008, 08:39 AM
Congrats DaCikaBonu, for figuring out the problem all by yourself. Good job.

Do you know why your hosts file has all those sites blocked?
O1 - Hosts: 82.146.60.44
O1 - Hosts: 78.24.218.208

Cheers

DaCikaBonu
Feb 19, 2008, 10:11 AM
No... I have no idea what those HOSTS lines are used for... :)... so I have deleted them... :)

Loooool

Please... do tell me... ;)

invisibleman_productions
Feb 21, 2008, 07:55 AM
From the looks of the hosts file, it looked like you had some PWS banking trojan which had added all the banking sites to your hosts file, hence blocking access to those sites.
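The two things the thread ends up pointing at, dozens of banking hostnames pinned to one remote IP in the hosts file (the O1 lines) and services whose owner is unknown or whose binary is missing (the O23 lines), are both checks a log reviewer can run mechanically. The script below is an added example written for this thread; it is not part of HijackThis and not code from either poster. It parses O1 and O23 lines in HijackThis's line format from a constructed sample (SAMPLE_LOG, modelled on the log in the first post) and reports hosts entries that point at a globally routable address and service entries that carry the "Unknown owner" or "(file missing)" markers. The function names and the sample are the example's own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in HijackThis line format, modelled on the log posted above.
SAMPLE_LOG = """\
O1 - Hosts: 82.146.60.44 www.postbank.de
O1 - Hosts: 82.146.60.44 postbank.de
O1 - Hosts: 82.146.60.44 www.barclays.co.uk
O1 - Hosts: 78.24.218.208 lacaixa.es
O1 - Hosts: 127.0.0.1 ad.example-tracker.invalid
O23 - Service: Microsoft System Management - Unknown owner - D:\\WINDOWS\\System32\\system.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\\Program Files\\Eset\\nod32krn.exe
O23 - Service: Unimessage Printer Tracking Service (wilusbmonitor) - Wordcraft International Limited - D:\\WINDOWS\\System32\\wilpmove.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hosts_entries(log):
    """Return (ip, hostname) pairs from every O1 line in the log."""
    entries = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def hosts_redirect_findings(log):
    """Group O1 entries by target address and keep only globally routable targets.

    Loopback and unspecified targets (127.0.0.1, 0.0.0.0) are the normal
    ad-blocking pattern and are skipped.  A public address that several
    unrelated domains resolve to is the pharming pattern seen in the thread:
    the hosts file silently sends those domains somewhere other than the
    real site.  Returns {ip: [sorted hostnames]}.
    """
    by_ip = defaultdict(set)
    for ip, host in parse_hosts_entries(log):
        by_ip[ip].add(host)
    findings = {}
    for ip, hosts in by_ip.items():
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # malformed address field; not a hosts override
        if addr.is_global:
            findings[ip] = sorted(hosts)
    return findings


def suspicious_services(log):
    """Flag O23 lines with no recorded owner or with a missing binary.

    The owner string is self-declared by whoever registered the service, so a
    named owner proves nothing: wilpmove.exe in the thread had one and was still
    the culprit.  These checks catch the cheap cases only.
    Returns a list of (service name, path, [reasons]).
    """
    findings = []
    prefix = "O23 - Service:"
    for line in log.splitlines():
        if not line.startswith(prefix):
            continue
        # Format: <name> - <owner> - <path>; split from the right so a
        # service name containing " - " does not shift the fields.
        parts = line[len(prefix):].strip().rsplit(" - ", 2)
        if len(parts) != 3:
            continue
        name, owner, path = parts
        reasons = []
        if owner.lower() == "unknown owner":
            reasons.append("no owner recorded")
        if path.endswith("(file missing)"):
            reasons.append("service binary missing")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def report(log):
    """Human-readable summary of both checks, one line per finding."""
    lines = []
    for ip, hosts in hosts_redirect_findings(log).items():
        lines.append(f"hosts override -> {ip}: {len(hosts)} hostname(s): {', '.join(hosts)}")
    for name, path, reasons in suspicious_services(log):
        lines.append(f"service '{name}' ({path}): {'; '.join(reasons)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The hosts check is deliberately coarse: it reports any public target, and the reviewer decides from the domain list whether that is a deliberate override or a redirect. On a real log, feed the whole file to `report()` and read the O1 findings first; a public address with many financial hostnames is the strongest single signal in a log like the one above.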