# CPU Usage 100% services.exe Problem



## rlsoultz

Recently my WinXP home computer began running very slow.
I noticed that it appeared to be lunging, so I started Task Manager an observed the CPU Usage continuously cycling between almost 0 - 100%.

I have also had problems with the computer suddenly rebooting especially when I was using various security related programs.
These programs included:

1. SuperAntiSpyWare when scanning would get so far into the 'Files' scan, but after the memory and registry were scanned. I had to boot in safe mode to eventually get the program to scan without causing a reboot.

2. MSConfig.exe when I would attempt to stop the event logging service.

The CPU Usage is very low when I boot in Safe Mode and it doesn't reboot itself.

The task that drives the usage up is services.exe.

I downloaded Process Explorer to try to determine what was happening, and it also shows that Services.Exe is the process which drives the CPU usage up in a cyclic pattern. When I clicked on this process and looked at the properties, the TCP/IP tab shows multiple TCP/IP Addresses that i do not recognize, starting and stopping.

I have SBC DSL and a 2Wire DSL Wireless Router/Modem. This router is connected to the desktop via a CAT-5 cable, and my laptop connects via wireless. I have 32bit WEP security enabled and only allow my laptop to connect to this LAN.

At the same time that I noticed the increased CPU usage, I also noticed that the trayicon for the 2Wire HomeNetwork Portal had turned gray and shows a status of network 'down'. Yet, I can connect to the Internet, albeit very slowly due to the CPU usage.

I have posted the HiJackThis Log file, the Un-Install List and the SuperAntiSpyware Scan Log, in hopes that someone can help me.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:33 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Yahoo!\Antivirus\ISafe.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Yahoo!\Antivirus\VetMsg.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RunDll32.exe
F:\Program Files\2Wire\2PortalMon.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\fred.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - F:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [2wSysTray] F:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16AEF566-A274-4F1F-9A78-96344CDB1436}: NameServer = 202.171.32.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A3B4B24-78F0-413A-857F-4059239579B4}: NameServer = 202.171.32.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D8C87EB-4A91-4388-8AD6-0F451EE2F04A}: NameServer = 202.171.32.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{AABBF634-64CC-42EB-B449-6F6A518C014B}: NameServer = 202.171.32.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{E69E7D68-4F0A-437E-89EC-F74F221F4758}: NameServer = 202.171.32.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{16AEF566-A274-4F1F-9A78-96344CDB1436}: NameServer = 202.171.32.38
O17 - HKLM\System\CS2\Services\Tcpip\..\{16AEF566-A274-4F1F-9A78-96344CDB1436}: NameServer = 202.171.32.38
O17 - HKLM\System\CS3\Services\Tcpip\..\{16AEF566-A274-4F1F-9A78-96344CDB1436}: NameServer = 202.171.32.38
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - F:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - F:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - F:\WINDOWS\system32\YPCSER~1.EXE

--

UNINSTALL_LIST.TXT

Adobe Flash Player 9
Adobe PhotoDeluxe 2.0
Adobe Reader 8
Adobe® Photoshop® Album Starter Edition 3.0
AT&T Yahoo! Applications
Canon PIXMA iP4000
Canon Utilities Easy-PhotoPrint
C-Media 3D Audio
HijackThis 2.0.2
Hollywood FX Pack 26 - Extra FX
InterVideo WinDVD Creator 2
Java(TM) SE Runtime Environment 6 Update 1
Microsoft Office 2000 Professional
Pinnacle Hollywood FX 4.6
Plextor ConvertX AV100U A/V Capture Device Driver
QuickTime
Reader Rabbit Preschool(R) Sparkle Star Rescue!(TM)
Reader Rabbit Thinking Adventures Ages 4-6
SBC Yahoo! DSL Home Networking Installer
Sonic RecordNow!
Sonic Update Manager
Street Atlas USA 4.0
Studio 8
SUPERAntiSpyware Free Edition
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.6b

-----

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/15/2007 at 00:27 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:39:33

Memory items scanned : 258
Memory threats detected : 0
Registry items scanned : 4781
Registry threats detected : 0
File items scanned : 37827
File threats detected : 1

Adware.Tracking Cookie
F:\Documents and Settings\[MYNAME]\Cookies\[MYNAME]@doubleclick[1].txt
-----


----------



## rlsoultz

I can't find anything malicious, but am not an expert. Could someone with malware experience please look the above reports over and advise.

Thanks


----------



## cybertech

Closing duplicate thread, please continue here: http://forums.techguy.org/security/596409-help-please-cpu-100-services.html


----------

