What kind of spyware or virus is this? Do I have to reinstall Windows?

MyOwnDemon

So a few days ago I noticed a huge slowdown in my computer, so I load up task manager and find cmd.exe and services.exe are all running about 50 times each, and they keep multiplying until my computer crashes. I've taken a screenshot. No antivirus/antispyware programs are finding anything at all, and my Firewall isn't working either. Lovely.

Do you think the best thing to do would be to just reinstall Windows XP? I've tried literally everything I can think of and nothing is working. I'm backing up all my data right now.

Screenshot below. Any advice/links would be appreciated. Thanks.

[Attached image: fuxxored.jpg]
 


Both are system files, but that doesn't mean there's not a virus with the same file names. Go to Start >> Run >> MSCONFIG >> Startup and check for them. If you see them, disable them. They shouldn't be listed in the user startup. Also check the Services tab by clicking on it and checking the box saying hide all windows services. Then download HijackThis and make sure they're not listed under there. If they are, remove them and restart the computer. They may not be spyware/viruses themselves, but they can be installers.
 
hmmm, to me it looks like a poorly coded rabbit-type virus run amok... or it could be some tard made it like that on purpose to crash people's systems...

you probably already have some shitware on your system other than this... I'd say reformat the bitch just to be safe...
 
Get HijackThis, and paste the log at HijackThis Logfileauswertung to find out what to remove in HijackThis. That should take care of most of it.

After that, I'd recommend downloading Windows Defender - that + HijackThis pretty much takes care of anything. If neither of those fully solves the problem, Seccheck (myNetWatchman - Network Intrusion Detection and Reporting) will reveal what's still awry - run that and PM me the address to the log (or post it here), and I can help analyze it. Used to do some side-work in the computer repair area, and using these tools was all it took to clean systems that other tech guys couldn't figure out how to fix.
 
The real services.exe is in C:\Windows\System32\services.exe, the one shown in your HJT log is at C:\WINDOWS\services.exe

It's registered to run at startup -> O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe

Use HijackThis to delete the startup entry -> O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe (make sure that's the only thing ticked in HijackThis!)

Delete everything in your windows\temp folder

Reboot in safe mode, you should be able to delete C:\WINDOWS\services.exe


PM me if you have any questions
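
The check described in the post above (a system file name running from the wrong folder, plus its O4 Run entry), as an added example that is not part of the original thread. It assumes Windows is installed in C:\WINDOWS; the log text, the list of file names and the function names are constructed for illustration.

```python
import ntpath
import re

# Assumed short list of binaries that belong only in System32 on Windows XP.
SYSTEM32_ONLY = {"services.exe", "cmd.exe", "lsass.exe", "svchost.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}
EXPECTED_DIR = r"c:\windows\system32"   # assumption: SystemRoot is C:\WINDOWS

# Autorun line in the form quoted in the thread: O4 - <key>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First full .exe path in a command line, quoted or not.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# Constructed sample log, not taken from the thread's screenshot.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe

O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
"""

def misplaced(path):
    """True if path names a System32-only binary stored in another folder."""
    folder, name = ntpath.split(path.strip().strip('"'))
    return (name.lower() in SYSTEM32_ONLY
            and ntpath.normpath(folder).lower() != EXPECTED_DIR)

def audit_hjt_log(text):
    """Return (source, path) pairs for processes and O4 entries to review."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if re.match(r"[A-Za-z]:\\", line):      # bare path = running process
            if misplaced(line):
                findings.append(("process", line))
            continue
        m = O4_RE.match(line)
        exe = EXE_RE.search(m["cmd"]) if m else None
        if exe and misplaced(exe.group(1)):
            findings.append((f"O4 {m['key']} [{m['name']}]", exe.group(1)))
    return findings

if __name__ == "__main__":
    for source, path in audit_hjt_log(SAMPLE_LOG):
        print(f"REVIEW {source}: {path}")
```

A name match outside System32 is a reason to inspect the file, not proof on its own.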
 
It seems to have worked. Thanks a million dude. The services.exe and cmd.exe aren't running anymore (except the ones that are supposed to).

When I ran HijackThis after the safe mode/delete file, that startup entry still shows up, but since the file is deleted it's not running. Any way to get rid of that permanently? And by any chance do you know how to fix/reset Windows Firewall? It's showing up, but all the options are greyed out and I can't change them back to ON.

Anyway, +rep dude. Thanks again! :D
 
Go to Start >> Run >> services.msc >> Enter.
Find Windows Firewall. Then right click and click Properties.
Change the startup type to Automatic, then click Start.

If that doesn't do it, it should work after you restart.
 
Also check for any exe file in windows and the system & system32 folders. Check for any newly created exe's. Sometimes one writes the other, so even if you rid yourself of bogus programs, there might be a backup program rewriting it again.

Check your services too for any strange looking new ones. I'm sure some of them install services to keep running.
 