[imafool4u]

I asked a few people how much memory their services.exe was using in task manager and they gave me ranges of 1,000 to 6,000 kb...Mine's definitely using 60,000 to 80,000 kb of memory, which is reflective of the moderate lag

Any ideas what's wrong?

[Advertisements]

Would a Hijack this log help?

[imafool4u]

Would a Hijack this log help?

[imafool4u]

Logfile of HijackThis v1.99.1
Scan saved at 3:06:49 PM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\DAEMON Tools\daemon.exe
H:\WINDOWS\Mixer.exe
H:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
H:\Program Files\CursorXP\CursorXP.exe
H:\Program Files\AIM\aim.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\msn messenger\msnmsgr.exe
H:\Program Files\LimeWire\LimeWire.exe
H:\Documents and Settings\Fool\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DAEMON Tools] "H:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [kav] "H:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CursorXP] H:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [AIM] H:\Program Files\AIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\WINDOWS\system32\msjava.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://uproar.com/ap...pside_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E1F1AB6-CB49-4439-992E-614E2D98C4B0}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6B83FF-7D89-4F9D-84BF-177F3F3D029B}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8434A1-FBD0-4387-AF18-9E48552D25E7}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C063327-B8C5-44AD-8A6E-429B3C7E345A}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DF48417-8F9B-4887-B03E-54725AE054FE}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{97EB9257-3A92-48F0-880D-6FA5C3697DC4}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{B12CE733-24EF-4459-ADEE-FC4A03431044}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB6F1781-8F9B-48E1-8685-66E61E10C7EC}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF3359EA-4E47-4E1F-A0CB-1953CB319DB4}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS3\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "H:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll,wbsys.dll
O20 - Winlogon Notify: klogon - H:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - H:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - H:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - H:\WINDOWS\system32\UAService7.exe (file missing)

[wannabe1]

Hi imafool4u...

Yup...attach a HiJackThis log for me so I can see where that particular exe is running from. Usually Services.exe is legit, but it can also be malware...the difference is in which directory they run from.

wannabe1

[imafool4u]

I have the most boring HijackThis! log in the history of HijackThis! logs

[wannabe1]

There are quite a few suspicious entries in your log.

Click Start, then Run, type regedit and click "Ok". Does the registry editor open?

[imafool4u]

True.

[wannabe1]

True? Does this mean registry editor opened?

Something has tried to disable it...O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Did you change that value?

[imafool4u]

I see the DisableRegistryTools being set equal to 1, but it still opens fine :/

[wannabe1]

Hmmm

Let's let the malware folks have a look at your log. There are a few remnants of infection and some entries that I don't recognize as legit...that's not saying it's an infection, but I can't rule that out, either.

Please go to the Malware Forum and follow the instructions found there.

That will give you several steps that will help you clean up 70 percent of all problems by yourself...then post a hijackthis log in THAT forum. Be patient, the Malware Forum is a very busy place and a two or three day wait is not unusual. DO NOT REPLY TO OR BUMP YOUR OWN LOG. If it shows a reply it may be overlooked as one that is being worked on.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.

wannabe1