Services.exe high CPU usage

#16
DaNeeLo (Topic Starter)

It's very hard to make Process Monitor run, cancel events and then set the filter, because the application doesn't respond to any input since it reaches 100% events in seconds: now, for example, I can't cancel events because as soon as ProcMon starts it gets stuck and goes out of memory (a lot of windows appear on the screen sayin that).
However, as soon as I can set the filter and save the file I'll send it to you; I'll try to explain what I see in the main window of ProcMon when it doesn't get stuck...
If I scroll down I see the same services.exe thousands of times, doin something in that Enum folder (maybe it's a registry, I don't know), and it happens in a very short time (as I told you before, the program reaches 100% events in some seconds).
Just to have an idea of how things go on a "normal" PC, I downloaded and ran ProcMon on this laptop I'm now usin to write to you: I don't see tons of events, I can let the program run without stoppin it catchin events and it doesn't crash and, most interesting thing, services.exe is not involved in those thousands of events I see on my "ill" computer.
Sorry if I'm not that clear, I do my best to "talk" good English....
As soon as I'm able to "catch" that ProcMon file, I'll send it to ya email.
Thanx again Ron for your kindness!
  • 0

#17
RKinner (Malware Expert)

(I'm assuming you have process monitor on your desktop. If not move it to your desktop)

Start, Run, cmd, OK to open a command window.

Change to your desktop:

cd  %userprofile%\desktop

procmon.exe  /NoConnect

(This should allow you to set the filter.  If not then once it opens, File, Open logfile.pml where logfile.pml is the log you attached.  Then set the filter and close the Process Monitor.)


procmon.exe  /Quiet  /SaveAs  log.pml

(As soon as it comes up hit the X to close it out.  This should give you a file called log.pml that won't be too awfully big)


The last one of these I had it was something in Plug and Play that was causing the problem. If we used msconfig to turn off Plug&Play then Services dropped to near nothing.
  • 0
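
Once a capture can be saved, the pattern described in this thread (one process producing almost all events under the Enum registry key) can be confirmed from a CSV export rather than by scrolling the Process Monitor window. The Python script below is an added example, not part of any post in the thread; it assumes the capture was exported with Process Monitor's default CSV columns, `registry_hotspots` is a name made up here, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export
# (File > Save > CSV); the device IDs below are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:48:01.0000001 AM","services.exe","700","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Enum\USB\Vid_0000&Pid_0001","SUCCESS",""
"7:48:01.0000002 AM","services.exe","700","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Enum\USB\Vid_0000&Pid_0001\Service","SUCCESS",""
"7:48:01.0000003 AM","services.exe","700","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_0000&DEV_0002","SUCCESS",""
"7:48:01.0000004 AM","services.exe","700","RegCloseKey","HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_0000&DEV_0002","SUCCESS",""
"7:48:01.0000005 AM","explorer.exe","1500","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS",""
"7:48:01.0000006 AM","explorer.exe","1500","ReadFile","C:\WINDOWS\system32\shell32.dll","SUCCESS",""
'''


def registry_hotspots(csv_text, depth=4):
    """Group registry events by (process, first `depth` key components).

    Returns rows of (process, key_prefix, events, distinct_paths, share_of_all),
    busiest first, so one process looping over one branch stands out.
    """
    stats = defaultdict(lambda: [0, set()])
    total = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        if not row["Operation"].startswith("Reg"):
            continue  # file, network and process events are ignored here
        prefix = "\\".join(row["Path"].split("\\")[:depth])
        entry = stats[(row["Process Name"], prefix)]
        entry[0] += 1             # number of registry events
        entry[1].add(row["Path"])  # distinct keys/values touched
    ranked = sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(p, k, n, len(paths), round(n / total, 2))
            for (p, k), (n, paths) in ranked]


if __name__ == "__main__":
    for line in registry_hotspots(SAMPLE_CSV):
        print(line)
```

A high event share combined with many distinct paths under one prefix matches the "jumps around and never stops" behaviour, while a healthy machine shows short, occasional passes.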

#18
DaNeeLo (Topic Starter)

"The last one of these I had it was something in Plug and Play that was causing the problem. If we used msconfig to turn off Plug&Play then Services dropped to near nothing."

Yes, this is my case too: I tried in msconfig to disable the Plug and Play service, and services.exe dropped down, close to zero (I can see this in the Process Explorer too, that upnpmgr.dll related, I think, to those kernel32.dll threads)... but I've read that the PnP service is essential for the system to survive, so it can't be disabled forever; the problem started as soon as I plugged in the USB pendrive, maybe it's something related to a Plug and Play action gone wrong, I don't know, I'm only supposing it... I'll try your instructions to get the log from ProcMon tomorrow, as soon as I come back home, and I'll send it to ya mail..... at this point I'm gettin very curious about the issue that is causin this problem....
I really appreciate what you're doin for me: I'm learning a lot of interesting things!!

Edited by DaNeeLo, 10 December 2011 - 07:48 AM.

  • 0

#19
RKinner (Malware Expert)

I got your email. That is the correct reg export.

I'm working my way through now. Trying to figure out what is going on. On my XP it just goes down through the registry one after the other every once in a while. In yours it seems to jump around a lot more and never stops.
  • 0

#20
DaNeeLo (Topic Starter)

Thanx Ron, I really hope you can find the culprit!
  • 0

#21
RKinner (Malware Expert)

Not finding much of any use.

Could you uninstall ASUS SmartDoctor if you have it. I don't see it in the uninstall list but sometimes there is an uninstall option in All Programs. It's supposed to be the source of the EIO_XP file that TDSSKiller does not like and that sometimes shows up in the event logs.



I did find this:

http://support.microsoft.com/kb/833228

and this:

http://forums.techgu...-plug-play.html

Do you have anything plugged up to a USB port? What monitor do you have?

Have you tried speccy again with the Plug and Play service turned off?



Have you ever tried SP3? I don't like to do this when there are problems but it might help in this case:

You need to update to XP SP3. Running SP2 you will get a lot more of these infections.

If this is an AMD CPU then you need to get KB953356:
http://www.microsoft...ang=en&id=23751
and install it first.


You should be offered the SP3 update from MS Updates but if not you can get it from:

http://technet.micro...indows/bb794714


Make sure you have System Restore working so you can back it out if it doesn't work (Uninstall SP3 then run System Restore to get back to the last Restore Point before you uninstall SP3).
  • 0

#22
DaNeeLo (Topic Starter)

I'm glad to hear from you!
I don't think I have ASUS Smart Doctor, never seen it in Add-Remove Programs, however I'll check for it once I'm home; I've read the Microsoft article and it seems to be my case, but the hotfix download is not available now: however it says that the hotfix works only if I have SP1, mine is SP2 (I'll try this hotfix once the download is available, I'll set a restore point first).
I disconnected everything from the USB ports, except my wireless mouse and the keyboard; I have a CRT monitor LG Studioworks 700s connected via VGA cable; I haven't tried Speccy with the Plug and Play service off (I'll try it and I'll let you know).
I'm afraid to install SP3, however I downloaded the packages and tried to install, but it gets stuck during the installation: I tried both in normal and in safe mode, but it's the same thing.
I want to ask you a question that may sound stupid: is it possible that the system is still tryin to read something from that USB pendrive that started all this mess? Maybe it's tryin to search for it, without finding it: I remember I disconnected it without the safe unplugging mode.
Once I'm home I'll check for all this stuff and then I'll let you know... thanx for your interest Ron!
  • 0

#23
RKinner (Malware Expert)

I don't think the hotfix will help you so don't try it.

SP3 should work OK. If you don't have an Intel CPU then you need to install the patch first.

Right click on My Computer and select Device Manager then View, check Show Hidden Devices.

Do you see any red or yellow marks on any of the drivers in the right pane?

Click on the + in front of Universal Serial Bus Controllers

Start at the bottom of the list and right click and uninstall each item.

Turn on Plug and Play and reboot.
  • 0

#24
DaNeeLo (Topic Starter)

I'll try to install SP3, I'll follow your instructions, but I have to install it with the Plug and Play service off, since the other times I tried (with PnP on), the installation got stuck.
I've just done the following steps:

-In safe boot, I've disabled the Plug and Play service, then I booted into normal mode;

-I've run Speccy and this time it worked, even though a little error window appeared: in the log you'll surely see that Speccy didn't detect the audio card (that is embedded in the motherboard), the optical drive and the hard drive, but maybe it's because of the Plug and Play service being disabled;

-I finally had access to Device Manager, but no devices are listed; I've checked Show Hidden Devices, but nothing appeared;

-I left the Device Manager window open, and then I tried to turn on the Plug and Play service... and a strange thing happened: as I right clicked the service and chose Properties, a little window appeared sayin this: "Configuration Manager: Plug and Play service or the requested service is not available"; I clicked OK and I had access to the Plug and Play window, and I set it to Automatic;

-I got back to Device Manager, refreshed the window but still no devices are shown.

I don't remember if I told you that when services.exe is eatin CPU, if I try to install a device using Hardware Installation from Control Panel, a window appears alertin me to finish the current device installation before startin another one: I think this is a fact that confirms that the issue is something related to this infamous Plug and Play.

I hope I've given you some useful info; the Speccy log is in the attachment.

Edited by DaNeeLo, 12 December 2011 - 06:33 AM.

  • 0

#25
DaNeeLo (Topic Starter)

Disabling Plug and Play made the Sigverif analysis run: in the attachment the JPEG showin the report.

P.S.
CPU temperature is OK now, it was surely due to that intensive extra work of the PnP service that is now blocked.

Attached Thumbnails

  • Sigverif.JPG

  • 0

#26
RKinner (Malware Expert)

If you turn on Plug and Play and boot into Safe Mode, do you have Device Manager then?
  • 0

#27
DaNeeLo (Topic Starter)

No, I can't access Device Manager in Safe Mode with PnP on either... this is the dilemma...
I've just created a restore point, and I'm startin to upgrade to SP3, I hope everything will be alright!
  • 0

#28
DaNeeLo (Topic Starter)

The upgrade to SP3 is done: no crash, installation was good..but the problem is still there...
  • 0

#29
DaNeeLo (Topic Starter)

Just a simple question....
Browsing in the servicepackfiles directory (using the prompt), I've located the file services.exe that is 109056 bytes; the services.exe file in c:\windows\system32 is 111104 bytes... can it mean anything important? Shouldn't they be the same size?
  • 0

#30
RKinner (Malware Expert)

Let's look:

Copy the text in the code box by highlighting and Ctrl + c

/md5start
services.exe
/md5stop

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the Run SCAN button at the top.
Let the program run unhindered, OTL will NOT reboot the PC when it is done. Save the log and copy and paste it to a reply.

This will show us all of the services.exe files on the system and give us their dates and MD5 checksums.
  • 0
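
What the OTL scan in #30 collects (every copy of services.exe with its date and checksum) can also be gathered with a short Python script, which makes the size comparison asked about in #29 explicit. This is an added example, not part of the thread and not OTL's own code; `inventory` and `group_by_digest` are names made up here, and the script records SHA-256 alongside the MD5 the post asks for.

```python
import hashlib
import os
import time


def inventory(root, name="services.exe"):
    """Find every file called `name` under `root` (case-insensitive, as on
    Windows) and return one record per copy: path, size, mtime, MD5, SHA-256."""
    records = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name.lower():
                continue
            path = os.path.join(folder, fname)
            md5, sha256 = hashlib.md5(), hashlib.sha256()
            with open(path, "rb") as fh:
                # Hash in chunks so large binaries are not read into memory at once.
                for chunk in iter(lambda: fh.read(65536), b""):
                    md5.update(chunk)
                    sha256.update(chunk)
            st = os.stat(path)
            records.append({
                "path": path,
                "size": st.st_size,
                "modified": time.strftime("%Y-%m-%d %H:%M", time.localtime(st.st_mtime)),
                "md5": md5.hexdigest(),
                "sha256": sha256.hexdigest(),
            })
    return records


def group_by_digest(records):
    """Map SHA-256 -> list of paths; more than one key means the copies differ."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["sha256"], []).append(rec["path"])
    return groups


if __name__ == "__main__":
    import sys
    recs = inventory(sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS")
    for rec in recs:
        print(rec["size"], rec["modified"], rec["md5"], rec["path"])
    if len(group_by_digest(recs)) > 1:
        print("copies differ: compare each digest against a known-good source")
```

A digest mismatch only shows that two copies are different builds; which one is genuine has to be established against a known-good source.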