
Services.exe anomaly


28 replies to this topic

#1 Gingerninja106

Posted 23 April 2010 - 02:26 PM

Hi there,

Hopefully an easy issue for you today. I'm running Vista and have been having problems with services.exe lately taking anywhere between 30-60% CPU after boot up. I've run Process Explorer and isolated it to a very specific thing. Unfortunately I have no knowledge on things as deep into the computer as this and was wondering whether someone could take a look at the following screenprint and help me.

Posted Image

I have found that if I suspend the selected process within services.exe (known as services.exe+0x1388d) the high usage immediately stops with (as far as I have experienced) no detrimental effects.

I'd be grateful if someone could tell me what this links to (is it a file, driver, program etc?) and a solution that would be fantastic.

If it's helpful, here is the stack (as at the moment it was suspended) for anyone who needs it

ntkrnlpa.exe!KeWaitForMultipleObjects+0xadc
ntkrnlpa.exe!IoQueueWorkItemEx+0x11d8
ntkrnlpa.exe!NtOpenThreadTokenEx+0x1e66
ntkrnlpa.exe!KiDeliverApc+0xce
ntkrnlpa.exe!KeSetTimerEx+0x76b
ntkrnlpa.exe!KeWaitForSingleObject+0x492
ntkrnlpa.exe!KeTestAlertThread+0x78
ntkrnlpa.exe!KiCheckForKernelApcDelivery+0x24
ntkrnlpa.exe!IofCallDriver+0x64
ntkrnlpa.exe!FsRtlAreNamesEqual+0x2b9
ntkrnlpa.exe!NtQueryDirectoryFile+0x5b
ntkrnlpa.exe!ZwQueryLicenseValue+0xbd6
ntdll.dll!KiFastSystemCallRet
services.exe+0xe674
services.exe+0xe452
services.exe+0xe3a6
services.exe+0xe290
services.exe+0xd681
services.exe+0x14440
services.exe+0x13951
kernel32.dll!BaseThreadInitThunk+0x12
ntdll.dll!RtlInitializeExceptionChain+0x63
ntdll.dll!RtlInitializeExceptionChain+0x36


Thanks!


 


#2 cryptodan


Posted 23 April 2010 - 03:11 PM

Have you done any malware scans yet?

#3 hamluis


Posted 23 April 2010 - 03:28 PM

How long does this CPU usage range last?

Is it only momentary?

Louis

#4 Gingerninja106


Posted 24 April 2010 - 10:25 AM

"Have you done any malware scans yet?"

I have scanned using Malware Bytes, AVG, Spybot, AdAware and Trend Micro Homecall (I think it was). Other than pulling a few other things which were spyware-related, nothing has solved the cpu issue.

"How long does this CPU usage range last?

Is it only momentary?"

The CPU usage begins when I turn the computer on. On most occasions it will run permanently (if left to); however, maybe 1 in 15 times it will stop itself after 15-20 minutes and the usage will be back down to the usual 2-3%.

Thanks guys

#5 keyboardNinja


Posted 24 April 2010 - 10:59 AM

Do you have active protection turned on for more than one of those anti-malware programs? If so, you should only have one.

As a general rule, using more than one anti-spyware program like Malwarebytes' Anti-Malware, SuperAntispyware, Spybot S&D, Ad-Aware, etc will not conflict with each other or your anti-virus if using only one of them for real time protection and others as stand-alone scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. The overlap of protection from using different signature databases will aid in detection and removal of more threats when scanning your system for malware. However, if using all their real-time resident shields (TeaTimer, Ad-Watch, MBAM Protection Module, Spyware Terminator Shields, etc) together at the same time, there can be conflicts when each application tries to compete for resources and exclusive rights to perform an action. Additionally, competing tools may even provide redundant alerts which can be annoying and/or confusing.



We are going to disable startup programs to determine if one or any of them are causing this slowness.

To perform a diagnostic startup, follow these steps:

1. Click Start, click Run, type msconfig, and then click OK.
2. On the General tab, click Diagnostic Startup, and then click OK.
3. Restart your computer.

Now, go to the Startup tab of msconfig and check the box next to one startup program > Apply > OK > reboot

You will have to do this one program at a time (enable, reboot) until you find the one(s) that is causing the lagging.

#6 cryptodan


Posted 24 April 2010 - 12:32 PM

Do you still have those logs available from your scans? If so post them.

#7 Gingerninja106


Posted 25 April 2010 - 08:40 AM

"We are going to disable startup programs to determine if one or any of them are causing this slowness.

To perform a diagnostic startup, follow these steps:

1. Click Start, click Run, type msconfig, and then click OK.
2. On the General tab, click Diagnostic Startup, and then click OK.
3. Restart your computer.

Now, go to the Startup tab of msconfig and check the box next to one startup program > Apply > OK > reboot

You will have to do this one program at a time (enable, reboot) until you find the one(s) that is causing the lagging."

Firstly, I have checked and the only resident shield I can see running is from AVG. The rest don't appear anywhere until I physically open the program.

I ran the diagnostic startup; however, the services.exe still appeared before I could even begin checking the rest of the services. I assume this means it is a Windows service causing the problem? If it helps, when I turned the laptop on just now, I logged straight into Process Explorer before the spike in CPU had occurred and had the services.exe highlighted. I noticed that at exactly the same time as the services.exe started stealing resources, a new entry appeared in the bottom of the screen (highlighted green for a split second) called C:\Windows\LastGood.Tmp.


"Do you still have those logs available from your scans? If so post them."


Unfortunately I don't have the logs, though none of them seemed to provide anything of interest that I remember (to my untrained eye!)



#8 cryptodan


Posted 25 April 2010 - 11:57 AM

Can you perform the following scans:

http://www.malwarebytes.org/mbam.php and http://www.superantispyware.com and post the logs here.

#9 Gingerninja106


Posted 28 April 2010 - 02:41 PM

"Can you perform the following scans:

http://www.malwarebytes.org/mbam.php and http://www.superantispyware.com and post the logs here."


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/27/2010 at 09:02 PM

Application Version : 4.35.1002

Core Rules Database Version : 4857
Trace Rules Database Version: 2669

Scan type : Complete Scan
Total Scan Time : 01:00:18

Memory items scanned : 650
Memory threats detected : 0
Registry items scanned : 6818
Registry threats detected : 0
File items scanned : 37455
File threats detected : 3

Adware.Tracking Cookie
C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Cookies\mike@content.yieldmanager[1].txt
C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Cookies\mike@adbrite[1].txt
C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Cookies\mike@ad.yieldmanager[1].txt








Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4046

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

28/04/2010 20:38:11
mbam-log-2010-04-28 (20-38-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 306214
Time elapsed: 1 hour(s), 58 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 cryptodan


Posted 28 April 2010 - 02:47 PM

Can you take a screenshot of the main Process Explorer window, and take a screenshot of it with your mouse hovering over the svchost process that is giving you the CPU spikes?

#11 Gingerninja106


Posted 28 April 2010 - 03:18 PM

"Can you take a screenshot of the main Process Explorer window, and take a screenshot of it with your mouse hovering over the svchost process that is giving you the CPU spikes?"


There doesn't seem to be an individual svchost giving the issue; it seems to be sitting with services.exe. Here's a shot:

Posted Image


EDIT: Shortly after posting the above, the process seems to have stopped. Services.exe is still running however no cpu hog (and the services.exe+0x1388d has disappeared from the threads tab)



#12 cryptodan


Posted 28 April 2010 - 03:31 PM

Your Winlogon.exe is not in the right path that is suspicious behavior. It should be in c:\windows\system32\

not by itself.

#13 Gingerninja106


Posted 28 April 2010 - 03:41 PM

"Your Winlogon.exe is not in the right path that is suspicious behavior. It should be in c:\windows\system32\

not by itself."


When I hover over it in Process Explorer, it does show a file path of c:\windows\system32\winlogon.exe. Is there anything I can do to check this?

I've done a system search and found the following

Posted Image


Anything look suspicious?



#14 cryptodan


Posted 28 April 2010 - 03:46 PM

"Your Winlogon.exe is not in the right path that is suspicious behavior. It should be in c:\windows\system32\

not by itself."


"When I hover over it in Process Explorer, it does show a file path of c:\windows\system32\winlogon.exe. Is there anything I can do to check this?"



That was a bit of a brain fart, I was expecting the full path to be also part of the Command Line Column View.
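
Added example (not part of any post in this thread): a PowerShell check of the point settled above, that a process's command line may omit the full path while its image path is recorded separately. It lists the processes named in the thread with both fields and flags any image outside System32; the function name `Test-SystemProcessPath` is hypothetical, and the script assumes PowerShell 4.0 or later run from an elevated prompt.

```powershell
# Added example, not code from the thread.
# Assumptions: PowerShell 4.0+ (Get-CimInstance, Get-FileHash), elevated prompt.
# Test-SystemProcessPath is a hypothetical helper name.

function Test-SystemProcessPath {
    param(
        [string[]]$Name,              # image names to look up, e.g. 'winlogon.exe'
        [string]$ExpectedDirectory    # directory the images are expected to load from
    )
    # Build a WQL filter such as: Name = 'winlogon.exe' OR Name = 'services.exe'
    $filter = ($Name | ForEach-Object { "Name = '$_'" }) -join ' OR '

    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) {
            # WMI returns no path when the caller lacks rights to query the process
            $verdict = 'PathUnavailable'
            $hash = $null
        } else {
            $dir = Split-Path -Path $path -Parent
            $verdict = if ($dir -ieq $ExpectedDirectory) { 'ExpectedPath' } else { 'UnexpectedPath' }
            # Hash of the on-disk image, for comparison with a known-good copy
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        [pscustomobject]@{
            Name            = $_.Name
            ProcessId       = $_.ProcessId
            ParentProcessId = $_.ParentProcessId
            ExecutablePath  = $path           # full image path
            CommandLine     = $_.CommandLine  # may hold only the bare file name
            Verdict         = $verdict
            SHA256          = $hash
        }
    }
}

# Process names taken from the thread
$names = 'winlogon.exe', 'services.exe', 'svchost.exe'
$expected = Join-Path $env:SystemRoot 'System32'

Test-SystemProcessPath -Name $names -ExpectedDirectory $expected |
    Sort-Object Verdict, Name |
    Format-List
```

An `UnexpectedPath` verdict is a prompt to inspect that file more closely, not proof of infection, and `PathUnavailable` usually means the prompt was not elevated.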

#15 Gingerninja106


Posted 28 April 2010 - 04:03 PM

"Your Winlogon.exe is not in the right path that is suspicious behavior. It should be in c:\windows\system32\

not by itself."


"When I hover over it in Process Explorer, it does show a file path of c:\windows\system32\winlogon.exe. Is there anything I can do to check this?"



"That was a bit of a brain fart, I was expecting the full path to be also part of the Command Line Column View."


Indeed, would certainly make sense wouldn't it! Did you see my added screen print?

I'm at a loss as to what else the service could be!



