Multiple couples of "cmd.exe" and "services.exe" at startup

Maurice

Hello:
I have a serious problem with my PC. When I start WIN XP SP2 and use Task Manager, I
notice that there are many "cmd.exe" and "sevices.exe", and the number is still
increasing; every second a new couple is generated. So I shut down and then
restart, and immediately at startup I open Task Manager and kill the one
or two "cmd.exe" that have just been created. When all cmd.exe are killed, no new
ones are generated. So I use "hibernate" to exit, but sometimes I need a
full restart, and the previous problem reappears.

Is this a sign of a virus? Does a reinstallation of Windows heal that?

thanks
Maurice
 
Pegasus (MVP)

Maurice said:
Hello:
I have a serious problem with my PC. When I start WIN XP SP2 and use Task Manager,
I notice that there are many "cmd.exe" and "sevices.exe", and the number
is still increasing; every second a new couple is generated. So I shut down
and then restart, and immediately at startup I open Task Manager and
kill the one or two "cmd.exe" that have just been created. When all cmd.exe are
killed, no new ones are generated. So I use "hibernate" to exit, but
sometimes I need a full restart, and the previous problem reappears.

Is this a sign of a virus? Does a reinstallation of Windows heal that?

thanks
Maurice

Click Start / Run / msconfig.exe{OK} and have a look at the tasks under the
Startup tab. Anything suspicious there? Also: Does the problem happen in
Safe Mode too?
 
Maurice

Pegasus (MVP) said:
Click Start / Run / msconfig.exe{OK} and have a look at the tasks under the
Startup tab. Anything suspicious there? Also: Does the problem happen in
Safe Mode too?

Thanks for the help:
Using msconfig.exe, I noticed a suspicious setup1018.exe in
"D:\Documents and Settings\morosh\Local Settings\Temp". I deleted the entry and
restarted, and the problem happens again. I booted in safe mode; it's OK, no
problem. Then back to normal start, and using msconfig.exe I noticed
"ctfmon.exe" located in windows\system32 with "CTF loader" as description.
Is it suspicious??

Any other ideas??

thanks
Maurice
 
Malke

Maurice said:
Hello:
I have a serious problem with my PC. When I start WIN XP SP2 and use Task Manager,
I notice that there are many "cmd.exe" and "sevices.exe", and the number
is still increasing; every second a new couple is generated. So I shut down
and then restart, and immediately at startup I open Task Manager and
kill the one or two "cmd.exe" that have just been created. When all cmd.exe are
killed, no new ones are generated. So I use "hibernate" to exit, but
sometimes I need a full restart, and the previous problem reappears.

Is this a sign of a virus? Does a reinstallation of Windows heal that?

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Then you will know if the machine is clean. If the machine is infected, then
certainly a clean-install will take care of it, but it might be easy to
remove the virus/malware. Or not. ;-) It's always your choice.

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand

Malke
 
Jim

Maurice said:
Hello:
I have a serious problem with my PC. When I start WIN XP SP2 and use Task Manager,
I notice that there are many "cmd.exe" and "sevices.exe", and the number
is still increasing; every second a new couple is generated. So I shut down
and then restart, and immediately at startup I open Task Manager and
kill the one or two "cmd.exe" that have just been created. When all cmd.exe are
killed, no new ones are generated. So I use "hibernate" to exit, but
sometimes I need a full restart, and the previous problem reappears.

Is this a sign of a virus? Does a reinstallation of Windows heal that?

thanks
Maurice

It certainly sounds like malware of some sort. What AV software are you
running?

Jim
 
Jim

Maurice said:
Hello:
I have a serious problem with my PC. When I start WIN XP SP2 and use Task Manager,
I notice that there are many "cmd.exe" and "sevices.exe", and the number
is still increasing; every second a new couple is generated. So I shut down
and then restart, and immediately at startup I open Task Manager and
kill the one or two "cmd.exe" that have just been created. When all cmd.exe are
killed, no new ones are generated. So I use "hibernate" to exit, but
sometimes I need a full restart, and the previous problem reappears.

Is this a sign of a virus? Does a reinstallation of Windows heal that?

thanks
Maurice

My system has only one process which is running services.exe. It has no
processes running cmd.exe.
Conclusion would be that you have malware.
A reinstall would not fix a rootkit (as I understand the term).
Your best approach should be to use David Lipman's Multi_AV.
Jim
 
Maurice

Jim said:
It certainly sounds like malware of some sort. What AV software are you
running?

Jim

I'm using AVG8. I scanned the whole computer without finding anything.

thanks for help
Maurice
 
Malke

Maurice said:
Thanks for the help:
Using msconfig.exe, I noticed a suspicious setup1018.exe in
"D:\Documents and Settings\morosh\Local Settings\Temp". I deleted the entry and
restarted, and the problem happens again. I booted in safe mode; it's OK, no
problem. Then back to normal start, and using msconfig.exe I noticed
"ctfmon.exe" located in windows\system32 with "CTF loader" as description.
Is it suspicious??

Already answered, but here it is again with more details for your
convenience:

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do
all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

When all else fails, get guided help. Choose one of the specialty forums
listed at the first link. Register and read its posting FAQ. PLEASE DO NOT
POST LOGS IN THE MS NEWSGROUPS.

If you can't do the work yourself (and there is no shame in admitting this
isn't your cup of tea), take the machine to a professional computer repair
shop (not your local equivalent of BigComputerStore/GeekSquad). Please be
aware that not all local shops are skilled at removing malware and even if
they are, your computer may be so infested that Windows will need to be
clean-installed. If possible, have all your data backed up before you take
the machine into a shop.

Malke
 
HeyBub

Maurice said:
Thanks for the help:
Using msconfig.exe, I noticed a suspicious setup1018.exe in
"D:\Documents and Settings\morosh\Local Settings\Temp". I deleted the
entry and restarted, and the problem happens again. I booted in safe
mode; it's OK, no problem. Then back to normal start, and using
msconfig.exe I noticed "ctfmon.exe" located in windows\system32 with
"CTF loader" as description. Is it suspicious??

CTFMON.EXE is part of MS Office and remains in memory when any part of
Office is loaded. It's okay.
 
PA Bear [MS MVP]

A format & reinstall *may* resolve the problem *if* the machine's not on a
LAN network *and* you're not using a router. Otherwise...

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
 
Kelly

If cmd.exe is located in a subfolder of C:\Windows\System32 then the
security rating is 73% dangerous. File size is 23040 bytes (90% of all
occurrences), 36864 bytes. There is no file information. The program has no
visible window. It is not a Windows core file. The application uses ports to
connect to LAN or Internet.

If cmd.exe is located in a subfolder of C:\Windows then the security rating
is 72% dangerous. File size is 648192 bytes. There is no information about
the maker of the file. The program is not visible. It is an unknown file in
the Windows folder. File cmd.exe is not a Windows core file. cmd.exe is able
to record inputs, hide itself, monitor applications.

If cmd.exe is located in C:\ then the security rating is 64% dangerous. File
size is 180736 bytes. http://www.file.net/process/cmd.exe.html

Cleaners that work and they are free:
http://www.kellys-korner-xp.com/xp_s.htm#spy




--

All the Best and Happy Turkey Day,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
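
The checks raised in Jim's and Kelly's posts above (a single services.exe, and cmd.exe running only from System32 itself), as an added example that is not part of the thread; it goes slightly beyond the posts by also flagging lookalike names. The CSV column layout, the System32 path and the shell-count threshold are assumptions, and the sample snapshot is constructed.

```python
import csv
import io
from collections import Counter
from difflib import SequenceMatcher

SYSTEM32 = r"c:\windows\system32"      # assumed Windows install path
WATCHED = {"cmd.exe", "services.exe"}  # must run from SYSTEM32 itself
SINGLETONS = {"services.exe"}          # a clean system runs exactly one
MAX_SHELLS = 3                         # arbitrary example threshold

# Constructed snapshot (not data from the thread); the column layout is assumed.
SAMPLE = r"""Name,ProcessId,ParentProcessId,ExecutablePath
services.exe,700,640,C:\WINDOWS\system32\services.exe
explorer.exe,1500,1400,C:\WINDOWS\explorer.exe
cmd.exe,2000,1500,C:\WINDOWS\system32\cmd.exe
cmd.exe,2100,3000,C:\WINDOWS\system32\drivers\cmd.exe
sevices.exe,3000,1500,C:\WINDOWS\system32\sevices.exe
services.exe,3100,3000,C:\WINDOWS\Temp\services.exe
"""

def triage(snapshot):
    """Return (pid, name, reason) findings for a CSV process snapshot."""
    rows = list(csv.DictReader(io.StringIO(snapshot)))
    counts = Counter(r["Name"].lower() for r in rows)
    findings = []
    for r in rows:
        name, path = r["Name"].lower(), r["ExecutablePath"].lower()
        folder = path.rpartition("\\")[0]
        if name in WATCHED:
            # A system binary name running from anywhere but System32 itself.
            if folder != SYSTEM32:
                reason = "unexpected location" if path else "path not readable"
                findings.append((int(r["ProcessId"]), name, reason))
        elif any(SequenceMatcher(None, name, w).ratio() >= 0.85 for w in WATCHED):
            # A name that is nearly, but not exactly, a watched system binary.
            findings.append((int(r["ProcessId"]), name, "lookalike name"))
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            findings.append((None, name, f"{counts[name]} instances, expected 1"))
    if counts["cmd.exe"] > MAX_SHELLS:
        findings.append((None, "cmd.exe", f"{counts['cmd.exe']} shells running"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The ParentProcessId column is carried in the snapshot so that each flagged PID can be traced back to the process that started it.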
 
