Okay so here it goes.

I was working on a CMS earlier and I got pissed off with my text editor. So I downloaded a new one. Little to my knowledge it was a bogus.

It installed and during the installation my PC got really slow. PC Wizard did not recognise that there was much CPU usage going on about 3-7%. I thought seeming I had been running it all day and most of the night until early hours of the morning I would restart it, ooops!

When I boot up now I click on my username "Josh" when I click it I get a dong as if it were a windows error or notification. The screen takes a little longer than usuall to load but then the screen appears with a little dialog box. Title "C:\Program" with the message "Windows could not find the directory C:\Program".

I then get everything trying to log me in (im's and stuff) but to no adue. I show that I am connected to the internet and when I open FF or IE it is unsually quick about dimising the page as a "Page load error". At this point I disabled my wireless adapter and ripped it from the USB :P.

I thought imediately that it was a virus so I went to open Norton Internet Security 2009, wich by the way was not running wich is a little strange also. So I opened the Task Manager and saw nothing unsuall but two processes.

1) services.exe | Josh | 50 | 4,556K
2) services.exe | Josh | 00 | 0,556K

LOL. The first process doesn't ever rise above 50 CPU usage and never drops below. It just stays at 50 all the time everytime.

I thought I would need a restore and I opened the restore client. I click the 5th (2 days ago) and clicked restore. As always it showed me a warning about it can be undone and my files will still be intact or whatever. So I click next.........


Nada. The clever little fucking thing has block not only my Wireless but Norton IS 2009 AND Microsofts Restore Client. I thought hey if the proccess is running under my username I will boot in safe mode.

However the even clever thing about this nasty peice of turd is that it still happens in Safe Mode I only see maybe 10 processes but 2 of them are the ones I listed above.

I still can not access the restore client and in safe mode when trying to kill the process (via the task manager) it tells me "This is an important windows proccess, windows can not shut this down" or something similar anyhow.

I was wondering maybe I could use Command Prompt to manually kill the proccess and hopefully unlock the Restore Client?

I thought I would get your advice first. I don't really want to format the hard drive as I think I have lost the Windows CD and I have important files I need with no other SATA PC's available. I have this laptop but wouldn't like to take it apart as it is a HP and the Tech Squad would probably throw a tantrum.

Please, please, please help me!

P.S: Sorry for the long winded post :D


8 Years
Discussion Span
Last Post by Josh Connerty

A little update, the second proccess is a system proccess and seems okay. As for the first it was supporting server (program) that I can only presume was theifing my data.

I actually killed it by ending the program LOL!!!!

Just downloading malware bytes.


Josh... services.exe... go into system32 and rename any services.exe you find there, say to servicesA.exe and so on. The real services.exe will be replaced in a few seconds by Windows File Protection System from a copy in cache. You will only be able to delete the renamed ones after a restart. There should be none in c:\Windows\
services.exe should be run by the System, not by a User...?!
But first, get hold of MBAM, and run it after renaming those files.
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].

MBAM can still be installed and updated without a connection. Using a flashdrive on another system, download & save the installer file from http://www.majorgeeks.com/Malwarebyt...are_d5756.html, then dl the latest updates file: http://www.gt500.org/malwarebytes/database.jsp , both to a thumbdrive.
Run the installer, when it completes uncheck the Launch and Update boxes to finish. Next, dclick the mbam-rules.exe file, it will install into MBAM.
Start MBAM via the icon and ...


Resolved, to conclude I had to edn teh program server and that killed the proccess under my username called services.exe that then allowed me to access the internet and download mbam however I had to rename mbab as the hacker was blocking the mbam.exe proccess.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.