Help. My legit services.exe is downloading various trojans

Discussion in 'Windows Desktop Systems' started by reallypissed-off, Jun 30, 2006.

  1. reallypissed-off (OSNN One Post Wonder, 4 messages)

    Hi, I need help badly. services.exe is requesting connections to various sites, and when I allow this, it downloads various trojans and ****. It is the legit services.exe, but I can't suss out what is using it. I'm using ZoneLabs Security Suite and scans are coming up clean. Can anyone help me?
     
  2. madmatt (Bow Down to the King, Political User, 13,312 messages, New York)

    I hate to break it to you, but a legit version of "services.exe" will not connect to the Internet, especially for the reasons you described.

    You likely have a virus or a trojan of some sort that is not being detected.

    First thing I would do is disconnect your computer from the Internet or any network. I would delete all Temporary Internet Files and all files located in the following two locations:

    C:\Documents and Settings\username\Local Settings\Temp
    C:\WINDOWS\Temp

    I would verify the version information of "services.exe". It should be 5.1.2600.2180 if you are all up-to-date.

    I would also run from CMD "sfc /scannow" since this is a system file.

    I would verify what is starting up using MSCONFIG and services.msc. Uncheck and disable anything that doesn't make sense. Ask when in doubt.

    Start with this and let's see what happens.
     
  3. reallypissed-off (OSNN One Post Wonder, 4 messages)

    Well, I've deleted loads of crap from the temp folders, files like win1a.tmp right through to win5f.tmp. None of them contain any data. I've also disabled any non-essential services and startups. The only services.exe I can find on the comp is the legit one from Microsoft, version 5.1.2600.2180. I can't find anything in the registry either. At the minute I have services.exe blocked from accessing the net with ZoneAlarm, but it keeps trying to access various Google websites. If allowed to access it, then it connects to ftp.icq.com and starts downloading again. I'm also getting a warning from ZoneAlarm saying "Windows NT logon application is trying to use Services and Controller app to access the internet", also Google website; it's also the legit winlogon.exe as well. Somebody help me please.
     
  4. madmatt (Bow Down to the King, Political User, 13,312 messages, New York)

    Did you run "sfc /scannow" from CMD?
     
  5. reallypissed-off (OSNN One Post Wonder, 4 messages)

    Yeah, I did run it. It didn't inform me of any problems.
     
  6. madmatt (Bow Down to the King, Political User, 13,312 messages, New York)

    Try running an online virus scan. There may be something wrong with your ZoneAlarm installation.

    http://safety.live.com/
    http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

    Also, please post a Hijack This log (http://www.merijn.org/downloads.html).

    Chances are, with whatever trojan/virus/malware you are infected with, you'll have to reformat to be safe, since it has infected system services (those are very difficult to get rid of at times).

    Start being more careful with where you go and what you download.
     
  7. reallypissed-off (OSNN One Post Wonder, 4 messages)

    This all started when I installed a new hard drive about a week ago. No service packs left me wide open to infection. It took forever to get the service pack updates on dial-up.

    Logfile of HijackThis v1.99.1
    Scan saved at 15:29:26, on 01/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Admin\Desktop\hijackthis\HijackThis.exe

    F2 - REG:system.ini: Shell=explorer.exe "
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Admin\Desktop\hijackthis\HijackThis.exe /startupscan
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151017852663
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151097609862
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
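    A small checker for the HijackThis log format posted above, added here as an example and not part of the thread or of HijackThis itself: it parses the "Running processes" list and the O4/O23 entries and flags any file named like a core Windows binary (services.exe, winlogon.exe, svchost.exe, ...) that does not live in C:\WINDOWS\system32, which is what madmatt's "find the legit one" advice in post 2 amounts to. The sample log is constructed, and the system directory is assumed to be the XP default.

```python
import re

# Core NT binaries that, on Windows XP, must run from %SystemRoot%\system32.
CORE_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumed XP default install location
# First Windows path ending in .exe on an O4 (Run key) or O23 (service) line.
ENTRY_RE = re.compile(r'^(O4|O23) - .*?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def parse_hijackthis(log_text):
    """Return (process_paths, entry_paths) from a HijackThis v1.99-style log."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False          # a blank line ends the process list
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(m.group(2))
    return processes, entries

def flag_impostors(paths):
    """Return paths named like a core binary but living outside system32."""
    flagged = []
    for path in paths:
        folder, _, name = path.rpartition("\\")
        if name.lower() in CORE_BINARIES and folder.lower() != SYSTEM32:
            flagged.append(path)
    return flagged

def scan_log(log_text):
    """Run the impostor check over both the process list and the O4/O23 entries."""
    processes, entries = parse_hijackthis(log_text)
    return flag_impostors(processes + entries)

# Constructed sample in the format of the log above; the two entries outside
# system32 are made up here to show what the check would catch.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Admin\svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
```

    Running `scan_log` over the log posted in this thread returns nothing, which matches what the poster found: every core binary listed runs from system32.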
  8. madmatt (Bow Down to the King, Political User, 13,312 messages, New York)

    I thought you said you had ZoneAlarm? You also have AntiVir PersonalEdition Classic on this computer?

    Did the online scans find anything wrong?