Help. My legit services.exe is downloading various trojans

reallypissed-off (OSNN Newbie, joined 30 Jun 2006, 4 messages)
Hi, I need help bad. services.exe is requesting connection to various sites and when I allow this, it downloads various trojans and ****. It is the legit services.exe, but I can't suss out what is using it. I'm using ZoneLabs Security Suite and scans are coming up clean. Can anyone help me?
 
I hate to break it to you. But a legit version of "services.exe" will not connect to the Internet, especially for the reasons you described.

You likely have a virus or a trojan of some sort that is not being detected.

First thing I would do is disconnect your computer from the Internet or any network. I would delete all Temporary Internet Files and all files located in the following two locations:

C:\Documents and Settings\username\Local Settings\Temp
C:\WINDOWS\Temp

I would verify the version information of "services.exe". It should be 5.1.2600.2180 if you are all up-to-date.

I would also run from CMD "sfc /scannow" since this is a system file.

I would verify what is starting up using MSCONFIG and services.msc. Uncheck and disable anything that doesn't make sense. Ask when in doubt.

Start with this and let's see what happens.
 
Well, I've deleted loads of crap from the temp folders, files like win1a.tmp right through to win5f.tmp. None of them contain any data. I've also disabled any non-essential services and startups. The only services.exe I can find on the computer is the legit one from Microsoft, version 5.1.2600.2180. I can't find anything in the registry either. At the minute I have services.exe blocked from accessing the net with ZoneAlarm, but it keeps trying to access various Google websites. If allowed to access it, then it connects to ftp.icq.com and starts downloading again. I'm also getting a warning from ZoneAlarm saying - Windows NT logon application is trying to use Services and Controller app to access the internet, also Google website. It's also the legit winlogon.exe as well. Somebody help me please.
 
Did you run "sfc /scannow" from CMD?
 
Try running an online virus scan. There may be something wrong with your ZoneAlarm installation.

http://safety.live.com/
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Also, please post a Hijack This log (http://www.merijn.org/downloads.html).

Chances are, whatever trojan/virus/malware you are infected with, you'll have to reformat to be safe since it has infected system services (those are very difficult to get rid of at times).

Start being more careful with where you go and what you download.
 
This all started when I installed a new hard drive about a week ago. No service packs left me wide open to infection. Took forever to get the service pack updates on dial-up.

Logfile of HijackThis v1.99.1
Scan saved at 15:29:26, on 01/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Admin\Desktop\hijackthis\HijackThis.exe /startupscan
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151017852663
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151097609862
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
I thought you said you had ZoneAlarm? You also have AntiVir PersonalEdition Classic on this computer?

Did the online scans find anything wrong?
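
Added example (not part of any post in this thread): the path checks discussed above, applied to a HijackThis log by flagging system-process names that run outside their normal directory and executables that run from the two temp locations. The sample log is constructed, and the expected directories assume a default Windows XP install in C:\WINDOWS.

```python
import ntpath
import re

# Default Windows XP locations of core processes (assumes the OS lives in C:\WINDOWS).
SYSTEM_DIR = {name: r"c:\windows\system32" for name in (
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe")}
SYSTEM_DIR["explorer.exe"] = r"c:\windows"
EXE_PATH = re.compile(r'[a-z]:\\[^"*?<>|]*?\.exe', re.IGNORECASE)

# Constructed sample log: the Temp and C:\WINDOWS\svchost.exe entries are invented for the demo.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Temp\services.exe
C:\Documents and Settings\Admin\Local Settings\Temp\example.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updater] C:\WINDOWS\svchost.exe /auto
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

def executables(log_text):
    """Yield (source, path) for running processes, O4 autoruns and O23 services."""
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        tag = re.match(r"([A-Z]\d+) - ", line)
        if tag:
            in_procs = False  # first tagged entry ends the process list
        source = "process" if in_procs else (tag.group(1) if tag else None)
        hit = EXE_PATH.search(line)
        if hit and source in ("process", "O4", "O23"):
            yield source, hit.group(0)

def in_temp(folder):
    """True if the lower-cased folder is inside one of the two temp locations."""
    probe = folder + "\\"
    return probe.startswith("c:\\windows\\temp\\") or "\\local settings\\temp\\" in probe

def audit(log_text):
    """Return (source, reason, path) for each entry worth a closer look."""
    findings = []
    for source, path in executables(log_text):
        folder, name = ntpath.split(path.lower())
        if name in SYSTEM_DIR and folder != SYSTEM_DIR[name]:
            findings.append((source, "system name outside expected directory", path))
        elif in_temp(folder):
            findings.append((source, "runs from a temp directory", path))
    return findings
```

A clean result only means nothing is masquerading by name or location; it does not rule out code injected into the genuine services.exe or winlogon.exe.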
 
