c:\windows\services.exe and port 80

Original Message

Name: bartmaker2
Date: June 28, 2004 at 03:54:38 Pacific
Subject: c:\windows\services.exe and port 80
OS: WIN XP home SP1
CPU/Ram: AMD 2Mhz/1GB

Comment:

This is not the c:\windows\system32\services that is part the integral part of Win XP.
Zonealarm shows c:\windows\services.exe continuosly trying to connect to 207.46.xxx.xxx ((Microsoft addresses)via port 80.
I can kill the process and delete services.exe from the drive, but it shows back up even after disabling system restore.
I have run Norton, Spybot, TDS3, stinger, etc.
I have all MS services(autoupdate, time, etc..) turned off.
I initially thought it was Netsky, but no scanner detects it.
I have checked the registry run, run once and Run\Services for "services.exe", but can't find it.
I can not find how services.exe is starting or what is starting it. I looked in the msconfig for run/load/shell commands in the win.ini/system.ini.

I tried writing a batch file using Taskkill, PSkill, process.exe and other similar utils to just kill services.exe on reboot, but they try to kill the valid(system32\services.exe)
TASKKILL will let me specify the owner of the process to kill the correct services.exe, but returns a message saying that services.exe is vital and can't be killed, no matter what switch I use.
Sorry for the long email, but i want to provide as much info as possible so someone can help.
Thanks
Bart
Please help!!!!!

Report Offensive Message For Removal

Response Number 1

Name: bartmaker2
Date: June 28, 2004 at 04:15:53 Pacific
Subject: c:\windows\services.exe and port 80

Reply: (edit)

I forgot to add, after numerous(many!!) attempts to connect on port 80, it will start trying other ports.

Report Offensive Follow Up For Removal

Response Number 2

Name: bartmann22
Date: June 28, 2004 at 14:22:57 Pacific
Subject: c:\windows\services.exe and port 80

Reply: (edit)

Success!!!!
SVG
I tried all the antivirus scanners and nothing help.
Used Security Task Manager and was able to look inside the process and see how it was created.
The following executables were installed by active x installer.
c:\windows\services.exe
c:\windows\system32\mssyncr.exe
The following keys were found:
[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru]
[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="E54DHdLbPahxa"
"001"="mssyncr.exe"
[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="wwCwiCw"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}]
"StubPath"="C:\\WINDOWS\\System32\\mssyncr.exe"
Once I cleared these keys and deleted mssyncr.exe and services.exe, rebooted, no more problem.
Thanks for the ideas!!!
Bart

Report Offensive Follow Up For Removal


C:\WINDOWS\hp.htm and start space h services.exe / java.exe dc379c8.exe and related problems Virus: Winter.exe and proper.exe hidr.exe and flec006.exe and exefld	h91746.exe and Ultimate Defender? Comwiz.exe and Winnet.exe howiper.exe and DNS Trouble wupdater.exe and other viruses services.exe (x2) sucking cpu time