c:\windows\services.exe and port 80

bartmaker2 June 28, 2004 at 03:54:38 Pacific
Specs: WIN XP home SP1, AMD 2Mhz/1GB

This is not the c:\windows\system32\services that is an integral part of Win XP.

ZoneAlarm shows c:\windows\services.exe continuously trying to connect to 207.46.xxx.xxx (Microsoft addresses) via port 80.

I can kill the process and delete services.exe from the drive, but it shows back up even after disabling system restore.

I have run Norton, Spybot, TDS3, stinger, etc.

I have all MS services (autoupdate, time, etc.) turned off.

I initially thought it was Netsky, but no scanner detects it.

I have checked the registry run, run once and Run\Services for "services.exe", but can't find it.

I cannot find how services.exe is starting or what is starting it. I looked in msconfig for run/load/shell commands in the win.ini/system.ini.


I tried writing a batch file using Taskkill, PSkill, process.exe and other similar utils to just kill services.exe on reboot, but they try to kill the valid one (system32\services.exe).

TASKKILL will let me specify the owner of the process to kill the correct services.exe, but returns a message saying that services.exe is vital and can't be killed, no matter what switch I use.

Sorry for the long email, but I want to provide as much info as possible so someone can help.

Thanks

Bart
Please help!!!!!





#1
bartmaker2 June 28, 2004 at 04:15:53 Pacific

I forgot to add, after numerous (many!!) attempts to connect on port 80, it will start trying other ports.


#2
bartmann22 June 28, 2004 at 14:22:57 Pacific

Success!!!!

I tried all the antivirus scanners and nothing helped.

Used Security Task Manager and was able to look inside the process and see how it was created.

The following executables were installed by the ActiveX installer.

c:\windows\services.exe
c:\windows\system32\mssyncr.exe

The following keys were found:

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru]

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="E54DHdLbPahxa"
"001"="mssyncr.exe"

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="wwCwiCw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}]
"StubPath"="C:\\WINDOWS\\System32\\mssyncr.exe"

Once I cleared these keys and deleted mssyncr.exe and services.exe, rebooted, no more problem.

Thanks for the ideas!!!

Bart
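
The two checks this thread arrived at, as an added example (not code from either poster): it parses .reg export text for Active Setup StubPath entries that are absent from a known-good baseline, and flags process images that use a System32-only name from another directory. The baseline ID, the second registry entry, the process list and the SYSTEM32_ONLY set are constructed assumptions; the first registry entry and the file paths are the ones quoted in reply #2.

```python
import ntpath
import re

# Assumption: short illustrative set of names that normally run only from System32.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
ACTIVE_SETUP = r"\software\microsoft\active setup\installed components" + "\\"

# First entry is the key quoted in reply #2; the second is constructed for contrast.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}]
"StubPath"="C:\\WINDOWS\\System32\\mssyncr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-BASELINE-ID}]
"StubPath"="C:\\WINDOWS\\System32\\example.exe /install"
'''

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"(.*?)"="(.*)"', line)
            if m:  # string values only; .reg files double every backslash
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def unknown_stubs(keys, baseline_ids):
    """Return (component_id, StubPath) for Active Setup components not in the baseline."""
    known = {b.lower() for b in baseline_ids}
    found = []
    for path, values in keys.items():
        idx = path.lower().find(ACTIVE_SETUP)
        stub = {k.lower(): v for k, v in values.items()}.get("stubpath")
        comp = path[idx + len(ACTIVE_SETUP):]
        if idx != -1 and stub and comp.lower() not in known:
            found.append((comp, stub))
    return found

def misplaced_system_names(image_paths, sysroot=r"C:\WINDOWS"):
    """Return process images using a System32-only name from another directory."""
    expected = ntpath.normcase(ntpath.join(sysroot, "System32"))
    return [p for p in image_paths
            if ntpath.basename(p).lower() in SYSTEM32_ONLY
            and ntpath.normcase(ntpath.dirname(p)) != expected]

if __name__ == "__main__":
    print(unknown_stubs(parse_reg(SAMPLE_REG), ["{CONSTRUCTED-BASELINE-ID}"]))
    print(misplaced_system_names([r"c:\windows\services.exe",
                                  r"C:\WINDOWS\system32\services.exe"]))
```

The baseline would come from the same export taken on a clean install of the same Windows build.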

