c:\windows\services.exe and port 80

Name: bartmaker2
Date: June 28, 2004 at 03:54:38 Pacific
OS: WIN XP home SP1
CPU/Ram: AMD 2Mhz/1GB
Comment:

This is not the c:\windows\system32\services that is an integral part of Win XP.

ZoneAlarm shows c:\windows\services.exe continuously trying to connect to 207.46.xxx.xxx (Microsoft addresses) via port 80.

I can kill the process and delete services.exe from the drive, but it shows back up even after disabling system restore.

I have run Norton, Spybot, TDS3, stinger, etc.

I have all MS services (autoupdate, time, etc.) turned off.

I initially thought it was Netsky, but no scanner detects it.

I have checked the registry run, run once and Run\Services for "services.exe", but can't find it.

I can not find how services.exe is starting or what is starting it. I looked in the msconfig for run/load/shell commands in the win.ini/system.ini.


I tried writing a batch file using Taskkill, PSkill, process.exe and other similar utils to just kill services.exe on reboot, but they try to kill the valid (system32\services.exe).

TASKKILL will let me specify the owner of the process to kill the correct services.exe, but returns a message saying that services.exe is vital and can't be killed, no matter what switch I use.

Sorry for the long email, but I want to provide as much info as possible so someone can help.

Thanks

Bart
Please help!!!!!




Response Number 1
Name: bartmaker2
Date: June 28, 2004 at 04:15:53 Pacific
Reply:

I forgot to add, after numerous (many!!) attempts to connect on port 80, it will start trying other ports.



Response Number 2
Name: bartmann22
Date: June 28, 2004 at 14:22:57 Pacific
Reply:

Success!!!!

I tried all the antivirus scanners and nothing helped.

Used Security Task Manager and was able to look inside the process and see how it was created.

The following executables were installed by an ActiveX installer.

c:\windows\services.exe
c:\windows\system32\mssyncr.exe

The following keys were found:

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru]

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="E54DHdLbPahxa"
"001"="mssyncr.exe"

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="wwCwiCw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}]
"StubPath"="C:\\WINDOWS\\System32\\mssyncr.exe"

Once I cleared these keys and deleted mssyncr.exe and services.exe, rebooted, no more problem.

Thanks for the ideas!!!

Bart
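
The two artifacts this thread ends on, a services.exe running from outside System32 and an Active Setup StubPath value that relaunches the dropper, can be checked for mechanically. The sketch below is an added example, not part of the original posts; it works on offline data (a process list and .reg export text), and the function names, PIDs, baseline component and hard-coded C:\WINDOWS root are assumptions made for illustration.

```python
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"  # assumption: SystemRoot is C:\WINDOWS, as in the thread
# Core Windows binaries that legitimately run only from System32.
CORE_NAMES = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

def masquerading(processes):
    """Return (pid, path) pairs named like a core binary but located outside System32."""
    return [(pid, path) for pid, path in processes
            if ntpath.basename(path).lower() in CORE_NAMES
            and ntpath.dirname(path).lower() != SYSTEM32]

KEY_RE = re.compile(r"^\[(.+)\]$")
STUB_RE = re.compile(r'^"StubPath"="(.*)"$', re.IGNORECASE)
ACTIVE_SETUP = "\\active setup\\installed components\\"

def active_setup_stubs(reg_text):
    """Parse .reg export text into {component key: StubPath command}."""
    stubs, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := STUB_RE.match(line)) and key and ACTIVE_SETUP in key.lower():
            stubs[key] = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return stubs

def not_in_baseline(stubs, baseline_keys):
    """Keep only components whose key is absent from a known-clean baseline."""
    known = {k.lower() for k in baseline_keys}
    return {k: v for k, v in stubs.items() if k.lower() not in known}

# Constructed sample data: the PIDs and the baseline component are invented;
# the file paths and the {44AC6201-...} key are the ones quoted in the thread.
PROCESSES = [(712, r"C:\WINDOWS\system32\services.exe"),
             (1840, r"C:\WINDOWS\services.exe")]
AS_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
REG_EXPORT = "\n".join([
    "[" + AS_ROOT + r"\{EXAMPLE-BASELINE-COMPONENT}]",
    r'"StubPath"="C:\\WINDOWS\\System32\\example_setup.exe /init"',
    "[" + AS_ROOT + r"\{44AC6201-B203-10CC-1F32-A0BC12E2014D}]",
    r'"StubPath"="C:\\WINDOWS\\System32\\mssyncr.exe"',
])
BASELINE = [AS_ROOT + r"\{EXAMPLE-BASELINE-COMPONENT}"]

if __name__ == "__main__":
    print(masquerading(PROCESSES))
    print(not_in_baseline(active_setup_stubs(REG_EXPORT), BASELINE))
```

On a real machine the baseline would come from an export of the same key taken on a known-clean build of the same OS.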

