
c:\windows\services.exe and port 80


Name: bartmaker2
Date: June 28, 2004 at 04:12:09 Pacific
OS: Windows XP Home
CPU/Ram: 2Ghz/1GB
Comment:

I have posted the following in the Security section, but am still not convinced this is a trojan/virus. I was hoping maybe someone in this forum could help. Thanks


This is not the c:\windows\system32\services that is the integral part of Win XP.

ZoneAlarm shows c:\windows\services.exe continuously trying to connect to 207.46.xxx.xxx (Microsoft addresses) via port 80.

I can kill the process and delete services.exe from the drive, but it shows back up even after disabling system restore.

I have run Norton, Spybot, TDS3, stinger, etc.

I have all MS services(autoupdate, time, etc..) turned off.

I initially thought it was Netsky, but no scanner detects it.

I have checked the registry run, run once and Run\Services for "services.exe", but can't find it.

I can not find how services.exe is starting or what is starting it. I looked in the msconfig for run/load/shell commands in the win.ini/system.ini.


I tried writing a batch file using Taskkill, PSkill, process.exe and other similar utils to just kill services.exe on reboot, but they try to kill the valid (system32\services.exe).

TASKKILL will let me specify the owner of the process to kill the correct services.exe, but returns a message saying that services.exe is vital and can't be killed, no matter what switch I use.

Sorry for the long email, but I want to provide as much info as possible so someone can help.

Thanks

Bart
Please help!!!!!




Response Number 1
Name: svg
Date: June 28, 2004 at 04:27:05 Pacific
Reply:

Hi Bart,

Have you tried this one:
ProcessExplorer (SysInternals)

It does seem like a virus that's trying a DenialOfService attack on Microsoft's servers, though. Maybe your scanner just doesn't pick it up. Try AVG Anti-Virus, because I know for sure that that one has a "use heuristics" option (which can evaluate whether something is a variant of a virus) - although other scanners may also have such a function (Norton has it too !?). Don't forget to update it first, before zapping the baddie:
[on-line] BitDefender Anti-Virus
[on-line] RAV Anti-Virus (AV Security)
[on-line] ActiveScan Anti-Virus (Panda)
[on-line] HouseCall Anti-Virus (Trend Micro)
nod32 Anti-Virus (eset)
Avast! Anti-Virus (Avast)
F-Prot Anti-Virus (F-Secure)
[on-line] TrojanScan (GFi)
AVG Anti-Virus (Grisoft)

You can also use these general activity-loggers to try and find out what's behind the services.exe:
TDIMon & FileMonitor & RegMonitor (SysInternals)
TDIMon for monitoring your connection, FileMonitor for HardDisk use, and RegMonitor for tracking registry-activity. You can watch it in real-time or start logging until you see the virus kick in, and then quickly stop the log, so you get an idea of what's involved.
___________________________________________
[Belgium, GMT+1]_________________________svg


0

Response Number 2
Name: bartmaker2
Date: June 28, 2004 at 05:11:12 Pacific
Reply:

Thanks.

I will try your suggestions and report back later today.


0

Response Number 3
Name: bartmann22
Date: June 28, 2004 at 14:21:25 Pacific
Reply:

Success!!!!

SVG

I tried all the antivirus scanners and nothing helped.

Used Security Task Manager and was able to look inside the process and see how it was created.

The following executables were installed by ActiveX installer.

c:\windows\services.exe
c:\windows\system32\mssyncr.exe

The following keys were found:

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru]

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="E54DHdLbPahxa"
"001"="mssyncr.exe"

[HKEY_USERS\S-1-5-21-3921047617-2713423431-535997716-1003\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="wwCwiCw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}]
"StubPath"="C:\\WINDOWS\\System32\\mssyncr.exe"

Once I cleared these keys and deleted mssyncr.exe and services.exe, rebooted, no more problem.

Thanks for the ideas!!!

Bart


0
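Added example, not part of the original thread: a Python sketch of the two checks this case turned on. It lists Active Setup `StubPath` entries from a regedit text export that are missing from a known-good baseline (a location the Run/RunOnce checks in the first post do not cover), and it flags a core process name such as services.exe running outside System32. The baseline GUID, the `baseline_component.exe` entry and the function names are constructed for illustration; the second key is the one posted above.

```python
import ntpath
import re

ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
# Core Windows process names that legitimately run only from System32.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "winlogon.exe", "svchost.exe", "csrss.exe"}

# Constructed regedit export: one baseline entry (placeholder GUID) plus the key from the thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\WINDOWS\\system32\\baseline_component.exe /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44AC6201-B203-10CC-1F32-A0BC12E2014D}]
"StubPath"="C:\\WINDOWS\\System32\\mssyncr.exe"
'''
BASELINE = {"{00000000-0000-0000-0000-000000000001}"}  # GUIDs recorded on a clean install

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; undo the .reg backslash escaping
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def unknown_stubpaths(keys, baseline_guids):
    """Return (guid, StubPath) for Active Setup components absent from the baseline."""
    prefix, hits = ACTIVE_SETUP.lower() + "\\", []
    for path, values in keys.items():
        stub = {k.lower(): v for k, v in values.items()}.get("stubpath")
        if stub and path.lower().startswith(prefix):
            guid = path[len(prefix):]
            if guid.upper() not in baseline_guids:
                hits.append((guid, stub))
    return hits

def is_masquerading(image_path, system_root=r"C:\WINDOWS"):
    """True when a System32-only process name runs from any other directory."""
    folder, name = ntpath.split(ntpath.normcase(image_path))
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    return name in SYSTEM32_ONLY and folder != expected
```

The export can be produced with `reg export` on the suspect machine and compared against GUIDs collected from a clean install of the same Windows build.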

Response Number 4
Name: svg
Date: June 28, 2004 at 20:31:46 Pacific
Reply:

Good to see you blasted it yourself!
__________________________________________
[Belgium, GMT+1]_________________________svg


0
