hijacked services.exe ?

Jeff

Recently, when I boot up my XP Home, Zone Alarm asks permission for
services.exe to access the internet. ZA's help says this is a normal
service and that I should allow it.

My concern is that I do not remember getting this request for services to
access the internet before the past 3-4 days and I am therefore suspicious.
Could a virus, trojan, etc. camouflage itself as "services.exe"? My virus
checker, adware checkers, etc find nothing bad on my drive.

Advice appreciated.

--

Jeff Williams
Email address deliberately false to avoid spam
(e-mail address removed)
Outgoing mail is certified Virus Free by AVG
 
Jeff

Thank you very much for replying and especially for giving me that URL. I
went there and it said that in XP, the file services.exe should be located
at c:\windows\system32\services.exe and that if it was located at
c:\windows\services.exe, then I most likely had the "W32Netsky" virus.

So I searched for services.exe and found I had it in 3 locations:
1. c:\windows\system32\services.exe (which is correct)
2. in Windows\prefetch (which I guessed is correct)
3. c:\windows\services.exe

Even though my virus checker (AVG) could find no viruses, I downloaded
Symantec's FixNetsky tool and ran it twice as directed by their website,
with a hard boot between. It did not find the virus either. But, I am now
left with the dilemma as to why the duplicate file c:\windows\services.exe
exists on my PC - which is probably why ZoneAlarm asked me about it
suddenly. I would like to delete the c:\windows\services.exe file since the
original correct one exists at c:\windows\system32\services.exe but am
afraid that might screw the system.

Do you know if it is normal for c:\windows\services.exe to exist in XP Home
in addition to c:\windows\system32\services.exe ? Any advice would be
appreciated.

Alex Nichol

Jeff said:
Thank you very much for replying and especially for giving me that URL. I
went there and it said that in XP, the file services.exe should be located
at c:\windows\system32\services.exe and that if it was located at
c:\windows\services.exe, then I most likely had the "W32Netsky" virus.

So I searched for services.exe and found I had it in 3 locations:
1. c:\windows\system32\services.exe (which is correct)
2. in Windows\prefetch (which I guessed is correct)

It is legitimate to have a file there (though my system does not) - it
would though be something like services.exe-12345678.pf. A simple
services.exe there is decidedly suspicious, as is
3. c:\windows\services.exe

I would delete both of those, keeping the one in system32 and see what
happens. It may be one of those things that foul up file associations,
so I would first go to http://www.dougknox.com/xp/xp_fixes.html and get
the File Association fixes so as to have them on hand.

It may be a piece of 'hijack' rather than a virus, so I would not trust
just to AVG for clearing up - see http://rgharper.mvps.org/cleanit.htm
for good advice
 
Jeff

The prefetch one does have a number after it and I deleted it easily.
However, the "c:\windows\services.exe" one would not allow me to
delete it, telling me access is denied. I checked its attributes and it only
has the "archive flag" set. It is not read only, hidden or system file. It
is also only 6K in size.

I'll try to delete it in safe mode unless you have other advice.

Jeff

I was finally able to delete "c:\windows\services.exe". I did it by renaming
it to "serv.exe" and then it let me delete it. It is now in my Recycle bin
till I decide what to do with it.

When I checked what processes were running I saw there were 2 "services.exe"
running. One was owned by system and the other one was in my name. I could
not terminate the one in my name.

I will now reboot and see if all hell breaks loose.
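
A defender-side check for what Alex and Jeff describe above (a services.exe outside System32, a bare services.exe in Prefetch, and a second services.exe process not owned by SYSTEM), as an added example that is not from this thread. It assumes PowerShell 3 or later on a modern Windows, run from an elevated prompt; the WinSxS exclusion and the variable names are my assumptions, and the XP machine in the thread would need the same checks done by hand.

```powershell
# Added example, not code from the thread. Checks the three things the thread
# turns on: stray copies of services.exe, a bare services.exe in Prefetch, and
# a second services.exe process running under a user account instead of SYSTEM.
# Assumes PowerShell 3+ on a modern Windows, run from an elevated prompt.

$legit = Join-Path $env:SystemRoot 'System32\services.exe'

# 1. Disk: the only file named services.exe should be the one in System32.
#    WinSxS is skipped because the servicing store legitimately keeps copies.
Get-ChildItem -Path $env:SystemRoot -Filter 'services.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ne $legit -and $_.FullName -notlike '*\WinSxS\*' } |
    ForEach-Object { Write-Warning ("Unexpected copy: {0} ({1} bytes)" -f $_.FullName, $_.Length) }

# 2. Prefetch: a real trace is named SERVICES.EXE-<8 hex digits>.pf, so a
#    file called just services.exe in that folder is not a prefetch file at all.
Get-ChildItem -Path (Join-Path $env:SystemRoot 'Prefetch') -Filter 'services.exe*' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notmatch '^services\.exe-[0-9A-F]{8}\.pf$' } |
    ForEach-Object { Write-Warning "Odd file in Prefetch: $($_.FullName)" }

# 3. Processes: exactly one services.exe, started from System32, owned by SYSTEM.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'services.exe'")
if ($procs.Count -ne 1) { Write-Warning "Expected 1 services.exe process, found $($procs.Count)" }
foreach ($p in $procs) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $who   = '{0}\{1}' -f $owner.Domain, $owner.User
    if ($p.ExecutablePath -ne $legit -or $who -ne 'NT AUTHORITY\SYSTEM') {
        Write-Warning ("Suspicious services.exe PID {0}: path={1} owner={2}" -f $p.ProcessId, $p.ExecutablePath, $who)
    }
}
```

A clean machine prints no warnings; the second, user-owned process Jeff saw would be reported under check 3 with its path, which is the file to rename and submit for analysis rather than delete.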

Jeff

No good. After I rebooted, the 6K services.exe was back in
c:\windows\services.exe and two different services.exe were running as
processes. :-(

Jeff

I do not know what to do. I isolated my PC, wiped (using acronis privacy
suite) my internet temporary files. I deleted the c:\windows\services.exe
file under Safe Start, (the second services did not load under safe start
when I checked running processes), I wiped all free space on the disk in
Safe mode, and when I reboot, it is there again!

I have always had Zone Alarm on, use updated Ad-Aware, Spybot, Spyware
Blaster, updated AVG, and I still seem to have gotten this damn hijack.
I've run Symantec's FixNetsky in case that was it and it found nothing.
Looks hopeless!

Any suggestions welcomed.

Jeff

Looking through my registry I see the c:\windows\services.exe to be
associated with "Download Manager" and "NetAp" in Windows\system32\... I do
have an installed utility called "Internet Download Manager" but don't know
what NetApps is.

Just in case anyone has any ideas.

Alex Nichol

Jeff said:
The prefetch one does have a number after it and I deleted it easily.
However, the "c:\windows\services.exe" one however would not allow me to
delete it, telling me access it denied. I checked its attributes and it only
has the "archive flag" set. It is not read only, hidden or system file. It
is also only 6K in size.

I'll try to delete it in safe mode unless you have other advice.

Rename it instead. At 6K it is almost certainly a nasty. Then when you
reboot, whatever is bringing it into use will be unable to find it, and
you can try to analyse any complaint. But have the File association fix
to hand - this may *well* be one that has stuck itself in that, and will
result in 'cannot find program needed to run .exe files'
 
Alex Nichol

Jeff said:
I do not know what to do. I isolated my PC, wiped (using acronis privacy
suite) my internet temporary files. I deleted the c:\windows\services.exe
file under Safe Start, (the second services did not load under safe start
when I checked running processes), I wiped all free space on the disk in
Safe mode, and when I reboot, it is there again!

Try CWShredder - now a bit out of date - at
www.aumha.org/freeware.htm#cwshred

And consult general guidance at http://rgharper.mvps.org/cleanit.htm

It is another program of some sort that is running, and recreating the
services.exe item. These can be the devil to track down. Hijackthis is
probably best bet, but interpreting its logs needs expert guidance - see
the forum on that at
HijackThis Logs:
http://forum.aumha.org/viewforum.php?f=30

(the other forums on security there are also a valuable resource)
 
Jeff

Thanks.

Jeff

Just wanted to let everyone know FYI.

Everything I had tried so far had failed. My own virus checker (AVG) found
nothing and none of the online ones did except for Kaspersky
(http://www.kaspersky.com/personal) where I submitted the suspicious file
and in seconds it told me it was infected with the
"TrojanDownloader.win32Delf.cq". It suggested I download their trial
program. I did and it identified 9 "objects" infected with this virus or
with the VirusI-Worm.Bagle.ai, which it deleted or repaired. These
infections were on my PC despite my conscientious use of updated AVG, Zone
Alarm, SpyBot and Ad-Aware, etc.

Scary. I think I will buy and switch to Kaspersky's Anti-virus from now on.
Thought others should know.

Alex Nichol

Jeff said:
Scary. I think I will buy and switch to Kaspersky's Anti-virus from now on.
Thought others should know.

Thanks for letting us know. Kaspersky is one of the best programs
(though none is infallible)
 
