
Confirm "services.exe" isn't a fake?

2 replies to this topic

#1 Gondring


  • Members
  • 1 posts
  • Local time:03:40 PM

Posted 28 April 2009 - 08:47 AM

I've tried to do homework so as not to waste experts' time, but I haven't figured out what is going on. I'd appreciate help. And I've read the "before posting" guides, so I hope I am doing this right (though I was confused by the one that talked about posting HJT logs but then asked for posting of DDS ones :thumbsup: ).

Running XP with SP2, and I know where services.exe is supposed to be, but I'm concerned that the one I have in there is a Trojan of some type because I get firewall notifications of services.exe trying to initiate contact with IP addresses in China. I've done Windows Updates except for Service Pack 3 and IE.

There are also other services.exe on my drive in other locations, with later build numbers. I have checked and there are no "service.exe" files, just the plural "serviceS.exe".

No scans I've run (even Malwarebytes' Anti-Malware--which I was told was best for the services.exe trojans) pick up any malware at all (even when I scan the "services.exe" files). But I'm skeptical of their results because of the attempted HTTP traffic initiated from services.exe.

I'm wondering:
  • What is the information I should have for my services.exe file (size, date, build) if it's authentic?
  • What other steps should I take?
Thank you for your time and assistance.


Edit: Oh, and I have looked at the other "services.exe" trojan info I've seen on Google searches and none of those seem to fit this situation. I hesitate to think I am special enough to have a new one, but I sure am confused by it!

Edited by Gondring, 28 April 2009 - 08:50 AM.


#2 hamluis



  • Moderator
  • 56,566 posts
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:40 PM

Posted 28 April 2009 - 12:08 PM

This appears to be a good summary: http://www.neuber.com/taskmanager/process/services.exe.html

The legitimate process is services.exe (all lowercase) and it should be located in the System32 folder of Windows.

Multiple instances may occur, from what I read, legitimately. I believe that those who state that anything other than a file in the system32 folder...is bogus...are incorrect. There are other factors to consider (Properties, location, version, size), IMO, when attempting to determine if a file is valid or a malware impostor.

In fact, I find 10 copies of it on this system and I'm pretty sure they are all valid. In addition to the System32 folder, I find copies in SP3 download folders, Software Distribution folder, and the System32\dllcache folder. Versions and file sizes follow: Version 5.1.2600.5512 (108KB) and 5.1.2600.5755 (108KB) and 5.1.2600.2180 (105KB)

These files have all been scanned by SUPERAntispyware, Avira Free, and Spybot...countless times and given a clean bill.

Note that when the filename is all caps, it is something else: http://www.prevx.com/filenames/47633956502...RVICES.EXE.html

Of course...I'm no expert anything, let alone a malware expert. If I had any doubts, I think I would post at BleepingComputer.com - Am I infected What do I do - http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

FWIW: SP3 is a critical security update. Users who don't have it installed...don't seemingly value their system security, IMO. I employ that same theory for those who don't use a firewall, a reliable, updated AV program...and at least 2 (personal arbitrary number) reliable antispyware/antimalware programs.

I've been wrong before :thumbsup:.


#3 Romeo29


    Learning To Bleep

  • Members
  • 3,194 posts
  • Gender:Not Telling
  • Location:
  • Local time:02:40 PM

Posted 28 April 2009 - 01:26 PM

How to find out if services.exe being run is valid:

1. Download Process Explorer from http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx and run it.
2. Make sure Process Explorer can access the internet.
3. In the Process Explorer window, select from the menu: Options -> Verify Image Signatures.
4. Right click on Services.exe and select Properties.
5. If you see verified as shown in the attached picture, then your services.exe is valid and genuine. If you don't see verified, then try clicking the Verify button if it is not grayed out. If it is grayed out, then verification has been done. Also check the command line of services.exe; it should be c:\windows\system32\services.exe. Since services are started by winlogon, you should also see that the parent of services.exe is winlogon.exe as shown in the picture.

Also, all services are run by only a single instance of services.exe, so you should see only one services.exe in Process Explorer.

Edited by Romeo29, 28 April 2009 - 01:28 PM.
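
The checks described in this thread (image path, parent process, instance count, signature), as an added PowerShell example that is not part of any post above. It assumes Windows PowerShell 5.1 in an elevated session; the `$ExpectedParent` parameter is hypothetical and defaults to `wininit.exe`, which starts services.exe on Windows Vista and later, whereas the thread's Windows XP system has winlogon.exe as the parent.

```powershell
# Added example (not from the thread): scripted form of the Process Explorer checks.
# Assumption: Windows PowerShell 5.1, run elevated so ExecutablePath can be read.
param(
    # Hypothetical parameter. The thread's Windows XP system uses 'winlogon.exe'.
    [string]$ExpectedParent = 'wininit.exe'
)

$expectedPath = Join-Path $env:SystemRoot 'System32\services.exe'

# Snapshot every process once and index by PID so parents can be resolved.
$all = @(Get-CimInstance -ClassName Win32_Process)
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$instances = @($all | Where-Object { $_.Name -ieq 'services.exe' })

# Check: all services run under a single services.exe instance.
if ($instances.Count -ne 1) {
    Write-Warning ("Expected 1 running services.exe, found {0}" -f $instances.Count)
}

foreach ($proc in $instances) {
    # The parent may have exited; its PID is then absent from the snapshot.
    $parent = $byPid[[int]$proc.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<not running>' }

    # ExecutablePath is empty when the caller may not query the process.
    $path = $proc.ExecutablePath
    $sigStatus = 'PathUnavailable'
    $signer = ''
    if ($path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        ProcessId   = $proc.ProcessId
        Path        = $path
        PathOK      = ($path -ieq $expectedPath)
        Parent      = $parentName
        ParentOK    = ($parentName -ieq $ExpectedParent)
        Signature   = $sigStatus
        SignatureOK = ($sigStatus -eq 'Valid')
        Signer      = $signer
    }
}
```

Where `Get-AuthenticodeSignature` checks only embedded signatures, a catalog-signed system file reports `NotSigned`, so Process Explorer's Verify option remains the reference check there. A parent PID can be reused after the original parent exits, so a parent mismatch calls for closer inspection rather than a verdict.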
