
Services.exe trying to mail


18 replies to this topic

#1 sdb1980

sdb1980

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:49 AM

Posted 13 July 2009 - 04:12 PM

My internet has been slow for weeks. At first, I thought it was my connection. My ISP sent a tech out and everything was fine. A few weeks later, they sent me a letter saying my IP was being flagged for abuse and they would shut me down if I didn't correct the problem.

I ran Spybot, Malwarebytes, and AVG which did not detect anything, and I made sure to update each one before I performed the scan. So, I picked Zone Alarm and it immediately told me services.exe was trying to send mail. So I blocked the program in Zone Alarm Firewall and instantly my internet connection was running perfect.

Okay, so I've temporarily stopped the problem but now I need to FIX the problem. When the zone alarm alert pops up after every time I reset my computer, it says the infected file is windows/services32/services.exe. This is the legit windows service I thought?

So I put in my installation disk and ran Start >> Run >> sfc /scannow to see if the file was corrupted. It ran for about 40 minutes and then just turned off. I'm guessing it didn't find anything.

What can I do? Any advice is greatly appreciated and thanks for your time.



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:49 PM

Posted 14 July 2009 - 05:56 PM

Try uploading the services.exe file to Jotti for analysis.

You could try copying a clean copy of the services.exe file into the C:\WINDOWS\system32 directory in Safe Mode.

There might be a copy of the file in this directory: C:\WINDOWS\system32\dllcache
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 sdb1980


Posted 15 July 2009 - 02:33 PM

Thanks, will try those things and update.

#4 sdb1980


Posted 15 July 2009 - 04:50 PM

Okay, uploaded it to Jotti. It didn't find anything. The services.exe file in C:\WINDOWS\system32\dllcache is 108KB. Is this the normal file size? I double checked in C:\WINDOWS\system32\ and now I don't even see services.exe (yes, I have it set to view hidden files).

Would it help if I used HiJackThis or something similar?

#5 Budapest


Posted 15 July 2009 - 05:05 PM

108KB is the correct size. I just double-checked on the machine I'm using now and services.exe is in the system32 directory. Process Explorer also shows it running from that location.

I understand that it is normal for services.exe to connect to the internet.

#6 sdb1980


Posted 15 July 2009 - 10:15 PM

> 108KB is the correct size. I just double-checked on the machine I'm using now and services.exe is in the system32 directory. Process Explorer also shows it running from that location.
>
> I understand that it is normal for services.exe to connect to the internet.


Okay. I have no idea where this backdoor mailer is then. All I know is my ISP is upset, my internet was slow, and I need to get it fixed. :thumbsup:

I'm thinking reformat since no spyware programs are finding anything at all. Zone Alarm blocks it, but that only masks the problem and doesn't fix it.

So frustrating. Anything else I can try? Thanks again for all your help. :flowers:

#7 Budapest


Posted 15 July 2009 - 10:22 PM

Try using Process Explorer to see if you can find out where it is lurking.

#8 sdb1980


Posted 16 July 2009 - 04:15 PM

> Try using Process Explorer to see if you can find out where it is lurking.


I downloaded it, but not quite sure what I'm looking for here. I might be in above my head. I know how to do simple tasks, but when it comes to finding spyware/malware I'm lost. Thanks for the continued help, do you know of any other good programs which might help me narrow this down?

#9 Budapest


Posted 16 July 2009 - 04:46 PM

When you run Process Explorer look through the list of processes on the left hand side of the screen. Find the process named services.exe, right-click on it and select Properties. Then copy the Path and paste it back here. Check through the entire list of processes as there may be more than one called services.exe.

#10 sdb1980


Posted 21 July 2009 - 04:10 AM

> When you run Process Explorer look through the list of processes on the left hand side of the screen. Find the process named services.exe, right-click on it and select Properties. Then copy the Path and paste it back here. Check through the entire list of processes as there may be more than one called services.exe.


Hey, sorry for the delay in my reply, been out of town. I checked the path and it is the legit services path - windows/system32/services.exe.

ZoneAlarm is still telling me it is "trying to transmit email messages". So, I block it with ZA firewall and then it just comes back every time I restart my computer.

I am scratching my head here. Maybe upload a hijack this log? I really don't know what else to do at this point.
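
Added example (not part of any post in this thread): the path check requested in post #9 and the mail traffic ZoneAlarm reports in post #10, scripted in PowerShell. It assumes Windows 8 / Server 2012 or later and an elevated prompt, so it does not run on the XP SP2 machine in the thread; the SMTP port list and the function name `Test-ServicesImage` are assumptions made for illustration.

```powershell
# Added example. Run elevated; Get-NetTCPConnection needs Windows 8 / Server 2012+.
$expected  = Join-Path $env:SystemRoot 'System32\services.exe'
$smtpPorts = 25, 465, 587          # assumption: common SMTP / submission ports

# Index every running process by PID so connection owners can be resolved.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Test-ServicesImage {
    param($Process)
    $path = $Process.ExecutablePath
    if (-not $path)          { return 'PATH-UNREADABLE (re-run elevated)' }
    if ($path -ne $expected) { return 'UNEXPECTED-PATH' }   # -ne ignores case
    # System binaries are catalog-signed; older PowerShell versions may
    # report NotSigned for them, so treat that result as "check by hand".
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { return "SIGNATURE-$($sig.Status)" }
    return 'OK'
}

# 1. Every process called services.exe, with its on-disk path and parent.
$services = @($procs.Values | Where-Object { $_.Name -ieq 'services.exe' })
$services | ForEach-Object {
    [pscustomobject]@{
        PID     = $_.ProcessId
        Parent  = $procs[[int]$_.ParentProcessId].Name
        Path    = $_.ExecutablePath
        Verdict = Test-ServicesImage $_
    }
} | Format-Table -AutoSize
if ($services.Count -ne 1) {
    Write-Warning "Expected exactly one services.exe, found $($services.Count)"
}

# 2. Which process actually owns the outbound connections to mail ports?
Get-NetTCPConnection -RemotePort $smtpPorts -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            State  = $_.State
            PID    = $_.OwningProcess
            Image  = $owner.Name
            Path   = $owner.ExecutablePath
        }
    } | Format-Table -AutoSize
```

If the second table names the genuine services.exe as the owner while the first reports `OK`, the file on disk is not the whole story and the modules and services loaded inside that process are the next thing to inspect.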

#11 Budapest


Posted 21 July 2009 - 05:31 AM

Update Malwarebytes, run a quick scan and post the log.

#12 sdb1980


Posted 21 July 2009 - 03:25 PM

> Update Malwarebytes, run a quick scan and post the log.


In safe mode or normal mode? Thanks :thumbsup:

#13 Budapest


Posted 21 July 2009 - 04:23 PM

Normal Mode.

#14 sdb1980


Posted 21 July 2009 - 06:55 PM

Here's the Malwarebytes log you requested. It came back clean. I also posted a hijack this log in this thread -> http://www.bleepingcomputer.com/forums/topic243209.html, in case you wanted to see that too. Thanks.


Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

7/21/2009 7:53:15 PM
mbam-log-2009-07-21 (19-53-15).txt

Scan type: Quick Scan
Objects scanned: 86770
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,994 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:49 AM

Posted 22 July 2009 - 04:51 PM

Topic reopened and HiJack This log deleted.

Back to you Budapest.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



