Infected Services.exe
My cable connection was shaped two days after the start of the billing month; this is very fast for me, even when downloading with P2P.
Since shaping, web and email were unusable. I used TCPviewer and found my services.exe is opening lots of SMTP connections to Yahoo and AOL addresses.
I believe this is a spambot hijacking my system; however, it is still functioning as a key Windows file, as if I shut it down Windows reboots. I have it blocked now via BitDefender, so I can get here. But how can I go about cleaning the file or at least restoring the original file? It seems it is endemic on my ISP, as the only two people I know who use the same ISP have the same symptoms. PS the path is the legit path for services.exe
Am I right or is that usual behaviour for services.exe?
Comments
Hi fartzalot,
To be sure all your critical Windows applications are intact, you can do this: click Start -> Run and write cmd <Enter>.
Then write: sfc /SCANNOW <Enter>. This will start Windows File Checker, which will scan all system files. You might need to use the original Windows CD.
Also, if you have doubts about some files in your PC (whatever those files are), you can go to www.virustotal.com and upload the file there. That webpage will scan the file with 30+ different AV products and will tell you the results in a few minutes. If anything seems suspicious to you, put the suspected files in a zip file (protected by the password infected) and attach it on this forum, in the Malware section. It will be studied by BD Virus Analysts and you'll know for sure if the file is infected or not.
Cris.
Well, it reports nothing, but still C:/windows/system32/services.exe has been opening lots of SMTP connections. So I post it here.
services.zip
You may want to check for rootkits. Have seen this a lot when rustock* is present.
http://vil.nai.com/vil/content/v_140181.htm
Read here how to remove it: http://www.geekstogo.com/forum/How-to-Remo...ns-t140682.html
The rustock fix does not find it. I downloaded GMER and ran it; it found Trojan.peed.hzv and, lo and behold, Bitdefender noticed it as soon as the scan finished. I guess GMER stopped it from protecting itself.
The trojan does use services.exe as a spam server. Now I have to clean it out.
Thanks for the help.
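The symptom described in the first post (services.exe holding many outbound SMTP connections) can be checked from saved `netstat -ano` output. The following is an added example, not part of the original thread: the sample rows, the PID-to-image map, the `NEVER_MAIL` list and the `max_peers` threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the thread): `netstat -ano` TCP rows and a
# PID-to-image map such as `tasklist` would give. IPs are documentation ranges.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.5:25         ESTABLISHED     712
  TCP    192.168.1.10:1046      203.0.113.9:25         SYN_SENT        712
  TCP    192.168.1.10:1047      198.51.100.20:25       ESTABLISHED     712
  TCP    192.168.1.10:1048      198.51.100.77:25       SYN_SENT        712
  TCP    192.168.1.10:1050      192.0.2.8:25           ESTABLISHED     2040
  TCP    192.168.1.10:1051      192.0.2.44:80          ESTABLISHED     2040
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
"""
PROCESSES = {712: "services.exe", 980: "svchost.exe", 2040: "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Assumption: system images that have no reason to speak SMTP (adjust per host).
NEVER_MAIL = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def smtp_peers_by_pid(netstat_text):
    """Map each PID to the set of remote hosts it talks to on an SMTP port."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _, _, raddr, rport, state, pid = m.groups()
        if state != "LISTENING" and int(rport) in SMTP_PORTS:
            peers[int(pid)].add(raddr)
    return dict(peers)

def flag_suspects(netstat_text, processes, max_peers=3):
    """Return (pid, image, peer_count, reasons) for processes worth a closer look."""
    findings = []
    for pid, peers in sorted(smtp_peers_by_pid(netstat_text).items()):
        image = processes.get(pid, "unknown").lower()
        reasons = []
        if image in NEVER_MAIL:
            reasons.append("system process speaking SMTP")
        if len(peers) > max_peers:
            reasons.append("many distinct mail servers")
        if reasons:
            findings.append((pid, image, len(peers), reasons))
    return findings

if __name__ == "__main__":
    print(flag_suspects(NETSTAT, PROCESSES))
```

In the constructed sample, the mail client with a single SMTP peer is not flagged, while the services.exe PID is flagged on both counts.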