services.exe question


jcwem
January 4th, 2005, 10:20 AM
Hi all,
I am new to this forum and a new owner of PE. I have noticed that services.exe process running on my home PC attempts to connect to a remote IP address using remote port 54. This IP address is located in the UK. This occurs each time I boot the pc. This seems kinda strange and am wondering if this is a trojan. I have read that as long as the services.exe process is running from the %windir%\system32 it is legitimate.

I am a novice when it comes to analyzing processes and associated ports and would appreciate any information you can provide. :D

nadirah
January 5th, 2005, 06:03 AM
services - services.exe - Process Information
Process File: services or services.exe
Process Name: Windows Service Controller

Description:
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated. Note: services.exe is also a process which is registered as the W32.Randex.R Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

nadirah
January 5th, 2005, 06:06 AM
-{ Quote: "I have noticed that services.exe process running on my home PC attempts to connect to a remote IP address using remote port 54. This IP address is located in the UK. This occurs each time I boot the pc. This seems kinda strange and am wondering if this is a trojan." }-

Can you please state what is the remote IP address that your computer connects to? I will do a WHOIS check on that IP address to try and find out who it is.
If you have a firewall, you can try blocking that remote IP address, it should prevent the trojan from connecting to the hacker's computer. Do you have a firewall installed on your computer?
Please install a firewall immediately before using TDS-3 to block the trojan from connecting to the hacker. Try Sygate Personal Firewall from here: http://www.majorgeeks.com/download3356.html

After installing the firewall, you can then use the TDS-3 trial version from http://www.diamondcs.com.au to detect and destroy the active trojan on your computer.

Jimbob1989
January 5th, 2005, 08:36 AM
-{ Quote: "Can you please state what is the remote IP address that your computer connects to? I will do a WHOIS check on that IP address to try and find out who it is." }-

Will the forum staff allow someone's IP address to be posted here?

Jimbob

LowWaterMark
January 5th, 2005, 09:06 AM
-{ Quote: "Will the forum staff allow someones IP address to be posted here?" }-

In this case they are talking about an IP address out on the Internet that their system is connecting to, not their own address. For diagnostic purposes we would allow the posting of that IP address as it may be a good clue as to what is happening there.

jcwem
January 5th, 2005, 11:38 AM
First of all,

Thanks for replying.

The IP address is 62.73.174.194. It resolves to us100000003-pip.eu.verios.net

I have a ZoneAlarm firewall on the pc and I have already blocked incoming and outgoing traffic to that IP address.

From what I understand it would be normal for services.exe to access ISP DNS servers. Is this correct? Also, as I stated previously, I had read that as long as services.exe is running from %windir%\system32 it is not a trojan. This could be incorrect.

I have run Norton antivirus, spybot, wintasks, security task manager, and ewido but none of these applications have detected a trojan.

Thanks.
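
Added example, not part of any post in this thread: a PowerShell check for the two things the post above asks about, namely where a process named services.exe is actually running from and which remote endpoints it holds TCP connections to. It assumes a current Windows with the `Get-CimInstance`, `Get-AuthenticodeSignature` and `Get-NetTCPConnection` cmdlets (none of the tools named in the thread); the look-alike name list is constructed for illustration.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Expected image path of the real Service Control Manager.
$expected = Join-Path $env:windir 'System32\services.exe'

# Names to inspect: the real one plus constructed look-alikes (illustrative only).
$names = 'services.exe', 'service.exe', 'servicess.exe', 'services32.exe'

# -contains is case-insensitive, so SERVICES.EXE matches as well.
$procs = Get-CimInstance Win32_Process | Where-Object { $names -contains $_.Name }

foreach ($p in $procs) {
    # ExecutablePath can be empty when the query lacks rights to the process.
    $path = $p.ExecutablePath
    $pathCheck = if (-not $path) { 'unavailable' }
                 elseif ($path -ieq $expected) { 'expected' }
                 else { 'UNEXPECTED' }

    # Signature status of the file on disk; a second data point beside the
    # path, since a path match alone says nothing about the file's contents.
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status }
           else { 'n/a' }

    # TCP connections owned by this PID, ignoring unbound and loopback peers.
    $remote = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
        ForEach-Object { '{0} port {1} ({2})' -f $_.RemoteAddress, $_.RemotePort, $_.State }

    [pscustomobject]@{
        Name      = $p.Name
        PID       = $p.ProcessId
        Path      = $path
        PathCheck = $pathCheck
        Signature = $sig
        RemoteTcp = $remote -join '; '
    }
}
```

This lists TCP only; a connection attempt that a firewall has already blocked may not appear in the output.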

kareldjag
January 5th, 2005, 11:49 AM
Hi,

Minimum protection: AV + AT + FIREWALL.
All other security software could be found on this forum.

*Windows Services Configuration: http://www.blackviper.com/WinXP/servicecfg.htm

*To close critical ports, WWDC, a little tool from GKWEB:
http://www.firewallleaktester.com/wwdc.htm

*Nirsoft utilities:

*IpNetInfo (to find information about an IP)
http://www.nirsoft.net/utils/ipnetinfo.html

*Currports (to find any listening port on your system)
http://www.nirsoft.net/utils/cports.html

*A list of ports used by trojans on a little site where to learn a little bit about security: http://www.doshelp.com/trojanports.htm

Best Regards

jcwem
January 5th, 2005, 01:08 PM
kareldjag,

Thanks.