Services.exe in c:\windows

[solved] Services.exe in c:\windows

My software firewall (kerio 4) alerts me with several alerts, one of them:

[4/7/2004 1:10:08]
Direction: outgoing
Local Point: 0.0.0.0, port 1954
Adapter: NVIDIA nForce MCP Networking Controller - Pakketplanner-minipoort
Remote Point: origin2.microsoft.com [207.46.250.252], port http [80]
Protocol: TCP
Application path: C:\WINDOWS\services.exe
Description: services
File version:
Size: 6.748
Created: 2003/5/29, 09:52:40
Modified: 2003/5/29, 09:52:40
Accessed: 2003/12/31, 14:44:06

It seems, this application is trying to make an outgoing connection to Microsoft and others.

The system on which it occurs has WinXP Professional.

As far I know, the application services.exe normally is in the windows\system32 directory, it is there too with another size: 101.888 and date (9-7-2001).

I have scanned the application with Kaspersky AV, F-Secure AV and TDS, and no alarm at all.

Logfile of HijackThis v1.98.0
Scan saved at 16:13:12, on 4-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Executive Software\Diskeeper Administrator\Controller\AdminServer.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
C:\WINDOWS\System32\SRVANY.EXE
C:\Program Files\ISDNCID\isdncid.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\SLEE503.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\V2i Protector 2.0\Agent\PQV2iSvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\DC-216 Utility\Systemtray.exe
C:\Program Files\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\CpuIdle\cpuidle.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\ServiceLayer.exe
C:\Program Files\RAM Saver Pro\ramsaverpro.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Wireless Watch\WirelessWatch.exe
C:\Program Files\Steganos Security Suite 6\sss.exe
C:\Program Files\Steganos Security Suite 6\safe.exe
C:\Program Files\Steganos Security Suite 6\spm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\ScanPanel\ScnPanel.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Sitecom\Bluetooth Software\BtStackServer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe
C:\Program Files\eMule\eMule.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wilderssecurity.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dave's Play Toy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16664845-0E00-11D2-8059-000000000000} - (no file)
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CleanRegPath] C:\PROGRA~1\DC-216 Utility\CleanReg.exe
O4 - HKLM\..\Run: [ADSLSYSTEMTRAY] C:\PROGRA~1\DC-216 Utility\Systemtray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdle\cpuidle.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\System32\LVComS.exe
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Dave"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Speaking Clock Deluxe] "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [RAMSaverPro] C:\Program Files\RAM Saver Pro\ramsaverpro.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Wireless Watch#Autostart] "C:\Program Files\Wireless Watch\WirelessWatch.exe"
O4 - HKCU\..\Run: [SSS6_Suite] "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
O4 - HKCU\..\Run: [SSS6_SAFE] "C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
O4 - HKCU\..\Run: [SSS6_SPM] "C:\Program Files\Steganos Security Suite 6\spm.exe" /booting
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Dave"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Alles downloaden met &ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Do&wnload met &ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\CopernicAgentExt.dll
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\CopernicAgentExt.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\CopernicAgent.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\CopernicAgent.exe
O9 - Extra button: Preispiraten 2.1.1 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Program Files\Preispiraten\Preispiraten2\preispiraten2ie.exe
O9 - Extra button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - (no file)
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - (no file)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: eBay Homepage - {D4951B60-8FF9-4813-B716-FF3E75386E74} - http://www.preispiraten.de/cgi-bin/e/tracker_short.pl?http://www.ebay.de (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

What could be nasty here?

Thanks for your help,

Ciao,

Smokey​

 

There's no Startup entry for this 'rogue' services.exe file in your log; it may indeed have registered itself to start as a additional service, or to be launched some other way.

Please do the following:

In Hijack This, press "Config" > "Miscellaneous Tools".
Under the "Generate Startuplist log" button, check the "List also minor sections" box.

Now press "Generate Startuplist Log"
This will generate a text file that will list all applications that are loaded from practically every known startup location.

Go to Edit > select all, copy it and post its contents here.

 

Ok, there we go:

StartupList report, 4-7-2004, 18:32:55
StartupList version: 1.52.2
Started from : C:\TEMP\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Executive Software\Diskeeper Administrator\Controller\AdminServer.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
C:\WINDOWS\System32\SRVANY.EXE
C:\Program Files\ISDNCID\isdncid.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\SLEE503.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\V2i Protector 2.0\Agent\PQV2iSvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\DC-216 Utility\Systemtray.exe
C:\Program Files\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\CpuIdle\cpuidle.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\ServiceLayer.exe
C:\Program Files\RAM Saver Pro\ramsaverpro.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Wireless Watch\WirelessWatch.exe
C:\Program Files\Steganos Security Suite 6\sss.exe
C:\Program Files\Steganos Security Suite 6\safe.exe
C:\Program Files\Steganos Security Suite 6\spm.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\ScanPanel\ScnPanel.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Sitecom\Bluetooth Software\BtStackServer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe
C:\Program Files\eMule\eMule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
C:\TEMP\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
BTTray.lnk = ?
ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
CHotkey = mHotkey.exe
ledpointer = CNYHKey.exe
InstantAccess = C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
CARPService = carpserv.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
WinFaxAppPortStarter = wfxsnt40.exe
DiTask.exe = "C:\Program Files\Eicon\Diva\DiTask.exe"
Divamon.exe = "C:\Program Files\Eicon\Diva\Divamon.exe"
Eicon TechnologyLAN_DAEMON = "C:\Program Files\Eicon\Diva\watch.exe"
CGServer = "C:\Program Files\Eicon\Diva\cgserver.exe"
RCScheduleCheck = C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
Opware12 = "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
Fix-It AV = C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
SoundMan = SOUNDMAN.EXE
CleanRegPath = C:\PROGRA~1\DC-216 Utility\CleanReg.exe
ADSLSYSTEMTRAY = C:\PROGRA~1\DC-216 Utility\Systemtray.exe
LWBMOUSE = C:\Program Files\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Nokia Tray Application = C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
NvMixerTray = C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
CpuIdle = C:\Program Files\CpuIdle\cpuidle.exe
MBM 5 = "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
LVCOMS = C:\WINDOWS\System32\LVComS.exe
KAV50 = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kwsprod.exe" -run -n Workstation -v 5.0.0.0

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Index Washer = C:\Program Files\Webroot\Washer\WashIdx.exe "Dave"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
ATI Launchpad =
ATI Remote Control = C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
Speaking Clock Deluxe = "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
Bandwidth Monitor Pro = "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
Internet Download Accelerator = C:\Program Files\IDA\ida.exe -autorun
RAMSaverPro = C:\Program Files\RAM Saver Pro\ramsaverpro.exe
Window Washer = C:\Program Files\Webroot\Washer\wwDisp.exe
Wireless Watch#Autostart = "C:\Program Files\Wireless Watch\WirelessWatch.exe"
SSS6_Suite = "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
SSS6_SAFE = "C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
SSS6_SPM = "C:\Program Files\Steganos Security Suite 6\spm.exe" /booting
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Index Washer = C:\Program Files\Webroot\Washer\WashIdx.exe "Dave"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44AE4113-C121-10CC-1F32-A0BC12E2014D}]
StubPath = C:\WINDOWS\System32\msapplg.exe

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {16664845-0E00-11D2-8059-000000000000}
(no name) - C:\PROGRA~1\IDA\idaiehlp.dll - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6}
(no name) - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\windows\downloaded program files\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

1 Copernic Intra-Daily ~DAVE-E0THNENAX8 Dave.job
2 Copernic Daily ~DAVE-E0THNENAX8 Dave.job
3 Copernic Weekly ~DAVE-E0THNENAX8 Dave.job
4 Copernic Monthly ~DAVE-E0THNENAX8 Dave.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PCPITS~1.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[{6CB5E471-C305-11D3-99A8-000086395495}]
CODEBASE = http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37912.4804513889

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Omgeving voor AFD-netwerkondersteuning: \SystemRoot\System32\drivers\afd.sys (autostart)
aslm75: \??\C:\WINDOWS\system32\drivers\aslm75.sys (autostart)
Aspi32: System32\drivers\aspi32.sys (autostart)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intelligente achtergrondsoverdrachtservice: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Bluetooth Serial Driver: \??\C:\WINDOWS\System32\drivers\btserial.sys (autostart)
Bluetooth Port Client Driver: \??\C:\WINDOWS\System32\drivers\btslbcsp.sys (autostart)
Bluetooth Service: C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe (autostart)
Crypkey License: crypserv.exe (autostart)
Services voor cryptografie: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Eicon CAPI 2.0-stuurprogramma: System32\DRIVERS\DISDN\capi202k.sys (autostart)
Eicon-poortstuurprogramma: System32\DRIVERS\DISDN\diport40.sys (autostart)
Diskeeper: C:\Program Files\Executive Software\Diskeeper\DkService.exe (autostart)
Diskeeper Administrator Service: C:\Program Files\Executive Software\Diskeeper Administrator\Controller\AdminServer.exe (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
ElbyCDIO Driver: System32\Drivers\ElbyCDIO.sys (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Fix-It Task Manager: C:\PROGRA~1\VCOM\Fix-It\mxtask.exe -Service (autostart)
GEARSecurity: %SystemRoot%\System32\GEARSec.exe (autostart)
GFI LANguard N.S.S. 5.0 attendant service: "C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (autostart)
Help en ondersteuning: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
Infraroodmonitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ISDNCid: %SystemRoot%\System32\SRVANY.EXE (autostart)
KLBLMain: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation 5\kavmm.exe -run bl -n Workstation -v 5.0.0.0 -ttsr 10000000 (autostart)
Kerio Personal Firewall 4: C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
NWLink IPX/SPX/NetBIOS-compatibel transportprotocol: System32\DRIVERS\nwlnkipx.sys (autostart)
NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
NWLink SPX/SPXII-protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
SAP Agent: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
oodld: \??\C:\Program Files\OO Software\DriveLED\oodleddr.sys (autostart)
pavdrv: System32\DRIVERS\pavdrv51.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC-services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Steganos Live Encryption Engine (Version 503) [Driver]: \??\C:\WINDOWS\System32\drivers\SLEE503.sys (autostart)
Steganos Live Encryption Engine (Version 503) [Service]: C:\WINDOWS\System32\SLEE503.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore-service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
StreamDispatcher: System32\DRIVERS\strmdisp.sys (autostart)
SVKP: \??\C:\WINDOWS\System32\SVKP.sys (autostart)
Thema's: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Uploadbeheer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
V2i Protector: C:\Program Files\PowerQuest\V2i Protector 2.0\Agent\PQV2iSvc.exe (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration-service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------

Ciao,

Smokey​

 

Well, there's absolutely no reference to a Services.exe file i your Windows folder anywhere, except of course in your Running Processes...

Would you please find that file, rightclick it, choose properties, and tell us whether that helps to determine what it could be?

Also, would you please upload the file (the one in C:\Windows, to be sure!) to these two excellent on line file scanners in order to be tested :

Dialogue Science on-line virus checker
Kasperski anti virus checker

It would be interesting to see what these scanners make of it.

 

Properties c:\windows\services.exe: 6.748 bytes
On disc: 8.192 bytes
Date: 5-29-2003

Have checked the file with the online-scanners you mentioned, KAV AV for Workstations, F-Secure AV and TDS.

Results: clear

BTW: Results of KAV Online:

Scanned file: services.exe

services.exe - packed with MEW
services.exe - OK

Statistics:
Known viruses: 91980 Updated: 04-07-2004
File size (Kb): 7 Virus bodies: 0
Files: 2 Warnings: 0
Archives: 0 Suspicious: 0

What the h*ck could it be?

As you have seen, it have tried to make an outgoing connection, within 1 hour maybe 30 times, and to different destinations.......

Maybe I am stupid, I understand more from security then common people (I think), but just in this case I don't know what happens and why.

Ciao,

Smokey​

 

BTW: I have just renamed the file, rebooted the system, and now, after the reboot, the file have placed itself again in the windows directory......

 

It's a mystery to me... Would you please send a copy of the file to nosuchuserATxs4all.nl for analysis? (replace 'AT' by @).

I'll see what I can find out.


Thanks!

 

Send the nasty one to the email-adress above.

Let's see what it brings......

 

Thank you, got it!

I'll execute the file later tonight, and will log what happens. Will keep you posted.

 

OK, I executed the file and logged its install; no significant Registry changes were recorded.

Subsequently, the file indeed attempted to access the Net, and proved impossible to delete; it even resisted attempts to end process on it using Task Manager.

Here's how to get rid of it:

Download TheKillbox: http://broadbandmedic.com/download/


Unzip, launch the application, go to Menu > Action, and check 'Delete on Reboot'

In the following window, go to File > Add File. Now browse to Services.exe > Then go to 'Action' > Process and Reboot

You'll be prompted to reboot; do so. Subsequently, the file will be gone.

Good luck,

 

Hi Tony,

First, thanks for your efforts to help me.

Have done what you advised, but, services.exe still appears....
Very strange, there was only one solution: a system restore.

My luck: every 3 hours I do an incremental backup on all my systems with V2i Protector, so a clean system minus 3 hours of work is back again and virus-free.

I still don't know what the real cause of all problems is, and that is making me crazy 'cause I don't like it at all that something nasty happens and I don't can find out why.

Ciao,

Smokey​

 

That's strange, as I was able to delete the file the way I described, using PendingFileRenameOperations.
However that may have been because of the way I installed it; it could well be a different story at your end.

Anyway, good to hear you're up and running again.

 

That's indeed the most important issue: running again clean!

Another important issue: I found out what the nasty is (was):

a variant of the TrojanDownloader.Win32.Delf virus.

Exact name of the variant: TrojanDownloader.Win32.Delf.cq. virus.

Let's have fun again,

Ciao,

Smokey​