services.exe question

Discussion in 'other security issues & news' started by jcwem, Jan 4, 2005.

Thread Status:
Not open for further replies.
  1. jcwem

    jcwem Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    3
    Hi all,
    I am new to this forum and a new owner of PE. I have noticed that services.exe process running on my home PC attempts to connect to a remote IP address using remote port 54. This IP address is located in the UK. This occurs each time I boot the pc. This seems kinda strange and am wondering if this is a trojan. I have read that as long as the services.exe process is running from the %windir%system32 it is legitimate.

    I am a novice when it comes to analyzing processes and associated ports and would appreciate any information you can provide. :D
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    services - services.exe - Process Information
    Process File: services or services.exe
    Process Name: Windows Service Controller

    Description:
    services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated. Note: services.exe is also a process which is registered as the W32.Randex.R Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
     
    Last edited: Jan 5, 2005
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Can you please state what is the remote IP address that your computer connects to? I will do a WHOIS check on that IP address to try and find out who it is.
    If you have a firewall, you can try blocking that remote IP address, it should prevent the trojan from connecting to the hacker's computer. Do you have a firewall installed on your computer?
    Please install a firewall immediately before using TDS-3 to block the trojan from connecting to the hacker. Try Sygate Personal Firewall from here: http://www.majorgeeks.com/download3356.html

    After installing the firewall, you can then use the TDS-3 trial version from www.diamondcs.com.au to detect and destroy the active trojan on your computer.
     
    Last edited: Jan 5, 2005
  4. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Will the forum staff allow someone's IP address to be posted here?

    Jimbob
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    In this case they are talking about an IP address out on the Internet that their system is connecting to, not their own address. For diagnostic purposes we would allow the posting of that IP address as it may be a good clue as to what is happening there.
     
  6. jcwem

    jcwem Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    3
    First of all,

    Thanks for replying.

    The IP address is 62.73.174.194. It resolves to us100000003-pip.eu.verios.net

    I have a ZoneAlarm firewall on the PC and I have already blocked incoming and outgoing traffic to that IP address.

    From what I understand it would be normal for services.exe to access ISP DNS servers. Is this correct? Also, as I stated previously, I had read that as long as services.exe is running from %windir%system32 it is not a trojan. This could be incorrect.

    I have run Norton antivirus, spybot, wintasks, security task manager, and ewido but none of these applications have detected a trojan.

    Thanks.
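
Added example (not part of the thread): a PowerShell check of the rule quoted in the posts above, that services.exe should be running from the system32 folder under %windir%. It assumes a current Windows system with PowerShell 5.1 or later and an elevated prompt, and it lists TCP connections only.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# The expected image path for the Windows service controller on this machine.
$expected = Join-Path $env:windir 'System32\services.exe'

# Addresses that are not remote peers (unbound or loopback).
$notRemote = '0.0.0.0', '::', '127.0.0.1', '::1'

# WQL string comparison is case-insensitive, so "Services.EXE" is matched too.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'services.exe'" | ForEach-Object {
    $proc = $_
    $path = $proc.ExecutablePath   # empty when the caller may not query the process

    # Authenticode status of the file on disk (Valid, NotSigned, HashMismatch, ...).
    $sigStatus = if ($path) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    } else {
        'PathUnavailable'
    }

    # TCP connections owned by this process that have a real remote endpoint.
    $remote = Get-NetTCPConnection -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin $notRemote } |
        ForEach-Object { '{0}:{1} ({2})' -f $_.RemoteAddress, $_.RemotePort, $_.State }

    [pscustomobject]@{
        ProcessId    = $proc.ProcessId
        Path         = $path
        PathMatches  = [bool]$path -and ($path -ieq $expected)   # case-insensitive compare
        Signature    = $sigStatus
        RemotePeers  = $remote -join ', '
    }
} | Format-List
```

A match on the path shows only where the image was loaded from, so the signature status and the remote endpoints are listed alongside it for review.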
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Minimum protection: AV + AT+ FIREWALL.
    All other security software can be found on this forum.

    *Windows Services Configuration: http://www.blackviper.com/WinXP/servicecfg.htm

    *To close critical ports, WWDC, a little tool from GKWEB:
    http://www.firewallleaktester.com/wwdc.htm

    *Nirsoft utilities:

    *IpNetInfo (to find information about an IP)
    http://www.nirsoft.net/utils/ipnetinfo.html

    *CurrPorts (to find any listening port on your system)
    http://www.nirsoft.net/utils/cports.html

    *A list of ports used by trojans on a little site where to learn a little bit about security: http://www.doshelp.com/trojanports.htm

    Best Regards
     
  8. jcwem

    jcwem Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    3
    kareldjag,

    Thanks.
     