Computer Security - Firewall warnings about services.exe

#1

I'm running Win2000 with Outpost as my firewall. (In case it matters, I'm also using Opera for WWW, Agent for usenet, and Proxomitron as proxy for Opera.)

For the last few weeks, I've been getting occasional warning messages from Outpost that services.exe is requesting an incoming UDP connection with various IP addresses on various port numbers. Among the port numbers are 5488, 16162, 31552, 11036.

I've been blocking each new combination of IP addr and port #. Once, I tried totally blocking services.exe, but then I couldn't browse the internet.

It sounds as though *something* malicious is being attempted. Since it's from my services.exe, it sounds like it's coming from me, rather than the outside. That's scary.

I've run AdAware & Spybot; both say I'm pretty clean. I've Googled, but I haven't found any other reports of anything like this, though I can't go through the thousands of hits I get when I get more than a handful.

Does anyone have any suggestions of how I should proceed?

--
Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com

Arthur T.

#2

Arthur T. wrote:

> I'm running Win2000 with Outpost as my firewall. (In case
> it matters, I'm also using Opera for WWW, Agent for usenet, and
> Proxomitron as proxy for Opera.)
>
> For the last few weeks, I've been getting occasional warning
> messages from Outpost that services.exe is requesting an incoming
> UDP connection with various IP addresses on various port numbers.
> Among the port numbers are 5488, 16162, 31552, 11036.
>
> I've been blocking each new combination of IP addr and port
> #. Once, I tried totally blocking services.exe, but then I
> couldn't browse the internet.
>
> It sounds as though *something* malicious is being
> attempted. Since it's from my services.exe, it sounds like it's
> coming from me, rather than the outside. That's scary.
>
> I've run AdAware & Spybot; both say I'm pretty clean. I've
> Googled, but I haven't found any other reports of anything like
> this, though I can't go through the thousands of hits I get when
> I get more than a handful.
>
> Does anyone have any suggestions of how I should proceed?

You should be able, in your firewall, to block incoming traffic to Services.Exe while allowing outgoing traffic. Then things should work ok.

Kerodo

#3

In Message-ID:<o1b0c.22130$aZ3.11499@fed1read04>,
Kerodo <> wrote:

>Arthur T. wrote:
<much snipped>
>> For the last few weeks, I've been getting occasional warning
>> messages from Outpost that services.exe is requesting an incoming
>> UDP connection with various IP addresses on various port numbers.
>> Among the port numbers are 5488, 16162, 31552, 11036.
>>
>> Once, I tried totally blocking services.exe, but then I
>> couldn't browse the internet.
>>
>> Does anyone have any suggestions of how I should proceed?
>
>You should be able, in your firewall, to block incoming traffic to
>Services.Exe while allowing outgoing traffic. Then things should work ok.

This also causes "could not connect to remote server" when attempting to browse the web. (I'm having problems finding out just what services.exe is supposed to do and what ports it should validly be using.)

--
Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com

Arthur T.

#4

"Arthur T." <> wrote in message
news:...

> I'm running Win2000 with Outpost as my firewall. (In case
> it matters, I'm also using Opera for WWW, Agent for usenet, and
> Proxomitron as proxy for Opera.)
>
> For the last few weeks, I've been getting occasional warning
> messages from Outpost that services.exe is requesting an incoming
> UDP connection with various IP addresses on various port numbers.
> Among the port numbers are 5488, 16162, 31552, 11036.
>
> I've been blocking each new combination of IP addr and port
> #. Once, I tried totally blocking services.exe, but then I
> couldn't browse the internet.
>
> It sounds as though *something* malicious is being
> attempted. Since it's from my services.exe, it sounds like it's
> coming from me, rather than the outside. That's scary.
>
> I've run AdAware & Spybot; both say I'm pretty clean. I've
> Googled, but I haven't found any other reports of anything like
> this, though I can't go through the thousands of hits I get when
> I get more than a handful.
>
> Does anyone have any suggestions of how I should proceed?
> --
> Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com

Haven't got time to read, but services.exe is the name NetSky.B runs under.. check symantec.com

--
Mimic

ZGF0YWZsZXhAY2FubmFiaXNtYWlsLmNvbQ== ( www.hidemyemail.net )
"Without knowledge you have fear. With fear you create your own nightmares."
"Alzheimer's, cheaper than rohypnol"
"There are 10 types of people in the world. Those that understand Binary, and those that don't."
"He who controls Google, controls the world".

Mimic

#5

Arthur T. wrote:

> In Message-ID:<o1b0c.22130$aZ3.11499@fed1read04>,
> Kerodo <> wrote:
>
>
>>Arthur T. wrote: <much snipped>
>>
>>> For the last few weeks, I've been getting occasional warning
>>>messages from Outpost that services.exe is requesting an incoming
>>>UDP connection with various IP addresses on various port numbers.
>>>Among the port numbers are 5488, 16162, 31552, 11036.
>>>
>>>Once, I tried totally blocking services.exe, but then I
>>>couldn't browse the internet.
>>>
>>> Does anyone have any suggestions of how I should proceed?
>>
>>You should be able, in your firewall, to block incoming traffic to
>>Services.Exe while allowing outgoing traffic. Then things should work ok.
>
>
> This also causes "could not connect to remote server" when
> attempting to browse the web. (I'm having problems finding out
> just what services.exe is supposed to do and what ports it should
> validly be using.)

That's odd. Must be something else going on then. Services.exe never connects outbound here and I'd never allow inbound connections to it either. Everything works fine here. Sorry I can't offer more help...

Kerodo

#6

In Message-ID:<MY-dnWhdOZIy-dzdRVn->,
"Mimic" <> wrote:

>Haven't got time to read, but services.exe is the name NetSky.B runs under..
>check symantec.com

I see that several trojans copy themselves as services.exe. I thought I had been practicing safe computing and didn't need an anti-virus program. It looks like I was wrong. I'm getting one and will run it, soon.

Thank you very much.

--
Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com

Arthur T.

#7

In Message-ID:<>,
Arthur T. <> wrote:

>In Message-ID:<MY-dnWhdOZIy-dzdRVn->,
>"Mimic" <> wrote:
>
>>Haven't got time to read, but services.exe is the name NetSky.B runs under..
>>check symantec.com
>
> I see that several trojans copy themselves as services.exe.
>I thought I had been practicing safe computing and didn't need an
>anti-virus program. It looks like I was wrong. I'm getting one
>and will run it, soon.

I downloaded and ran AVG. No hits. I restored a copy of my services.exe file from 10 months ago, and it exactly matches my current one. (Firewall started showing activity in this file only a few weeks ago.) While I know that these don't *prove* that I don't have a virus/worm/trojan/whatever, it seems like strong evidence.

My guess is that my firewall is protecting me, but I'd like to know what it's protecting me from. Any other guesses, hints, or suggestions?

--
Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com

Arthur T.

#8

On Sun, 29 Feb 2004 11:35:31 -0500, Arthur T. <>
wrote:

<snipped>
> My guess is that my firewall is protecting me, but I'd like
>to know what it's protecting me from. Any other guesses, hints,
>or suggestions?

You could have a look at http://tds.diamondcs.com.au/index.php?page=faq .

Also, even though you downloaded and ran AVG, did you update it with the latest anti-virus definitions before scanning? Unfortunately, using out of date virus definitions is almost as bad as not using anti-virus software to begin with.

Dazz

Dazz

#9

"Arthur T." <> wrote in message
news:...

> In Message-ID:<>,
> Arthur T. <> wrote:
>
> >In Message-ID:<MY-dnWhdOZIy-dzdRVn->,
> >"Mimic" <> wrote:
> >
> >>Haven't got time to read, but services.exe is the name NetSky.B runs under..
> >>check symantec.com
> >
> > I see that several trojans copy themselves as services.exe.
> >I thought I had been practicing safe computing and didn't need an
> >anti-virus program. It looks like I was wrong. I'm getting one
> >and will run it, soon.
>
> I downloaded and ran AVG. No hits. I restored a copy of my
> services.exe file from 10 months ago, and it exactly matches my
> current one. (Firewall started showing activity in this file
> only a few weeks ago.) While I know that these don't *prove*
> that I don't have a virus/worm/trojan/whatever, it seems like
> strong evidence.
>
> My guess is that my firewall is protecting me, but I'd like
> to know what it's protecting me from. Any other guesses, hints,
> or suggestions?
> --
> Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com

What Dazz said, and how did you compare the services file? Use md5 to be sure it hasn't been modified.

--
Mimic

ZGF0YWZsZXhAY2FubmFiaXNtYWlsLmNvbQ== ( www.hidemyemail.net )
"Without knowledge you have fear. With fear you create your own nightmares."
"Alzheimer's, cheaper than rohypnol"
"There are 10 types of people in the world. Those that understand Binary, and those that don't."
"He who controls Google, controls the world".

Mimic

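The file comparison discussed in posts #7 and #9, as an added example that is not part of any poster's message: it checks every file named services.exe under a root, flagging copies outside the expected system directory as well as an in-place copy whose hash differs from a known-good backup. The function names and the directory tree are constructed for illustration; SHA-256 is the default, and `algo="md5"` produces the MD5 the thread mentions.

```python
# Added example: names and the sample tree are constructed, not from the thread.
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in chunks; pass algo="md5" to match an older recorded value."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_named_binary(root, name, expected_dir, baseline):
    """Return sorted (path relative to root, verdict) for every file called name."""
    root = Path(root).resolve()
    expected_dir = Path(expected_dir).resolve()
    good = file_digest(baseline)  # known-good copy, e.g. restored from backup
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.name.lower() != name.lower():
            continue  # Windows file names are case-insensitive
        if p.parent != expected_dir:
            verdict = "unexpected-location"  # same name, wrong directory
        elif file_digest(p) != good:
            verdict = "hash-mismatch"  # right place, contents changed
        else:
            verdict = "ok"
        findings.append((p.relative_to(root).as_posix(), verdict))
    return sorted(findings)


def demo():
    """Audit a constructed tree standing in for a Win2000 system volume."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp, "WINNT", "system32")
        sys32.mkdir(parents=True)
        (sys32 / "services.exe").write_bytes(b"constructed genuine bytes")
        Path(tmp, "WINNT", "Services.exe").write_bytes(b"constructed impostor")
        known_good = Path(tmp, "services.exe.known-good")
        known_good.write_bytes(b"constructed genuine bytes")
        return audit_named_binary(tmp, "services.exe", sys32, known_good)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A matching hash on the copy in the system directory says nothing about a second file of the same name elsewhere on disk, which is why the location check runs first.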
#10

In Message-ID:<>,
Dazz <> wrote:

>Also, even though you downloaded and ran AVG, did you update it with
>the latest anti-virus definitions before scanning?

My virus database says 2004-02-28.

>You could have a look at
>http://tds.diamondcs.com.au/index.php?page=faq .

Thanks for this info. I'll give it a try.

--
Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com

Arthur T.