Firewall warnings about services.exe

I'm running Win2000 with Outpost as my firewall. (In case
it matters, I'm also using Opera for WWW, Agent for usenet, and
Proxomitron as proxy for Opera.)

For the last few weeks, I've been getting occasional warning
messages from Outpost that services.exe is requesting an incoming
UDP connection with various IP addresses on various port numbers.
Among the port numbers are 5488, 16162, 31552, 11036.

I've been blocking each new combination of IP addr and port
#. Once, I tried totally blocking services.exe, but then I
couldn't browse the internet.

It sounds as though *something* malicious is being
attempted. Since it's from my services.exe, it sounds like it's
coming from me, rather than the outside. That's scary.

I've run AdAware & Spybot; both say I'm pretty clean. I've
Googled, but I haven't found any other reports of anything like
this, though I can't go through the thousands of hits I get when
I get more than a handful.

Does anyone have any suggestions of how I should proceed?

 

You should be able, in your firewall, to block incoming traffic to
Services.Exe while allowing outgoing traffic. Then things should work ok.

 

In Message-ID:<[email protected]>,

This also causes "could not connect to remote server" when
attempting to browse the web. (I'm having problems finding out
just what services.exe is supposed to do and what ports it should
validly be using.)

 

Havnt got time to read, but services.exe is the name NetSky.B runs under..
check symantec.com
--
Mimic

ZGF0YWZsZXhAY2FubmFiaXNtYWlsLmNvbQ== ( www.hidemyemail.net )
"Without knowledge you have fear. With fear you create your own nightmares."
"Alzheimer's, cheaper than rohypnol"
"There are 10 types of people in the world. Those that understand Binary,
and those that dont."
"He who controls Google, controls the world".

 

That's odd. Must be something else going on then. Services.exe never
connects outbound here and I'd never allow inbound connections to it
either. Everything works fine here. Sorry I can't offer more help...

 

In Message-ID:<>,

I see that several trojans copy themselves as services.exe.
I though I had been practicing safe computing and didn't need an
anti-virus program. It looks like I was wrong. I'm getting one
and will run it, soon.

Thank you very much.

 

In Message-ID:<>,

I downloaded and ran AVG. No hits. I restored copy of my
services.exe file from 10 months ago, and it exactly matches my
current one. (Firewall started showing activity in this file
only a few weeks ago.) While I know that these don't *prove*
that I don't have a virus/worm/trojan/whatever, it seems like
strong evidence.

My guess is that my firewall is protecting me, but I'd like
to know what it's protecting me from. Any other guesses, hints,
or suggestions?

 

You could have a look at
http://tds.diamondcs.com.au/index.php?page=faq .

Also, even though you downloaded and ran AVG, did you update it with
the latest anti-virus definitions before scanning?

Unfortunately, using out of date virus definitions is almost as bad as
not using anti-virus software to begin with. :-(

Dazz

 

what Dazz said, and how did you compare the services file? use
md5 to be sure it hasnt been modified.

--
Mimic

ZGF0YWZsZXhAY2FubmFiaXNtYWlsLmNvbQ== ( www.hidemyemail.net )
"Without knowledge you have fear. With fear you create your own nightmares."
"Alzheimer's, cheaper than rohypnol"
"There are 10 types of people in the world. Those that understand Binary,
and those that dont."
"He who controls Google, controls the world".

 

In Message-ID:<>,

My virus database says 2004-02-28.

Thanks for this info. I'll give it a try.

 

In Message-ID:<>,

Command prompt COMP command. That does a byte-by-byte
comparison of the whole file.

 

In Message-ID:<>,

First, I'd like to thank everyone who responded. I still
haven't found my problem, but these were all good suggestions.
I'm still working on some of them (for instance, the Trojan
Defence Suite).

Second, at least one of the IP addresses that showed up was
traced to lacnic.net. A non-profit I'm with recently got some
e-mail failure messages that were traced to spam from them with a
return address of our non-profit. The messages were sent before
my first problems, so I think my firewall has been saving me.
But, perhaps I have an inkling of what it has saved me from.

I'll report back the results of the TDS.

In the meantime, would/could anyone try an experiment for
me? Could someone with Win2k set their firewall to disallow all
incoming to services.exe and then see if they can browse the web?
I haven't been able to get an expanation (that I can understand)
as to what services.exe does. One of the suggestions was to set
my firewall up just that way. I'd like to know if it's just me
that has a problem with that firewall definition.

Again, thank you to all who've been helping me.

 

I've seen this type of action before and don't remember if I ever found out
exactly which one of the "services.exe" was trying to connect out. The best
site for looking at this stuff is from Black Viper.

http://www.blackviper.com/WinXP/servicecfg.htm

http://www.blackviper.com

After going through this site your machine is bound to run much better, mine
does (you can test at pcpitstop.com for free - you don't have to register).
Just make sure you read the descriptions for each service and decide if you
use it or it's dependencies. Once you turn something off you can test
immediately to see if that causes anything negative to happen or not.

Good Luck,
vic

 

In Message-ID:<>,

Yes, a lot of good info there. It may be that I need
services.exe for DHCP (as described at blackviper). Given that,
I rescind my request for others to try disabling it via their
firewall.

It's hard to believe that this information is out there, but
NOT at Microsoft's site.