Firewall warnings about services.exe

Discussion in 'Computer Security' started by Arthur T., Feb 29, 2004.

  1. Arthur T.

    Arthur T. Guest

    I'm running Win2000 with Outpost as my firewall. (In case
    it matters, I'm also using Opera for WWW, Agent for usenet, and
    Proxomitron as proxy for Opera.)

    For the last few weeks, I've been getting occasional warning
    messages from Outpost that services.exe is requesting an incoming
    UDP connection with various IP addresses on various port numbers.
    Among the port numbers are 5488, 16162, 31552, 11036.

    I've been blocking each new combination of IP addr and port
    #. Once, I tried totally blocking services.exe, but then I
    couldn't browse the internet.

    It sounds as though *something* malicious is being
    attempted. Since it's from my services.exe, it sounds like it's
    coming from me, rather than the outside. That's scary.

    I've run AdAware & Spybot; both say I'm pretty clean. I've
    Googled, but I haven't found any other reports of anything like
    this, though I can't go through the thousands of hits I get when
    I get more than a handful.

    Does anyone have any suggestions of how I should proceed?
     
    Arthur T., Feb 29, 2004
    #1

  2. Arthur T.

    Kerodo Guest

    You should be able, in your firewall, to block incoming traffic to
    Services.Exe while allowing outgoing traffic. Then things should work ok.
     
    Kerodo, Feb 29, 2004
    #2

  3. Arthur T.

    Arthur T. Guest

    This also causes "could not connect to remote server" when
    attempting to browse the web. (I'm having problems finding out
    just what services.exe is supposed to do and what ports it should
    validly be using.)
     
    Arthur T., Feb 29, 2004
    #3
  4. Arthur T.

    Mimic Guest

    Haven't got time to read, but services.exe is the name NetSky.B runs under.
    check symantec.com
    --
    Mimic

    ZGF0YWZsZXhAY2FubmFiaXNtYWlsLmNvbQ== ( www.hidemyemail.net )
    "Without knowledge you have fear. With fear you create your own nightmares."
    "Alzheimer's, cheaper than rohypnol"
    "There are 10 types of people in the world. Those that understand Binary,
    and those that don't."
    "He who controls Google, controls the world".
     
    Mimic, Feb 29, 2004
    #4
  5. Arthur T.

    Kerodo Guest

    That's odd. Must be something else going on then. Services.exe never
    connects outbound here and I'd never allow inbound connections to it
    either. Everything works fine here. Sorry I can't offer more help...
     
    Kerodo, Feb 29, 2004
    #5
  6. Arthur T.

    Arthur T. Guest

    I see that several trojans copy themselves as services.exe.
    I thought I had been practicing safe computing and didn't need an
    anti-virus program. It looks like I was wrong. I'm getting one
    and will run it, soon.

    Thank you very much.
     
    Arthur T., Feb 29, 2004
    #6
  7. Arthur T.

    Arthur T. Guest

    I downloaded and ran AVG. No hits. I restored a copy of my
    services.exe file from 10 months ago, and it exactly matches my
    current one. (Firewall started showing activity in this file
    only a few weeks ago.) While I know that these don't *prove*
    that I don't have a virus/worm/trojan/whatever, it seems like
    strong evidence.

    My guess is that my firewall is protecting me, but I'd like
    to know what it's protecting me from. Any other guesses, hints,
    or suggestions?
     
    Arthur T., Feb 29, 2004
    #7
  8. Arthur T.

    Dazz Guest

    You could have a look at
    http://tds.diamondcs.com.au/index.php?page=faq .

    Also, even though you downloaded and ran AVG, did you update it with
    the latest anti-virus definitions before scanning?

    Unfortunately, using out of date virus definitions is almost as bad as
    not using anti-virus software to begin with. :-(

    Dazz
     
    Dazz, Mar 1, 2004
    #8
  9. Arthur T.

    Mimic Guest

    What Dazz said, and how did you compare the services file? Use
    md5 to be sure it hasn't been modified.

    --
    Mimic

    ZGF0YWZsZXhAY2FubmFiaXNtYWlsLmNvbQ== ( www.hidemyemail.net )
    "Without knowledge you have fear. With fear you create your own nightmares."
    "Alzheimer's, cheaper than rohypnol"
    "There are 10 types of people in the world. Those that understand Binary,
    and those that don't."
    "He who controls Google, controls the world".
     
    Mimic, Mar 1, 2004
    #9
  10. Arthur T.

    Arthur T. Guest

    My virus database says 2004-02-28.
    Thanks for this info. I'll give it a try.
     
    Arthur T., Mar 1, 2004
    #10
  11. Arthur T.

    Arthur T. Guest

    Command prompt COMP command. That does a byte-by-byte
    comparison of the whole file.
     
    Arthur T., Mar 1, 2004
    #11
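    The two integrity checks discussed in posts #9 and #11 (an MD5 comparison and a COMP-style byte-by-byte comparison of the current services.exe against an older backup copy) side by side, as an added example that is not code from anyone in this thread. It builds its own constructed stand-in files in a temporary directory; the file names are placeholders, and no real system binary is touched.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read files in blocks so large binaries are not loaded whole


def file_digests(path):
    """Size plus MD5 and SHA-256 hex digests of a file (what 'use md5' amounts to)."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def byte_compare(path_a, path_b):
    """COMP-style comparison: offset of the first differing byte, or -1 if identical.
    A length mismatch counts as a difference at the end of the shorter file."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a != b:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        return offset + i
                return offset + min(len(a), len(b))
            if not a:
                return -1
            offset += len(a)


def verify_copy(current, reference):
    """Report whether 'current' matches the trusted 'reference' copy by every method."""
    cur, ref = file_digests(current), file_digests(reference)
    return {"size_match": cur["size"] == ref["size"],
            "md5_match": cur["md5"] == ref["md5"],
            "sha256_match": cur["sha256"] == ref["sha256"],
            "first_diff": byte_compare(current, reference)}


def demo():
    """Constructed sample: an untouched copy and a copy with one byte altered."""
    tmp = tempfile.mkdtemp()
    paths = [os.path.join(tmp, n) for n in ("services.exe.bak", "services.exe", "tampered.exe")]
    data = b"MZ" + bytes(range(256)) * 4  # constructed stand-in for binary content
    for p, body in zip(paths, (data, data, data[:300] + b"\x00" + data[301:])):
        with open(p, "wb") as fh:
            fh.write(body)
    return verify_copy(paths[1], paths[0]), verify_copy(paths[2], paths[0])
```

Note that a match against a backup only shows the file has not changed since that backup was taken; it says nothing about whether the backup itself was clean.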
  12. Arthur T.

    Arthur T. Guest

    First, I'd like to thank everyone who responded. I still
    haven't found my problem, but these were all good suggestions.
    I'm still working on some of them (for instance, the Trojan
    Defence Suite).

    Second, at least one of the IP addresses that showed up was
    traced to lacnic.net. A non-profit I'm with recently got some
    e-mail failure messages that were traced to spam from them with a
    return address of our non-profit. The messages were sent before
    my first problems, so I think my firewall has been saving me.
    But, perhaps I have an inkling of what it has saved me from.

    I'll report back the results of the TDS.

    In the meantime, would/could anyone try an experiment for
    me? Could someone with Win2k set their firewall to disallow all
    incoming to services.exe and then see if they can browse the web?
    I haven't been able to get an explanation (that I can understand)
    as to what services.exe does. One of the suggestions was to set
    my firewall up just that way. I'd like to know if it's just me
    that has a problem with that firewall definition.

    Again, thank you to all who've been helping me.
     
    Arthur T., Mar 1, 2004
    #12
  13. Arthur T.

    vic Guest

    I've seen this type of action before and don't remember if I ever found out
    exactly which one of the "services.exe" was trying to connect out. The best
    site for looking at this stuff is from Black Viper.

    http://www.blackviper.com/WinXP/servicecfg.htm

    http://www.blackviper.com

    After going through this site your machine is bound to run much better, mine
    does (you can test at pcpitstop.com for free - you don't have to register).
    Just make sure you read the descriptions for each service and decide if you
    use it or its dependencies. Once you turn something off you can test
    immediately to see if that causes anything negative to happen or not.

    Good Luck,
    vic
     
    vic, Mar 2, 2004
    #13
  14. Arthur T.

    Arthur T. Guest

    Yes, a lot of good info there. It may be that I need
    services.exe for DHCP (as described at blackviper). Given that,
    I rescind my request for others to try disabling it via their
    firewall.

    It's hard to believe that this information is out there, but
    NOT at Microsoft's site.
     
    Arthur T., Mar 2, 2004
    #14