
Services.exe is sending spam emails - Malware, Trojan, Zombie

Discussion in 'Virus & Other Malware Removal' started by CADTopel, Nov 3, 2008.

Thread Status:
Not open for further replies.
  1. CADTopel

    CADTopel Thread Starter

    Joined:
    Nov 3, 2008
    Messages:
    1
    I have discovered that the services.exe process is sending email out to many addresses on an intermittent basis. My ISP (Time Warner) has shut down my modem 3 times already due to complaints that my IP was sending spam. After I got them to re-open my connection, the problem then comes up again in another 30 days. So it would seem to be intermittent, but what I found out today is that the trojan isn't active all the time. It will be quiet for a while, but every 10-15 minutes, it starts a lot of internet activity.

    Tracking down the process involved using netstat -ano, which shows all the network activity and the process involved. What I found was that normally there were only 2-3 Established connections, but when the virus went active there were many, many established connections. When I ran netstat w/o arguments so it would look up to whom the computer was connected, I noticed that all of the connections were to SMTP ports on a myriad of services (I'm attaching that file showing a quiescent period followed by all the connections). I'm also attaching a picture of the task manager showing that the problem process ID, 608, is services.exe.

    I used runscanner to determine if the files that were present were signed correctly, but it didn't notice anything about services.exe, i.e. it gave no report whether the hash on the file was good or not. (Does anyone know what the SHA1 should be?)

    All of the connections are from the services.exe process. The file itself is located in the right directory (i.e. windows\system32) but it must be infected. How can I get rid of this once and for all?

    Thanks for any Help!

    PS: Computer is running XP Home with all updated patches (but not fully patched before the virus was installed probably)
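
The netstat -ano triage described in the post above can be automated; the following is an added example, not part of the original post, that counts active outbound SMTP connections per PID. The sample output is constructed, and the extra ports 465/587 and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows `netstat -ano` output
# (addresses are from documentation ranges, not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED     1820
  TCP    192.168.1.10:1101      203.0.113.5:25         ESTABLISHED     608
  TCP    192.168.1.10:1102      203.0.113.9:25         ESTABLISHED     608
  TCP    192.168.1.10:1103      198.51.100.22:25       SYN_SENT        608
  TCP    192.168.1.10:1104      198.51.100.40:25       ESTABLISHED     608
  UDP    0.0.0.0:445            *:*                                    4
"""

SMTP_PORTS = {25, 465, 587}                 # assumption: 25 plus submission ports
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}  # connected or currently dialing out
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def remote_port(endpoint):
    """Port from 'addr:port'; rsplit also copes with bracketed IPv6."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def smtp_connections_by_pid(netstat_text):
    """Count active TCP connections to SMTP ports, keyed by owning PID."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows (no state column), blank lines
        _local, foreign, state, pid = m.groups()
        if state in ACTIVE_STATES and remote_port(foreign) in SMTP_PORTS:
            counts[int(pid)] += 1
    return counts

def suspicious_pids(netstat_text, threshold=3):
    """PIDs with at least `threshold` concurrent outbound SMTP connections."""
    counts = smtp_connections_by_pid(netstat_text)
    return sorted(pid for pid, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for pid, n in smtp_connections_by_pid(SAMPLE).most_common():
        print(f"PID {pid}: {n} outbound SMTP connection(s)")
    print("flag:", suspicious_pids(SAMPLE))
```

Because the activity described comes in bursts every 10-15 minutes, a single snapshot can miss it; capturing `netstat -ano` output repeatedly and feeding each capture to `suspicious_pids` covers the quiet periods.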
     
