Services.exe Hijack

Discussion in 'General Software' started by =BF=, Oct 3, 2004.

  1. =BF=

    =BF= Member

    Joined:
    Jun 27, 2001
    Messages:
    1,238
    Location:
    BrisVegas
    Has anyone else had to deal with this services.exe hijack yet?

    It's getting in through Internet Explorer and appears to install a hidden control file which either writes or downloads services.exe and registers that file in the registry under run. It alters or creates a dialup account which dials 001143xxxxxxxx with a username derived from the logon user name.

    I've seen 4 of these in the last 2 days and can't find any info on it. Nor can I find the name of the control file or where it is loaded. All this equals a format and reinstall at the moment.

    The only common link is the porn sites listed in IE history, which none of the users have ever visited.

    HiJackThis etc, can remove the operating files (services.exe) but nothing can find the control file.

    Where else in the registry are files launched from? /run and /appinit don't show anything and no BHOs are doing it.
     
    Last edited: Oct 3, 2004
  2. CAESAR

    CAESAR Member

    Joined:
    Jan 2, 2002
    Messages:
    273
    Location:
    Wallan
  3. blaqDeaph

    blaqDeaph Member

    Joined:
    Jul 27, 2004
    Messages:
    1,155
    Location:
    127.0.0.1
    Tried some of the common ones:

    Ad-Aware
    Spybot
     
  4. OP
    OP
    =BF=

    =BF= Member

    Joined:
    Jun 27, 2001
    Messages:
    1,238
    Location:
    BrisVegas
    Tried all my normal tools and they detect and delete the services.exe file but whatever this hidden file is, it just reinstalls services.exe. Next time I'll try an aftermarket task manager and see if it can spot the DLL name of the control file. I'd like to know where it's being loaded.

    I did do another one this week but Ad-Aware deleted it and it didn't return. I had previously installed Sun Java on this guy's machine so it must be using an MSJava bug to install the hidden control file.
     
    Last edited: Oct 6, 2004
  5. blaqDeaph

    blaqDeaph Member

    Joined:
    Jul 27, 2004
    Messages:
    1,155
    Location:
    127.0.0.1
    Boot into safe mode. Does the services.exe run? If so, kill it.

    Then go to the registry editor and delete (backup first) all entries under the

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    Also delete entries from your startup folder.

    If services.exe still persists in running, then it's not being run on startup, but rather when one program executes. This could mean that the virus has corrupted a program file that you run normally (i.e. a game or smth like that).

    Also, check:

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    HKEY_CLASSES_ROOT\exefile\shell\runas\command
    there should be only 1 entry, default, and it should look like:

    Code:
    "\"%1\" %*"
    
     
  6. dohzer

    dohzer Member

    Joined:
    Jan 5, 2002
    Messages:
    5,447
    Location:
    Melbourne
    When it says "Number of files cleaned" does that mean the number of files that were infected but are now clean??
     
  7. aL4n

    aL4n Member

    Joined:
    Aug 18, 2003
    Messages:
    714
    I HAD THE SAME PROB...... tried everything I could, scanned using 10 different tools, 4 different virus scanners and still the stupid thing comes back.. the programs pick it up then I go del it but as soon as I connect to da net it comes back :tired:
     
  8. Hom3br3w

    Hom3br3w Member

    Joined:
    Dec 22, 2003
    Messages:
    1,026
    Location:
    GNE BSH
    Finding the solution is usually much harder than it is to fix the initial problem.

    Two words: Use Firefox
     
  9. fallen

    fallen Member

    Joined:
    Jan 23, 2003
    Messages:
    258
    Location:
    Canberra
    One sneaky loading point worth checking out is:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

    It should only read "explorer.exe" but often it'll be used to also load something else at the same time by reading as "explorer.exe fsck_pc.exe".

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit should only be c:\windows\system32\userinit.exe also.

    Hopefully this helps you out in solving this. If not, it's good knowledge to have 'cause there are some annoying trojans that seem to use it. I've also started seeing trojans that mask portions of the registry that include their loading points which basically forces you to edit the registry from a boot cd. If the trojan is loaded in the Winlogon\Shell key it runs in Safe Mode as well as normal mode, forcing you to do a remote edit.
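    The two posts above (blaqDeaph's Run/RunOnce and exefile keys, and fallen's Winlogon Shell/Userinit keys) describe a manual check of the same handful of load points. Below is an added example, not code from anyone in this thread, that reads those exact locations on a current Windows box and flags anything that differs from the stock values the posts quote. It assumes a modern Windows with PowerShell (none of the XP/2000 machines discussed here would have it), is read-only, and should be run from an elevated prompt so the HKLM keys are readable.

```powershell
# Added example (not from the thread): audit the autostart locations named in
# this thread and flag values that differ from the Windows defaults.
# Read-only; run from an elevated PowerShell prompt.

$findings = @()
# PowerShell attaches these metadata properties to every key it reads; skip them.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run / RunOnce / RunOnceEx: list every value so it can be reviewed by eye.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value; Status = 'review' }
    }
}

# 2. Winlogon Shell / Userinit: anything beyond the stock value is suspicious.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
$sysdir = [Environment]::SystemDirectory          # e.g. C:\WINDOWS\system32
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$sysdir\userinit.exe,"            # Windows stores it with a trailing comma
}
foreach ($name in $expected.Keys) {
    $actual = [string]$wl.$name
    $status = if ($actual.TrimEnd(',') -ieq $expected[$name].TrimEnd(',')) { 'ok' } else { 'SUSPICIOUS' }
    $findings += [pscustomobject]@{ Location = $winlogon; Name = $name; Value = $actual; Status = $status }
}

# 3. exefile shell\open and shell\runas: the (default) value should be  "%1" %*
foreach ($verb in 'open', 'runas') {
    $key = "Registry::HKEY_CLASSES_ROOT\exefile\shell\$verb\command"
    if (-not (Test-Path $key)) { continue }
    $cmd = [string](Get-ItemProperty -Path $key).'(default)'
    $status = if ($cmd -eq '"%1" %*') { 'ok' } else { 'SUSPICIOUS' }
    $findings += [pscustomobject]@{ Location = $key; Name = '(default)'; Value = $cmd; Status = $status }
}

$findings | Format-Table -AutoSize -Wrap
```

    Anything marked SUSPICIOUS is exactly the pattern fallen describes ("explorer.exe fsck_pc.exe" in Shell, or an extra path after userinit.exe). The Run keys are only listed, not judged, because legitimate software lives there too; the point of the script is to make the comparison repeatable rather than to decide for you. If a trojan is hiding registry keys from regedit, as fallen mentions later, expect it to hide them from this script as well, so a mismatch between what this shows and what an offline boot CD shows is itself a finding.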
     
  10. blaqDeaph

    blaqDeaph Member

    Joined:
    Jul 27, 2004
    Messages:
    1,155
    Location:
    127.0.0.1
    Maybe it's just SP2, but Windows prompted me whether or not to run the file, in a similar way to how IE prompts you before downloading a file.

    In the Run command box I typed: explorer.exe c:\test.exe
     
  11. fallen

    fallen Member

    Joined:
    Jan 23, 2003
    Messages:
    258
    Location:
    Canberra
    Nah, it does that on my PC as well [SP1] if you type it in a run prompt. However, try modifying the key I mentioned so that it loads something along with explorer.exe. I cbf rebooting at the moment to test :D

    I've definitely seen a few trojans do it quite effectively, most notably the Prorat family.
     
  12. kripz

    kripz Member

    Joined:
    Sep 29, 2004
    Messages:
    2,834
    Location:
    Near Frankston
    Is services.exe spyware??????????????

    It's in my processes right now... Win2k. I thought it had something to do with networking; it's on my school comps too.
     
  13. Hom3br3w

    Hom3br3w Member

    Joined:
    Dec 22, 2003
    Messages:
    1,026
    Location:
    GNE BSH
    Mine too, but I'm on DSL and my box doesn't have a modem attached to it. Sygate Personal Firewall hasn't complained about it either.

    Weird.
     
  14. Dan!el

    Dan!el Member

    Joined:
    Dec 24, 2001
    Messages:
    2,945
    Location:
    Melbourne
    Check c:\windows\system32\dllcache\ for the .exe as it may be there. You'll have to delete it there first, then delete the other one. Windows will come up with some box saying critical file deleted/bla bla bla, just click ignore/cancel/go away. :)
     
  15. fallen

    fallen Member

    Joined:
    Jan 23, 2003
    Messages:
    258
    Location:
    Canberra
    services.exe is a legitimate system file as long as it's located in c:\windows\system32\. Spyware/adware and trojans like to load files that are named the same or similar from different locations so that they look like system files. svchost.exe is another one that's popular for obfuscating naughty files.

    You might want to get hold of a third-party process viewer to help track down which ones are legit and which ones aren't, though. Generally the viral ones will be detected by up-to-date virus definitions, too.
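    fallen's rule of thumb above (services.exe and svchost.exe are only legitimate when they run from c:\windows\system32) is the kind of check a third-party process viewer does for you. Here is an added example, not code from this thread, that applies it on a current Windows machine: it lists every running process using one of a few commonly impersonated system names and reports its path, whether that path is the real system directory, and its Authenticode signature. It assumes a modern Windows with PowerShell and Get-CimInstance (PowerShell 3 or later), and must be run from an elevated prompt or the paths of protected processes come back empty.

```powershell
# Added example (not from the thread): find running processes that use a
# commonly impersonated system file name and report where they really run from.
# Read-only; run elevated, and use 64-bit PowerShell on 64-bit Windows so the
# system32 path is not redirected to SysWOW64.

$watchNames = 'services.exe', 'svchost.exe', 'lsass.exe', 'winlogon.exe', 'csrss.exe'
$sysdir = [Environment]::SystemDirectory   # e.g. C:\WINDOWS\system32

Get-CimInstance -ClassName Win32_Process |
    Where-Object { $watchNames -contains $_.Name } |
    ForEach-Object {
        $path       = $_.ExecutablePath
        $inSystem32 = $false
        $sigStatus  = 'unknown'
        $signer     = ''
        if ($path) {
            # A real system binary lives directly in the system directory, not a subfolder.
            $inSystem32 = (Split-Path $path -Parent) -ieq $sysdir
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # Both conditions must hold: right directory and a valid signature.
        $verdict = if ($inSystem32 -and $sigStatus -eq 'Valid') { 'ok' } else { 'SUSPICIOUS' }
        [pscustomobject]@{
            PID        = $_.ProcessId
            ParentPID  = $_.ParentProcessId
            Name       = $_.Name
            Path       = $path
            InSystem32 = $inSystem32
            Signature  = $sigStatus
            Signer     = $signer
            Verdict    = $verdict
        }
    } | Format-Table -AutoSize
```

    A process named services.exe with a path under a user profile, a temp directory or dllcache is the case this thread is about, and it is the copy Task Manager will let you kill; the genuine one in system32 is a critical process and will not die. On older Windows releases the system binaries are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly good file; there, treat the path column as the primary evidence and the signature column as supporting.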
     
  16. OP
    OP
    =BF=

    =BF= Member

    Joined:
    Jun 27, 2001
    Messages:
    1,238
    Location:
    BrisVegas
    Thanks, I remember seeing startups in there ages ago. Now you mention it, the Swen virus used them to take a foothold, but I didn't check them for this pig of a thing; I'd forgotten about them. I definitely need a tool that just shows what is starting up at boot on a machine.

    I haven't seen another one of these types of hijacks in a week. That's really sus. It's as though they were testing something?
     
  17. OP
    OP
    =BF=

    =BF= Member

    Joined:
    Jun 27, 2001
    Messages:
    1,238
    Location:
    BrisVegas
    Services.exe is also a critical process under NT.

    Using Task Manager, you can't kill the real one but you can kill the trojan.
     
    Last edited: Oct 12, 2004
  18. fallen

    fallen Member

    Joined:
    Jan 23, 2003
    Messages:
    258
    Location:
    Canberra
    http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

    That might be close to what you're after. It _does_ miss some of the more sneaky loading points like the ones mentioned but it covers most of the others. One good thing I've found is that if a trojan is monitoring regedt32 and hiding parts of the registry, then this tool will still show the loading points so you know there's something there. You just won't be able to edit them from within Windows while the trojan's running so you'll need to break out something like WinUBCD or ERD Commander.

    EDIT: Just downloaded the updated version and it also lists the sneaky locations. w00t :)
     
    Last edited: Oct 13, 2004
  19. OP
    OP
    =BF=

    =BF= Member

    Joined:
    Jun 27, 2001
    Messages:
    1,238
    Location:
    BrisVegas
    Excellent, many thanks. I'll check it out. I'm really sick of telling people they need a format and I'm sick of doing it :)

    I've been using reglite to get around the bastards hiding from me. Obviously it's not enough.
     
    Last edited: Oct 12, 2004
  20. TaroT

    TaroT Member

    Joined:
    Jan 18, 2002
    Messages:
    8,705
    Location:
    Hazelbrook nsw 2779
