Pat(BL)
Apr 20 2005, 01:48 AM
I don't know why I've never noticed this before as I check everything in the 'Processes' list on a regular basis but tonight this jumped out at me.
services.exe
When checking, I came up with this:
| QUOTE |
Process Information
Process File: services or services.exe
Process Name: Windows Service Controller
Description: services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.
Note: services.exe is also a process which is registered as the W32.Randex.R Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
|
One is vital and the other should be removed immediately, but they're both the same!
How are you supposed to know if the one you have is a Trojan or not?
Pat
Steve R Jones
Apr 20 2005, 04:38 AM
The good one is installed here: C:\Windows\System32\Services.exe
Angoid
Apr 20 2005, 05:09 AM
You can also check the properties: see who the manufacturer is and what the date on the file is.
As Steve R Jones says, the legitimate one can be found in C:\Windows\System32\Services.exe; if yours is anywhere else then it's almost certainly malware.
Malware makers are increasingly resorting to such tricks as using the same filenames as legitimate files and random filenames, and often it's only once you know the path that you can determine whether what you're running is genuine or not.
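The path and properties check described in the replies above, as an added example that is not part of the original thread. It assumes a current Windows system with Windows PowerShell 5.1 or later and an elevated prompt; the `Verdict` column and the variable names are this example's own. It deliberately does not pin a version number or date.

```powershell
# Added example: list every running services.exe and flag any copy that is
# not the signed file in System32. Run from an elevated PowerShell prompt.
$expected = Join-Path $env:SystemRoot 'System32\services.exe'

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'services.exe'" |
ForEach-Object {
    $path = $_.ExecutablePath

    if (-not $path) {
        # Non-elevated sessions often cannot read the path of system processes.
        [pscustomobject]@{
            PID     = $_.ProcessId
            Path    = '(unavailable, run elevated)'
            Verdict = 'UNKNOWN'
        }
        return   # move on to the next process
    }

    # Same details the file's Properties dialog shows: company, version, date.
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # Check 1: the image must be the one in System32 (case-insensitive).
    $inSystem32 = $path -ieq $expected

    # Check 2: the signature must validate and name Microsoft as the signer.
    $signedByMs = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    $verdict = if ($inSystem32 -and $signedByMs) { 'OK' } else { 'SUSPICIOUS' }

    [pscustomobject]@{
        PID         = $_.ProcessId
        Path        = $path
        Company     = $file.VersionInfo.CompanyName
        FileVersion = $file.VersionInfo.FileVersion
        Modified    = $file.LastWriteTime
        Signature   = $sig.Status
        Verdict     = $verdict
    }
} | Format-List
```

A healthy system shows exactly one entry with the System32 path; a second entry, or one running from any other folder, is the case worth investigating.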
jimholly
Apr 20 2005, 06:18 AM
And in addition to the above, the normal services.exe shouldn't be starting on its own, and if it was, there would be a window showing the list of services. A malware version would be starting so the trojan can do its dirty deeds, but no window would be showing with it. A check of the properties on the one in system32 should show 5.1.2600.0 version and a 99 KB filesize dated 8/28/02 (this from an XP Home system without SP2).
Pat(BL)
Apr 20 2005, 12:22 PM
Thank you Steve, Angus and Jim for your information and help, really appreciate it.
I've done a thorough check and am happy to say the one installed is the legit one from 'Uncle Bill'.
That really put the wind up me though for a while...
Pat
Mrs. Bond
Apr 20 2005, 01:01 PM
After reading Pat's post and becoming concerned, I went to check this info on my machine. According to Jim's description of what the file should look like, mine is all "OK" except for the date . . . on mine it is 08/18/2001.
My machine is XP PRO and so I am wondering if that makes a difference (as opposed to XP HOME?) Do you guys think that's alright, or should I be off on a wild goose chase looking for a bad nasty somewhere?
Thanks Much, Mrs. B
kennethr
Apr 20 2005, 03:42 PM

Well, my version, date, and size are different. I do have SP2 ????????????????????
kenneth
Oh, version is 5.1.2600.2180
Pat(BL)
Apr 20 2005, 11:41 PM
Hi Kenneth,
In a big hurry to get this posted as I'm having gigantic problems with Verizon dsl AGAIN. Can't stay connected to the Internet longer than a minute or so. Tomorrow Verizon and I go to war.
On this machine I have exactly the same as you even down to the second. (Well mine says 12:56:55am but that would be due to pacific time)
Better run or I won't be able to post this.
Ta-ta, hope to see you all soon.
Pat
One day I'll tell you what I think of Verizon when they allow x-rated postings here...Grrrrr!
jimholly
Apr 21 2005, 06:39 AM
Different 'flavors' of Windows and service pack updates can result in different versions and dates of the files.