Just avoided a trojan/worm/something...
Hit a news site I hadn't been to for a long time, and noticed the page taking a long time to load. Then my browser froze up. Then Outlook crashed. Then..
Here's where it gets interesting.
ESET NOD32 didn't notice anything odd going on.
Windows Defender popped up a window saying some changes were being made to the registry. Of course I denied the changes.
The Defender window pointed to a file c:\windows\system32\servises.exe - notice the spelling - and also listed the registry keys that were affected.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\servises
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\servises
HKCU\Software\Microsoft\CurrentVersion\Run\\servises
HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer\Run\\servises
HKU\[user-id string]\Software\Microsoft\CurrentVersion\Run\\servises
HKU\[user-id string]\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\servises
The Run Keys were simply: C:\WINDOWS\system32\servises.exe
Scanning the files directly with ESET did nothing.
I also found a file called _id.dat in the \windows\system32 folder with the same date/time stamp as the servises.exe file.
Scary stuff.. if NOD32 doesn't know what it is, I'd be surprised if any other virus/malware software would recognize it.
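An added example, not part of the original post: a Python check that flags Run-key entries whose executable name is a near-miss of a genuine Windows binary, as servises.exe is of services.exe, without relying on an antivirus signature. The allow-list, the distance threshold and the sample entries are assumptions constructed for illustration; on a live system the entries would be read from the Run keys listed above.

```python
import ntpath

# Assumed allow-list of genuine Windows binary names (illustrative, not exhaustive).
KNOWN_SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "explorer.exe",
                         "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_name(command):
    """Lower-cased executable file name from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, arguments follow the quote
        path = command[1:].split('"', 1)[0]
    else:                                  # unquoted: cut after the first ".exe"
        idx = command.lower().find(".exe")
        path = command[:idx + 4] if idx != -1 else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def lookalike_of(name, max_distance=2):
    """Return the genuine name that `name` imitates, or None."""
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best = min(sorted(KNOWN_SYSTEM_BINARIES), key=lambda k: edit_distance(name, k))
    return best if edit_distance(name, best) <= max_distance else None

def audit_run_entries(entries):
    """entries: (key, value name, command). Returns the suspicious ones."""
    findings = []
    for key, value_name, command in entries:
        name = image_name(command)
        match = lookalike_of(name)
        if match:
            findings.append((key, value_name, name, match))
    return findings

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample data: the first entry mirrors the post, the others are made up.
SAMPLE_ENTRIES = [
    (RUN_KEY, "servises", r"C:\WINDOWS\system32\servises.exe"),
    (RUN_KEY, "Updater", r'"C:\Program Files\Example\updater.exe" /background'),
    (RUN_KEY, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
```

Calling `audit_run_entries(SAMPLE_ENTRIES)` returns only the servises entry, paired with the genuine name it imitates.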