Old 06-22-2009, 08:41 PM  
Major (Tom)
Anti Communist
Join Date: Nov 2003
Location: Null
Posts: 29,821
Quote: Originally Posted by fusionx
Hit a news site I hadn't been to for a long time, and noticed the page taking a long time to load. Then my browser froze up. Then Outlook crashed. Then...

Here's where it gets interesting.

ESET NOD32 didn't notice anything odd going on.

Windows Defender popped up a window saying some changes were being made to the registry. Of course I denied the changes.

The Defender window pointed to a file c:\windows\system32\servises.exe - notice the spelling - and also listed the registry keys that were affected.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\servises
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\servises
HKCU\Software\Microsoft\CurrentVersion\Run\\servises
HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer\Run\\servises
HKU\[user-id string]\Software\Microsoft\CurrentVersion\Run\\servises
HKU\[user-id string]\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\servises

The Run Keys were simply: C:\WINDOWS\system32\servises.exe

Scanning the files directly with ESET did nothing.

I also found a file called _id.dat in the \windows\system32 folder with the same date/time stamp as the servises.exe file.

Scary stuff... if NOD32 doesn't know what it is, I'd be surprised if any other virus/malware software would recognize it.
NOD sucks... trust me
Duke
__________________
My mother said, to get things done
You'd better not mess with Major Tom
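The quoted post describes a classic persistence pattern: an executable dropped into system32 under a name one letter off from a real Windows binary (servises.exe vs. services.exe), registered in the HKLM/HKCU Run and Policies\Explorer\Run keys. The script below is an added example, not code from the thread or from either poster; it enumerates those autostart keys, extracts the executable from each value, flags file names within a small edit distance of a legitimate system binary, and reports the Authenticode status of the file. The list of legitimate names and the distance threshold of 2 are assumptions to tune for your environment.

```powershell
# Added example: audit Run / Policies\Explorer\Run autostart keys for
# lookalike executable names such as "servises.exe" (not from the thread).

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Assumption: names that malware commonly imitates; extend for your environment.
$legitNames = @('services.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe',
                'winlogon.exe', 'explorer.exe', 'smss.exe')
$maxDistance = 2   # assumption: how many edits still count as a lookalike

function Get-LevenshteinDistance {
    param([string]$a, [string]$b)
    # Standard dynamic-programming edit distance.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-ExecutableFromCommand {
    param([string]$cmd)
    # Strip surrounding quotes and any arguments; keep the path to the .exe.
    $exe = $cmd -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '^(\S+\.exe).*$', '$1'
    return $exe.Trim()
}

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd  = [string]$p.Value
            $exe  = Get-ExecutableFromCommand $cmd
            $name = [IO.Path]::GetFileName($exe).ToLowerInvariant()

            $flag = ''
            foreach ($legit in $legitNames) {
                if ($name -ne $legit -and (Get-LevenshteinDistance $name $legit) -le $maxDistance) {
                    $flag = "lookalike of $legit"
                }
            }

            # Legitimate Microsoft binaries in system32 are signed; an unsigned
            # or missing file under a near-miss name is worth a closer look.
            $sig = 'file not found'
            if (Test-Path -LiteralPath $exe) {
                $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
            }

            [PSCustomObject]@{
                Key       = $key
                ValueName = $p.Name
                Command   = $cmd
                Signature = $sig
                Flag      = $flag
            }
        }
    }
}

Get-SuspiciousRunEntries | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM keys are readable; the HKU hives of other logged-on users listed in the post are not covered here and would need the corresponding `Registry::HKEY_USERS\<SID>` paths. Entries with a non-empty Flag or a Signature other than Valid are the ones to triage, together with any companion files sharing the executable's timestamp, as the post notes for _id.dat.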