06-22-2009, 03:57 PM   #1
fusionx
Just avoided a trojan/worm/something...

Hit a news site I hadn't been to for a long time, and noticed the page taking a long time to load. Then my browser froze up. Then Outlook crashed. Then..

Here's where it gets interesting.

ESET NOD32 didn't notice anything odd going on.

Windows Defender popped up a window saying some changes were being made to the registry. Of course I denied the changes.

The Defender window pointed to a file c:\windows\system32\servises.exe - notice the spelling - and also listed the registry keys that were affected.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\servises
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\servises
HKCU\Software\Microsoft\CurrentVersion\Run\\servises
HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer\Run\\servises
HKU\[user-id string]\Software\Microsoft\CurrentVersion\Run\\servises
HKU\[user-id string]\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\servises

The Run Keys were simply: C:\WINDOWS\system32\servises.exe

Scanning the files directly with ESET did nothing.

I also found a file called _id.dat in the \windows\system32 folder with the same date/time stamp as the servises.exe file.

Scary stuff.. if NOD32 doesn't know what it is, I'd be surprised if any other virus/malware software would recognize it.
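An added example, not code from the thread, for auditing the persistence locations fusionx describes: a PowerShell script that walks the Run and Policies\Explorer\Run keys under HKLM and every loaded HKU hive and flags values whose image name is within two edits of a genuine Windows binary name (servises.exe against services.exe), or whose file is unsigned or missing. The list of genuine names is an assumption chosen for illustration.

```powershell
# Added example, not code from the thread: audits the Run / Policies\Explorer\Run keys
# fusionx lists under HKLM and every loaded HKU hive (HKCU is one of those) and flags image
# paths that typo-squat a real Windows binary name, are unsigned, or are missing. Leads, not
# verdicts. Assumes Windows PowerShell 5.1+. Known-name list is illustrative, not exhaustive.
$KnownBinaries = 'services.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe'

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; "servises.exe" vs "services.exe" scores 1.
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-SuspiciousAutorun {
    if (-not (Test-Path 'HKU:')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
    $roots = @('HKLM:\Software') + @(Get-ChildItem 'HKU:' | ForEach-Object { "HKU:\$($_.PSChildName)\Software" })
    $keys = foreach ($r in $roots) {
        "$r\Microsoft\Windows\CurrentVersion\Run"
        "$r\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = (Get-ItemProperty -LiteralPath $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($p in $props) {
            $cmd = [string]$p.Value
            # Crude image-path extraction: a quoted path, else the first token ending in .exe, else the whole value.
            $exe = if ($cmd -match '^"([^"]+)"' -or $cmd -match '(?i)^(\S+\.exe)') { $Matches[1] } else { $cmd }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $name = [IO.Path]::GetFileName($exe).ToLower()
            $flags = @(foreach ($k in $KnownBinaries) {
                $dist = Get-EditDistance $name $k
                if ($dist -gt 0 -and $dist -le 2) { "look-alike of $k" }
            })
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            } else { $flags += 'file missing' }
            if ($flags) { [pscustomobject]@{ Key = "$key\$($p.Name)"; Command = $cmd; Flags = $flags -join '; ' } }
        }
    }
}

Find-SuspiciousAutorun | Format-Table -AutoSize -Wrap
```

Run it elevated so HKLM and other users' HKU hives are readable. Unsigned third-party software will also appear, so a look-alike name combined with an unsigned file in system32 is the strong signal.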
06-22-2009, 06:38 PM   #2
HomerSimpson
NOD32 protects you from viruses but not from trojans/worms and other shit...
Try using something like HijackThis or some antispyware software.
You can find some to download for free at www.filehorse.com
06-22-2009, 07:15 PM   #3
niche25
Eset Nod32 is only an AV, try Eset's Smart Security or maybe Windows Defender. If that doesn't work, format & install Linux or go to www.apple.com and get a Mac.
06-22-2009, 08:41 PM   #4
Major (Tom)
Quote:
Originally Posted by fusionx View Post
[post #1 quoted in full]
NOD sucks.. trust me
Duke
06-22-2009, 08:57 PM   #5
qxm
Use Avast instead... also, keep a copy of HijackThis handy to spot suspicious bullshit...
06-22-2009, 08:58 PM   #6
FreeHugeMovies
i miss u
06-22-2009, 09:10 PM   #7
EscortBiz
Good thing you caught it, or your machine tonight would be sending out spam non-stop. Just did a search on this, pretty nuts (spam.mailbot.m)
06-22-2009, 09:45 PM   #8
woj
What browser were you using?
06-23-2009, 07:01 AM   #9
fusionx
Quote:
Originally Posted by FreeHugeMovies View Post
i miss u
Drinking again?
06-23-2009, 07:02 AM   #10
fusionx
Quote:
Originally Posted by niche25 View Post
Eset Nod32 is only an AV, try Eset's Smart Security or maybe Windows Defender. If that doesn't work, format & install Linux or go to www.apple.com and get a Mac.
My apologies - it is actually Smart Security, fully updated, etc.
06-23-2009, 07:07 AM   #11
polish_aristocrat
Do you still have the servises.exe process running? I hope not.

Consider the following: download Malwarebytes Anti-Malware (free version, http://malwarebytes.org/) and run a full scan.

After that you might also run ComboFix; here's a full guide, read it carefully before using ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix
06-23-2009, 11:28 AM   #12
fusionx
Quote:
Originally Posted by polish_aristocrat View Post
Do you still have the servises.exe process running? I hope not.

Consider the following: download Malwarebytes Anti-Malware (free version, http://malwarebytes.org/) and run a full scan.

After that you might also run ComboFix; here's a full guide, read it carefully before using ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix
servises.exe never actually ran. It was set up to run when the system restarted, thank goodness.

Frustrating.. I've found at least 5 different names/descriptions for what appears to be the same "root" of the trojan/worm: Zotob-I, Trojan.Spadenf, Troj/Agent-KGI, Troj/Agent-JUJ, and several others...

I'm running MalwareBytes right now.. nothing so far. My system is patched up, and some of those patches were fixes for this beastie. I'm guessing that's why Outlook just crashed instead of being compromised.

ComboFix is an amazing tool. Use with care

I think I got lucky
06-23-2009, 11:46 AM   #13
cess
Quote:
Originally Posted by HomerSimpson View Post
NOD32 protects you from viruses but not from trojans/worms and other shit...
O RLY?

http://www.virus-radar.com/stat_01_c...index_enu.html

http://www.eset.com/company/article/...?contentID=917

http://www.av-comparatives.org/image...c_report22.pdf