Just avoided a trojan/worm/something...

[fusionx]

Hit a news site I hadn't been to for a long time, and noticed the page taking a long time to load. Then my browser froze up. Then Outlook crashed. Then..

Here's where it get's interesting.

ESET NOD32 didn't notice anything odd going on.

Windows Defender popped up a window saying some changes were being made to the registry. Of course I denied the changes.

The Defender window pointed to a file c:\windows\system32\servises.exe - notice the spelling - and also listed the registry keys that were affected.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \\servises
HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run\\servises
HKCU\Software\Microsoft\CurrentVersion\Run\\servis es
HKCU\Software\Microsoft\CurrentVersion\Policies\Ex plorer\Run\s\ervises
HKU\[user-id string]\Software\Microsoft\CurrentVersion\Run\\servises
HKU\[user-id string]\Microsoft\Windows\CurrentVersion\policies\Explore r\Run\\servises

The Run Keys were simply: C:\WINDOWS\system32\servises.exe

Scanning the files directly with ESET did nothing.

I also found a file called _id.dat in the \windows\system32 folder with the same date/time stamp as the servises.exe file.

Scary stuff.. if NOD32 doesn't know what it is, I'd be surprised if any other virus/malware software would recognize it.

[HomerSimpson]

nod32 protect you from viruses but not from trojans/worms and other shit...
try using something like hijackthis or some antispyware software.
you can find some to download for free at www.filehorse.com

[niche25]

Eset Nod32 is only an AV, try Eset's Smart Security or maybe Windows Defender. If that doesn't work, format & install Linux or go to www.apple.com and get a Mac.

[Major (Tom)]

Quote:

Originally Posted by fusionx

Hit a news site I hadn't been to for a long time, and noticed the page taking a long time to load. Then my browser froze up. Then Outlook crashed. Then..

Here's where it get's interesting.

ESET NOD32 didn't notice anything odd going on.

Windows Defender popped up a window saying some changes were being made to the registry. Of course I denied the changes.

The Defender window pointed to a file c:\windows\system32\servises.exe - notice the spelling - and also listed the registry keys that were affected.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \\servises
HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\Run\\servises
HKCU\Software\Microsoft\CurrentVersion\Run\\servis es
HKCU\Software\Microsoft\CurrentVersion\Policies\Ex plorer\Run\s\ervises
HKU\[user-id string]\Software\Microsoft\CurrentVersion\Run\\servises
HKU\[user-id string]\Microsoft\Windows\CurrentVersion\policies\Explore r\Run\\servises

The Run Keys were simply: C:\WINDOWS\system32\servises.exe

Scanning the files directly with ESET did nothing.

I also found a file called _id.dat in the \windows\system32 folder with the same date/time stamp as the servises.exe file.

Scary stuff.. if NOD32 doesn't know what it is, I'd be surprised if any other virus/malware software would recognize it.

NOD sucks.. trust me
Duke

[qxm]

use avast instead....... also. keep a copy af hijackthis handy to spot suspicious bullshit........

[FreeHugeMovies]

i miss u

[EscortBiz]

good thing you catched it or your machine tonight would be sending out spam non stop just did a search on this pretty nuts (spam.mailbot.m)

[woj]

What browser were you using?

[fusionx]

Quote:

Originally Posted by FreeHugeMovies

i miss u

Drinking again?

[fusionx]

Quote:

Originally Posted by niche25

Eset Nod32 is only an AV, try Eset's Smart Security or maybe Windows Defender. If that doesn't work, format & install Linux or go to www.apple.com and get a Mac.

My apologies - it is actually Smart Security, fully updated, etc.

[polish_aristocrat]

do you still have the servises.exe process running? I hope not.

Consider the following - download malwarebytes antimalware free version http://malwarebytes.org/ and run a full scan.

After that you might also run Combofix, here's a full guide, read it carefully before using Combofix. http://www.bleepingcomputer.com/comb...o-use-combofix

[fusionx]

Quote:

Originally Posted by polish_aristocrat

do you still have the servises.exe process running? I hope not.

Consider the following - download malwarebytes antimalware free version http://malwarebytes.org/ and run a full scan.

After that you might also run Combofix, here's a full guide, read it carefully before using Combofix. http://www.bleepingcomputer.com/comb...o-use-combofix

servises.exe never actually ran. It was set up to run when the system restarted, thank goodness.

Frustrating.. I've found at least 5 different names/descriptions for what appears to be the same "root" of the trojan/worm. Zotob-I, Trojan.Spadenf, Troj/Agent-KGI, Troj/Agent-JUJ , and several others...

I'm running MalwareBytes right now.. nothing so far. My system is patched up, and some of those patches were fixes for this beastie. I'm guessing that's why Outlook just crashed instead of being compromised.

ComboFix is an amazing tool. Use with care

I think I got lucky

[cess]

Quote:

Originally Posted by HomerSimpson

nod32 protect you from viruses but not from trojans/worms and other shit...

O RLY?

http://www.virus-radar.com/stat_01_c...index_enu.html

http://www.eset.com/company/article/...?contentID=917

http://www.av-comparatives.org/image...c_report22.pdf