Re: servic.exe
Posted by Gabriele Neukam on October 8th, 2004


On that special day, , (prion-no-spam@cotse.net.invalid) said...

You didn't find *that* by googling?

http://computercops.biz/postp105599.html


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Posted by Adysthemic on October 8th, 2004



"Gabriele Neukam" <Gabriele.Spamfighter.Neukam@t-online.de> wrote in message
news:ck6cm5$khf$03$1@news.t-online.com...
Yes Gabriele I found that site straight away. Call me dumb but I still don't
know what servic.exe is from reading anything at that site. Would you be so
kind and explain exactly what servic.exe is, and what it is trying to
do. Thanks.



Posted by Adysthemic on October 8th, 2004



"Adysthemic" <asifidsay@imprivate.com> wrote in message
news:10me5qu4sltkefa@corp.supernews.com...
My infection is the same as yours, just the IPs differ. All point to the same
university in Taiwan though. I deleted the file from windows system. The
infection seems to be gone. How did you verify that it was truly gone?
Adaware and NAV never found anything, nor did spybot. I don't see any more
spontaneous internet activity anymore. Adysthemic



Posted by Gabriele Neukam on October 9th, 2004


On that special day, Adysthemic, (asifidsay@imprivate.com) said...

Is it really that important to know what it does, in detail? It *is*
bad, that is obvious, as it does show signs of nastiness. And within the
first posting on the forum, you find the keyword "winpup", which is
infamous.

There you are. It seems to be a shove-masses-of-ad-popups-into-your-face
trojan. It might be a newer version, as the "servic.exe" isn't mentioned
in the reports.

If you managed to get rid of it, it is better for you, no doubt. I would
rather prefer not to try this thingie on my own computer, as I don't
have a "guinea pig" standing around, that I could sacrifice for a test
run of this beast.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Posted by Gabriele Neukam on October 10th, 2004


On that special day, , (prion-no-spam@cotse.net.invalid) said...



You think, this was a firewall? Well, why is there a line in the log,
that says,
You have even quoted that. A valid Sygate file should contain the usual
info, version and other stuff in the "properties" dialog.

And as the regulars are saying all the time, a *name* tells nothing about
the identity of a "virus" or other application. A file is easily
renamed.

You can only identify it by having a Virusscanner examine it. And only
if the producer of said Virusscanner has set up a web page with some
information on this specific variant and what it does (900 pages only
for Agobot?), you'll know exactly what it does.

BTW:
http://www.windowsstartup.com/wso/br...rt=100&end=125
and
http://www.windowsstartup.com/wso/br...rt=100&end=125
don't show any entry that makes servic.exe appear to be valid. But that
is only an indication, not more.

If you really want to find out, what they are *doing*, you'll have to
look in other places. We are happy with removing them and even better,
avoiding them.

I found another page mentioning this servic.exe, unfortunately it is
using non-latin characters. But note this HijackThis! log.

O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
....
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe

Again this (misleading?) entry. A visit to the Sygate forum didn't help
much, as the term "servic.exe" didn't appear there anywhere. "Sorry - no
matches. Please try some different terms." The only thing I can say is,
that a *free* Sygate firewall runs as "smc.exe", not "servic.exe". I
don't know about the corporate version.

mentions a gigantic list of anti virus programs and firewall processes
that are meant to be terminated by this specific worm that was detected
in April. "servic.exe" is *not* among the names. This "servic" filename
still looks fishy, IMHO.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.
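
The check discussed in the last post (an autostart entry labelled as Sygate but launching servic.exe instead of smc.exe) can be run over a whole HijackThis log. The following is an added example, not part of the original thread: the function names, the `EXPECTED_IMAGES` table and the sample log lines other than the two quoted O4 entries are assumptions made for illustration.

```python
import re

# Expected image names per product keyword. The single entry comes from the
# post above (free Sygate firewall runs as smc.exe); extend it from vendor docs.
EXPECTED_IMAGES = {"sygate personal firewall": {"smc.exe"}}

# HijackThis O4 autostart line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<label>[^\]]*)\]\s*(?P<cmd>.+)$")

def image_name(command):
    """Return the lower-cased executable file name from a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces: cut at the first ".exe" if present.
        m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
        path = m.group(1) if m else command.split()[0]
    return re.split(r"[\\/]", path)[-1].lower()

def review_autostarts(log_text):
    """Return (key, label, image, verdict) for each O4 line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        label, image = m["label"], image_name(m["cmd"])
        verdict = "unknown label"
        for product, images in EXPECTED_IMAGES.items():
            if product in label.lower():
                # A matching name is not proof of identity: files are easily renamed.
                verdict = "name matches (not proof)" if image in images else "MISMATCH"
        findings.append((m["key"].strip(), label, image, verdict))
    return findings

# Constructed sample: the two O4 lines quoted in the post plus two made-up lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall Start] servic.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] "C:\Constructed\smc.exe" -startgui
O4 - HKLM\..\Run: [ExampleApp] C:\Example\app.exe
"""

if __name__ == "__main__":
    for row in review_autostarts(SAMPLE_LOG):
        print(row)
```

A "MISMATCH" verdict only marks the entry for closer inspection (file properties, a scanner verdict); a matching name still proves nothing, as the post says.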