C:\windows\system32\fservice.exe Not Found!

Helpful Information about this infection!


-Sky-
Post #1 post Dec 19 2008, 04:52 PM
Hey guys!

For a few months now this malware infection has been getting worse and worse since the day I got it. I am using AVG Anti-Virus, and that rubbish software has not even detected it at all... this FSERVICE.EXE file is somehow hidden from the "Search" function on Windows XP Home Edition. I am not sure how to remove this infection as it hides in the Registry or something of the kind. Here is a list of what it does and what it is. (NOTE: This information I am going to post may be informative to/for others!)

QUOTE
Associated Malware Groups
The filename is associated with the malware groups:
  • System Back Door
  • Cloaked Malware
  • Rootkit
  • Malicious Software


File Behavior
FSERVICE.EXE has been seen to perform the following behavior:

  • The Process is packed and/or encrypted using a software packing process
  • Can Send email using SMTP protocols
  • Communicates with other computers using FTP connections
  • This Process sends MIME Email
  • This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
  • Modifies System Runtime Policies to limit system usability
  • Adds a Registry Key (DXCOM) to auto start Programs on system start up
  • Disables the built in Windows File Protection System
  • This process creates other processes on disk
  • This Process Deletes Other Processes From Disk
  • Executes a Process
  • The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
  • Terminates Processes
  • Creates a TCP port which listens and is available for communication initiated by other computers
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • Can communicate with other computer systems using HTTP protocols
  • Creates system tray popups, messages, errors and security warnings
  • Uses DNS to retrieve the IP address for web sites
  • Modifies Windows Initialization And System Settings Used On Start up
  • Adds products to the system registry
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • Enables an In Process Object/Server - Common with DLL Injections
  • Registers a Dynamic Link Library File
  • Creates a hidden window which can be used to run other programs without your knowledge
  • Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission


FSERVICE.EXE has been the subject of the following behavior:

  • Created as a process on disk
  • Executed as a Process
  • Added as a Registry Key (DXCOM) to auto start Programs on system start up
  • Has code inserted into its Virtual Memory space by other programs
  • Deleted as a process from disk
  • Copied to multiple locations on the system
  • Registered as a Dynamic Link Library File
  • Added as a Registry auto start to load Program on Boot up
  • Terminated as a Process


File Name Aliases
FSERVICE.EXE can also use the following file names:



Filesizes
The following file size has been seen:

  • 350,764 bytes
  • 315,904 bytes
  • 197,734 bytes


Vendor, Product and Version Information
Files with the name FSERVICE.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

  • ; ; 1, 0, 0, 2
  • ; ; 3, 2, 2, 0


File Type
The filename FSERVICE.EXE is used by multiple object types including executable programs, objects.

File Activity

One or more files with the name FSERVICE.EXE creates, deletes, copies or moves the following files and folders:

  • Deletes c:\windows\system32\fservice.exe
  • Deletes c:\windows\system\sservice.exe
  • Deletes c:\windows\services.exe
  • Copies file c:\windows\system32\fservice.exe to c:\windows\services.exe
  • Copies file c:\windows\system32\fservice.exe to c:\windows\system32\fservice.exe
  • Copies file c:\windows\system32\fservice.exe to c:\windows\system\sservice.exe
  • Creates c:\windows\system32\winkey.dll
  • Deletes c:\windows\Pplugin4.exe
  • Deletes c:\windows\Pplugin8.exe
  • Deletes c:\windows\Pplugin10xa.exe
  • Deletes c:\windows\eimsn.exe
  • Deletes c:\windows\winp9.exe
  • Deletes c:\windows\PpluginCd.dll
  • Creates c:\windows\system32\reginv.dll
  • Copies file c:\windows\services.exe to c:\windows\system32\fservice.ex
  • Copies file c:\windows\services.exe to c:\windows\system\sservice.ex


Registry Activity
One or more files with the name FSERVICE.EXE creates or modifies the following registry keys and values:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Bulas 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings FW_KILL 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings XP_FW_Disable 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings XP_SYS_Recovery 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings ICQ_UIN xnt/on,hq/bnl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings ICQ_UIN2 046007686
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Kurban_Ismi whbuhl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Mail uhl/b`lds`Ax`inn/bnl/cs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Online_List iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Port 4001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Sifre 032547
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Hata Error cant find 2.0.0 .dll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings KSil 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings LanNotifie
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Tport 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings ServerVersionInt 19


Network Activity
One or more files with the name FSERVICE.EXE performs the following network events:
  • DNS Lookup 192.168.0.2 AMANDA-2077D546
  • DNS Lookup 68.178.130.69 www.yoursite.com
  • DNS Lookup 143.215.15.125 you.no-ip.com
  • DNS Lookup you.no-ip.com
  • DNS Lookup www.icq.com
  • DNS name server 92.168.0.1


Website Activity

One or more files with the name FSERVICE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

  • TCP:192.168.0.1:53 Port:17
  • TCP:143.215.15.125:4112 Port:15
  • TCP:143.215.15.125:41100 Port:15
  • Port 80 IP:68.178.130.69

And I hope the above information about these infections is useful to others.

This post has been edited by -Sky-: Dec 19 2008, 04:54 PM
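
Several of the WinSettings values in the quoted report look scrambled, and two of them turn out to decode to hostnames from its Network Activity list. The Python sketch below is an added example, not part of the original post or the quoted report: it assumes a one-byte XOR obfuscation (the helper names are hypothetical) and recovers the key by correlating decoded values with those hostnames.

```python
# Added example (not from the post or the quoted report).
# Assumption: the scrambled values are hidden with a one-byte XOR key.

# Values copied from the Registry Activity list in the quoted report.
WINSETTINGS = {
    "ICQ_UIN": "xnt/on,hq/bnl",
    "Online_List": "iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh",
    "Kurban_Ismi": "whbuhl",
}
# Hostnames copied from the report's Network Activity list.
OBSERVED_HOSTS = ["you.no-ip.com", "www.yoursite.com", "www.icq.com"]


def xor_decode(text, key):
    """XOR every character of an ASCII string with a one-byte key."""
    return "".join(chr(ord(c) ^ key) for c in text)


def is_printable(text):
    """True if every character is printable ASCII."""
    return all(32 <= ord(c) < 127 for c in text)


def find_key(values, hosts):
    """Return the key (1..255) under which the most values decode to
    printable text containing an observed hostname, or None if no key hits."""
    best_key, best_hits = None, 0
    for key in range(1, 256):
        hits = 0
        for value in values.values():
            decoded = xor_decode(value, key)
            if is_printable(decoded) and any(h in decoded for h in hosts):
                hits += 1
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key


def decode_all(values, key):
    """Decode every value with the recovered key."""
    return {name: xor_decode(value, key) for name, value in values.items()}


if __name__ == "__main__":
    key = find_key(WINSETTINGS, OBSERVED_HOSTS)
    print("recovered key:", key)
    for name, plain in decode_all(WINSETTINGS, key).items():
        print(f"{name:12} {plain}")
```
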
miladinoski
Post #2 post Dec 19 2008, 05:05 PM
Or maybe try this fix. ;)
-Sky-
Post #3 post Dec 19 2008, 05:50 PM
Nah. I reformatted my PC and now it's fixed. :P I installed McAfee Security Suite from a disc of mine and I only use Firefox. And I am 100% saying GOODBYE to my hacks that were on my PC too! From now on I am not downloading any torrent from torrent sites as they may also contain a malicious infection in the .exe's.

I strongly suggest to all other members of Trap17 to NEVER visit torrent/warez sites anymore (if you do visit them). Warez-BB mostly, as it contains active infections/threats on the site. Anyway, if you do get the same infection as I did, then I RECOMMEND you get it removed ASAP!!

I left my infection for near enough over 2 months, maybe 3 months and think of what it did. It infected my entire system32 folder, including parts of my WINDOWS directory.

-Sky.
iGuest
Post #4 post Yesterday, 01:30 AM
C:\windows\system32\services.exe terminated Unexpectedly
C:\windows\system32\fservice.exe Not Found!

I am receiving the following error message when booting up one of my systems: NT Authority System C:\windows\system32\services.exe terminated Unexpectedly with status code - 1073741482 System will now shut down. Where after the system shuts down. This happens on boot, error message shows up as soon as the log on screen does. I was able to boot in safe mode, however nothing would run due to the compromised services.exe. -question by Sabina