C:\windows\system32\fservice.exe Not Found!

Tags

windows

Options

-Sky-

Per essere, o non essere.

Group: [HOSTED]
Posts: 564
Joined: 30-August 08
From: UK
Member No.: 67,096
myCENT:76.25

Post #1 post

Dec 19 2008, 04:52 PM

Hey guys!

For a few months now this malware infection has been getting worse and worse since the day I got it. I am using AVG Anti-Virus, and that rubbish software has not even detected it at all... this FSERVICE.EXE file is somehow hidden from the "Search" function on Windows XP Home Edition. I am not sure how to remove this infection as it hides in the Registry or some kind. There is a list of what it does/ and is. (NOTE: This information I am going to post may be informative to/for others!)

QUOTE

Associated Malware Groups
The filename is associated with the malware groups:

System Back Door
Cloaked Malware
Rootkit
Malicious Software

File Behavior
FSERVICE.EXE has been seen to perform the following behavior:

The Process is packed and/or encrypted using a software packing process
Can Send email using SMTP protocols
Communicates with other computers using FTP connections
This Process sends MIME Email
This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
Modifies System Runtime Policies to limit system usability
Adds a Registry Key (DXCOM) to auto start Programs on system start up
Disables the built in Windows File Protection System
This process creates other processes on disk
This Process Deletes Other Processes From Disk
Executes a Process
The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Terminates Processes
Creates a TCP port which listens and is available for communication initiated by other computers
Writes to another Process's Virtual Memory (Process Hijacking)
Can communicate with other computer systems using HTTP protocols
Creates system tray popups, messages, errors and security warnings
Uses DNS to retrieve the IP address for web sites
Modifies Windows Initialization And System Settings Used On Start up
Adds products to the system registry
Adds a Registry Key (RUN) to auto start Programs on system start up
Enables an In Process Object/Server - Common with DLL Injections
Registers a Dynamic Link Library File
Creates a hidden window which can be used to run other programs without your knowledge
Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission

FSERVICE.EXE has been the subject of the following behavior:

Created as a process on disk
Executed as a Process
Added as a Registry Key (DXCOM) to auto start Programs on system start up
Has code inserted into its Virtual Memory space by other programs
Deleted as a process from disk
Copied to multiple locations on the system
Registered as a Dynamic Link Library File
Added as a Registry auto start to load Program on Boot up
Terminated as a Process

File Name Aliases
FSERVICE.EXE can also use the following file names:

SSERVICE.EXE
96671838.SVD
SERVICES.EXE
29436276.SVD
NGUIDE26.EXE
NGUIDE60.EXE
NGUIDE63.EXE
NGUIDE31.EXE
NGUIDE62.EXE
NGUIDE65.EXE
NGUIDE78.EXE
NGUIDE79.EXE
NGUIDE46.EXE
FSERVICE .EXE
84772041.EXE
25650581.SVD
88778315.EXE
LNCOM.EXE
16867189.SVD

Filesizes
The following file size has been seen:

350,764 bytes
315,904 bytes
197,734 bytes

Vendor, Product and Version Information
Files with the name FSERVICE.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

; ; 1, 0, 0, 2
; ; 3, 2, 2, 0

File Type
The filename FSERVICE.EXE is used by multiple object types including executable programs,objects.

File Activity
One or more files with the name FSERVICE.EXE creates, deletes, copies or moves the following files and folders:

Deletes c:\windows\system32\fservice.exe
Deletes c:\windows\system\sservice.exe
Deletes c:\windows\services.exe
Copies filec:\windows\system32\fservice.exe to c:\windows\services.exe
Copies filec:\windows\system32\fservice.exe to c:\windows\system32\fservice.exe
Copies filec:\windows\system32\fservice.exe to c:\windows\system\sservice.exe
Creates c:\windows\system32\winkey.dll
Deletes c:\windows\Pplugin4.exe
Deletes c:\windows\Pplugin8.exe
Deletes c:\windows\Pplugin10xa.exe
Deletes c:\windows\eimsn.exe
Deletes c:\windows\winp9.exe
Deletes c:\windows\PpluginCd.dll
Creates c:\windows\system32\reginv.dll
Copies filec:\windows\services.exe to c:\windows\system32\fservice.ex
Copies filec:\windows\services.exe to c:\windows\system\sservice.ex

Registry Activity
One or more files with the name FSERVICE.EXE creates or modifies the following registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Bulas 1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings FW_KILL 1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings XP_FW_Disable 0
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings XP_SYS_Recovery 1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings ICQ_UIN xnt/on,hq/bnl
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings ICQ_UIN2 046007686
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Kurban_Ismi whbuhl
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Mail uhl/b`lds`Ax`inn/bnl/cs
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Online_List iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Port 4001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Sifre 032547
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Hata Error cant find 2.0.0 .dll
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings KSil 1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings LanNotifie
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings Tport 0
HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings ServerVersionInt 19

Network Activity
One or more files with the name FSERVICE.EXE performs the following network events:

DNS Lookup192.168.0.2 AMANDA-2077D546
DNS Lookup68.178.130.69 www.yoursite.com
DNS Lookup143.215.15.125 you.no-ip.com
DNS Lookup you.no-ip.com
DNS Lookup www.icq.com
DNS name server92.168.0.1

Website Activity
One or more files with the name FSERVICE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP:192.168.0.1:53 Port:17
TCP:143.215.15.125:4112 Port:15
TCP:143.215.15.125:41100 Port:15
Port 80 IP:68.178.130.69

And I hope the above information about these infections are useful to others.

This post has been edited by -Sky-: Dec 19 2008, 04:54 PM

miladinoski View Member Profile Anime fanatic! Group: [HOSTED] Posts: 518 Joined: 30-June 08 From: Macedonia Member No.: 64,391 myCENT:60.48	Post #2 Dec 19 2008, 05:05 PM Or maybe try this fix.

-Sky-

Per essere, o non essere.

Group: [HOSTED]
Posts: 564
Joined: 30-August 08
From: UK
Member No.: 67,096
myCENT:76.25

Post #3 post

Dec 19 2008, 05:50 PM

Nah. I reformatted my PC and now It's fixed.

I installed McAfee Security Suite from a Disc of mine and I only use Firefox. And I am 100% saying GOOD BYE to my hacks that was on my PC too! From now on I am not downloading any torrent from torrent sites as they may also contain a malicious infection in the .exe's.

I strongly suggest to all other members of Trap17 to NEVER visit torrent/warez sites anymore (if you do visit them). Warez-BB mostly as it contains active infections/threats on the site. Anyway if you do get the same infection as I did, then I RECOMMEND you to get it removed ASAP !!

I left my infection for near enough over 2 months, maybe 3 months and think of what it did. It infected my entire system32 folder, including parts of my WINDOWS directory.

-Sky.

« Next Oldest · Operating Systems · Next Newest »

Topic Title	Replies	Topic Starter	Views	Last Action
Hardware Issue With Windows Vista - Sound Card Acting Wierd [resolved]	4	bluedragon	1,566	27th June 2008 - 01:38 PM Last post by: rvalkass
Jokes (No Post Count) Windows Rg	7	jailbox	10,364	6th September 2004 - 11:53 AM Last post by: synderoxide
Operating Systems Windows XP?????	2	dontmaimyourself	11,352	2nd August 2004 - 08:55 AM Last post by: Spectre
Software Windows -> Linux 12	17	pr3dr49	23,475	18th March 2009 - 07:08 AM Last post by: aloKNsh
Computers Windows Xp Sp3 - High Alert 123	25	stingray001	4,712	11th May 2009 - 01:20 AM Last post by: artsemail2000
Operating Systems Windows History 12	10	zhangzy	18,759	24th September 2004 - 01:58 PM Last post by: goranche
Operating Systems windows longhorn	5	stevey	9,948	20th August 2004 - 06:14 PM Last post by: Spectre
Operating Systems Windows Xp SP2 12	14	Thunder	22,228	24th September 2004 - 01:25 AM Last post by: akz
Operating Systems Windows Xp Lite? 12	18	dundun2007	27,003	9th January 2009 - 08:40 AM Last post by: kudmus
Introductions Just Found This Great Site.	5	toykoldkilla	831	24th July 2006 - 04:39 AM Last post by: toykoldkilla
Freebie Stuff Windows Live Messenger 12	13	tonyused	2,065	7th February 2009 - 12:08 PM Last post by: Ash-Bash
Software Cpanel For Windows	3	stevey	9,166	15th June 2009 - 07:16 AM Last post by: gannimel
Software Alternitive Windows Shell 12	11	Zenchi	16,288	14th October 2004 - 12:04 PM Last post by: NTNguyen
Operating Systems How To Change Language Of Windows Xp	1	farh1n	4,903	11th August 2007 - 02:21 PM Last post by: odomike
Software Windows 2000 Pro	3	Trystim	6,908	30th September 2004 - 01:49 AM Last post by: Trystim

C:\windows\system32\fservice.exe Not Found!

, Helpful Information about this infection!