NSanityHD Posted December 18, 2008 (edited)

Hey guys! For a few months now this malware infection has been getting worse and worse since the day I got it. I am using AVG Anti-Virus, and that shit software has not even detected it at all... this FSERVICE.EXE file is somehow hidden from the "Search" function on Windows XP Home Edition. I am not sure how to remove this infection as it hides in the Registry or something of the kind. Here is a list of what it does and is. (NOTE: The information I am going to post may be informative for others!)

Associated Malware Groups
The filename is associated with the malware groups:
- System Back Door
- Cloaked Malware
- Rootkit
- Malicious Software

File Behavior
FSERVICE.EXE has been seen to perform the following behavior:
- The process is packed and/or encrypted using a software packing process
- Can send email using SMTP protocols
- Communicates with other computers using FTP connections
- This process sends MIME email
- This process contains user-mode rootkit functionality and can hide itself from the running process list
- Modifies system runtime policies to limit system usability
- Adds a registry key (DXCOM) to auto-start programs on system start-up
- Disables the built-in Windows File Protection system
- This process creates other processes on disk
- This process deletes other processes from disk
- Executes a process
- The process hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Terminates processes
- Creates a TCP port which listens and is available for communication initiated by other computers
- Writes to another process's virtual memory (process hijacking)
- Can communicate with other computer systems using HTTP protocols
- Creates system tray popups, messages, errors and security warnings
- Uses DNS to retrieve the IP address for web sites
- Modifies Windows initialization and system settings used on start-up
- Adds products to the system registry
- Adds a registry key (RUN) to auto-start programs on system start-up
- Enables an in-process object/server (common with DLL injections)
- Registers a dynamic link library file
- Creates a hidden window which can be used to run other programs without your knowledge
- Disables the Windows built-in firewall, enabling rogue processes to access the internet without your knowledge or permission

FSERVICE.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a process
- Added as a registry key (DXCOM) to auto-start programs on system start-up
- Has code inserted into its virtual memory space by other programs
- Deleted as a process from disk
- Copied to multiple locations on the system
- Registered as a dynamic link library file
- Added as a registry auto-start to load program on boot-up
- Terminated as a process

Country Of Origin
The filename FSERVICE.EXE was first seen on Jun 17 2007 in the following geographical regions of the Prevx community:
- TUNISIA on Jun 17 2007
- SPAIN on Dec 21 2007
- KOREA, REPUBLIC OF on Dec 21 2007
- The UNITED KINGDOM on Mar 25 2008
- NETHERLANDS on Apr 10 2008

File Name Aliases
FSERVICE.EXE can also use the following file names:
SSERVICE.EXE, 96671838.SVD, SERVICES.EXE, 29436276.SVD, NGUIDE26.EXE, NGUIDE60.EXE, NGUIDE63.EXE, NGUIDE31.EXE, NGUIDE62.EXE, NGUIDE65.EXE, NGUIDE78.EXE, NGUIDE79.EXE, NGUIDE46.EXE, FSERVICE .EXE, 84772041.EXE, 25650581.SVD, 88778315.EXE, LNCOM.EXE, 16867189.SVD

File Sizes
The following file sizes have been seen:
- 350,764 bytes
- 315,904 bytes
- 197,734 bytes

Vendor, Product and Version Information
Files with the name FSERVICE.EXE have been seen to have the following vendor, product and version information in the file header (vendor and product fields blank):
- ; ; 1, 0, 0, 2
- ; ; 3, 2, 2, 0

File Type
The filename FSERVICE.EXE is used by multiple object types including executable programs, objects.

File Activity
One or more files with the name FSERVICE.EXE creates, deletes, copies or moves the following files and folders:
- Deletes c:\windows\system32\fservice.exe
- Deletes c:\windows\system\sservice.exe
- Deletes c:\windows\services.exe
- Copies file c:\windows\system32\fservice.exe to c:\windows\services.exe
- Copies file c:\windows\system32\fservice.exe to c:\windows\system32\fservice.exe
- Copies file c:\windows\system32\fservice.exe to c:\windows\system\sservice.exe
- Creates c:\windows\system32\winkey.dll
- Deletes c:\windows\Pplugin4.exe
- Deletes c:\windows\Pplugin8.exe
- Deletes c:\windows\Pplugin10xa.exe
- Deletes c:\windows\eimsn.exe
- Deletes c:\windows\winp9.exe
- Deletes c:\windows\PpluginCd.dll
- Creates c:\windows\system32\reginv.dll
- Copies file c:\windows\services.exe to c:\windows\system32\fservice.ex
- Copies file c:\windows\services.exe to c:\windows\system\sservice.ex

Registry Activity
One or more files with the name FSERVICE.EXE creates or modifies the following registry values, all under the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings:
- Bulas = 1
- FW_KILL = 1
- XP_FW_Disable = 0
- XP_SYS_Recovery = 1
- ICQ_UIN = xnt/on,hq/bnl
- ICQ_UIN2 = 046007686
- Kurban_Ismi = whbuhl
- Mail = uhl/b`lds`Ax`inn/bnl/cs
- Online_List = iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
- Port = 4001
- Sifre = 032547
- Hata = Error cant find 2.0.0 .dll
- KSil = 1
- LanNotifie = (empty)
- Tport = 0
- ServerVersionInt = 19

Network Activity
One or more files with the name FSERVICE.EXE performs the following network events:
- DNS Lookup 192.168.0.2 AMANDA-2077D546
- DNS Lookup 68.178.130.69 www.yoursite.com
- DNS Lookup 143.215.15.125 you.no-ip.com
- DNS Lookup you.no-ip.com
- DNS Lookup www.icq.com
- DNS name server 192.168.0.1

Website Activity
One or more files with the name FSERVICE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:192.168.0.1:53 Port:17
- TCP:143.215.15.125:4112 Port:15
- TCP:143.215.15.125:41100 Port:15
- Port 80 IP:68.178.130.69

If ANYONE can help me remove this infection it would be greatly appreciated! And I hope the above information about these infections is useful to others.
-Ice

Edited December 18, 2008 by I©e
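The string values in the WinSettings key above are not random: each character has had its low bit flipped (XOR 0x01), so ICQ_UIN decodes to you.no-ip.com and Online_List to http://www.yoursite.com/cgi-bin/prorat.cgi, the same hostnames that appear in the DNS lookups, and Sifre decodes to 123456. The value names are Turkish (Kurban_Ismi "victim name", Sifre "password", Hata "error"). The script below is an added example, not code from the original post or from the scanner that produced the report; it parses the dump and decodes those values. Its assumptions are that the XOR-0x01 transform applies to the string values only, and that the set of obfuscated value names is the one read off the dump above, not any documented format.

```python
"""Decode the obfuscated string values in the WinSettings registry dump.

Added example, not part of the original forum post or of the scanner report.
Assumption, checked by hand against the dump: string values under the
WinSettings key are stored with every character XORed with 0x01 (so 'i'->'h',
';'->':', '`'->'a'), while numeric flags such as Port, FW_KILL and Tport are
stored in the clear.
"""
from __future__ import annotations

from urllib.parse import urlparse

WINSETTINGS_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host"
    r"\Microsoft DxDiag\WinSettings"
)

# Value names the dump shows holding obfuscated data (assumption: taken from
# the registry lines in the post, not from any documented configuration format).
OBFUSCATED_VALUES = {"ICQ_UIN", "ICQ_UIN2", "Kurban_Ismi", "Mail", "Online_List", "Sifre"}

# Constructed sample: a subset of the registry lines from the report, in the
# "<key> <value name> <data>" layout the post uses (LanNotifie has no data).
SAMPLE_DUMP = "\n".join(
    f"{WINSETTINGS_KEY} {name} {data}".rstrip()
    for name, data in [
        ("FW_KILL", "1"),
        ("ICQ_UIN", "xnt/on,hq/bnl"),
        ("Kurban_Ismi", "whbuhl"),
        ("Online_List", "iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh"),
        ("Port", "4001"),
        ("Sifre", "032547"),
        ("LanNotifie", ""),
    ]
)


def xor1(text: str) -> str:
    """Flip the low bit of every character; the transform is its own inverse."""
    return "".join(chr(ord(c) ^ 0x01) for c in text)


def parse_dump(dump: str) -> dict[str, str]:
    """Return {value name: raw data} for every line under the WinSettings key."""
    values: dict[str, str] = {}
    for line in dump.splitlines():
        if not line.startswith(WINSETTINGS_KEY):
            continue
        rest = line[len(WINSETTINGS_KEY):].strip()
        name, _, data = rest.partition(" ")
        values[name] = data
    return values


def decode_config(dump: str) -> dict[str, str]:
    """Parse the dump and replace each obfuscated value with its plaintext."""
    config = parse_dump(dump)
    for name in OBFUSCATED_VALUES:
        if name in config:
            config[name] = xor1(config[name])
    return config


def host_of(value: str) -> str:
    """Hostname of a URL, or the value itself when it is a bare hostname."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return parsed.hostname or ""


def c2_hosts(config: dict[str, str]) -> list[str]:
    """Hostnames from the decoded callback fields, sorted, for cross-checking
    against the DNS lookups listed in the network-activity section."""
    return sorted({host_of(config[n]) for n in ("ICQ_UIN", "Online_List") if n in config})


if __name__ == "__main__":
    cfg = decode_config(SAMPLE_DUMP)
    for name, value in sorted(cfg.items()):
        print(f"{name:12} = {value!r}")
    print("callback hosts:", c2_hosts(cfg))
```

Because the transform is a single bit flip, running xor1 over a decoded value returns the original registry data, which is a quick way to confirm a suspected value really was encoded this way before reading meaning into it; values such as Port stay as they are because the dump stores them in the clear.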
DemonDelight Posted December 18, 2008

Is your AVG set to the highest protection settings? If so, make sure the virus definitions are up to date. Other than that I have no clue. I've been using Avast, but I'm thinking about moving toward Trend Micro, because it seems to stay on top of everything a lot better.
WRX22B1998 Posted December 19, 2008

Well, I've used AVG since we got rid of Norton in 2001... I never got any viruses or malware that didn't get detected and automatically fixed. Sorry to break it to you, but AVG isn't shit. As for that, if it's done that many things you'll be running around in circles trying to get rid of it, as it has infected startup folders, reg keys, system files. It would be quicker to get an XP SP2 disc, then back up all your data to an external drive, and reformat and reinstall XP. Then start over. Not kidding, you'll be there for hours!
Damjan Posted January 8, 2009

Sorry for the month bump (I know Kel fixed the problem already, but I found out what the problem was). It's a Game-Thief. My buddy had it on his laptop; I suspect he wanted free Steam games, and they would be recognized as Steam ones once he downloaded them. I found this with ComboFix there.