NSanityHD

C:\WINDOWS\system32\fservice.exe not found!


Hey guys!

For a few months now this malware infection has been getting worse and worse since the day I got it. I am using AVG Anti-Virus, and that shit software has not even detected it at all... this FSERVICE.EXE file is somehow hidden from the "Search" function on Windows XP Home Edition. I am not sure how to remove this infection, as it hides in the Registry or something of that kind. Below is a list of what it does and what it is. (NOTE: the information I am going to post may be informative for others!)

Associated Malware Groups

The filename is associated with the malware groups:

- System Back Door
- Cloaked Malware
- Rootkit
- Malicious Software

File Behavior

FSERVICE.EXE has been seen to perform the following behavior:

- The process is packed and/or encrypted using a software packing process
- Can send email using SMTP protocols
- Communicates with other computers using FTP connections
- This process sends MIME email
- This process contains user-mode rootkit functionality and can hide itself from the running process list
- Modifies system runtime policies to limit system usability
- Adds a registry key (DXCOM) to auto-start programs on system start-up
- Disables the built-in Windows File Protection system
- This process creates other processes on disk
- This process deletes other processes from disk
- Executes a process
- The process hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Terminates processes
- Creates a TCP port which listens and is available for communication initiated by other computers
- Writes to another process's virtual memory (process hijacking)
- Can communicate with other computer systems using HTTP protocols
- Creates system tray popups, messages, errors and security warnings
- Uses DNS to retrieve the IP address for web sites
- Modifies Windows initialization and system settings used on start-up
- Adds products to the system registry
- Adds a registry key (RUN) to auto-start programs on system start-up
- Enables an in-process object/server (common with DLL injections)
- Registers a dynamic link library file
- Creates a hidden window which can be used to run other programs without your knowledge
- Disables the Windows built-in firewall, enabling rogue processes to access the internet without your knowledge or permission

FSERVICE.EXE has been the subject of the following behavior:

- Created as a process on disk
- Executed as a process
- Added as a registry key (DXCOM) to auto-start programs on system start-up
- Has code inserted into its virtual memory space by other programs
- Deleted as a process from disk
- Copied to multiple locations on the system
- Registered as a dynamic link library file
- Added as a registry auto-start to load the program on boot-up
- Terminated as a process

Country Of Origin

The filename FSERVICE.EXE was first seen on Jun 17 2007 in the following geographical regions of the Prevx community:

- TUNISIA on Jun 17 2007
- SPAIN on Dec 21 2007
- KOREA, REPUBLIC OF on Dec 21 2007
- The UNITED KINGDOM on Mar 25 2008
- NETHERLANDS on Apr 10 2008

File Name Aliases

FSERVICE.EXE can also use the following file names:

- SSERVICE.EXE
- 96671838.SVD
- SERVICES.EXE
- 29436276.SVD
- NGUIDE26.EXE
- NGUIDE60.EXE
- NGUIDE63.EXE
- NGUIDE31.EXE
- NGUIDE62.EXE
- NGUIDE65.EXE
- NGUIDE78.EXE
- NGUIDE79.EXE
- NGUIDE46.EXE
- FSERVICE .EXE
- 84772041.EXE
- 25650581.SVD
- 88778315.EXE
- LNCOM.EXE
- 16867189.SVD

Filesizes

The following file sizes have been seen:

- 350,764 bytes
- 315,904 bytes
- 197,734 bytes

Vendor, Product and Version Information

Files with the name FSERVICE.EXE have been seen to have the following vendor, product and version information in the file header (vendor and product fields are blank in both cases):

- ; ; 1, 0, 0, 2
- ; ; 3, 2, 2, 0

File Type

The filename FSERVICE.EXE is used by multiple object types, including executable programs and objects.

File Activity

One or more files with the name FSERVICE.EXE creates, deletes, copies or moves the following files and folders:

- Deletes c:\windows\system32\fservice.exe
- Deletes c:\windows\system\sservice.exe
- Deletes c:\windows\services.exe
- Copies file c:\windows\system32\fservice.exe to c:\windows\services.exe
- Copies file c:\windows\system32\fservice.exe to c:\windows\system32\fservice.exe
- Copies file c:\windows\system32\fservice.exe to c:\windows\system\sservice.exe
- Creates c:\windows\system32\winkey.dll
- Deletes c:\windows\Pplugin4.exe
- Deletes c:\windows\Pplugin8.exe
- Deletes c:\windows\Pplugin10xa.exe
- Deletes c:\windows\eimsn.exe
- Deletes c:\windows\winp9.exe
- Deletes c:\windows\PpluginCd.dll
- Creates c:\windows\system32\reginv.dll
- Copies file c:\windows\services.exe to c:\windows\system32\fservice.ex
- Copies file c:\windows\services.exe to c:\windows\system\sservice.ex

Registry Activity

One or more files with the name FSERVICE.EXE creates or modifies the following registry keys and values (all under HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings):

- Bulas = 1
- FW_KILL = 1
- XP_FW_Disable = 0
- XP_SYS_Recovery = 1
- ICQ_UIN = xnt/on,hq/bnl
- ICQ_UIN2 = 046007686
- Kurban_Ismi = whbuhl
- Mail = uhl/b`lds`Ax`inn/bnl/cs
- Online_List = iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh
- Port = 4001
- Sifre = 032547
- Hata = Error cant find 2.0.0 .dll
- KSil = 1
- LanNotifie (no data shown)
- Tport = 0
- ServerVersionInt = 19

Network Activity

One or more files with the name FSERVICE.EXE performs the following network events:

- DNS Lookup 192.168.0.2 AMANDA-2077D546
- DNS Lookup 68.178.130.69 www.yoursite.com
- DNS Lookup 143.215.15.125 you.no-ip.com
- DNS Lookup you.no-ip.com
- DNS Lookup www.icq.com
- DNS name server92.168.0.1

Website Activity

One or more files with the name FSERVICE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

- TCP:192.168.0.1:53 Port:17
- TCP:143.215.15.125:4112 Port:15
- TCP:143.215.15.125:41100 Port:15
- Port 80 IP:68.178.130.69

If ANYONE can help me remove this infection, it would be greatly appreciated!

And I hope the above information about these infections is useful to others.

-Ice

Edited by I©e
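An added example (mine, not from the post or from the Prevx report it quotes): several of the WinSettings values in the registry dump above are obfuscated with a single-byte XOR of 0x01 (an observation from the dump itself: "iuuq;.." is "http://" with one bit flipped per byte), and the decoded URL and hostname match the DNS lookups the post lists. The script parses lines in the dump's format, decodes the string-valued entries (which value names hold strings is my assumption from the dump) and extracts hostnames to hunt for in DNS logs; the decoded URL path names "prorat", consistent with the ProRat backdoor family, an attribution that is mine, not the page's.

```python
import re
from urllib.parse import urlparse

# Constructed sample: WinSettings lines copied from the post's registry dump,
# plus one numeric value (Port) to show that non-string entries pass through.
KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings"
SAMPLE_DUMP = "\n".join(
    f"{KEY} {name} {value}"
    for name, value in [
        ("ICQ_UIN", "xnt/on,hq/bnl"),
        ("Kurban_Ismi", "whbuhl"),
        ("Online_List", "iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh"),
        ("Port", "4001"),
    ]
)

# Assumption from reading the dump: these value names hold XOR-obfuscated
# strings; the other names (Port, FW_KILL, Sifre, ...) hold plain data.
STRING_KEYS = {"ICQ_UIN", "Kurban_Ismi", "Online_List"}


def xor_decode(value: str, key: int = 0x01) -> str:
    """Undo a single-byte XOR; with key 0x01, 'iuuq;..' becomes 'http://'."""
    return "".join(chr(ord(c) ^ key) for c in value)


def parse_winsettings(dump: str) -> dict:
    """Map value name -> raw data for lines shaped '<key path>\\WinSettings NAME DATA'."""
    settings = {}
    for line in dump.splitlines():
        m = re.search(r"\\WinSettings (\S+)(?: (.*))?$", line)
        if m:
            settings[m.group(1)] = m.group(2) or ""  # LanNotifie has no data
    return settings


def decode_config(dump: str) -> dict:
    """Decode the string-valued entries; numeric flags are returned unchanged."""
    raw = parse_winsettings(dump)
    return {k: xor_decode(v) if k in STRING_KEYS else v for k, v in raw.items()}


def network_indicators(config: dict) -> set:
    """Hostnames from the decoded values, ready to match against DNS query logs."""
    hosts = set()
    for value in config.values():
        host = urlparse(value).hostname if "://" in value else value
        if host and re.fullmatch(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", host):
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    decoded = decode_config(SAMPLE_DUMP)
    print(decoded, sorted(network_indicators(decoded)))
```

Run against a full export of the WinSettings key, the decoded Online_List and ICQ_UIN values give the callback hosts to search for in DNS and proxy logs.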


Is your AVG set to the highest protection settings? If so, make sure the virus definitions are up to date. Other than that I have no clue. I've been using Avast, but I'm thinking about moving toward Trend Micro, because it seems to stay on top of everything a lot better.


Well, I've used AVG since we got rid of Norton in 2001... I never got any viruses or malware that didn't get detected and automatically fixed. Sorry to break it to you, but AVG isn't shit.

As for that, if it's done that many things you'll be running around in circles trying to get rid of it, as it has infected startup folders, reg keys and system files. It would be quicker to get an XP SP2 disc, then back up all your data to an external drive, reformat and reinstall XP, then start over. Not kidding, you'll be there for hoursss!


Sorry for the month-old bump (I know Kel fixed the problem already, but I found out what the problem was). It's a Game-Thief. My buddy had it on his laptop; I suspect he wanted free Steam games, and they would be recognized as Steam ones once he downloaded them. I found this with ComboFix there.
