xisto Community
-Sky-

C:\windows\system32\fservice.exe Not Found! Helpful Information about this infection

Hey guys!

 

For a few months now this malware infection has been getting worse and worse since the day I got it. I am using AVG Anti-Virus, and that rubbish software has not even detected it at all... This FSERVICE.EXE file is somehow hidden from the "Search" function on Windows XP Home Edition. I am not sure how to remove this infection, as it hides in the Registry or something of the kind. Here is a list of what it does and is. (NOTE: This information I am going to post may be informative for others!)

 

Associated Malware Groups

The filename is associated with the malware groups:

System Back Door

Cloaked Malware

Rootkit

Malicious Software


File Behavior

FSERVICE.EXE has been seen to perform the following behavior:

 

The Process is packed and/or encrypted using a software packing process

Can Send email using SMTP protocols

Communicates with other computers using FTP connections

This Process sends MIME Email

This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list

Modifies System Runtime Policies to limit system usability

Adds a Registry Key (DXCOM) to auto start Programs on system start up

Disables the built in Windows File Protection System

This process creates other processes on disk

This Process Deletes Other Processes From Disk

Executes a Process

The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents

Terminates Processes

Creates a TCP port which listens and is available for communication initiated by other computers

Writes to another Process's Virtual Memory (Process Hijacking)

Can communicate with other computer systems using HTTP protocols

Creates system tray popups, messages, errors and security warnings

Uses DNS to retrieve the IP address for web sites

Modifies Windows Initialization And System Settings Used On Start up

Adds products to the system registry

Adds a Registry Key (RUN) to auto start Programs on system start up

Enables an In Process Object/Server - Common with DLL Injections

Registers a Dynamic Link Library File

Creates a hidden window which can be used to run other programs without your knowledge

Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission


FSERVICE.EXE has been the subject of the following behavior:

 

Created as a process on disk

Executed as a Process

Added as a Registry Key (DXCOM) to auto start Programs on system start up

Has code inserted into its Virtual Memory space by other programs

Deleted as a process from disk

Copied to multiple locations on the system

Registered as a Dynamic Link Library File

Added as a Registry auto start to load Program on Boot up

Terminated as a Process


File Name Aliases

FSERVICE.EXE can also use the following file names:

 


Filesizes

The following file sizes have been seen:

 

350,764 bytes

315,904 bytes

197,734 bytes


Vendor, Product and Version Information

Files with the name FSERVICE.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

 

; ; 1, 0, 0, 2

; ; 3, 2, 2, 0


File Type

The filename FSERVICE.EXE is used by multiple object types including executable programs, objects.

File Activity

One or more files with the name FSERVICE.EXE creates, deletes, copies or moves the following files and folders:

 

Deletes c:\windows\system32\fservice.exe

Deletes c:\windows\system\sservice.exe

Deletes c:\windows\services.exe

Copies file c:\windows\system32\fservice.exe to c:\windows\services.exe

Copies file c:\windows\system32\fservice.exe to c:\windows\system32\fservice.exe

Copies file c:\windows\system32\fservice.exe to c:\windows\system\sservice.exe

Creates c:\windows\system32\winkey.dll

Deletes c:\windows\Pplugin4.exe

Deletes c:\windows\Pplugin8.exe

Deletes c:\windows\Pplugin10xa.exe

Deletes c:\windows\eimsn.exe

Deletes c:\windows\winp9.exe

Deletes c:\windows\PpluginCd.dll

Creates c:\windows\system32\reginv.dll

Copies file c:\windows\services.exe to c:\windows\system32\fservice.ex

Copies file c:\windows\services.exe to c:\windows\system\sservice.ex


Registry Activity

One or more files with the name FSERVICE.EXE creates or modifies the following registry keys and values:

 


Network Activity

One or more files with the name FSERVICE.EXE performs the following network events:

DNS Lookup 192.168.0.2 AMANDA-2077D546

DNS Lookup 68.178.130.69 http://ww38.yoursite.com/

DNS Lookup 143.215.15.125 you.no-ip.com

DNS Lookup you.no-ip.com

DNS Lookup https://icq.com/windows/de

DNS name server 92.168.0.1

Website Activity

One or more files with the name FSERVICE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

 

TCP:192.168.0.1:53 Port:17

TCP:143.215.15.125:4112 Port:15

TCP:143.215.15.125:41100 Port:15

Port 80 IP:68.178.130.69

And I hope the above information about these infections is useful to others.
Edited by -Sky-


Nah. I reformatted my PC and now it's fixed. :) I installed McAfee Security Suite from a disc of mine and I only use Firefox. And I am 100% saying GOOD BYE to my hacks that were on my PC too! From now on I am not downloading any torrent from torrent sites, as they may also contain a malicious infection in the .exe's. I strongly suggest to all other members of Xisto to NEVER visit torrent/warez sites anymore (if you do visit them). Warez-BB mostly, as it contains active infections/threats on the site. Anyway, if you do get the same infection as I did, then I RECOMMEND you get it removed ASAP!! I left my infection for near enough over 2 months, maybe 3 months, and think of what it did. It infected my entire system32 folder, including parts of my WINDOWS directory.

-Sky.

C:\windows\system32\services.exe terminated Unexpectedly C:\windows\system32\fservice.exe Not Found!

I am receiving the following error message when booting up one of my systems:

NT Authority System C:\windows\system32\services.Exe terminated Unexpectedly with status code - 1073741482 System will now shut down.

Whereafter the system shuts down. This happens on boot; the error message shows up as soon as the log on screen does. I was able to boot in safe mode, however nothing would run due to the compromised services.Exe.

-question by Sabina
