Removing virus services.exe and fservice.exe
The virus consists of the following.
C:\Windows\system32\fservice.exe and C:\Windows\services.exe
The virus is a key logger. It sends an email message every time a connection to the internet is made. It blocks the Windows XP Protect Shield and System Restore services.
Removing the virus:
1. Kill fservice.exe
- Use TASKKILL /F /IM fservice.exe
- If it doesn’t work on the first attempt, use NTSD -P [PID of fservice.exe] then quit the debugger to kill the task.
2. Kill services.exe
- Kill the bogus one not the genuine services.exe
- Follow procedure in number 1.
3. Delete all occurrences of fservice.exe and the fake services.exe
- Do not delete the real services.exe found in C:\Windows\system32
4. Clean the registry for entries containing fservice.exe and the fake services.exe

While this program was active I could not run Windows Scandisk or Defrag. It is impossible to terminate the Trojan process as Windows believes it to be a system process. The fservice.exe can be deleted but returns on a reboot. Every time I deleted services.exe from WIN.INI and SYSTEM.INI start up list it would come back. The Ad-Aware SE program found the programs, the related registry entries, and identified them as Backdoor.Prorat.16 Trojan but when Ad-Aware tried to delete them the computer would lock up. I was finally able to kill services.exe and fservice.exe by using the process manager in HijackThis 2.2 then manually deleted the two EXE files. The Ad-Aware SE program was then able to delete the registry entries.
Comment by Angel Elf — February 20, 2008 @ 1:38 am
You can follow procedure number 1 for terminating the process. Use NTSD -P [PID of fservice.exe] on the command line. Then, do the same for services.exe if HijackThis could not handle it. After successfully terminating those processes, proceed to steps 3 and 4.
Comment by Joset Anthony Zamora — February 20, 2008 @ 9:29 am
I want to remove the virous in the computer
Comment by Shivananja KN — February 29, 2008 @ 2:30 pm
I want remove the vrious in my computer
Comment by Shivananja KN — February 29, 2008 @ 2:31 pm
I want to remove the virous from my desk top computer
Comment by Shivananja KN — March 10, 2008 @ 9:14 am
thankx
Comment by algharem — January 1, 2009 @ 12:23 am
Does this work on servises.exe.Trojan horse SHeur2.AKRU and where do I typr it.
Comment by Rodney Minich — June 12, 2009 @ 1:17 am
Zone Alarm keeps blocking attempts by services.exe to send mass emails. I end up clicking Deny about a thousand times ever time I log on. I tried disabling outlook express so emails couldn’t be sent but that didn’t work. Then I tried deleting all services.exe files on my computer except the one in windows/win32 and I ran advanced system optimizer to clean my registry and remove all temp files etc but when i rebooted the problem is still there. When I search for services.exe now only the one file shows up and I’m pretty sure that’s the one I can’t delete. I can’t figure out how to get rid of this thing but it’s incredibly annoying.
Comment by Eric — July 4, 2009 @ 12:23 pm