Digital Stronghold

January 7, 2008

Removing virus services.exe and fservice.exe

Filed under: Progressive Studies

The virus consists of the following.

C:\Windows\system32\fservice.exe and
C:\Windows\services.exe

The virus is a key logger. It sends an email message every time a connection to the internet is made. It blocks the Windows XP Protect Shield and System Restore services.

Removing the virus:

1. Kill fservice.exe
- Use TASKKILL /F /IM fservice.exe
- If it doesn’t work on the first attempt, use NTSD -P [PID of fservice.exe] then quit the debugger to kill the task.

2. Kill services.exe
- Kill the bogus one not the genuine services.exe
- Follow procedure in number 1.

3. Delete all occurrences of fservice.exe and the fake services.exe
- Do not delete the real services.exe found in C:\Windows\system32

4. Clean the registry for entries containing fservice.exe and the fake services.exe

5 Comments »

The URI to TrackBack this entry is: http://eradicus.blogsome.com/2008/01/07/removing-viruses-servicesexe-and-fserviceexe-2/trackback/

  1. While this program was active I could not run Windows Scandisk or Defrag. It is impossible to terminate the Trojan process as Windows believes it to be a system process. The fservice.exe can be deleted but returns on a reboot. Every time I deleted services.exe from WIN.INI and SYSTEM.INI start up list it would come back. The Ad-Aware SE program found the programs, the related registry entries, and identified them as Backdoor.Prorat.16 Trojan but when Ad-Aware tried to delete them the computer would lock up. I was finally able to kill services.exe and fservice.exe by using the process manager in HijackThis 2.2 then manually deleted the two EXE files. The Ad-Aware SE program was then able to delete the registry entries.

    Comment by Angel Elf — February 20, 2008 @ 1:38 am

  2. You can follow procedure number 1 for terminating the process. Use NTSD -P [PID of fservice.exe] on the command line. Then, do the same for services.exe if HijackThis could not handle it. After successfully terminating those processes, proceed to steps 3 and 4.

    Comment by Joset Anthony Zamora — February 20, 2008 @ 9:29 am

  3. I want to remove the virous in the computer

    Comment by Shivananja KN — February 29, 2008 @ 2:30 pm

  4. I want remove the vrious in my computer

    Comment by Shivananja KN — February 29, 2008 @ 2:31 pm

  5. I want to remove the virous from my desk top computer

    Comment by Shivananja KN — March 10, 2008 @ 9:14 am

RSS feed for comments on this post.

Leave a comment

Line and paragraph breaks automatic, e-mail address never displayed, HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>



Anti-spam measure: please retype the above text into the box provided.

Theme designed by Joset Anthony Zamora