HELP PLEASE

I used AVAST and it detected that my fservice.exe in the system32 folder had a virus, so I chose to delete it permanently. Now whenever I restart my computer there is an error. I use XP; when I click on a user on the welcome screen it just hangs there until I press Ctrl + Alt + Del, then there is a pop-up error that says fservice.exe is not found. Oh man, wtf. ANYONE GOT THIS exe FILE CAN SEND TO ME PLEASE? My mail:

magicalneo@hotmail.com

Hi,

  1. that’s why you shouldn’t delete, but MOVE to chest, if you don’t know what you’re doing
  2. that’s most probably a BACKDOOR-file (Optix.Pro or so)
  • Please post a hijackthis-Log here for diagnostics
    → see link "VirusRemoval" below in my sig for details :wink:

OK, now I know, but if you have the fservice.exe file can YOU PLEASE, I BEG you, upload it here for me PLEASE?

a) I don’t have it
b) it’s not a legitimate Windows file
c) it’s dangerous malware
d) I don’t distribute malware, especially to inexperienced users
e) follow above instructions (make a Hijackthis-Log in SafeMode) & read links and we’ll sort this
:wink:

Then how can I stop the error from popping out? How can I stop the shit?

  1. CLICK & READ there where it says “CLICK HERE!”
    (Blue words/lines are Web-LINKS here: you can click and read them)

  2. Download & Unpack HIJACKTHIS (which is a Startup-diagnostics & cleaning Tool)

  3. reboot to SafeMode (F8-Boot)

  4. Run Hijackthis, click “Scan”, then Click “Save Log” (note the folder/filename where you saved it to)

  5. reboot normally, open the saved Hijackthis-Logfile, mark & copy its contents and paste them here as an answer

checkmark the line
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
in Hijackthis

THEN: click “FixChecked”, then reboot and the message should be gone

your PC will of course be still loaded with Malware, but who cares …
(you obviously didn’t → no adequate protection, but visiting porn/suspicious sites: not a wise move) :wink:

This is the result that my HJT log analyzer gives:


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of HijackThis.
You are using the latest version of Internet Explorer.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

r1 - hkcu\software\microsoft\internet explorer\main,search bar = about:blank
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = about:blank
r0 - hklm\software\microsoft\internet explorer\main,local page = http://www.the-exit.com
f2 - reg:system.ini: shell=explorer.exe c:\windows\system32\fservice.exe
o1 - hosts: 24.109.155.167 update.nprotect.com
o1 - hosts: 24.109.155.167 update.nprotect.net
o2 - bho: pk ie plugin - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - c:\windows\system32\bpkwb.dll
o4 - hklm..\run: [spyware stormer] c:\program files\spyware stormer\spywarestormer.exe
o4 - hklm..\run: [winupdt] rundll32.exe c:\windows\hloadhttp.dll,_mainrd
o4 - hklm..\run: [spyhunter] c:\windows\tcposmod.exe
o4 - hklm..\run: [jammer2nd] c:\windows\jammer2nd.exe
o4 - hklm..\run: [hprotect.exe] c:\windows\system32\hprotect.exe
o4 - hklm..\run: [dss] c:\windows\tcposmod.exe
o4 - hkcu..\run: [wnsi] c:\windows\system32\wnscpsv.exe
o4 - hkcu..\run: [actual windows manager] c:\program files\actual windows manager\actualwindowsmanagercenter.exe
o8 - extra context menu item: >>> free porn galleries <<< - javascript:{document.location=‘http://sexmaxx.com/freegalleries.htm’;}
o8 - extra context menu item: download all files by hidownload - c:\progra~1\hidown~1\hdgetall.htm
o8 - extra context menu item: download by hidownload - c:\progra~1\hidown~1\hdget.htm
o9 - extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - (no file)
o9 - extra ‘tools’ menuitem: sun java console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - (no file)
o9 - extra button: hidownload - {f4fba929-a891-492c-a0f6-5c79cc4f1742} - c:\progra~1\hidown~1\hidownload.exe
o16 - dpf: {03f998b2-0e00-11d3-a498-00104b6eb52e} (metastreamctl class) - https://components.viewpoint.com/adobe/mtsinstallers/metastream3.cab?url=http://www.irobotmovie.com/english_nna/atmosphere/index.html
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie&p=cc06fae0c5ce5e53c21bbcb067bafa2669a8f3cc9bf62eb65f31f229f0bf3037e6b6c7de8b77c1691c31a7a022e9d947db95c2df87b2028996eb59cfdba645:ad6c8f07bb920312228695168af3c74a
o16 - dpf: {205ff73b-ca67-11d5-99dd-444553540000} (cinstall class) - http://www.spywarestormer.com/files2/install.cab
o16 - dpf: {39b0684f-d7bf-4743-b050-fdc3f48f7e3b} (fileplanet download control class) - http://www.fileplanet.com/fpdlmgr/cabs/fpdc_1_0_0_42.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/quicktimeinstaller.exe
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab28177.cab
o16 - dpf: {9076a11f-5ea6-4a67-bde9-8d3c7c453dac} - http://www.thecoolbar.com/installfiles/coolbar.cab
o16 - dpf: {9eb320ce-be1d-4304-a081-4b4665414bef} (mediaticketsinstaller control) - http://www.mt-download.com/mediaticketsinstaller.cab
o16 - dpf: {e0ce16cb-741c-4b24-8d04-a817856e07f4} - http://cabs.media-motor.net/cabs/ffvg.cab
o16 - dpf: {f04a8ae2-a59d-11d2-8792-00c04f8ef29d} (hotmail attachments control) - http://by8fd.bay8.hotmail.msn.com/activex/hmatchmt.ocx
o16 - dpf: {f54c1137-5e34-4b95-95a5-ba56d4d8d743} (secure delivery) - http://www.gamespot.com/kdx22/download/kdx.cab
o16 - dpf: {ffa6ce4c-2199-4a4f-9542-12e0163d6841} - http://sessa.isprime.com:8080/tel2net/cabdialer.cab


HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

o4 - hkcu..\run: [crpe] c:\documents and settings\enoch\application data\umsm.exe


THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

o4 - hklm..\run: [updreg] c:\windows\updreg.exe
o4 - hklm..\run: [tkbellexe] “c:\program files\common files\real\update_ob\realsched.exe” -osboot
o4 - hklm..\run: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
o4 - hklm..\run: [sunjavaupdatesched] c:\program files\java\j2re1.4.2_04\bin\jusched.exe
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe

Then how can I stop the error from popping out? How can I stop the shit?

I don't wanna sound like your mother, but you might just consider where your surfing habits take you and what you pick up along the way.

O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location=‘http://sexmaxx.com/freegalleries.htm’;}

And remove Spyware Stormer, that is not a trusted application as can be read HERE

How do I get rid of 08?

  • Disable system restore
  • Reboot
  • run HijackThis
  • tick everything that is harmful
  • click fix

How do you disable System Restore? BTW, I'm running Spyware Killer v2.1; can it help to disable the pop-up every time I turn on my computer?

Spyware Killer is NOT trusted, read that page I gave you.

En-/disable system restore

OMG I LOVE YOU, YOU ROCK, I LOVE THIS KINDA TUTORIAL, I FINALLY FIXED MY PROBLEM … OMG I LOVE YOU SO MUCH ^^

Well, good for you…
then please go about fixing the other 101 problems on the PC & SECURE it better,
so you don’t keep spreading malware on the net
:wink:

(My link to the “Absolutely Safe&Secure Firewall” is only in German, alas …) :wink:

Hi,

Yesterday, I had a related problem.
After running a newly downloaded program, all my PC protections were turned off (including the Avast resident ones!) and I got a warning from XP firewall about it.
So I scheduled my Avast antivirus for a boot-time scan after setting it to ignore all infected files, since I usually prefer to see them in the avast log file (aswBoot.txt) first. It found the following ones:

File C:\WINDOWS\services.exe is infected by Win32:Prorat-M [Trj]
File C:\WINDOWS\system\sservice.exe is infected by Win32:Prorat-M [Trj]
File C:\WINDOWS\system32\fservice.exe is infected by Win32:Prorat-M [Trj]
File C:\WINDOWS\system32\reginv.dll is infected by Win32:Trojan-gen. {Other}
File C:\WINDOWS\system32\winkey.dll is infected by Win32:Trojan-gen. {Other}

I had to work on my PC for 4-5 hours to completely clean up their infection, since I had no clue of the steps that have to be followed.

The last step I faced was the pop-up saying that ‘fservice.exe’ cannot be found, since I had deleted it myself. To cure it, I went back to the XP registry (by running the command ‘regedit’) and searched for ‘fservice.exe’. Though I am not an expert in the internal functions of XP, I found out that the warning pop-up was due to the following infected entry in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

“Shell”=“Explorer.exe c:\windows\system32\fservices.exe”

For normal use it must look like:

“Shell”=“Explorer.exe”

After editing that entry and deleting the extra expression, the warning disappeared as expected.

Kerim
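
The check described in the post above, as an added example that is not part of the thread and not HijackThis code: a Python script that reads HijackThis `F2` lines, or a `.reg`-style `"Shell"=` value, and reports anything launched alongside Explorer.exe. The function names are assumptions made for illustration; the sample log is constructed from lines quoted earlier in this thread.

```python
import re

EXPECTED_SHELL = "explorer.exe"  # the normal Winlogon Shell value given in the post

# HijackThis line format: "<code> - <body>", e.g. "F2 - REG:system.ini: Shell=..."
HJT_LINE = re.compile(r"^\s*([A-Za-z]\d{1,2})\s+-\s+(.*)$")
# Matches the HijackThis form (Shell=...) and the .reg export form ("Shell"="...")
SHELL_VALUE = re.compile(r'"?shell"?\s*=\s*"?([^"]*)"?\s*$', re.IGNORECASE)


def extra_shell_commands(value):
    """Return what a Shell value starts besides Explorer.exe.

    [] means the value is exactly the expected default. A value that does not
    begin with Explorer.exe is returned whole, since it differs from the default.
    """
    value = value.strip().strip('"').strip()
    if value.lower() == EXPECTED_SHELL:
        return []
    m = re.match(r"explorer\.exe[\s,]+(.+)$", value, re.IGNORECASE)
    return [m.group(1).strip()] if m else [value]


def audit_hijackthis_log(text):
    """Return (line_number, extra_command) for every F2 Shell= line that is not clean."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        parsed = HJT_LINE.match(line)
        if not parsed or parsed.group(1).upper() != "F2":
            continue  # only F2 (system.ini / Winlogon autostart) lines are checked
        shell = SHELL_VALUE.search(parsed.group(2))
        if shell:
            for extra in extra_shell_commands(shell.group(1)):
                findings.append((number, extra))
    return findings


# Constructed sample: three lines as they appear in this thread's logs.
SAMPLE_LOG = r"""o4 - hklm..\run: [updreg] c:\windows\updreg.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
o1 - hosts: 24.109.155.167 update.nprotect.com
"""

if __name__ == "__main__":
    for number, extra in audit_hijackthis_log(SAMPLE_LOG):
        print(f"line {number}: Shell also starts {extra}")
```

The script only reports the entry; resetting the value to `Explorer.exe` is still done in HijackThis or regedit as described in the thread.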