Popup ads and blocked sites (avast reports Win32:Fasec)


  • This topic is locked
3 replies to this topic

#1 Nwart

Nwart

  • Members
  • 5 posts

Posted 31 December 2008 - 01:08 PM

Hello,

As the topic title says, a computer in my personal network is infected by a trojan that makes popup windows and blocks access to some sites (malwarebytes.org and Ad-Aware updates, for example).
It runs under Vista Home Premium SP1.

It seemed to be a DNS changer trojan (it was reported as such once), but oddly I manually entered my ISP's DNS server IPs and they haven't changed.

Each time I open a browser, avast reports that C:\windows\system32\msqpdxtsecvrhq.dll is infected by Win32:Fasec [Trj].
I can't move it to quarantine (avast says that it's used by another process).

Thanks in advance for your help :thumbsup:

Here is the DDS log :

DDS (Version 1.1.0) - NTFSx86
Run by Anne at 18:21:32.77 on 2008-12-31
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6001.1.1252.1.1036.18.2815.1877 [GMT 1:00]

AV: avast! antivirus 4.8.1229 [VPS 081223-0] *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\atwtusb.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\atwtusb.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\WTMKM.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\conime.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Anne\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://fr.fr.acer.yahoo.com
mDefault_Page_URL = hxxp://fr.fr.acer.yahoo.com
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [Apanel] c:\acersw\config\NewSetApanel.cmd
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MacrokeyManager] WTMKM.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {3463CBB6-6110-4A29-84FF-C94B47675F65} = 212.27.40.240,212.27.40.241

================= FIREFOX ===================

FF - ProfilePath - c:\users\anne\appdata\roaming\mozilla\firefox\profiles\03ubm8sc.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-21 131616]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-6-23 111184]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;"c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe" [2008-3-21 269448]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-23 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-6-23 51792]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-12-4 3032360]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s []
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-12-4 15144]
S1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-3 23168]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-3-21 30752]
S3 WSVD;WSVD;\??\c:\windows\system32\drivers\WSVD.sys [2008-6-23 80744]

=============== Created Last 30 ================

2008-12-31 17:53 <DIR> --d----- C:\ComboFix
2008-12-31 17:53 318,976 a------- c:\windows\system32\CF26188.exe
2008-12-31 17:50 318,976 a------- c:\windows\system32\CF25614.exe
2008-12-31 17:50 161,792 a------- c:\windows\SWREG.exe
2008-12-31 17:50 98,816 a------- c:\windows\sed.exe
2008-12-31 17:49 318,976 a------- c:\windows\system32\CF25414.exe
2008-12-31 16:36 <DIR> --d----- c:\users\anne\appdata\roaming\Malwarebytes
2008-12-31 16:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-31 16:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 16:36 <DIR> --d----- c:\programdata\Malwarebytes
2008-12-31 16:36 <DIR> --d----- c:\progra~2\Malwarebytes
2008-12-31 16:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 14:21 <DIR> --d----- c:\program files\CCleaner
2008-12-30 18:24 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2008-12-30 18:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-30 18:24 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2008-12-30 17:04 <DIR> --d----- c:\program files\Lavasoft
2008-12-30 17:04 <DIR> --d----- c:\programdata\Lavasoft
2008-12-30 17:03 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-30 16:46 <DIR> --d----- c:\program files\Trend Micro
2008-12-28 17:54 <DIR> --d----- c:\programdata\Corel
2008-12-28 17:54 <DIR> --d----- c:\progra~2\Corel
2008-12-28 16:00 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-28 16:00 88 ---shr-- c:\windows\system32\48C6442587.sys
2008-12-19 10:41 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-19 10:41 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-19 10:33 2,048 a------- c:\windows\system32\tzres.dll
2008-12-19 10:31 2,927,104 a------- c:\windows\explorer.exe
2008-12-19 10:31 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-19 10:31 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-19 10:31 94,720 a------- c:\windows\system32\logagent.exe
2008-12-18 20:54 <DIR> --d----- c:\users\anne\Tracing
2008-12-18 20:20 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-18 20:15 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2008-12-18 20:14 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2008-12-18 20:13 <DIR> --d----- c:\program files\Microsoft
2008-12-18 20:13 <DIR> --d----- c:\program files\Windows Live SkyDrive
2008-12-18 20:08 827,392 a------- c:\windows\system32\wininet.dll
2008-12-18 19:17 <DIR> --d----- c:\program files\common files\Windows Live
2008-12-05 00:11 308,584 a------- c:\windows\WLXPGSS.SCR
2008-12-04 15:11 <DIR> --d----- c:\users\anne\appdata\roaming\WTablet
2008-12-04 14:35 3,708,200 a------- c:\windows\system32\PenTablet.cpl
2008-12-04 14:35 1,532,082 a------- c:\windows\system32\PenTablet.znc
2008-12-04 14:35 11,440 a------- c:\windows\system32\drivers\WacomVKHid.sys
2008-12-04 14:34 13,480 a------- c:\windows\system32\drivers\wacomvhid.sys
2008-12-04 14:34 11,312 a------- c:\windows\system32\drivers\wacommousefilter.sys
2008-12-04 14:34 15,144 a------- c:\windows\system32\drivers\wacmoumonitor.sys
2008-12-04 14:34 <DIR> --d----- c:\windows\system32\WTablet
2008-12-04 14:34 3,032,360 a------- c:\windows\system32\Pen_Tablet.exe
2008-12-04 14:34 128,296 a------- c:\windows\system32\Pen_Tablet.dll
2008-12-04 14:34 <DIR> --d----- c:\program files\Tablet
2008-12-04 14:23 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-04 14:21 1,191,936 a------- c:\windows\system32\msxml3.dll
2008-12-04 14:21 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-12-04 14:21 1,645,568 a------- c:\windows\system32\connect.dll
2008-12-04 14:21 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2008-12-04 14:21 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2008-12-04 14:21 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2008-12-04 14:21 347,648 a------- c:\windows\system32\WindowsCodecsExt.dll
2008-12-04 14:21 1,334,272 a------- c:\windows\system32\msxml6.dll
2008-12-04 14:14 428,544 a------- c:\windows\system32\EncDec.dll
2008-12-04 14:14 293,376 a------- c:\windows\system32\psisdecd.dll
2008-12-04 14:14 217,088 a------- c:\windows\system32\psisrndr.ax
2008-12-04 14:14 80,896 a------- c:\windows\system32\MSNP.ax
2008-12-04 14:14 177,664 a------- c:\windows\system32\mpg2splt.ax
2008-12-04 14:12 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-12-04 14:11 83,456 a------- c:\windows\system32\wudriver.dll
2008-12-04 14:11 162,064 a------- c:\windows\system32\wuwebv.dll
2008-12-04 14:11 31,232 a------- c:\windows\system32\wuapp.exe
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll

==================== Find3M ====================

2008-12-31 17:57 668,580 a------- c:\windows\system32\perfh00C.dat
2008-12-31 17:57 122,972 a------- c:\windows\system32\perfc00C.dat
2008-12-31 09:06 76 a------- c:\users\anne\appdata\roaming\wklnhst.dat
2008-12-04 14:35 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-04 14:35 51,200 a------- c:\windows\inf\infpub.dat
2008-12-04 14:35 86,016 a------- c:\windows\inf\infstor.dat
2008-11-26 18:17 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2008-11-01 04:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 04:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 04:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 04:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 04:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-06-23 19:11 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 09:37 340,236 a------- c:\windows\inf\perflib\040c\perfi.dat
2008-01-21 09:37 340,236 a------- c:\windows\inf\perflib\040c\perfh.dat
2008-01-21 09:37 37,390 a------- c:\windows\inf\perflib\040c\perfd.dat
2008-01-21 09:37 37,390 a------- c:\windows\inf\perflib\040c\perfc.dat
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:22:03.39 ===============
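A triage helper for a DDS log like the one above, added here as an example; it is not part of the original post and not code from sUBs' DDS tool. It pulls out the three things a helper would look at first in this log: the TCP: line (the DNS servers, which the poster says they set by hand, so the pair in the log is assumed here to be the expected one), Run entries that name a bare executable with no path, and recently created files under system32 that carry the hidden and system attributes. It also scores the DLL name avast reported with a weak "machine-generated name" heuristic. SAMPLE_LOG is an excerpt of the posted log (a constructed subset, lines verbatim); EXPECTED_DNS and REPORTED are the analyst's inputs and are assumptions, not facts from the log.

```python
"""Triage helper for a DDS log of the kind posted above.

Added example, not part of the original post or of the DDS tool.  SAMPLE_LOG
is an excerpt of the posted log; EXPECTED_DNS (assumed to be the ISP's
resolvers, the pair the poster says they entered by hand) and REPORTED (the
file avast flagged) are analyst-supplied inputs.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MacrokeyManager] WTMKM.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
TCP: {3463CBB6-6110-4A29-84FF-C94B47675F65} = 212.27.40.240,212.27.40.241

=============== Created Last 30 ================

2008-12-31 16:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-28 16:00 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-28 16:00 88 ---shr-- c:\windows\system32\48C6442587.sys
2008-12-19 10:31 2,927,104 a------- c:\windows\explorer.exe
"""

EXPECTED_DNS = {"212.27.40.240", "212.27.40.241"}  # assumption: the ISP's resolvers
REPORTED = [r"c:\windows\system32\msqpdxtsecvrhq.dll"]  # the file avast reported

RUN_RE = re.compile(r"^([um]Run):\s+\[([^\]]*)\]\s*(.*)$")
DNS_RE = re.compile(r"^TCP:\s+\{[0-9A-Fa-f-]+\}\s*=\s*([\d.,\s]+)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    code: str      # short reason tag
    evidence: str  # the log line, path or IP that triggered it


def looks_random(path: str) -> bool:
    """Weak heuristic for machine-generated names like the DLL avast reported:
    a long, all-lowercase, alphabetic stem with almost no vowels.  Short or
    mixed-case legitimate names (aswFsBlk.sys, WLXPGSS.SCR) do not match.
    Treat a hit as a lead to verify, never as a verdict."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) < 12 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(ch in "aeiouy" for ch in stem)
    return vowels / len(stem) < 0.15


def triage(log: str, expected_dns: set, reported=()) -> list:
    """Walk the log once and collect findings from the three sections of interest."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            command = m.group(3).strip().strip('"')
            # A bare file name in a Run key is resolved through the search path
            # at logon, so anything earlier on that path can hijack the entry.
            if command and "\\" not in command:
                findings.append(Finding("unqualified-run-path", line))
        elif m := DNS_RE.match(line):
            for ip in (p.strip() for p in m.group(1).split(",")):
                if ip and ip not in expected_dns:
                    findings.append(Finding("unexpected-dns", ip))
        elif m := FILE_RE.match(line):
            attrs, path = m.group(3), m.group(4)
            # hidden + system attributes on a freshly created file under system32
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("hidden-system-file", path))
            if looks_random(path):
                findings.append(Finding("random-name", path))
    for path in reported:
        if looks_random(path):
            findings.append(Finding("random-name", path))
    return findings


def summarize(findings) -> dict:
    """Count findings per reason tag."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_DNS, REPORTED):
        print(f"{f.code:22} {f.evidence}")
```

The flags are leads, not verdicts: the two hidden .sys hits are tiny files written the same afternoon the Corel directories appear in the log, which is exactly the sort of entry to check against installed software before deleting. For the quarantine failure the poster describes, `tasklist /m msqpdxtsecvrhq.dll` on the affected machine lists every process that has that module loaded; that is the process or service to stop before the file can be removed.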

#2 Nwart

Nwart
  • Topic Starter

  • Members
  • 5 posts

Posted 09 January 2009 - 08:31 AM

It seems there are a lot of people needing help, and it could be a long time before someone has time to help me with this.
Never mind, I'll just try to revert my PC to factory settings.
You can ignore my request :thumbsup:

#3 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • Gender:Male
  • Location:USA

Posted 10 January 2009 - 07:01 PM

Hello and welcome to Bleeping Computer my name is BHowett and I will be helping you get sorted.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Thanks and again sorry for the delay.

Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE


Please do not PM me asking for support. Post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!


#4 BHowett

BHowett

    Malware Hunter


  • Members
  • 69 posts
  • Gender:Male
  • Location:USA

Posted 16 January 2009 - 10:33 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.





