Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with win32:fasec

  • Please log in to reply
1 reply to this topic

#1 jmanton14


  • Members
  • 1 posts
  • Local time:04:38 AM

Posted 19 January 2009 - 05:29 PM

Hi. I am a first time user to this forum. The service you offer is great - thanks!

Yesterday, I began receiving some strange error messages on the screen notifying me that a process had an error and asking if I wanted to close or ignore it. When I researched the message this morning on threatexpert (and other sites) I found that I had the win32Fasec trojan. I made sure avast was up to date and used ccleaner to delete/disable a startup item.

I believe that the trojan is removed but wanted to make sure. Any help you could provide would be greatly appreciated.



DDS (Ver_09-01-18.01) - NTFSx86
Run by AngryKoala at 17:18:31.09 on Mon 01/19/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.72 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090119-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AngryKoala\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride =;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {E64D64F2-68C8-471B-8A6D-9F254E8A82F4} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [IPInSightLAN 02] "c:\program files\visual networks\visual ip insight\sbc\IPClient.exe" -l
mRun: [IPInSightMonitor 02] "c:\program files\visual networks\visual ip insight\sbc\IPMon32.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: acousticspot.com\www
Trusted Zone: avast.com\www
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\angryk~1\applic~1\mozilla\firefox\profiles\pnr837vg.default\
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-19 111184]
R1 NEOFLTR_540_11529;Juniper Networks TDI Filter Driver (NEOFLTR_540_11529);c:\windows\system32\drivers\NEOFLTR_540_11529.sys [2007-1-29 57591]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-19 352920]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-19 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-19 155160]
R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-10-3 3712]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\angryk~1\locals~1\temp\ewdmaudn.sys --> c:\docume~1\angryk~1\locals~1\temp\ewdmaudn.sys [?]
S3 Msiapsaira;Msiapsaira; [x]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20040908.033\NAVENG.Sys [2004-9-9 68168]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20040908.033\NavEx15.Sys [2004-9-9 617288]
S3 SAVRT;SAVRT;\??\c:\program files\norton antivirus\savrt.sys --> c:\program files\norton antivirus\SAVRT.SYS [?]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-9-9 258048]
S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-9-9 90112]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2003-8-15 237568]
S4 navapsvc;Norton AntiVirus Auto Protect Service;"c:\program files\norton antivirus\navapsvc.exe" --> c:\program files\norton antivirus\navapsvc.exe [?]
S4 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton antivirus\savrtpel.sys --> c:\program files\norton antivirus\SAVRTPEL.SYS [?]
S4 SAVScan;SAVScan;c:\program files\norton antivirus\savscan.exe --> c:\program files\norton antivirus\SAVScan.exe [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2004-8-29 585728]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program

files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-01-16 11:49 52,670 a------- c:\windows\Sysvxd.exe
2008-12-26 00:08 1,560,576 a------- c:\windows\system32\nvcuda.dll
2008-12-26 00:08 1,253,376 a------- c:\windows\system32\NvPVEnc.ax

==================== Find3M ====================

2009-01-19 14:58 0 a------- c:\windows\system32\drivers\lvuvc.hs
2008-12-23 21:58 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-17 06:02 2,229 a------- c:\documents and settings\angrykoala\nah_log.dat
2008-12-16 21:15 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-30 13:33 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-28 08:35 2,274 a------- c:\windows\system32\TDSSlxwp.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-03-15 19:06 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-03-03 22:49 40 a------- c:\documents and settings\angrykoala\language.dat

============= FINISH: 17:19:34.10 ===============

BC AdBot (Login to Remove)


#2 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:38 AM

Posted 30 January 2009 - 08:28 AM

Hello jmanton14

Welcome to BleepingComputer :thumbup2:

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

Please include the contents of the following in your next reply:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users