Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Not sure what the culprit is

  • This topic is locked This topic is locked
3 replies to this topic

#1 stephenck


  • Members
  • 3 posts
  • Local time:07:46 AM

Posted 17 June 2009 - 11:05 PM

I have Shaw cable and I installed Shaw Secure and I believe it has a file called fsdc32.exe.
Well I downloaded an ISO last night, put it on a DVD and then I put the DVD back into my computer. It spun up and then my computer slowed way down.
I checked the processes and saw fsdc32.exe multiple times with SYSTEM as several usernames and also my username.
I rebooted and ran malwarebytes but it didn't find anything, I even ran MBAM in safe mode and still nothing.
I tried scanning but it would slow way down.
So I uninstalled Shaw Secure which got rid of fsdc32.exe but I am worried something has been left on my machine.
Shaw Secure was running fine for months until I tried the DVD last night.
So I think it's still on my computer. I hope one of you can help me out.

I also just noticed that when I'm surfing the net that sometimes it will take me to this coupon mountain site or volutions. When I'm using chrome to search for something it will take me to the coupon mountain page.

HEre's the DDS log.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Newbie at 20:58:06.51 on Wed 06/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1226 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NETGEAR\NETGEAR SCU\Z-SANService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Newbie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Newbie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Newbie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Newbie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Newbie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.newsleecher.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} -
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LaunchList] c:\program files\pinnacle\studio 11\LaunchList2.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\newbie\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LMPDPSRV] c:\windows\system32\spool\drivers\w32x86\3\LMPDPSRV.EXE
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoho~1.lnk - c:\program files\autohotkey\AutoHotkey.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lexmar~1.lnk - c:\program files\lexmark x125\LEX125SU.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ncprot~1.lnk - c:\program files\sec\natural color pro\NCProTray.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoTrayItemsDisplay = 00000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photogize.com/bponet/ImageUploader5.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.photogize.com/bponet/ImageUploader4.cab
Handler: asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: x-asp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-hsp - {8D32BA61-D15B-11d4-894B-000000000000} - c:\windows\system32\hsppp.dll
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\windows\system32\WowCtl2.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-1-25 125440]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-11-18 10240]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-17 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-17 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-17 108552]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-6-17 150544]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-3-22 8576]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-17 365448]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-17 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-17 298776]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;c:\windows\system32\drivers\sfsz.sys [2007-12-7 345984]
R2 Z-SANService;Z-SAN Service;c:\program files\netgear\netgear scu\Z-SANService.exe [2007-12-7 376891]
R3 ZetBus;Zetera Virtual Bus;c:\windows\system32\drivers\ZetBus.sys [2007-12-7 15488]
S0 ZetSFD;ZetSFD;c:\windows\system32\drivers\ZetSFD.sys [2007-12-7 12800]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 ZetMPD;ZetMPD;c:\windows\system32\drivers\ZetMPD.sys [2007-12-7 5120]

=============== Created Last 30 ================

2009-06-17 19:16 <DIR> --d----- c:\docume~1\newbie\applic~1\MailFrontier
2009-06-17 19:08 <DIR> --d----- c:\program files\Zone Labs
2009-06-17 19:07 <DIR> --d----- c:\program files\AVG
2009-06-17 19:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-17 01:08 <DIR> --d----- c:\program files\Trend Micro
2009-06-12 23:21 <DIR> --d----- c:\program files\iPod
2009-06-09 21:26 <DIR> --d----- c:\program files\Realtek AC97
2009-06-07 20:34 <DIR> --d----- c:\program files\Ventrilo
2009-06-07 20:33 <DIR> --d----- c:\program files\VentSrv
2009-06-03 22:52 <DIR> --d----- c:\program files\Bulk Rename Utility
2009-06-03 20:59 <DIR> --d----- c:\docume~1\newbie\applic~1\IrfanView
2009-06-03 19:28 <DIR> --d----- c:\program files\Lavalys
2009-05-27 01:05 <DIR> --d----- c:\program files\common files\INCA Shared
2009-05-26 19:16 <DIR> --d----- c:\program files\uTorrent
2009-05-26 19:15 <DIR> --d----- c:\docume~1\newbie\applic~1\uTorrent
2009-05-25 00:09 34 a------- c:\documents and settings\newbie\jagex_runescape_preferences.dat
2009-05-24 09:00 <DIR> --d----- c:\docume~1\newbie\applic~1\Intuit Canada
2009-05-24 09:00 <DIR> --d----- c:\program files\common files\AnswerWorks 4.0
2009-05-24 09:00 <DIR> --d----- c:\program files\common files\Intuit
2009-05-24 09:00 <DIR> --d----- c:\program files\QuickTax 2008
2009-05-24 08:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit Canada
2009-05-23 01:28 <DIR> --d----- c:\docume~1\newbie\applic~1\WildTangent
2009-05-23 01:27 <DIR> --d----- c:\program files\WildGames
2009-05-23 01:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WildTangent

==================== Find3M ====================

2007-12-26 20:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007122620071227\index.dat

============= FINISH: 21:00:23.29 ===============

Attached Files

Edited by stephenck, 17 June 2009 - 11:08 PM.

BC AdBot (Login to Remove)



#2 stephenck

  • Topic Starter

  • Members
  • 3 posts
  • Local time:07:46 AM

Posted 18 June 2009 - 03:25 PM

A bit more to this, the hijacking of my web surfing is becoming more prominent. I'll click on a link but end up somewhere else.
I ran lavasoft adaware and found a trojan and something called 90210.exe which I deleted but this link hijacking or web page redirection is still going on.

I'm about ready to format the system drive and reinstall windows just to fix the issue.

If I did get a trojan or backdoor what's the chances of it being on the other hard drive and if I reinstall windows on a formatted drive would that help to clear anyone from getting in?

i do my online billing using this computer so i'm very worried about it.

#3 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:46 PM

Posted 23 June 2009 - 06:17 PM

Hello and welcome to Bleeping Computer. Sorry for the delay the forums here at BC are always
very busy and we do are best to keep up. If you no longer require any help could you let me no
please, so this topic can be closed.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in you reply, Do not attach them unless asked too.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
First I would like to see a new log since alot could have changed since your origional post.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


#4 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:46 PM

Posted 28 June 2009 - 06:08 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users