Author Topic: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.  (Read 33929 times)


chuKKy

  • Guest
Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« on: December 27, 2008, 06:44:00 PM »
I am an Avast 4.8 Home Edition user and recently decided to run an intense scan rather than the normal scans I periodically run. The intense scan found two problems: (1) Win32:Fasec [trJ] in files A0065059.com & jah31970.exe, (2) BV.Autorun-E [WRM] in file A0065076.inf. I chose the Avast recommended option to quarantine the files, which it did successfully.

I am slightly worried now as to whether I have actually eliminated the viruses, as I have noticed some other unusual things. I run Zone Alarm Security Suite and have just noticed in the alerts and log section that a Global Windows Hook is trying to establish itself almost constantly (repeats between 10 seconds and ten minutes): c:\program files\Internet Explorer\iexplorer.exe.
Another strange thing: I am set up as the Windows administrator, however it will now not let me perform the 'Delete Browsing History', which until very recently worked.

I don't know if I am being paranoid or have good reason to be worried, can anyone help me please?

Regards
Martin

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #1 on: December 27, 2008, 07:25:34 PM »
I suggest the general cleaning procedure before anything else...

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

chuKKy

  • Guest
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #2 on: December 28, 2008, 02:43:06 AM »
I have completed all of the steps that you listed.  
I didn't get any hits using the Avast! antirootkit but got some listings when using Rootkit Unhooker.  Log below from Rootkit Unhooker, Hijack This log to follow next due to maximum post characters being reached.

Thanks for your help so far.  

Regards
Martin.

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.8.341.552
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================

ntkrnlpa.exe+0x0002AC00, Type: Inline - RelativeJump 0x80501C00 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AC54, Type: Inline - RelativeJump 0x80501C54 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AD4C, Type: Inline - RelativeJump 0x80501D4C [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002AD6C, Type: Inline - RelativeJump 0x80501D6C [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006AA6A, Type: Inline - RelativeJump 0x80541A6A [ntkrnlpa.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF4130428 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF4130454 [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF4130460 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification 0xF7781B1C [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification 0xF7781B28 [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF7781B3C [vsdatant.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF7781B4C [vsdatant.sys]
IDT-->Int 0x00000020, Type: IDT modification [srescan.sys]
[444]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x01001074 [unknown_code_page]
[444]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001100 [unknown_code_page]
[1792]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[1792]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[1792]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C [shimeng.dll]
[1792]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [shimeng.dll]
[1792]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4 [shimeng.dll]
[1792]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x78051488 [shimeng.dll]
[1792]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]
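The Rootkit Unhooker report above mixes three shapes of entry (inline kernel patches, IAT modifications with an owning module, and IDT entries with no address) and the useful question for a defender is which module owns the code each hook jumps to. The following is an added example, not part of the thread and not a tool from Avast or the Rootkit Unhooker project: it parses report lines of exactly the shape posted and buckets them by owner. The allow-list is an assumption built only from what the poster's own logs show (vsdatant.sys and vsmon.exe belong to the ZoneAlarm firewall he runs; srescan.sys is treated here as another ZoneAlarm driver; shimeng.dll is the Windows application-compatibility shim engine); the sample input is a constructed subset of the posted report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the Rootkit Unhooker
# report posted in this thread, one of each entry shape the tool emits.
SAMPLE_RKU = """\
RkUnhooker report generator v0.7
==============================================
ntkrnlpa.exe+0x0002AC00, Type: Inline - RelativeJump 0x80501C00 [ntkrnlpa.exe]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification 0xF4130428 [vsdatant.sys]
IDT-->Int 0x00000020, Type: IDT modification [srescan.sys]
[444]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x01001074 [unknown_code_page]
[1792]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
"""

# Line shape: "<target>, Type: <kind> [<hex address>] [<module owning the hook code>]"
HOOK_RE = re.compile(
    r"^(?P<target>.+?), Type: (?P<kind>.+?)(?: (?P<addr>0x[0-9A-Fa-f]+))? \[(?P<module>[^\]]+)\]$"
)
# User-mode entries are prefixed with the process id in square brackets.
PID_RE = re.compile(r"^\[(?P<pid>\d+)\](?P<rest>.+)$")

# Assumed allow-list for this particular machine (see lead-in); adjust per host.
EXPECTED_HOOKERS = {"vsdatant.sys", "srescan.sys", "shimeng.dll"}


@dataclass
class Hook:
    pid: Optional[int]      # process id for user-mode IAT entries, else None
    target: str             # chain such as tcpip.sys-->ndis.sys-->NdisOpenAdapter
    kind: str               # "Inline - RelativeJump", "IAT modification", ...
    addr: Optional[int]     # where execution is diverted to (None for IDT lines)
    module: str             # image the tool attributes that address to

    @property
    def image(self) -> str:
        """First element of the chain: the hooked image (or 'IDT')."""
        return self.target.split("-->")[0].split("+")[0]


def parse_rku(text: str) -> List[Hook]:
    """Parse RkU hook lines; header and separator lines are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        target, pid = m["target"], None
        pm = PID_RE.match(target)
        if pm:
            pid, target = int(pm["pid"]), pm["rest"]
        addr = int(m["addr"], 16) if m["addr"] else None
        hooks.append(Hook(pid, target, m["kind"], addr, m["module"]))
    return hooks


def triage(hooks: List[Hook]) -> Dict[str, List[Hook]]:
    """Bucket hooks by how much attention they deserve.

    unknown  - hook code the tool could not map to any loaded module
               ("unknown_code_page"); investigate these first
    self     - an image patched with a jump into itself
    expected - owned by a module on the allow-list
    review   - everything else
    """
    buckets: Dict[str, List[Hook]] = {"unknown": [], "self": [], "expected": [], "review": []}
    for h in hooks:
        if h.module == "unknown_code_page":
            buckets["unknown"].append(h)
        elif h.module.lower() == h.image.lower():
            buckets["self"].append(h)
        elif h.module in EXPECTED_HOOKERS:
            buckets["expected"].append(h)
        else:
            buckets["review"].append(h)
    return buckets


if __name__ == "__main__":
    for name, items in triage(parse_rku(SAMPLE_RKU)).items():
        for h in items:
            print(f"{name:8} pid={h.pid} {h.target} -> {h.module}")
```

Run against the full report in the post, the only entries that land in the "unknown" bucket are the two services.exe IAT entries (CreateProcessAsUserW and CreateProcessW) whose hook code is not backed by any module the tool recognises; those are the two a second opinion should concentrate on, while the vsdatant.sys, srescan.sys and shimeng.dll entries are accounted for by software visible in the HijackThis log.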

chuKKy

  • Guest
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #3 on: December 28, 2008, 02:43:54 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:58:58, on 28/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Seagate\AutoBackup\MemeoBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin Martin.ORIGINAL\My Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229904650109
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - Unknown owner - C:\WINDOWS\system32\bgsvcgen.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7797 bytes
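A HijackThis log is read by eye in the replies below, but the same checks can be scripted so that each entry type gets a consistent look. The following is an added example, not part of the thread and not HijackThis' own code: it splits the log into the running-process list and the R/O entries, then flags the things a reviewer of this particular log would look at (a registered service whose binary is gone, a service with no vendor name recorded, a startup shortcut HJT could not resolve, and a process running from outside the directories the rest of the log uses). The baseline directory list is an assumption for this machine, and the sample input is a constructed, trimmed copy of the posted log.

```python
import re
from typing import List, Tuple

# Constructed sample: a trimmed copy of the HijackThis log posted above,
# keeping one line of each kind the triage below looks at.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin Martin.ORIGINAL\My Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - Unknown owner - C:\WINDOWS\system32\bgsvcgen.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry is "<code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# Assumed baseline: the directories every process in the posted log runs
# from (including the 8.3 short form). Anything else gets a second look.
BASELINE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

Finding = Tuple[str, str]  # (kind, offending log line)


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running processes, [(code, body), ...])."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            # The process list ends at the first blank line.
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["code"], m["body"]))
    return processes, entries


def triage_hjt(processes: List[str], entries: List[Tuple[str, str]]) -> List[Finding]:
    """Flag the entry shapes that deserve a closer look in this log."""
    findings: List[Finding] = []
    for code, body in entries:
        if code == "O23":
            if body.endswith("(file missing)"):
                # Service still registered, binary no longer on disk.
                findings.append(("orphan-service", body))
            if " - Unknown owner - " in body:
                # HJT recorded no vendor name for the service binary.
                findings.append(("no-vendor-name", body))
        elif code == "O4" and body.endswith("= ?"):
            # Startup shortcut whose target HJT could not resolve.
            findings.append(("unresolved-startup", body))
    for p in processes:
        if not p.lower().startswith(BASELINE_DIRS):
            findings.append(("process-outside-baseline-dirs", p))
    return findings


if __name__ == "__main__":
    for kind, line in triage_hjt(*parse_hjt(SAMPLE_HJT)):
        print(f"{kind:30} {line}")
```

On the full log posted above this yields the same kinds of hit as the sample: bgsvcgen.exe (registered but missing), the Adobe LM and bgsvcgen services with no vendor name, the unresolved "Exif Launcher 2.lnk", and HiJackThis.exe itself running from My Documents. None of those is a sign of infection on its own, which is consistent with the "nothing to worry about" verdict in the next reply; the value of the script is that a reviewer sees the same short list every time rather than rescanning 190 lines by eye.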

CharleyO

  • Guest
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #4 on: December 28, 2008, 05:13:09 AM »
***

Welcome to the forums, chukky.   :)

I see nothing to worry about in your HJT log but a second opinion would be good to have.


***

chuKKy

  • Guest
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #5 on: December 28, 2008, 12:28:39 PM »
Thanks for your kind welcome CharleyO.

A couple of things bothering me still :-

1) I can't delete browsing history any more from the tools menu on Internet Explorer even though I am the Administrator.

2) The constant blocking by Zonealarm of a Global Windows Hook attempting to be set, details:-

Internet Explorer is trying to monitor your system to observe what events are occurring.

The current security setting for Internet Explorer does not permit this action. Your computer is safe. 
Inside the OSFirewall alert (alert property: value, followed by ZoneAlarm's technical explanation):

Program Name: Internet Explorer
    A program running on your computer, which attempted an action that it is not currently permitted to perform.
Filename: C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
    The filename of the program that ZoneAlarm Security Suite found on your computer.
Program Size: 633632
    The size of the program executable file in bytes.
Program MD5: 9d3db9adfabd2f0bc778ec03250a3abb
    The MD5 hash, or number, that uniquely identifies the executable.
Smart Checksum: 93ed0eabe541991ba05a9280f5da8b9f
    The SKIMP hash, or number, that uniquely identifies the executable.
Date Modified: Oct-15-2008 07:06:26 AM
    The date when C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe was most recently modified.
Event Type: Execution
    The event involved executing Windows instructions.
Sub Event Type: ExecutionGlobalWindowsHook
    Internet Explorer attempted to set a Windows hook without a specific thread.
 

Any ideas?

Thanks for your help, I really appreciate it.

Regards

chuKKy

  • Guest
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #6 on: December 30, 2008, 12:23:05 AM »
Anybody help re my concerns please?

Regards.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #7 on: December 30, 2008, 12:48:52 AM »
Sorry I gave up on IE as my default browser and Zone Alarm many years ago, so I wouldn't know where to begin.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #8 on: December 30, 2008, 01:00:06 AM »
Quote from: DavidR on December 30, 2008, 12:48:52 AM
Sorry I gave up on IE as my default browser and Zone Alarm many years ago, so I wouldn't know where to begin.
Me too...

FurstWan

  • Guest
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #9 on: January 03, 2009, 07:20:05 PM »
Quote from: Lisandro on December 27, 2008, 07:25:34 PM
I suggest the general cleaning procedure before anything else...

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.

Great suggestions, although useless.   - Ok, Sorry, no need to throw that at you :)
Avast Home Edition is the ONLY scanner that detects the Win32-FAREC [trj]. (By the way, it does detect it at boot-scan, says it deletes it, but it can't. It's still there - So that again is pretty useless)
Trend Micro Rootkitbuster: "Virus? What virus?"
Aswar: Congratulations! Your system is clean. (yeah right)
McAfee: Hey Win32 Farec! Come on in buddy! (here's where the trouble started, McAfee just LET THIS ONE THROUGH UNDETECTED!)
Superantispyware - Useless suggestion This is a VIRUS not spyware.
Spywareterminator: - Same thing. Useless.
Avast Antirootkit: "Device C: can't be opened" (Wow! That's a useful utility!)

Anyway, I'm pissed. This #$&^%#$% somehow got into my system, and NONE of the so-called self-proclaimed Professional Anti-Virus Solutions can do a D@MN thing about it.
 
Oh well, nothing you guys can't do anything about. Not your fault. It's the virus-writers (hope they rot in hell forever). Just wanted to blow off some steam :) I think I'll just reformat the thing.
« Last Edit: January 03, 2009, 09:05:37 PM by FurstWan »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #10 on: January 03, 2009, 08:48:51 PM »
Well, if it is useless and you have effectively given up, what can we do?

I can't believe that you have tried all the suggested options in your quote of Tech's general cleansing script.

The Win32:Fasec malware name is an avast malware name; there is no standard naming convention, so the malware name could vary from AV to AV (not win32:farec, which you mention; there is no malware of that name in the avast virus database). So any Google search, etc. you might do on win32:farec will reveal nothing.

However, what Win32:Fasec stands for basically is Fake Security Alerts, where pop-ups announce your system is infected/vulnerable, etc. and you should visit site X/download a solution, etc. One program that has had a degree of success in the Fake Alerts/Rogue Programs is MalwareBytes AntiMalware (MBAM in line 3).

I appreciate your anger, but that won't help us to try and help you. Other than the avast detection (file name and location), what other symptoms were there?

Whilst formatting will resolve this problem, it certainly won't help you find a resolution which may stop you being infected after your format.

I also don't know if you visited the link in line 8 as the main route of entry on to a system is through vulnerabilities that are being exploited in out of date software.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #11 on: January 03, 2009, 08:59:49 PM »
FurstWan, SuperAntispyware and SpywareTerminator detect something more than only spyware.
The same as MBAM.
Help us to help you...

FurstWan

  • Guest
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #12 on: January 03, 2009, 09:00:28 PM »
Don't get me wrong, I do appreciate the forum as it is. And as I said in my last line: it's not your fault. I was careless enough to let someone use his USB-stick in my PC, and I had McAfee running ($-ware, and it doesn't do the job! Be warned!)
 
My symptoms now:
  • c:\resycled\boot.com containing some nasty virus
  • Updates for McAfee and AdAware are blocked
  • Some weird "msqpdxtenrfyyc.dll" in my C:\Windows\System32 that contains WIN32-FASEC [trj] according to Avast Bootscan
    Avast claims to delete it, but it keeps coming back

I ran all the suggested programs, installed from a CD that I made in a clean system, installed and ran them both in Safe Mode (when possible) and in normal mode of Windows - to no avail. I'm stuck here. I have a virus that can not be dealt with.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #13 on: January 03, 2009, 09:07:31 PM »
At this point, maybe full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
BitDefender (free removal of the malware)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: Win32:Fasec Trojan & BV.Autorun-E Worm - Help Pls.
« Reply #14 on: January 03, 2009, 09:17:28 PM »
I suggest you download MBAM, install it, update it and run it from safe mode, as msqpdxtenrfyyc.dll is a rootkit, TDSS (I believe). If you try a forum search for msq*.dll you will find a topic where this file was removed along with one in the system32\drivers\ folder.

essexboy, because he saw from the MBAM log that this involved TDSS, a rootkit, suggested another more powerful tool, only to find that MBAM had indeed taken it out.

This is one where SAS took out one of these files beginning with msq, http://forum.avast.com/index.php?topic=41033.0. Did you run SAS from safe mode (more effective)?

I can't find the other topic right now, but I would say run MBAM and SAS in safe mode.