Author Topic: Win32: Fasec32 [Trj] - Help please  (Read 5611 times)


Ghuani

  • Guest
Win32: Fasec32 [Trj] - Help please
« on: January 02, 2009, 12:49:18 AM »
Hello, I am here to request your help because I really do not know what to do.

This morning when I tried to launch Internet Explorer I got a message from my Avast 4.8 informing me that the file C:\Windows\System32\msqpdxssfxjkix.dll was infected with the malware Win32: Fasec32 [trj].

I tried clicking the 'Delete' button, but immediately after confirming the deletion the same pop-up appeared; after deleting it about 4 times the browser launched. And this happens every time I try to launch IE or Firefox.

The recommended action is to 'move to chest', but after I click I get a message saying that it couldn't be done because the file was in use (probably because it's a Windows file, I think).

Please help and explain to me what I should do.


Kind Regards,
Ghuani

CharleyO

  • Guest
Re: Win32: Fasec32 [Trj] - Help please
« Reply #1 on: January 02, 2009, 01:06:11 AM »
***

Welcome to the forums, Ghuani.   :)

No, this is not a Windows file and I did not get any results from the below ScanDoo/google search.

http://g.s.scandoo.com/search?hl=en&meta=on&q=msqpdxssfxjkix.dll

So, this makes the file very suspicious to me.

Please download HijackThis from the link below. Do not download HJT to the desktop but instead download it into its own folder on the hard drive.

Run the program but do not make any fixes and then post the log results using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted.

OR, you can post it as an attachment to your post by clicking on "Additional Options..." below left of the posting box.  Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


***

DavidR
Re: Win32: Fasec32 [Trj] - Help please
« Reply #2 on: January 02, 2009, 01:17:22 AM »
If you have XP, Vista 32bit or Win2k, you could enable a boot time scan (runs before Windows starts so the file shouldn't be in use). Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.

The file name looks like a randomly generated one, common to a Vundo infection, so there are probably other things you need to fix, and HiJackThis is an analysis tool that helps us to help you.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Ghuani

  • Guest
Re: Win32: Fasec32 [Trj] - Help please
« Reply #3 on: January 02, 2009, 01:58:43 AM »
Thank you all very much.  :)

My dad and I found a way to delete it. Apparently it wasn't that hard to get rid of it.
And I learned that it's best to re-boot first. "A boot a day keeps the doctor away".

You can lock this now  :)


You all seem like a great community by the way, I'll be sure to drop by more often  :D

DavidR
Re: Win32: Fasec32 [Trj] - Help please
« Reply #4 on: January 02, 2009, 02:40:08 AM »
No problem, welcome to the forums.

Ghuani

  • Guest
Re: Win32: Fasec32 [Trj] - Help please
« Reply #5 on: January 02, 2009, 04:59:05 PM »
Never mind, it's still there.  :-\

I'll do what you guys said and I'll report in a couple of minutes.


If it helps it's a laptop Lenovo 3000 N200 and I have Vista Home Edition (I think).

Doing the boot time scan now.
« Last Edit: January 02, 2009, 05:09:39 PM by Ghuani »

DavidR
Re: Win32: Fasec32 [Trj] - Help please
« Reply #6 on: January 02, 2009, 06:18:23 PM »
Hopefully that will be able to remove it.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

1. SUPERantispyware On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

Ghuani

  • Guest
Re: Win32: Fasec32 [Trj] - Help please
« Reply #7 on: January 02, 2009, 07:57:56 PM »
The boot-time scan has finished and it has found the infected file, which I ordered to be deleted. (Should I have moved it to chest instead?)
The firewall that is running is Windows Firewall.
I have also noticed that the system and the browser are running slower.  :-\

The log I got from HJT is attached.


What should I do now?

Thank you in advance,
Ghuani

essexboy

  • Malware removal instructor
Re: Win32: Fasec32 [Trj] - Help please
« Reply #8 on: January 02, 2009, 08:24:46 PM »
Hmm, HJT shows nothing, so we will take a two-pronged approach to this. First we will run a general-purpose cleaner and then an analysis scan.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

THEN

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file, Attach.txt.

DavidR
Re: Win32: Fasec32 [Trj] - Help please
« Reply #9 on: January 02, 2009, 08:45:59 PM »
The boot-time scan has finished and it has found the infected file, which I ordered to be deleted. (Should I have moved it to chest instead?)
The firewall that is running is Windows Firewall.
<snip>

Deletion is never a good first option (you have none left); though in this case not a problem, it is a bad habit to get into. 'First do no harm': don't delete, send the virus to the chest and investigate.

Your firewall might not be doing you any favours, as the Vista firewall has outbound protection disabled by default. Even when enabled it isn't very friendly, as it is rule based and you have to make the rules. Vista Firewall Control: check out this topic for some user-friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0

Work through the applications that essexboy has suggested posting/attaching any requested logs/files.

Ghuani

  • Guest
Re: Win32: Fasec32 [Trj] - Help please
« Reply #10 on: January 02, 2009, 09:58:45 PM »
Thank you, I have downloaded Malwarebytes and did the scan, had 4 Trojans  :o  Deleted the new 3 easily, but the one that was causing me problems had to be deleted on reboot.
After the disinfection I did another scan and found nothing  :)

Log:
***
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 6.0.6001 Service Pack 1

02-01-2009 20:37:16
mbam-log-2009-01-02 (20-37-16).txt

Scan type: Quick Scan
Objects scanned: 65639
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\msqpdxssfxjkix.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\msqpdxeyvppreq.sys (Trojan.Agent) -> Quarantined and deleted successfully.

***

Also downloaded DDS but (probably because of scripts) I couldn't make it work.
Can someone tell me how to disable scripts that are blocking it, please.


Thanks,
~Ghuani
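The MBAM report pasted above has a fixed line shape (object, detected family, action taken), which makes it easy to triage programmatically. As an added example, not code from this thread or from Malwarebytes, the parser below extracts each detection, lists objects still marked "Delete on reboot" so they can be re-checked after the restart, and applies a rough heuristic (an assumption, not a verdict) for the random-looking file names DavidR pointed out. The sample log is a constructed excerpt of the one in the post.

```python
import re
# Constructed excerpt modelled on the MBAM 1.31 log pasted above (sample input, not the real file).
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_CLASSES_ROOT\\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\\Windows\\System32\\msqpdxssfxjkix.dll (Trojan.TDSS) -> Delete on reboot.
C:\\Windows\\System32\\drivers\\msqpdxeyvppreq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# One detection line has the shape: <object> (<family>) -> <action>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return every detection as a dict with section, path, family and action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:  # "(No malicious items detected)" has no arrow and is skipped
            items.append({"section": section, **m.groupdict()})
    return items

def pending_on_reboot(items):
    """Objects MBAM could not remove live; confirm they are gone with a second scan after restarting."""
    return [i["path"] for i in items if i["action"].lower().startswith("delete on reboot")]

def looks_random(path):
    """Triage heuristic (assumption, not a verdict): long stem with a consonant run of five or more."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    runs = re.findall(r"[b-df-hj-np-tv-z]+", stem)
    return len(stem) >= 10 and max((len(r) for r in runs), default=0) >= 5

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for i in found:
        print(i["section"], i["path"], i["action"], "<- random-looking name" if looks_random(i["path"]) else "")
    print("Re-check after reboot:", pending_on_reboot(found))
```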

essexboy

  • Malware removal instructor
Re: Win32: Fasec32 [Trj] - Help please
« Reply #11 on: January 02, 2009, 10:47:07 PM »
You have the TDSS rootkit, so I will need a stronger tool to kill that, as MBAM has only made it visible.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Ghuani

  • Guest
Re: Win32: Fasec32 [Trj] - Help please
« Reply #12 on: January 02, 2009, 11:54:17 PM »
Ok, did that, the log is attached.
Some parts are in Portuguese, but you probably can figure it out. (?)


Also, as I shut down avast! antivirus, the following message popped up at the system tray: "The file or directory C:\Windows\inf\SMSvcHost 3.0.0.0 is corrupt and unreadable. Please run the Chkdsk utility."
A few minutes later a similar message popped up.



Greetings,
Ghuani

essexboy

  • Malware removal instructor
Re: Win32: Fasec32 [Trj] - Help please
« Reply #13 on: January 03, 2009, 12:05:38 AM »
Looks like MBAM is getting better at removing TDSS, as it was gone.

Reference the popup, I would recommend that you run a check disk to ensure that all is OK.

But otherwise you look clean  ;D

Ghuani

  • Guest
Re: Win32: Fasec32 [Trj] - Help please
« Reply #14 on: January 03, 2009, 12:58:06 AM »
Wow, thank you all so much  ;D