Topic: new to forum... need help! Win32:Fasec


61biscayne

  • Guest
new to forum... need help! Win32:Fasec
« on: August 01, 2009, 07:28:37 PM »
Can someone please offer me some guidance! Upon doing a startup scan, Avast
warns me that I have a Trojan Horse Win32:Fasec
Internet Explorer keeps redirecting my searches to the wrong pages and
when first opening IE, it asks if I want to continue with the last session.
If I say yes, I'm taken to arbitrary web pages, not my home page.

Any help will be GREATLY appreciated!!!!

c:\windows\system32\uacriiifyasac.dll


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:08 PM, on 8/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Common Files\First Alert\TrueWeather.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HJTInstall.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HJTInstall.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HJTInstall.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HJTInstall.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\HiJackThis.exe

61biscayne

  • Guest
Re: new to forum... need help! Win32:Fasec
« Reply #1 on: August 01, 2009, 07:29:55 PM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Scrapbook Factory Deluxe 4.0\ReminderApp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; yie8)" -"http://etnies.com/games/street-sesh/"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Documents and Settings\Administrator\Application Data\Intuit\Quicken\Config\billmind.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: First Alert.lnk = C:\Program Files\Common Files\First Alert\TrueWeather.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Documents and Settings\Administrator\Application Data\Intuit\Quicken\Config\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Documents and Settings\Administrator\Application Data\Intuit\Quicken\Config\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

61biscayne

  • Guest
Re: new to forum... need help! Win32:Fasec
« Reply #2 on: August 01, 2009, 07:30:38 PM »
O15 - Trusted Zone: *.easysite.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14232 bytes

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: new to forum... need help! Win32:Fasec
« Reply #3 on: August 01, 2009, 07:41:51 PM »
Hello 61biscayne

This is somewhat fishy, and the site is marked red in MyWOT:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hXXp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab

There are other unknown entries.

You can download Malwarebytes Anti-Malware (MBAM) from here: malwarebytes.org (download the free version). Install, update and perform a full scan. Turn off System Restore before performing the scan.

You can also do a scan using SUPERAntiSpyware (SAS); get it from here: http://bit.ly/2tLyYv

Don't worry about the tracking cookies reported by SAS; let SAS deal with them.

Post the MBAM log here.

61biscayne

  • Guest
Re: new to forum... need help! Win32:Fasec
« Reply #4 on: August 01, 2009, 07:56:35 PM »
Thanks nmb for the response.
  I have been unable to get either Malwarebytes, SUPERAntiSpyware, Ad-Aware, or Spybot to run
on my computer.... I have been working on this problem for the last several days. >:(
Is there a chance the trojan is blocking these programs from running?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: new to forum... need help! Win32:Fasec
« Reply #5 on: August 01, 2009, 07:58:45 PM »
Is there a chance the trojan is blocking these programs from running?
Sure.

Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:
1. Dr. Web
2. Avira
3. BitDefender
4. Kaspersky
5. F-Secure
The best things in life are free.

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: new to forum... need help! Win32:Fasec
« Reply #6 on: August 01, 2009, 08:03:57 PM »
follow tech

micky77

  • Guest
Re: new to forum... need help! Win32:Fasec
« Reply #7 on: August 01, 2009, 08:41:14 PM »
Can you also download Rootrepeal, and post the log. You may have a rootkit. http://rootrepeal.googlepages.com/

Choose files, before scanning
« Last Edit: August 09, 2009, 10:25:42 AM by micky77 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37337
  • Not a avast user
Re: new to forum... need help! Win32:Fasec
« Reply #8 on: August 01, 2009, 09:32:55 PM »
Quote
Can someone please offer me some guidance! Upon doing a startup scan,

Boot time Avast Antivirus Scanning
http://www.digitalred.com/avast-boot-time.php

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: new to forum... need help! Win32:Fasec
« Reply #9 on: August 01, 2009, 11:22:09 PM »
Can you also download Rootrepeal, and post the log. You may have a rootkit. http://rootrepeal.googlepages.com/

Hmmm... not really a good impression of this program... To avoid FUD, can other people post their experience with it?
It's a standalone (but requires to load drivers).
The best things in life are free.

micky77

  • Guest
Re: new to forum... need help! Win32:Fasec
« Reply #10 on: August 02, 2009, 12:55:50 AM »
Hmmm... not really a good impression of this program... To avoid FUD

Why is that? Have you heard something bad? It's recommended by Malwarebytes, the program everyone advises when Avast fails.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: new to forum... need help! Win32:Fasec
« Reply #11 on: August 02, 2009, 09:00:39 PM »
Why is that ?
I've tried to run the program.
No GUI appeared.
Process was running in background taking 50-70% of the CPU.
Can't kill the program (even with admin rights).
Well, not a good first impression eh...?
The best things in life are free.

micky77

  • Guest
Re: new to forum... need help! Win32:Fasec
« Reply #12 on: August 08, 2009, 10:59:11 AM »
Why is that ?
I've tried to run the program.
No GUI appeared.
Process was running in background taking 50-70% of the CPU.
Can't kill the program (even with admin rights).
Well, not a good first impression eh...?

It's your system, Tech. I have no problems: the GUI appears, CPU is about 20%, and the program immediately stops when told to.

No, my name's not Terry  ;D
« Last Edit: August 08, 2009, 11:00:44 AM by micky77 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: new to forum... need help! Win32:Fasec
« Reply #13 on: August 08, 2009, 01:48:35 PM »
Its your system Tech, I have no problems, Gui appears,CPU about 20%, program immediately stops when told to.
Tested again... no GUI, CPU at 50%, stalled... Vista Business 32-bit (and Vista firewall only). No HIPS program running.
Probably program is having problems with (installation of) C:\Windows\system32\drivers\rootrepeal.sys
« Last Edit: August 08, 2009, 01:53:18 PM by Tech »
The best things in life are free.

CharleyO

  • Guest
Re: new to forum... need help! Win32:Fasec
« Reply #14 on: August 09, 2009, 02:30:17 AM »
***

Since the OP has not posted since advice was given, I have analyzed the HJT log, which shows many problems:

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend you use a firewall.


There are too many entries for Symantec/Norton products which may have contributed to the problem since it is very unwise to use 2 active AV programs :

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Symantec Update related

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Symantec Update related   (2 entries)

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
coIEPlg.dll - Browser plugin related with Norton_Confidential, http://www.symantec.com/en/me/home_homeoffice/products/sysreq.jsp?pcid=ts&pvid=nco

   O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
IPSBHO.dll - Symantec Intrusion Prevention - see here, http://investor.symantec.com/phoenix.zhtml?c=89422&p=irol-newsArticle&ID=738300&highlight=

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
CoIEPlg.dll - Browser plugin related with Norton_Confidential, http://www.symantec.com/en/me/home_homeoffice/products/sysreq.jsp?pcid=ts&pvid=nco

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Part of Norton AntiVirus. Auto-protect and E-mail check will not function without this

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
Related to Norton Antivirus from Symantec Corp

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
Related to antivirus from Symantec Corp

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Related to antivirus from Symantec Corp

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Related to antivirus from Symantec Corp

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Related to antivirus from Symantec Corp

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
Related to antivirus from Symantec Corp

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
Related to antivirus from Symantec Corp

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Related to antivirus from Symantec Corp

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Related to antivirus from Symantec Corp
The computer has (or did have) a Symantec AV program and is (was) Norton 360. The proper removal tool from Symantec should be used.


BAD entries in the HJT log :

C:\Program Files\Internet Explorer\Iexplore.exe
This is not Internet Explorer but it is a virus.

C:\Program Files\Internet Explorer\Iexplore.exe
This is not Internet Explorer but it is a virus.

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Related to Yahoo Companion!

O2 - BHO: (no name) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file)
Unnecessary (deactivated) entry that can be fixed. Unknown entry.
related to Yahoo Companion. http://www.spyandseek.com/Search.php?search_for=FDAD4DA1-61A2-4FD8-9C17-86F7AC245081&search=SAS-Search

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
Should be fixed. Related to FunWebProducts (Zwinky, SmileyCentral, CursorMania, MyFunCards, etc.) that is known to install adware & spyware.
http://www.spyandseek.com/Search.php?search_for=1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB&search=SAS-Search



Overview of running tasks (process, type, description):

smss.exe (System task): Session Manager Subsystem
winlogon.exe (System task): Microsoft Windows Logon Process
services.exe (System task): Windows Service Controller
lsass.exe (System task): Local Security Authority Service
svchost.exe (System task): Microsoft Service Host Process
SZServer.exe (Background task): STOPzilla Service
svchost.exe (System task): Microsoft Service Host Process
svchost.exe (System task): Microsoft Service Host Process
ccSvcHst.exe (Firewall): Symantec Service Framework Executable
aswUpdSv.exe (Virus scan): Avast Anti-Virus Component
ashServ.exe (Virus scan): Avast
Explorer.EXE (System task): Microsoft Windows Explorer
RTHDCPL.EXE (Driver): Realtek HD Audio Sound Effect Manager
hpcmpmgr.exe (Application): HP Component Manager
ReminderApp.exe (Unknown task): the process belongs to software by Nova Development; http://www.file.net/process/reminderapp.exe.html
HPWuSchd2.exe (Background task): Hewlett Packard Software Update Scheduler
SearchProtection.exe (Background task): Search Protection
iTunesHelper.exe (Application): Apple iTunes
realsched.exe (Application): RealNetworks Scheduler
jusched.exe (Background task): Sun Java Update Scheduler
ashDisp.exe (Virus scan): Avast AntiVirus
ccSvcHst.exe (Firewall): Symantec Service Framework Executable
Compaq Connections.exe (Unknown task): http://www.file.net/process/compaq%20connections.exe.html
TrueWeather.exe (Unknown task): http://www.file.net/process/trueweather.exe.html
hpqtra08.exe (Background task): Hewlett Packard Imaging
SetPoint.exe (Background task): Logitech SetPoint Event Manager
KHALMNPR.EXE (Background task): Logitech Mouse Utility
ymsgr_tray.exe (Background task): Yahoo! Messenger Server Traybar
spoolsv.exe (System task): Microsoft Printer Spooler Service
AppleMobileDeviceService.exe (Background task): Apple Mobile Device Service
arservice.exe (System task): Media Center Away Mode Service
mDNSResponder.exe (Background task): Bonjour for Windows Component
ehRecvr.exe (Background task): Media Center Receiver Service
ehSched.exe (Background task): Media Center Scheduler Service
jqs.exe (Background task): jqs.exe
LSSrvc.exe (Background task): NERO Light Scribe Module
nvsvc32.exe (Application): NVIDIA Driver Helper Service
HPZipm12.exe (Driver): HP Taskbar Utility
svchost.exe (System task): Microsoft Service Host Process
YahooAUService.exe (Background task): Yahoo! AutoUpdater
ashMaiSv.exe (Virus scan): Avast Anti-Virus Component
ashWebSv.exe (Virus scan): avast! Web Scanner
iPodService.exe (Background task): Apple iTunes
dllhost.exe (System task): Microsoft DCOM DLL Host Process
STOPzilla.exe (Background task): STOPzilla! Application
hpsysdrv.exe (Application): Hewlett-Packard Monitoring Tool
DISCover.exe (Unknown task): http://www.file.net/process/discover.exe.html
DiscUpdMgr.exe (Unknown task): http://www.file.net/process/discupdmgr.exe.html
DiscStreamHub.exe (Unknown task): http://www.file.net/process/discstreamhub.exe.html
Iexplore.exe (Virus): FORBOT-AG WORM!
Iexplore.exe (Virus): FORBOT-AG WORM!
HJTInstall.exe (Unknown task)
HJTInstall.exe (Unknown task)
HJTInstall.exe (Unknown task)
HJTInstall.exe (Unknown task)
HiJackThis.exe (Application): Merijn Hijackthis