I am an Avast 4.8 Home Edition user and recently decided to run an intense scan rather than the normal scans I periodically run. The intense scan found two problems: (1) Win32:Fasec [trJ] in files A0065059.com & jah31970.exe, (2) BV.Autorun-E [WRM] in file A0065076.inf. I chose the Avast recommended option to quarantine the files, which it did successfully.
I am slightly worried now as to whether I have actually eliminated the viruses, as I have noticed some other unusual things. I run Zone Alarm Security Suite and have just noticed in the alerts and log section that a Global Windows Hook is trying to establish itself almost constantly (repeats between 10 seconds and ten minutes): c:\program files\Internet Explorer\iexplorer.exe.
Another strange thing, I am set up as the windows administrator, however it will now not let me perform the ‘Delete Browsing History’ which until very recently worked.
I don’t know if I am being paranoid or have good reason to be worried. Can anyone help me please?
I suggest the general cleaning procedure before anything else…
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
I have completed all of the steps that you listed.
I didn’t get any hits using the Avast! antirootkit but got some listings when using Rootkit Unhooker. Log below from Rootkit Unhooker; HijackThis log to follow next due to the maximum post characters being reached.
Thanks for your help so far.
Regards
Martin.
RkUnhooker report generator v0.7
Rootkit Unhooker kernel version: 3.8.341.552
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:58:58, on 28/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
I can’t delete browsing history any more from the tools menu on Internet Explorer even though I am the Administrator.
The constant blocking by ZoneAlarm of a Global Windows Hook attempting to be set, details:
Internet Explorer is trying to monitor your system to observe what events are occurring.
The current security setting for Internet Explorer does not permit this action. Your computer is safe.
Inside the OSFirewall alert
Alert property / Alert property value / Technical explanation
Program Name: Internet Explorer (a program running on your computer which attempted an action that it is not currently permitted to perform)
Filename: C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe (the filename of the program that ZoneAlarm Security Suite found on your computer)
Program Size: 633632 (the size of the program executable file in bytes)
Program MD5: 9d3db9adfabd2f0bc778ec03250a3abb (the MD5 hash, or number, that uniquely identifies the executable)
Smart Checksum: 93ed0eabe541991ba05a9280f5da8b9f (the SKIMP hash, or number, that uniquely identifies the executable)
Date Modified: Oct-15-2008 07:06:26 AM (the date when C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe was most recently modified)
Event Type: Execution (the event involved executing Windows instructions)
Sub Event Type: ExecutionGlobalWindowsHook (Internet Explorer attempted to set a Windows hook without a specific thread)
Great suggestions, although useless. Ok, sorry, no need to throw that at you. Avast Home Edition is the ONLY scanner that detects the Win32-FAREC [trj]. (By the way, it does detect it at boot-scan, says it deletes it, but it can’t. It’s still there, so that again is pretty useless.) Trend Micro Rootkitbuster: “Virus? What virus?” Aswar: Congratulations! Your system is clean. (yeah right) McAfee: Hey Win32 Farec! Come on in buddy! (here’s where the trouble started, McAfee just LET THIS ONE THROUGH UNDETECTED!) Superantispyware: useless suggestion, this is a VIRUS not spyware. Spywareterminator: same thing, useless. Avast Antirootkit: “Device C: can’t be opened” (Wow! That’s a useful utility!)
Anyway, I’m pissed. This #$&^%#$% somehow got into my system, and NONE of the so-called self-proclaimed Professional Anti-Virus Solutions can do a D@MN thing about it.
Oh well, nothing you guys can do anything about. Not your fault. It’s the virus-writers (hope they rot in hell forever). Just wanted to blow off some steam. I think I’ll just reformat the thing.
Well, if it is useless and you have effectively given up, what can we do?
I can’t believe that you have tried all the suggested options in your quote of Tech’s general cleansing script.
The Win32:Fasec malware name is an avast malware name. There is no standard naming convention, so the malware name could vary from AV to AV (not win32:farec that you mention; there is no malware of that name in the avast virus database). So any google search, etc. you might do on win32:farec will reveal nothing.
However, what Win32:Fasec stands for basically is Fake Security Alerts, where pop-ups announce your system is infected/vulnerable, etc. and you should visit site X/download a solution, etc. One program that has had a degree of success against Fake Alerts/Rogue Programs is MalwareBytes AntiMalware (MBAM in line 3).
I appreciate your anger, but that won’t help us to try and help you. Other than the avast detection (file name and location), what other symptoms were there?
Whilst formatting will resolve this problem, it certainly won’t help you find a resolution which may stop you being infected after your format.
I also don’t know if you visited the link in line 8, as the main route of entry onto a system is through vulnerabilities that are being exploited in out-of-date software.
Don’t get me wrong, I do appreciate the forum as it is. And as I said in my last line: it’s not your fault. I was careless enough to let someone use his USB stick in my PC, and I had McAfee running ($-ware, and it doesn’t do the job! Be warned!)
My symptoms now:
c:\resycled\boot.com containing some nasty virus
Updates for McAfee and AdAware are blocked
Some weird “msqpdxtenrfyyc.dll” in my C:\Windows\System32 that contains WIN32-FASEC [trj] according to Avast Bootscan
Avast claims to delete it, but it keeps coming back
I ran all the suggested programs, installed from a CD that I made on a clean system, installed and ran them both in Safe Mode (when possible) and in normal mode of Windows, to no avail. I’m stuck here. I have a virus that cannot be dealt with.
I suggest you download MBAM, install it, update it and run it from safe mode, as msqpdxtenrfyyc.dll is a TDSS rootkit (I believe). If you try a forum search for msq*.dll you will find a topic where this file was removed along with one in the system32\drivers\ folder.
essexboy, because he saw from the MBAM log that this involved TDSS, a rootkit, suggested another more powerful tool, only to find that MBAM had indeed taken it out.
Access to the updates for the virus database for Kaspersky is blocked by the virus (program installs OK, but stops because it can’t update).
Access to the whole ESET-website is blocked by the virus.
Access to the online scanner of Bitdefender is blocked by the virus.
Give me 5 minutes in a room with the $#&^#@$&^% that wrote this virus.
Yes, ran DrWeb too, nothing found.
Tried to use FileAssassin (in MBAM) to delete the weird msq*.* file, it said it couldn’t delete it right away, and suggested a restart.
So I did, in Safe Mode. The file seems to be gone. Found another msq*.sys in C:\Windows\System32\Drivers and quarantined that.
Anti-virus websites are still being blocked though, so I guess there’s something still there.
Just downloaded the BitDefender ISO you suggested (thanks!) and will burn that on a clean system now. Will keep you posted. Thanks for all the help so far guys, and for not kicking me out after the initial rant.
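As an added example (not from this thread or from any of the tools named in it), a small Python triage helper that checks a file listing for the file-system indicators the thread reports: the random-named msq*.dll in System32 and msq*.sys in System32\drivers (the TDSS files MBAM removed), c:\resycled\boot.com, and an autorun.inf at a drive root. The listing is constructed; the .sys file name is an assumption, since only its msq* prefix and folder are given in the thread.

```python
import fnmatch
import ntpath

# Indicator set built from what the thread reports: (label, directory pattern,
# file name pattern). Patterns are lower-case; matching is case-insensitive.
INDICATORS = [
    ("TDSS rootkit DLL", r"c:\windows\system32", "msq*.dll"),
    ("TDSS rootkit driver", r"c:\windows\system32\drivers", "msq*.sys"),
    ("resycled boot.com", r"c:\resycled", "boot.com"),
    ("autorun.inf at drive root", "?:\\", "autorun.inf"),
]

# Constructed directory listing standing in for a real one (e.g. from a boot CD).
# msqpdxtenrfyyc.dll is the name reported in the thread; the .sys name is made up.
SAMPLE_LISTING = [
    r"C:\Windows\System32\msqpdxtenrfyyc.dll",
    r"C:\Windows\System32\drivers\msqpdxexample.sys",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\resycled\boot.com",
    r"E:\autorun.inf",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]


def match_indicators(paths):
    """Return (label, path) for each path whose directory AND file name match
    an indicator. Directory and name are matched separately so that a msq*
    subfolder deeper under System32 is not mistaken for the rootkit DLL."""
    hits = []
    for path in paths:
        norm = path.lower().replace("/", "\\")
        directory, name = ntpath.split(norm)
        for label, dir_pat, name_pat in INDICATORS:
            if fnmatch.fnmatchcase(directory, dir_pat) and fnmatch.fnmatchcase(name, name_pat):
                hits.append((label, path))
    return hits


if __name__ == "__main__":
    for label, path in match_indicators(SAMPLE_LISTING):
        # Quarantine rather than delete, as the thread's advice says.
        print(f"{label}: {path} (quarantine, do not just delete)")
```

Run it against a listing taken from a clean boot environment, since a live TDSS rootkit may hide its own files from tools run inside the infected Windows.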