Author Topic: [RESOLVED]Alert  (Read 5979 times)


Franck

  • Guest
[RESOLVED]Alert
« on: April 19, 2011, 09:32:53 PM »
Hello everyone,

I have an alert from avast saying a program is trying to use "explorer.exe" to connect to a website, both when I start the computer and regularly during the day.
This happens even when I am not on Internet Explorer or Firefox.
Neither Malwarebytes' Anti-Malware, Adaware nor Spybot detected any threat.
Attached is a scan of the alert.

Do you have any idea of what it might be, and how to get rid of it?

Thanks a lot in advance,
« Last Edit: April 22, 2011, 11:21:46 AM by Franck »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Alert
« Reply #1 on: April 19, 2011, 10:11:10 PM »
See if after running this the alerts stop

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Franck

  • Guest
Re: Alert
« Reply #2 on: April 20, 2011, 10:06:30 AM »
Hi essexboy,

Thank you for your last mail. I did as you said (even twice), but I still got the same alerts right after starting up my computer.

SafeSurf

  • Guest
Re: Alert
« Reply #3 on: April 20, 2011, 10:23:33 AM »
Other than this alert, are you having any other problems with your machine?

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining an OTS log (save it as ANSI and not Unicode). Post the OTS log as an attachment (Additional Options > Attach > Post).

I am going to contact Essexboy to let him know that you will be posting the log for him.  He will also review your log and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

***Please do not make any further changes to your machine after you have provided the logs.***

Let me know if you have any questions.  Thank you.

Franck

  • Guest
Re: Alert
« Reply #4 on: April 20, 2011, 12:51:51 PM »
Hello SafeSurf,

So far, no other problem with my computer. It's just this recurrent alert. Though it says the connection attempt to a malicious site has been blocked, I am just wondering if there is not a Trojan or something stronger, above all because this occurs even when I have not started surfing.
Thanks for your time, ideas, and for informing essexboy.

Franck
(Paris,France)

Offline essexboy

Re: Alert
« Reply #5 on: April 20, 2011, 06:29:10 PM »
If you could run OTS I will look deeper

Hermite15

  • Guest
Re: Alert
« Reply #6 on: April 20, 2011, 07:06:49 PM »
Sounds like the network shield has been doing a firewall outbound protection job there... not saying that it replaces it at all, but that's good.

Offline essexboy

Re: Alert
« Reply #7 on: April 20, 2011, 07:32:59 PM »
I have noticed that a few times now - good to see it is working beyond expectations  ;D

Franck

  • Guest
Re: Alert
« Reply #8 on: April 20, 2011, 10:02:09 PM »
Hello All,

When I tried to run OTS, Avast recommended that I run it in the Sandbox, which I did.
While OTS was running I had 2 "Trojan blocked" alerts - I attached the file.
OTS stopped before producing any report - I had messages like "insufficient space to do this command".
My computer was in a strange state, as I had errors when trying to open Firefox. My desktop was not displayed properly.
Finally I restarted my computer.

Thanks all in advance for your answers.

Offline essexboy

Re: Alert
« Reply #9 on: April 20, 2011, 10:07:56 PM »
Allow OTS to run normally, otherwise it will fail to produce the log. Avast is being rightly cautious as this is a programme from the internet that has the capability of editing the registry and deleting files and services. But it is safe.

Franck

  • Guest
Re: Alert
« Reply #10 on: April 20, 2011, 10:33:49 PM »
Hello,

I finally got the OTS log.

Franck
(Paris, France)

Offline essexboy

Re: Alert
« Reply #11 on: April 20, 2011, 10:51:59 PM »
Hi, a question first - did you set Firefox to use a proxy in Japan?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > ->
YN -> HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> ${URL_SEARCHPAGE}
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1060284298-1383384898-1417001333-1004\] > ->
YN -> HKEY_USERS\S-1-5-21-1060284298-1383384898-1417001333-1004\: Main\\"Search Page" -> ${URL_SEARCHPAGE}
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\xp\Application Data\Mozilla\FireFox\Profiles\2qko9pyo.default\prefs.js
YN -> browser.search.defaultthis.engineName -> "  "
YN -> browser.search.selectedEngine -> "  "
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {EA35911C-1B6A-4AF3-B803-913BA025C271} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1060284298-1383384898-1417001333-1004\] > -> HKEY_USERS\S-1-5-21-1060284298-1383384898-1417001333-1004\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{7FED05BE-14FB-4A41-B0D9-79ABBC36FEE4}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-1060284298-1383384898-1417001333-1004\] > -> HKEY_USERS\S-1-5-21-1060284298-1383384898-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Qfilezorijegoz" -> [rundll32.exe  "C:\WINDOWS\nmub40.dll",Startup]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\Lphant Applications\Lphant\Lphant.exe" -> [C:\Program Files\Lphant Applications\Lphant\Lphant.exe:*:Enabled:Lphant]
YN -> "E:\Mes docs 19-09-2008\Ma sécurité\Test débit cité fibre\iperf.exe" -> [E:\Mes docs 19-09-2008\Ma sécurité\Test débit cité fibre\iperf.exe:*:Disabled:iperf]
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Franck

  • Guest
Re: Alert
« Reply #12 on: April 21, 2011, 12:02:11 AM »
Hi essexboy,

No, I didn't set Firefox to use a proxy in Japan.
Attached is the log of actions taken during the fix.

Offline essexboy

Re: Alert
« Reply #13 on: April 21, 2011, 07:08:45 PM »
OK, let's remove them now - once done, can you let me know what problems you are still having?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\xp\Application Data\Mozilla\FireFox\Profiles\2qko9pyo.default\prefs.js
YN -> network.proxy.backup.ftp -> "58.157.9.52"
YN -> network.proxy.backup.ftp_port -> 80
YN -> network.proxy.backup.gopher -> "58.157.9.52"
YN -> network.proxy.backup.gopher_port -> 80
YN -> network.proxy.backup.socks -> "58.157.9.52"
YN -> network.proxy.backup.socks_port -> 80
YN -> network.proxy.backup.ssl -> "58.157.9.52"
YN -> network.proxy.backup.ssl_port -> 80
YN -> network.proxy.ftp -> "121.241.105.50"
YN -> network.proxy.ftp_port -> 80
YN -> network.proxy.gopher -> "121.241.105.50"
YN -> network.proxy.gopher_port -> 80
YN -> network.proxy.http -> "121.241.105.50"
YN -> network.proxy.http_port -> 80
YN -> network.proxy.share_proxy_settings -> true
YN -> network.proxy.socks -> "121.241.105.50"
YN -> network.proxy.socks_port -> 80
YN -> network.proxy.ssl -> "121.241.105.50"
YN -> network.proxy.ssl_port -> 80
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
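Added example, not from this thread and not part of OTS: a small Python audit of a Firefox prefs.js that flags the pattern removed in the fix above, network.proxy.* (and network.proxy.backup.*) hosts that point at an address off the machine. The prefs.js sample is constructed, reusing the two addresses from the fix; LOCAL_NETS and the helper names are this example's own.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample prefs.js, modelled on the proxy entries in the OTS fix
# above (same addresses as the thread). A clean profile has no such hosts.
SAMPLE_PREFS = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "121.241.105.50");
user_pref("network.proxy.ssl", "121.241.105.50");
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.backup.ssl", "58.157.9.52");
user_pref("network.proxy.ftp", "127.0.0.1");
'''
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
HOST_LEAVES = ("http", "ssl", "ftp", "socks", "gopher")
LOCAL_NETS = [ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_prefs(text):
    """Map pref name -> value; strings unquoted, ints and booleans converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def is_local_host(host):
    """localhost, loopback and RFC 1918 addresses count as local."""
    try:
        return host == "localhost" or any(ip_address(host) in net for net in LOCAL_NETS)
    except ValueError:  # a hostname other than localhost
        return False

def suspicious_proxies(prefs):
    """Sorted (pref, host) pairs for proxy hosts that are set and point off the machine."""
    hits = []
    for name, value in prefs.items():
        leaf = name.rsplit(".", 1)[-1]
        if (name.startswith("network.proxy.") and leaf in HOST_LEAVES
                and isinstance(value, str) and value and not is_local_host(value)):
            hits.append((name, value))
    return sorted(hits)
```

Run it against a profile's prefs.js (Firefox must be closed so the file is current); any hit alongside network.proxy.type set to 1 is the manual-proxy hijack seen in this thread.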

Franck

  • Guest
Re: Alert
« Reply #14 on: April 21, 2011, 08:36:11 PM »
Hi EssexBoy,
Here is the last OTS log.

One comment: since the first "run fix", I haven't received any alert.

Thx

Franck
(Paris, France)