Author Topic: Possible security issues?  (Read 13616 times)


Jaymie1989

  • Guest
Possible security issues?
« on: July 24, 2011, 04:19:17 PM »
Hi,

Since yesterday after reinstalling Windows 7 my Avast keeps popping up with this threat that's blocked.

C:\Windows\sysWOW64\RunDLL32.exe. I looked in my task manager and it's being called 3 times. I know that on a 64-bit PC, which is what I'm using, it should be called twice.
I have scanned with MBAM, Avast AV and SuperAntiSpyware and they found the sysWOW64 folder clean. I am not sure what to do.

I read this topic first but that didn't offer any solution to me.
http://www.sevenforums.com/system-security/60667-where-should-you-see-rundll32-exe-how-many-copies.html

Here is my task manager:


and here is the Avast AV pop up:


Whatever I am doing on my PC it will pop up every few minutes.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
URL:MAL detection
« Reply #1 on: July 24, 2011, 04:53:28 PM »
The RunDLL32.exe is effectively being used by a hidden element on your system to try and connect to a malicious site.

Did you spend any time on-line without full protection after re-installing win7 ?

If you can run these tools and post/attach the logs that they generate.

You can check if you have an MBR rootkit using this tool:
Quote from: essexboy
Download aswMBR.exe ( 1.8MB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply



Also
Quote from: essexboy
Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Note: this says attach the file (too big for copy and paste; use the Additional Options in the Reply window to attach the file).
« Last Edit: July 24, 2011, 04:55:08 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
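The point DavidR makes is the one a practitioner would check first: rundll32.exe is only a loader, so the number of copies in Task Manager tells you little, while the DLL and export each copy was started with, its parent, its signature and its network connections tell you almost everything. The PowerShell script below is an added example and is not code from this thread, from Avast or from OTS; it assumes PowerShell 3.0 or later for Get-CimInstance (on a stock Windows 7 PowerShell 2.0 box substitute Get-WmiObject), and the function names are my own.

```powershell
# Added example (not from the thread): triage every rundll32.exe instance.
# Shows the DLL it was launched with, the parent process, whether that DLL is
# Authenticode-signed, its SHA-256, and the sockets the process holds.
# Helper names (Get-Rundll32Inventory etc.) are invented for this example.

function Get-DllFromCommandLine([string]$CommandLine, [string]$ImagePath) {
    # Typical shapes:  rundll32.exe shell32.dll,Control_RunDLL
    #                  "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\x\y.dll",Export
    if ($CommandLine -notmatch '^\s*"?[^"]*rundll32(\.exe)?"?\s+"?([^",]+)') { return $null }
    $dll = $Matches[2].Trim()
    # An unquoted path containing spaces is truncated here; treat the result as a hint.
    if ($ImagePath -and -not [IO.Path]::IsPathRooted($dll)) {
        # Bare names go through the loader search path; the loader's own directory
        # (System32 for the 64-bit copy, SysWOW64 for the 32-bit one) is the usual hit.
        $candidate = Join-Path (Split-Path $ImagePath) $dll
        if (Test-Path -LiteralPath $candidate) { $dll = $candidate }
    }
    return $dll
}

function Get-FileSha256([string]$Path) {
    # .NET hashing works on PowerShell 2.0 too, unlike Get-FileHash (4.0+)
    $sha = [Security.Cryptography.SHA256]::Create()
    try { ([BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Get-ProcessConnections([int]$ProcId) {
    # netstat -ano exists on every Windows version; Get-NetTCPConnection needs Windows 8+.
    # TCP rows: Proto Local Foreign State PID   UDP rows: Proto Local Foreign PID
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[4] -eq "$ProcId") { "TCP $($f[2]) $($f[3])" }
        elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4 -and $f[3] -eq "$ProcId") { "UDP $($f[2])" }
    }
}

function Get-Rundll32Inventory {
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $dll    = Get-DllFromCommandLine $p.CommandLine $p.ExecutablePath
        $exists = $dll -and (Test-Path -LiteralPath $dll)
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }
        [pscustomobject]@{
            PID         = $p.ProcessId
            # System32 = 64-bit loader, SysWOW64 = 32-bit loader; the count alone proves little
            Loader      = $p.ExecutablePath
            Parent      = if ($parent) { "$($parent.Name) [$($parent.ProcessId)]" } else { "<exited> [$($p.ParentProcessId)]" }
            CommandLine = $p.CommandLine
            Dll         = $dll
            DllExists   = [bool]$exists
            DllSigned   = if ($sig) { "$($sig.Status)" } else { 'n/a' }
            DllSigner   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            DllSha256   = if ($exists) { Get-FileSha256 $dll } else { $null }
            Network     = (Get-ProcessConnections $p.ProcessId) -join '; '
        }
    }
}

# Anything whose DLL is unsigned, lives outside System32/SysWOW64/Program Files,
# or holds a connection to an address you do not recognise deserves a closer look.
Get-Rundll32Inventory | Format-List
```

Run it from an elevated prompt, otherwise CommandLine is empty for processes owned by other accounts and the DLL cannot be recovered. A rundll32 whose parent has already exited is itself a hint: a legitimately launched Control Panel applet normally still has explorer.exe as its parent.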

Jaymie1989

Re: Possible security issues?
« Reply #2 on: July 24, 2011, 05:59:31 PM »
When the scan runs on aswMBR.exe it always stops responding after a while and forces me to close the program. I have also tried running it as admin and it still does the same.

I cannot paste or attach my OTS so I have added it to my pastebin here: http://pastebin.com/05rYshmC

Offline DavidR

Re: Possible security issues?
« Reply #3 on: July 24, 2011, 06:08:33 PM »
When you run aswMBR.exe in the AV Scan drop down options choose None and not Quick scan, see if that allows it to complete.

I'm not familiar with the OTS log, so that will have to be picked up by someone with the experience on that.

Jaymie1989

Re: Possible security issues?
« Reply #4 on: July 24, 2011, 06:15:32 PM »
Thanks, I'll try that now.

I am also having it where when I click a link on Google or type a URL in it will redirect to a random website where the URL shows the IP. I'm not sure if it's all the same issue or not.

Jaymie1989

Re: Possible security issues?
« Reply #5 on: July 24, 2011, 06:20:04 PM »
Here is the scan with none selected.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible security issues?
« Reply #6 on: July 24, 2011, 06:21:16 PM »
Hi I see you have Trend Micro\Browser Guard does that reroute through a proxy ?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< 64bit-BHO's [HKEY_LOCAL_MACHINE] > -> 64bit-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9F3209E2-334B-41E9-B09C-703F398742E7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9F3209E2-334B-41E9-B09C-703F398742E7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Sidebar" -> C:\Program Files (x86)\Windows Sidebar\Sidebar.exe [%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun]
[Files - No Company Name]
NY ->  xö@ -> C:\Windows\xö@
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

As a test

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
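The OTS fix above removes one Browser Helper Object CLSID from both the native and the Wow6432Node registry views (the class registration behind it is already gone, hence "Reg Error: Key error"), and essexboy's question about Browser Guard proxying traffic plus the "URL turns into a bare IP" symptom point at the other usual redirect mechanisms. The PowerShell script below is an added example, not code from this thread or from OTS, Avast or Trend Micro; it does the corresponding read-only inventory: every IE BHO in both registry views with the DLL its CLSID resolves to and that DLL's signature, then the WinINET proxy values, the DNS servers each adapter uses and any live hosts-file entries. It assumes a 64-bit PowerShell 3.0+ host (a 32-bit host would be redirected away from the native view); the function names are my own.

```powershell
# Added example (not from the thread): browser-redirect inventory on 64-bit Windows.
# Read-only; nothing here deletes anything. Helper names are invented for this example.

function Get-BhoInventory {
    $views = @(
        @{ View  = '64-bit'
           Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ View  = '32-bit'
           Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path $v.Bho)) { continue }
        foreach ($key in Get-ChildItem $v.Bho) {
            $clsid    = $key.PSChildName
            $classKey = Join-Path $v.Clsid $clsid
            $name = $null; $dll = $null
            if (Test-Path $classKey) {
                $name = (Get-ItemProperty $classKey).'(default)'
                $srv  = Join-Path $classKey 'InprocServer32'
                if (Test-Path $srv) {
                    # The (default) value of InprocServer32 is the DLL path, often with %vars%
                    $dll = [Environment]::ExpandEnvironmentVariables([string](Get-ItemProperty $srv).'(default)')
                }
            }
            $exists = $dll -and (Test-Path -LiteralPath $dll)
            $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }
            [pscustomobject]@{
                View   = $v.View
                CLSID  = $clsid
                Name   = $name
                Dll    = $dll
                # No class registration in this view is a dangling entry: an uninstall
                # leftover or a hijack whose payload is already gone. It loads nothing.
                Status = if (-not $dll) { 'dangling (no InprocServer32)' }
                         elseif (-not $exists) { 'dll missing' }
                         else { "$($sig.Status)" }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

function Get-WinInetProxy {
    # Per-user WinINET settings honoured by IE and every WinINET client
    $k = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnable   = $k.ProxyEnable
        ProxyServer   = $k.ProxyServer
        AutoConfigURL = $k.AutoConfigURL    # a PAC URL is the quiet way to reroute a browser
        ProxyOverride = $k.ProxyOverride
    }
}

function Get-AdapterDns {
    # A DNS changer shows up here as resolvers you did not configure
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DHCPEnabled, DNSServerSearchOrder
}

function Get-HostsEntries {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Every non-blank, non-comment line; a clean Windows 7 hosts file has none.
    Get-Content $hosts | Where-Object { $_ -notmatch '^\s*(#|$)' }
}

Get-BhoInventory | Format-Table -AutoSize
Get-WinInetProxy
Get-AdapterDns | Format-List
Get-HostsEntries
```

A BHO that resolves to a signed DLL from a vendor you installed (a toolbar, a PDF reader, a security product's browser add-on) is normal; one that resolves to a DLL under a user profile or a temp directory, or that is unsigned, is what to hash and submit. If ProxyEnable is 1 or AutoConfigURL is set and you never configured a proxy, that alone explains a browser whose requests go somewhere else.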

Offline DavidR

Re: Possible security issues?
« Reply #7 on: July 24, 2011, 06:32:18 PM »
Quote from: Jaymie1989
Thanks, I'll try that now.

I am also having it where when I click a link on Google or type a URL in it will redirect to a random website where the URL shows the IP. I'm not sure if it's all the same issue or not.

I believe it is related, however, now essexboy is on the case please follow his instructions.

Jaymie1989

Re: Possible security issues?
« Reply #8 on: July 24, 2011, 06:35:14 PM »
Thanks David.

@EssexBoy about Trend Micro\Browser Guard I installed it because I thought it would add a bit more security to my browser. I have no idea how it works.

Here is the OTS Log
All Processes Killed
[Registry - Safe List]
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F3209E2-334B-41E9-B09C-703F398742E7}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F3209E2-334B-41E9-B09C-703F398742E7}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F3209E2-334B-41E9-B09C-703F398742E7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F3209E2-334B-41E9-B09C-703F398742E7}\ not found.
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sidebar deleted successfully.
[Files - No Company Name]
C:\Windows\xö@ moved successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Freestyle Dust
->Temp folder emptied: 2568572 bytes
->Temporary Internet Files folder emptied: 18931168 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 75665402 bytes
->Apple Safari cache emptied: 6765568 bytes
->Flash cache emptied: 58478 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4066330 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 5657210218 bytes
 
Total Files Cleaned = 5,498.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Freestyle Dust
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
Error creating restore point.
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07242011_172519

Files\Folders moved on Reboot...
C:\Users\Freestyle Dust\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

TDSSKiller came back clean but here is the log


Offline essexboy

Re: Possible security issues?
« Reply #9 on: July 24, 2011, 07:14:23 PM »
Nor do I know how it works  ;D But the main driving part is a DLL that requires rundll to work.

I can see no visible malware, so let's take a peek at your drivers.

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Jaymie1989

Re: Possible security issues?
« Reply #10 on: July 24, 2011, 07:41:48 PM »
Here is my ComboFix log

Offline essexboy

Re: Possible security issues?
« Reply #11 on: July 24, 2011, 07:47:29 PM »
Drivers are good and no visible malware - could you uninstall the trend micro thing and see if that resolves the problem please

Jaymie1989

Re: Possible security issues?
« Reply #12 on: July 24, 2011, 07:57:04 PM »
Nothing at the moment seems to be popping up about it.

I did block the URL in Avast; I have just unblocked it to see if it does pop up or not. I'll leave it about 20 mins for my next reply as it does pop up, well, did, every few minutes.

Thanks  ;D

Jaymie1989

Re: Possible security issues?
« Reply #13 on: July 24, 2011, 08:19:54 PM »
Nothing has popped up so I'm guessing the problem has cleared.

Any ideas what it was?

Offline essexboy

Re: Possible security issues?
« Reply #14 on: July 24, 2011, 10:19:12 PM »
It was either this C:\Windows\xö@ or it was within the temporary files

Let me know tomorrow if all is OK and I will remove my tools