Author Topic: Possible security issues?  (Read 13666 times)


Jaymie1989

  • Guest
Re: Possible security issues?
« Reply #15 on: July 25, 2011, 02:54:22 AM »
Hi again

 :-[ I'm afraid I have got the Avast pop up again for the same process and URL

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible security issues?
« Reply #16 on: July 25, 2011, 06:44:39 PM »
OK, let's have a different look this time.  With the generated zip file could you upload to Mediafire and post the sharing link please

 Download AVPTool from Here to your desktop
 
Run the programme you have just downloaded to your desktop (it will be randomly named)
 
First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan 
Once it has finished select report and post that.
 

 
Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop
 
Now an analysis scan
Select the Manual Disinfection tab 
Press the Gather System Information button 
Once done Open the last report saved folder  then upload the zip file
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
 


Jaymie1989

  • Guest
Re: Possible security issues?
« Reply #17 on: July 25, 2011, 09:50:38 PM »
The scan goes so far then just closes.

I've run it 4 times now.

Offline essexboy

Re: Possible security issues?
« Reply #18 on: July 25, 2011, 10:10:00 PM »
Could you just run the analysis portion then please

Jaymie1989

  • Guest
Re: Possible security issues?
« Reply #19 on: July 26, 2011, 10:54:16 PM »
I managed to get both and they are here:

Zip file here: http://www.mediafire.com/?qpppvu85atq6r9r

Text scan file here: http://www.mediafire.com/?8dbn8mkvjrdd7u2

Offline essexboy

Re: Possible security issues?
« Reply #20 on: July 26, 2011, 11:12:53 PM »
OK based on one I was working with the other day could you do the following please and let me know if the alerts stop.  On completion of the run there will be a zip file in the following location C:\_OTS\moved files
Could you upload that to mediafire and post the sharing link

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< 64bit-BHO's [HKEY_LOCAL_MACHINE] > -> 64bit-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9F3209E2-334B-41E9-B09C-703F398742E7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9F3209E2-334B-41E9-B09C-703F398742E7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-2605978935-3684104221-935809672-1001\] > -> HKEY_USERS\S-1-5-21-2605978935-3684104221-935809672-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "oleCommslib" -> C:\Users\Freestyle Dust\AppData\Local\oleNetppm\oleCommslib.dll ["rundll32.exe" "C:\Users\Freestyle Dust\AppData\Local\oleNetppm\oleCommslib.dll",QuickCommonServices BthNetUI]
[Custom Items]
:Files
ipconfig /flushdns /c
C:\Users\Freestyle Dust\AppData\Local\oleNetppm
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
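
As an added illustration (not part of the original posts and not OTS's own code), this Python example parses Run-entry lines in the format of the fix above and flags the pattern that entry shows: a DLL under a user-writable AppData path started through rundll32. The function names, the path list and the second sample entry are assumptions made for the example.

```python
import re

# Constructed sample in the OTS listing format: the first entry is the Run value
# from the fix above, the second is an invented benign entry for contrast, and
# the third is a BHO line that is not a Run entry and must be skipped.
SAMPLE_LOG = r'''
YY -> "oleCommslib" -> C:\Users\Freestyle Dust\AppData\Local\oleNetppm\oleCommslib.dll ["rundll32.exe" "C:\Users\Freestyle Dust\AppData\Local\oleNetppm\oleCommslib.dll",QuickCommonServices BthNetUI]
YY -> "ExampleUpdater" -> C:\Program Files\Example\updater.exe ["C:\Program Files\Example\updater.exe" /background]
YN -> {9F3209E2-334B-41E9-B09C-703F398742E7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
'''

# <two status letters> -> "value name" -> target file [full command line]
# The status letters are matched but not interpreted here.
ENTRY = re.compile(r'^[YN]{2} -> "(?P<name>[^"]+)" -> (?P<target>.+?) \[(?P<cmd>.*)\]$')

# Assumed list of directories a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_run_entries(log):
    """Return name/target/cmd dicts for every line that is a named Run value."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def reasons(entry):
    """List the heuristics an entry trips; an empty list means nothing flagged."""
    target, cmd = entry["target"].lower(), entry["cmd"].lower()
    found = []
    if any(part in target for part in USER_WRITABLE):
        found.append("target in user-writable path")
    if target.endswith(".dll") and "rundll32" in cmd:
        found.append("DLL launched via rundll32")
    return found


def suspicious(log):
    """Map value name -> reasons, for entries that trip at least one heuristic."""
    flagged = {}
    for entry in parse_run_entries(log):
        hits = reasons(entry)
        if hits:
            flagged[entry["name"]] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in suspicious(SAMPLE_LOG).items():
        print(name, "->", "; ".join(hits))
```
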

Jaymie1989

  • Guest
Re: Possible security issues?
« Reply #21 on: July 28, 2011, 04:03:42 PM »
Hi again,

When I run OTS it gets to this fix and just stops responding. I have left it for hours and it's still not responded. I have restarted my PC again and it still stops on the same part.
Code:
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]

When I restart my PC it produces a text log but I cannot save it as that stops responding as well.

The Avast popups don't show anymore but I always have a CMD window open when Windows starts and the title is _uninst_39020753 and a Windows error message saying Windows cannot find '8233203.exe'. Make sure you typed the name correctly, and then try again.

Both of these are the same every time my PC starts up. When I click OK on the error both the error and CMD go away and don't show again.

Offline essexboy

Re: Possible security issues?
« Reply #22 on: July 28, 2011, 07:04:37 PM »
OK then that means we killed the right one - could you run a fresh OTS log and I will see if I can now locate that run command and kill it, when you run OTS could you ensure all users is selected please.  There is no need to paste in the script this time

Jaymie1989

  • Guest
Re: Possible security issues?
« Reply #23 on: July 29, 2011, 01:16:47 AM »

Offline essexboy

Re: Possible security issues?
« Reply #24 on: July 29, 2011, 07:21:32 PM »
Hmm, not showing as a run key so let's look at the hidden entries

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
Do you want to skip supplementary searches? click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Jaymie1989

  • Guest
Re: Possible security issues?
« Reply #25 on: July 30, 2011, 12:57:22 AM »
As it's too long to post here, here is the link again: http://pastebin.com/9F45MYP4

Nesivos

  • Guest
Re: Possible security issues?
« Reply #26 on: July 30, 2011, 02:26:30 AM »
@essexboy

Thanks for the link to the Kaspersky AV Removal Tool :)

Downloaded, installed and running it.


Offline essexboy

Re: Possible security issues?
« Reply #27 on: July 30, 2011, 01:26:32 PM »
OK I will need to review the entire thread to see if I can locate that - or have missed it

Back anon

Jaymie1989

  • Guest
Re: Possible security issues?
« Reply #28 on: August 01, 2011, 05:10:44 PM »
Anything?

Offline essexboy

Re: Possible security issues?
« Reply #29 on: August 01, 2011, 07:59:48 PM »
I have had some other people looking at this topic and so far none of us can find the run entry for it. One suggestion was to run GMER, which we will do now.  Also could you run msconfig and let me know what entries are in there

Download the GMER Rootkit Scanner. Unzip it to your Desktop.
 
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
 
Double-click gmer.exe. The program will begin to run.
 
**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!
 
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.