Odd virus, can't seem to stop it

Hello, Avast is picking up a file in system volume information_restore; at the end is A0186240.bat. It's blocked and I cannot click on it to take actions.
In my startup menu was a program called 0.
An IP was trying to send me a UDP packet, but my firewall blocked it. Once I stopped 0 from starting on startup, the router took over on blocking that IP. I traced the IP and it turned out to be someone I know; his computer has no reason to know what my IP is. We chat, but in a chat room, and it does not connect directly to each other's computers. I should mention I have known this person for years and he is stumped by it too; he has not been able to find anything at his end, but it's coming from port 3303 on his.
Now another IP is trying to do the same thing, a local IP, and both are trying to send to the same port, 19605. Not sure how I will check a local IP, but my guess is it will lead to someone I know.
So far I figure the file Avast is finding has something to do with it, and the 0 program on startup.
0 leads to a Microsoft file, but I can't see the whole name of the file in the startup menu.
Any ideas?
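One way to sort the blocked attempts a router is reporting, so you can see which sources are hitting port 19605 and whether each is a LAN address, an internet address, or the router's own public IP (the later port-443 observation). This is an added example, not from the thread or from any tool it mentions; the log line format and every address in it are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of router block entries (not the thread's real logs); the line
# format is an assumption modelled on consumer-router syslog. 198.51.100.7 stands
# in for the home router's public IP; the other addresses are documentation ranges.
SAMPLE_LOG = """\
[INFO] Blocked incoming UDP packet from 203.0.113.45:3303 to 198.51.100.7:19605
[INFO] Blocked incoming UDP packet from 203.0.113.45:3303 to 198.51.100.7:19605
[INFO] Blocked incoming UDP packet from 192.168.0.23:51001 to 198.51.100.7:19605
[INFO] Blocked incoming UDP packet from 203.0.113.90:3303 to 198.51.100.7:19605
[INFO] Blocked incoming TCP packet from 198.51.100.7:40211 to 198.51.100.7:443
"""

LINE_RE = re.compile(r"Blocked incoming (?P<proto>TCP|UDP) packet from "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)")

# RFC 1918, link-local and loopback: a source in these ranges is on the LAN side.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def parse_blocks(text):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) for each blocked entry."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return events

def classify_source(src, dst):
    """'self' if the source is our own address, 'lan' for a local range, else 'internet'."""
    if src == dst:
        return "self"
    addr = ipaddress.ip_address(src)
    return "lan" if any(addr in net for net in LAN_NETS) else "internet"

def summarize(events):
    """Group blocked attempts by (proto, dst port), recording each distinct source."""
    by_port = defaultdict(lambda: {"hits": 0, "sources": {}})
    for proto, src, _sport, dst, dport in events:
        entry = by_port[(proto, dport)]
        entry["hits"] += 1
        entry["sources"][src] = classify_source(src, dst)
    return dict(by_port)

def suspicious_ports(summary, min_sources=2):
    """Ports hit by several distinct blocked sources are the ones worth a closer look."""
    return sorted(k for k, v in summary.items() if len(v["sources"]) >= min_sources)
```

Feed it the router's exported log instead of SAMPLE_LOG, adjusting LINE_RE to the device's own line format.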


Welcome to the forums, Aiolos :slight_smile:

Try using the free version of malwarebytes antimalware and see what it finds.
Download it, install it, update it, and then run a Full scan.
Let it fix what it finds and post the resulting log here.
You can get it at the link below.

http://www.malwarebytes.org/mbam.php


I guess I should have mentioned some of the actions I have taken. I scan with Malwarebytes every day and it finds nothing, although I notice in Task Manager it stops responding during every scan now, then starts up again.
I also ran Spybot and nothing; looked online and ran a couple of online scans as well. Avast is the only program finding anything, and of course that 0 thing in my startup I found.
I also use Microsoft Essentials; it finds orsam, but Malwarebytes says it is from the Avenger program I ran for rootkits. Avenger said to reboot but does not show anything after you reboot; it just disappears.
On my computer I have the paid version of Avast and ZoneAlarm. Currently I have all my computers locked to not share info, 3 computers. Have not checked to see if the others are infected.
I scanned for open ports on auditmypc.com and passed with no open ports.
I am on a D-Link 655 router, wireless.


OK, since it is in a Restore point, you can try turning off System Restore, restarting your computer, and then turning on System Restore again. This will delete the bad restore point but it will also delete all previous restore points.


Hi, thanks for responding. Did the System Restore thing and scanned; that file is gone now. Will do another scan later and see if it comes back. 0 is still there; wish I could figure out what that is. And no sign of his IP or any IP this morning trying to reach port 19605 yet, which is odd. I did nothing to stop it last night.

Just one more question: during startup Avast is off, and ZoneAlarm the firewall is on, but the anti-phishing is off; I have to click Fix It to get it going. Do you think this is normal during startup?

Again thanks for your help

Have you tried a boot CD?

also use microsoft essential it finds orsam..........
Does this mean you have Avast and Microsoft Essentials installed?

Hi Aiolos

Let's see if I can isolate the problem.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Hi, ran the scan. It has some security stuff on it that should not be posted in public. It only delivered one report, which I saved; not sure what info you want from it?
My friend did a System Restore on his, and his computer has stopped trying to send to me at port 19605; however 3 other computers are, but they are blocked at the router.

Oh, should have mentioned that I noticed in the router that my public IP is trying to connect to port 443 of the same IP from various ports, which seems odd and I have never seen that before; the router is blocking it.

The OTL log will give us important information so that we can help you, and you can attach it to the thread for privacy:

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining the OTL logs (save them as ANSI and not Unicode). When the OTL scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). Essexboy is our Certified Malware Expert, and can offer you great help with your problem. He comes on the forum late UK time.

Without the logs I cannot assist… But you can delete them once I have downloaded them

OK, have it figured out. Will do the scans and post them, but will take out the port numbers of the security devices and message the device ports to you if you need them; there are only 4. The IP I can change anytime, so not worried about that.
I downloaded the scan program from Firefox, so maybe that's why it did not report properly. Will do a fresh download from IE.
Malwarebytes, Avast, Panda online and one other online scanner (forgot the name) are finding nothing.
Will do it tomorrow after work probably, and thanks for the help. Running in selective mode right now and having less trouble; will scan in full mode though.

Took 3 hours to get here. When I click on the bookmark for this site, this is what I got in the address bar:

netsvcs%SYSTEMDRIVE%*.exe/md5startexplorer.exewinlogon.exeUserinit.exesvchost.exe/md5stop%systemroot%*. /mp /sCREATERESTOREPOINT

On IE now, but it said errors when I started up; internet was turned off at the router. Will try the scan but doubt it is going to work.

Hope this is it. It only gave one report, and in a search for OTL on my computer it's there 3 times.

Tried something else and got two reports. Sorry for all the posts, but it's hard figuring it out.
While scanning an error occurred: violation 0053DA1E in module OTL.exe read address ooooooo

Thank you for providing your logs; the second set came through fine. I will let Essexboy instruct you further regarding the next steps to take regarding your logs, but I wanted to point out a few things:

It appears that you are using MSE along with Avast, which means you are using 2 resident AVs on the same machine, which could cause all kinds of problems. Here is the uninstaller for MSE http://support.microsoft.com/kb/2435760/ then reboot your machine.

In addition, you also have Zone Alarm Force Shield, which could also conflict with AIS (Avast IS), since this is security software that uses a heuristics scanner and antiphishing in a browser as well as a sandbox. This software has also been known to cause issues with some browsers http://www.wilderssecurity.com/showthread.php?t=271585 and, unless you opted out upon installation, this is where you got the Ask toolbar that also shows up on your log. This toolbar can be uninstalled.

TeaTimer (TT) has also caused some issues with users with Avast, so you may want to consider disabling TT or uninstalling SB w/TT at some point.

Essexboy will be along shortly to instruct you further. In the meantime, please refrain from using your machine until he gives you instructions. Should you have any questions, feel free to post them. Thank you.

I see that you have Skype; there is a new virus making the rounds that uses that as a vector.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

First scan done; posting so it does not get altered.

Hi, the other program ran but would not produce a report; it hung up at that point, said preparing, and everything stopped.