Possible security issues?

Hi,

Since yesterday after reinstalling Windows 7 my Avast keeps popping up with this threat that’s blocked.

C:\Windows\sysWOW64\RunDLL32.exe. I looked in my task manager and it's being called 3 times. I know that on a 64-bit PC, which is what I'm using, it should be called twice.
I have scanned with MBAM, Avast AV and SuperAntiSpyware and they found the sysWOW64 folder clean. I am not sure what to do.

I read this topic first but that didn’t offer any solution to me.
http://www.sevenforums.com/system-security/60667-where-should-you-see-rundll32-exe-how-many-copies.html

Here is my task manager:

http://i195.photobucket.com/albums/z248/Jaymie1989/TaskManager.jpg

and here is the Avast AV pop up:

http://i195.photobucket.com/albums/z248/Jaymie1989/Avast.jpg

Whatever I am doing on my PC, it will pop up every few minutes.

The RunDLL32.exe is effectively used by a hidden element on your system to try and connect to a malicious site.

Did you spend any time online without full protection after re-installing Win7?

If you can run these tools and post/attach the logs that they generate.

You can check if you have an MBR rootkit using this tool:

Also

Note: this says attach the file (too big for copy and paste); use the Additional Options in the Reply window to attach the file.
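The thread's opening question is how many rundll32.exe copies are normal, and the reply above makes the point that matters more: rundll32 itself is a legitimate Windows host, so what counts is which DLL each copy was told to load and who started it. The following is an added example, not code from the thread or from any of the tools it recommends, that lists every running rundll32.exe with its bitness, parent process, the DLL from its command line, and that DLL's Authenticode status. It assumes Windows 7 or later with WMI available and an elevated PowerShell session; the helper names (Get-RunDll32Target, Get-RunDll32Inventory) are this example's own.

```powershell
# Added example, not part of the thread: inventory every rundll32.exe instance and
# show what each one is actually loading. Assumes Windows 7 or later with WMI
# available; run from an elevated PowerShell so command lines of all sessions are
# visible. Read-only: it reports and changes nothing.

function Get-RunDll32Target {
    # Extract the DLL path from a rundll32 command line of the form
    #   rundll32.exe "<dll>",<entry point> [args]   or   rundll32.exe <dll>,<entry point>
    param([string]$CommandLine)
    if ([string]::IsNullOrEmpty($CommandLine)) { return $null }
    # Remove the rundll32.exe token itself (quoted or bare), leaving its arguments.
    $argText = $CommandLine -replace '^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s*', ''
    if ($argText -match '^"([^"]+)"') { $dll = $Matches[1] } else { $dll = ($argText -split '\s+')[0] }
    $dll = ($dll -split ',')[0].Trim()
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    return $null
}

function Get-RunDll32Inventory {
    $windir = ($env:windir).ToLower()
    $trustedDirs = @("$windir\system32", "$windir\syswow64")
    Get-WmiObject Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $proc   = $_
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $dll    = Get-RunDll32Target $proc.CommandLine
        # A bare file name (no directory) is resolved through the search path, which is
        # a classic hijack route, so it does not count as a trusted location either.
        $dllDir = if ($dll) { [IO.Path]::GetDirectoryName($dll).ToLower() } else { '' }
        $inTrusted = ($dllDir -ne '') -and ($trustedDirs -contains $dllDir)
        if (-not $dll) { $sig = 'NoCommandLine' }
        elseif (Test-Path -LiteralPath $dll) { $sig = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() }
        else { $sig = 'FileNotFound' }
        # On 64-bit Windows the 32-bit copy lives in SysWOW64, the native one in System32.
        $bitness = if ($proc.ExecutablePath -like '*\SysWOW64\*') { '32-bit' } else { '64-bit' }
        $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($proc.ParentProcessId))" }
        New-Object PSObject -Property @{
            PID        = $proc.ProcessId
            Bitness    = $bitness
            Parent     = $parentText
            LoadedDll  = $dll
            Signature  = $sig
            Suspicious = (-not $inTrusted) -or ($sig -ne 'Valid')
        }
    }
}

# Suspicious rows first: a DLL outside System32/SysWOW64, an unsigned DLL, or a
# missing file is what to look at before worrying about how many copies there are.
Get-RunDll32Inventory | Sort-Object Suspicious -Descending |
    Format-Table PID, Bitness, Parent, LoadedDll, Signature, Suspicious -AutoSize
```

A rundll32 whose parent has already exited, or whose DLL sits under a user profile or temp directory, is the one to look into; a copy started by explorer.exe loading a signed DLL from System32 is ordinary shell activity.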

When the scan runs on aswMBR.exe, it always stops responding after a while and forces me to close the program. I have also tried running it as admin and it still does the same.

I cannot paste or attach my OTS so I have added it to my pastebin here: http://pastebin.com/05rYshmC

When you run aswMBR.exe, in the AV Scan drop-down options choose None and not Quick scan; see if that allows it to complete.

I’m not familiar with the OTS log, so that will have to be picked up by someone with the experience on that.

Thanks, I'll try that now.

I am also having it where, when I click a link on Google or type a URL in, it will redirect to a random website where the URL shows the IP. I'm not sure if it's all the same issue or not.

Here is the scan with none selected.
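The redirect symptom described in the post above (links and typed URLs landing on an IP-address site) is usually produced by one of three client-side settings, and the helper's next question about a proxy points at the first of them. The following is an added example, not part of the thread or of any tool it mentions, that reads the WinINet proxy configuration, the hosts file and the per-adapter DNS servers and prints anything that is not the default. It assumes Windows 7 or later and a PowerShell session; the function names (Get-ProxyConfig, Get-HostsOverrides, Get-DnsServers) are this example's own, and it changes nothing.

```powershell
# Added example, not part of the thread: read-only check of the three client-side
# settings that commonly produce "every link goes to some IP address" redirects on
# Windows: the WinINet proxy configuration (used by IE and most tools), the hosts
# file, and the DNS servers assigned to each adapter. Assumes Windows 7 or later.

function Get-ProxyConfig {
    # Per-user proxy settings; a proxy or a PAC script here can redirect selectively.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnable   = [bool]$s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        AutoConfigURL = $s.AutoConfigURL
    }
}

function Get-HostsOverrides {
    # Every active hosts entry; loopback mappings are ordinary blocking entries,
    # anything else pointing a real host name elsewhere is worth a look.
    param([string]$Path = (Join-Path $env:windir 'System32\drivers\etc\hosts'))
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = ($raw -split '#')[0].Trim()      # drop comments and blank lines
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Length -lt 2) { continue }
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            New-Object PSObject -Property @{
                Host    = $name
                Address = $ip
                Unusual = ($ip -ne '127.0.0.1' -and $ip -ne '::1' -and $ip -ne '0.0.0.0')
            }
        }
    }
}

function Get-DnsServers {
    # Static DNS servers on an adapter that should be on DHCP are a common hijack sign.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter     = $_.Description
                DhcpEnabled = $_.DHCPEnabled
                DnsServers  = ($_.DNSServerSearchOrder -join ', ')
            }
        }
}

'--- Proxy settings (HKCU) ---'
Get-ProxyConfig | Format-List
'--- hosts entries that do not point at loopback ---'
Get-HostsOverrides | Where-Object { $_.Unusual } | Format-Table Host, Address -AutoSize
'--- DNS servers per adapter ---'
Get-DnsServers | Format-Table Adapter, DhcpEnabled, DnsServers -AutoSize
```

A legitimate browser filter that works through a local proxy will show up in the first section as a loopback ProxyServer, which is how the helper's question about Trend Micro Browser Guard can be answered without guessing.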

Hi, I see you have Trend Micro\Browser Guard. Does that reroute through a proxy?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< 64bit-BHO's [HKEY_LOCAL_MACHINE] > -> 64bit-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9F3209E2-334B-41E9-B09C-703F398742E7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {9F3209E2-334B-41E9-B09C-703F398742E7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Sidebar" -> C:\Program Files (x86)\Windows Sidebar\Sidebar.exe [%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun]
[Files - No Company Name]
NY ->  xö@ -> C:\Windows\xö@
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

As a test

Please read carefully and follow these steps.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop.
3. Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

4. If an infected file is detected, the default action will be Cure; click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerMal-1.png

5. If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerSuspicious.png

6. It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerCompleted.png

7. If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
8. If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
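The OTS fix above removes a Browser Helper Object registration in both the 64-bit and the 32-bit view of the registry, and the "Reg Error: Key error" next to it (confirmed later in the log by "CLSID ... not found") means the BHO list pointed at a CLSID that was no longer registered anywhere. The following is an added example, not code from the thread or from OTS, that enumerates BHO entries from both views, resolves each CLSID to its InprocServer32 DLL and reports orphaned entries, missing DLLs and signature status, so the same judgement can be made by hand. It assumes 64-bit Windows 7 or later and a 64-bit PowerShell session (a 32-bit session would see only the redirected view); the function name Get-BhoEntries is this example's own, and it only reads the registry.

```powershell
# Added example, not part of the thread: list Browser Helper Objects from both the
# native (64-bit) and Wow6432Node (32-bit) registry views, resolve each CLSID to its
# DLL, and flag entries whose CLSID is not registered at all. Assumes 64-bit Windows
# 7 or later, run from a 64-bit PowerShell. Read-only.

function Get-BhoEntries {
    $views = @(
        @{ Name = '64-bit'; Base = 'HKLM:\SOFTWARE' },
        @{ Name = '32-bit'; Base = 'HKLM:\SOFTWARE\Wow6432Node' }
    )
    foreach ($v in $views) {
        $bhoKey = Join-Path $v.Base 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid    = $sub.PSChildName
            # A BHO is only loadable if its CLSID is registered in the same view.
            $clsidKey = Join-Path $v.Base "Classes\CLSID\$clsid"
            $dll = $null
            $name = $null
            if (Test-Path -LiteralPath $clsidKey) {
                $name = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'
                $srv = Join-Path $clsidKey 'InprocServer32'
                if (Test-Path -LiteralPath $srv) {
                    $dll = (Get-ItemProperty -LiteralPath $srv).'(default)'
                    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
                }
            }
            if (-not (Test-Path -LiteralPath $clsidKey)) { $status = 'Orphaned: CLSID not registered' }
            elseif (-not $dll) { $status = 'CLSID has no InprocServer32' }
            elseif (-not (Test-Path -LiteralPath $dll)) { $status = 'DLL missing on disk' }
            else { $status = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() }
            New-Object PSObject -Property @{
                View   = $v.Name
                CLSID  = $clsid
                Name   = $name
                Dll    = $dll
                Status = $status
            }
        }
    }
}

# Anything other than 'Valid' in the Status column deserves a closer look; an orphaned
# entry is harmless by itself but shows something was installed and partly removed.
Get-BhoEntries | Format-Table View, CLSID, Name, Dll, Status -AutoSize
```

The same two-view lookup applies to the per-user hive (HKCU:\SOFTWARE) if a BHO is registered for one account only; the base paths in the $views list are the only thing that needs changing.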

I believe it is related, however, now essexboy is on the case please follow his instructions.

Thanks David.

@EssexBoy, about Trend Micro\Browser Guard: I installed it because I thought it would add a bit more security to my browser. I have no idea how it works.

Here is the OTS Log
All Processes Killed
[Registry - Safe List]
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{9F3209E2-334B-41E9-B09C-703F398742E7}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{9F3209E2-334B-41E9-B09C-703F398742E7}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{9F3209E2-334B-41E9-B09C-703F398742E7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{9F3209E2-334B-41E9-B09C-703F398742E7}\ not found.
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sidebar deleted successfully.
[Files - No Company Name]
C:\Windows\xö@ moved successfully.
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Freestyle Dust
->Temp folder emptied: 2568572 bytes
->Temporary Internet Files folder emptied: 18931168 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 75665402 bytes
->Apple Safari cache emptied: 6765568 bytes
->Flash cache emptied: 58478 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4066330 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 5657210218 bytes

Total Files Cleaned = 5,498.00 mb

[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Freestyle Dust
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Error creating restore point.
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07242011_172519

Files\Folders moved on Reboot…
C:\Users\Freestyle Dust\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

TDSSKiller came back clean but here is the log

Nor do I know how it works ;D But the main driving part is a DLL that requires rundll to work.

I can see no visible malware, so let's take a peek at your drivers.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
2. Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is my ComboFix log

Drivers are good and no visible malware. Could you uninstall the Trend Micro thing and see if that resolves the problem, please?

Nothing at the moment seems to be popping up about it.

I did block the URL in Avast; I have just unblocked it to see if it does pop up or not. I'll leave it about 20 mins for my next reply as it does pop up, well, it did every few minutes.

Thanks ;D

Nothing has popped up so I’m guessing the problem has cleared.

Any ideas what it was?

It was either this C:\Windows\xö@ or it was within the temporary files

Let me know tomorrow if all is OK and I will remove my tools

Hi again

:-[ I’m afraid I have got the Avast pop up again for the same process and URL

OK, let's have a different look this time. Could you upload the generated zip file to Mediafire and post the sharing link, please?

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront-1.jpg

Do not close AVPTool or it will self-uninstall; if it does uninstall, just rerun the setup file on your desktop.

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the last report saved folder, then upload the zip file.
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg

The scan goes so far then just closes.

I’ve run it 4 times now.

Could you just run the analysis portion then, please?

I managed to get both and they are here:

Zip file here: http://www.mediafire.com/?qpppvu85atq6r9r

Text scan file here: http://www.mediafire.com/?8dbn8mkvjrdd7u2