Win32:BackoffPOS-Q[Trj] in rundll32.exe

Since a couple of days ago I constantly get this message:

http://i.imgur.com/g4pphlE.jpg

I have no idea what’s wrong with it. When I scan the file manually there seems to be nothing wrong with it.
Any ideas on how to fix this? It’s pretty annoying.

Also I’m trying to find out where the object path points to, but I can’t find out how to access logs in Avast, to get more information.
Is there a menu where these messages are logged?

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
Attach the Malwarebytes and Farbar Recovery Scan Tool logs.

I ran the tools, but they didn’t find anything.
I attached the logs, but I needed to delete “One Month Created Files and Folders”, as it revealed too much personal information.

What folder is that in, in Program Files?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7B%20var%20lhost%2C%20localIpAddresses%2C%20localDomains%2C%20ipNotation%2C%20i%3B%20function%20isPlainHostNameEx()%20%7B%20return%20!(!!~lhost.indexOf('.')%20%7C%7C%20!!~lhost.indexOf('%3A'))%3B%20%7D%20lhost%20%3D%20host.toLowerCase()%3B%20ipNotation%20%3D%20%2F%5E%5Cd%2B%5C.%5Cd%2B%5C.%5Cd%2B%5C.%5Cd%2B%24%2Fg%3B%20localIpAddresses%20%3D%20%5B'127.0.0.1'%2C'10.*.*.*'%2C'172.1%5B6-9%5D.*.*'%2C'172.2%5B1-9%5D.*.*'%2C'172.3%5B0-1%5D.*.*'%2C'192.168.*.*'%5D%3B%20localDomains%20%3D%20%5B'zeus.pm'%2C'zenguard.biz'%2C'local'%2C'dev'%2C'ip'%2C'box'%2C'lvh.me'%2C'ripe'%2C'invalid'%2C'intra'%2C'intranet'%2C'onion'%2C'vcap.me'%2C'127.0.0.1.xip.io'%2C'smackaho.st'%2C'localtest.me'%2C'site'%5D%3B%20if%20(isPlainHostNameEx())%20%7B%20return%20'DIRECT'%3B%20%7D%20if%20(ipNotation.test(lhost))%20%7B%20for%20(i%20%3D%200%3B%20i%20%3C%20localIpAddresses.length%3B%20i%2B%2B)%20%7B%20if%20(shExpMatch(lhost%2C%20localIpAddresses%5Bi%5D))%20%7B%20return%20'DIRECT'%3B%20%7D%20%7D%20%7D%20for%20(i%20%3D%200%3B%20i%20%3C%20localDomains.length%3B%20i%2B%2B)%20%7B%20if%20(dnsDomainIs(lhost%2C%20localDomains%5Bi%5D))%20%7B%20return%20'DIRECT'%3B%20%7D%20%7D%20return%20'HTTPS%20us41.zenguard.org%3A443%3BHTTPS%20us30.zenguard.org%3A443%3BHTTPS%20us73.zenguard.org%3A443%3BHTTPS%20us33.zenguard.org%3A443%3BHTTPS%20us39.zenguard.org%3A443%3BHTTPS%20ch67.zenguard.org%3A443%3BHTTPS%20ch58.zenguard.org%3A443%3BHTTPS%20ch59.zenguard.org%3A443%3BHTTPS%20ch31.zenguard.org%3A443%3BHTTPS%20ch65.zenguard.org%3A443%3BHTTPS%20de35.zenguard.org%3A443%3BHTTPS%20de41.zenguard.org%3A443%3BHTTPS%20de49.zenguard.org%3A443%3BHTTPS%20de45.zenguard.org%3A443%3BHTTPS%20de37.zenguard.org%3A443%3BHTTPS%20gb34.zenguard.org%3A443%3BHTTPS%20gb18.zenguard.org%3A443%3BHTTPS%20gb25.zenguard.org%3A443%3BHTTPS%20gb28.zenguard.org%3A443%3BHTTPS%20gb14.zenguard.org%3A443%3BHTTPS%20hk35.zenguard.org%3A443%3BHTTPS%20hk37.zenguard.org%3A443%3BHTTPS%20hk31.zenguard.org%3A443%3BHTTPS%20hk32.zenguard.org%3A443%3BHTTPS%20hk36.zenguard.org%3A443'%3B%20%7D%20%2F*ZenMate*%2F"
FF NetworkProxy: "type", 2
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
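
The `FF NetworkProxy: "autoconfig_url"` line in the fixlist above is a Firefox proxy auto-config setting that carries a percent-encoded PAC script inline in a data: URI. As an added example (not part of the thread and not FRST's own code), this JavaScript decodes such a value and lists the proxies the script can return; the sample value is constructed and the function names are hypothetical.

```javascript
// Added example: triage a Firefox proxy autoconfig_url value that carries
// its PAC script inline as a data: URI. All function names are hypothetical.

// Constructed sample: same encoding as the fixlist entry, cut to two proxies.
const SAMPLE =
  "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7B%20" +
  "if%20(dnsDomainIs(host%2C%20'local'))%20%7B%20return%20'DIRECT'%3B%20%7D%20" +
  "return%20'HTTPS%20us41.zenguard.org%3A443%3BHTTPS%20ch67.zenguard.org%3A443'" +
  "%3B%20%7D";

// Split the data: URI at its first comma and decode the payload.
function decodePacDataUri(value) {
  const m = /^data:([^,]*),(.*)$/s.exec(String(value).trim());
  if (!m) return null; // a URL or file path: the PAC script lives elsewhere
  try {
    return /;base64$/i.test(m[1])
      ? Buffer.from(m[2], 'base64').toString('utf8')
      : decodeURIComponent(m[2]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Collect every proxy named in a string literal that the script returns.
function summarizePac(source) {
  const proxies = new Set();
  let allowsDirect = false;
  for (const r of source.matchAll(/return\s+(['"])(.*?)\1/g)) {
    for (const entry of r[2].split(';')) {
      const [kind, hostPort] = entry.trim().split(/\s+/);
      if (!kind) continue;
      if (kind.toUpperCase() === 'DIRECT') allowsDirect = true;
      else if (hostPort) proxies.add(`${kind.toUpperCase()} ${hostPort}`);
    }
  }
  return { proxies: [...proxies], allowsDirect };
}

// decoded === false means the value was not an inline PAC we could read.
function triage(value) {
  const source = decodePacDataUri(value);
  if (source === null) return { decoded: false, proxies: [], allowsDirect: false };
  return { decoded: true, ...summarizePac(source) };
}

console.log(triage(SAMPLE));
```

Run it with Node.js; a value that is an ordinary URL rather than a data: URI comes back with `decoded: false`, meaning the PAC script has to be fetched and reviewed separately.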

I don’t know what folder it’s in. I can’t find out how to tell Avast to show me that log again, or how to get the full location path.

If you hover your cursor over the last alert it will expand the file path to show which folder in Program Files it is in.

Where can I find that in the Avast menu?

Right click the Avast blob and select last popup. If it has not re-appeared since the last boot then it will not be there.

Could you run a fresh FRST scan please?

The last popup is just some Avast commercial… I’m not getting the virus log…
Next time it pops up, I’ll try to get the object’s location…

If you don’t see Essexboy in the next hour, then he has logged out for today.

According to the logs you have not installed any new files for over a month, is that correct?

In that case I can do nothing. You are aware that more information is given out on Facebook and Twitter than you could ever glean from an analysis log.

Facebook does certainly not publish what files I downloaded, created, or modified over the last month on my local machine. I consider this very personal information, which I don’t want to see online.
If you absolutely need to know what files changed on my machine, then there is nothing I can do.
Please consider this thread closed.

Consider it closed then. We cannot lock threads though.