Author Topic: Keep getting redirected  (Read 9422 times)


chris_s

  • Guest
Keep getting redirected
« on: July 28, 2011, 07:21:58 PM »
This started a few days ago and comes and goes. It happens when I do a Google search from my browser (FF). Malwarebytes blocks it most of the time.

Here's the info I have right now:

Redirect to, find-fast-answers.com
IP, 67.29.139.153
Type, outgoing
Port, 52309
Process, avastsvc.exe

I ran a boot-time scan a few days ago and it showed nothing, but will do it again now. MB found a few things a few days ago and removed them, but now shows nothing. Here's what was found a few days ago.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7286

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/26/2011 4:24:55 PM
mbam-log-2011-07-26 (16-24-55).txt

Scan type: Quick scan
Objects scanned: 175048
Time elapsed: 1 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAb} (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.

Going to run boot time and MB again and report back

chris_s

  • Guest
Re: Keep getting redirected
« Reply #1 on: July 28, 2011, 08:21:57 PM »
Boot time showed nothing.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Keep getting redirected
« Reply #2 on: July 28, 2011, 08:59:05 PM »
you mean this

Quote
Redirect to, find-fast-answers.com
IP, 67.29.139.153
Type, outgoing
Port, 52309
Process, avastsvc.exe

that is from avast.....unless fake......why does the MBAM protection module detect this?   ???
« Last Edit: July 28, 2011, 09:07:28 PM by Pondus »

chris_s

  • Guest
Re: Keep getting redirected
« Reply #3 on: July 28, 2011, 09:05:35 PM »
Full MB scan showed nothing.

Quote
you mean this

Redirect to, find-fast-answers.com
IP, 67.29.139.153
Type, outgoing
Port, 52309
Process, avastsvc.exe

that is from avast.....why does the MBAM protection module detect this?   ???

Give me a sec and I'll see if the warning is the same.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Keep getting redirected
« Reply #4 on: July 28, 2011, 09:10:49 PM »
found out why   ;D


Quote
This is quite normal. The reason it is showing Avast! instead of your internet browser is because Avast!, like many antivirus programs, hooks into your browsers to scan internet traffic for infections and block malicious websites as well. The same thing happens with Kaspersky: if Kaspersky is installed and the user browses to a website on Malwarebytes' Anti-Malware's block list, it will show that AVP.exe is being blocked instead of the user's internet browser.

Your system isn't compromised and you don't need to take any additional action.

http://forums.malwarebytes.org/index.php?showtopic=72258

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Keep getting redirected
« Reply #5 on: July 28, 2011, 09:21:38 PM »
It isn't the process (the web shield) but the IP that MBAM is blocking.

Why it is blocking that IP is beyond me, but a search for find-fast-answers.com seems to indicate a malware infection. http://answers.yahoo.com/question/index?qid=20110726003222AAOzHKn It doesn't have a particularly good reputation, http://www.mywot.com/en/scorecard/find-fast-answers.com, but WOT isn't a great tool in this regard; use it for guidance only.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

chris_s

  • Guest
Re: Keep getting redirected
« Reply #6 on: July 28, 2011, 09:29:16 PM »
So should I run OTS?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Keep getting redirected
« Reply #7 on: July 28, 2011, 10:06:11 PM »
What happened after running MBAM and removing those files and registry entries?
E.g. do those files come back?

It won't hurt to do an OTS scan:
Quote from: essexboy
Unfortunately no two attacks are the same so first I will need to see what you have.

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Note: this says attach the file (too big for copy and paste); use the Additional Options in the Reply window to attach the file.

chris_s

  • Guest
Re: Keep getting redirected
« Reply #8 on: July 29, 2011, 01:13:48 AM »
Quote
What happened after running MBAM and removing those files and registry entries?
E.g. do those files come back?

Everything was fine for a few hours, then the redirect started again. Haven't found any new files at all.

Also I want to add that whenever I do a scan, whether it's boot time or MB, after that I don't get the redirect until after maybe 20 Google searches, then it starts again. The redirect isn't all the time either, maybe one in three searches.

I'll do the OTS and report.


chris_s

  • Guest
Re: Keep getting redirected
« Reply #9 on: July 29, 2011, 03:13:48 AM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Keep getting redirected
« Reply #10 on: July 29, 2011, 04:13:55 AM »
OK, essexboy, who is the malware removal specialist, will be in bed now, 3:10am in the UK.

He is usually on-line around 7pm UK time.

chris_s

  • Guest
Re: Keep getting redirected
« Reply #11 on: July 29, 2011, 06:36:20 AM »
No problem ;D I'll be stopping back to get this fixed and then ask some questions on how to keep this from happening again ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Keep getting redirected
« Reply #12 on: July 29, 2011, 06:54:08 PM »
Hi there. I can only stop this at the moment for the main user; could you run OTS again and select all users, please, after this fix is run.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > ->
YN -> HKEY_CURRENT_USER\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]
< FireFox Extensions [User Folders] > ->
YY -> XUL Cache   -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9}
YY -> ShopToWin13   -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  573779942 -> C:\Windows\SysWow64\573779942
[Custom Items]
:REG
[HKCU\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
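
Two pieces of these logs line up in a way neither post says outright: the CLSID that MBAM quarantined under HKCR\CLSID and under the Browser Helper Objects list in the first post, and the 16 bytes OTS printed for the XMLHTTP_UUID_Default value that this fix removes, are the same GUID once you account for the little-endian byte order Windows uses for the first three GUID fields. The Python below is an added triage example, not code from the posters, from Malwarebytes or from OldTimer's OTS; the MBAM excerpt and the hex dump are copied from the posts above, and the function names are mine.

```python
"""Added triage example for the MBAM and OTS logs in this thread (not from the
original posters, Malwarebytes or OTS). It pulls the CLSIDs out of MBAM's
"Registry Keys Infected" lines, decodes the REG_BINARY dump of the
XMLHTTP_UUID_Default value that the OTS fix removes, and checks whether that
value is the same GUID as the Tracur browser helper object."""
import re
import uuid

# Sample input copied from the MBAM log in the first post (note the trailing
# lowercase 'b' in the first CLSID, reproduced exactly as the log printed it).
MBAM_LOG = """\
Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAb} (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
"""

# The hex dump OTS showed for HKCU\...\Internet Explorer\Main\XMLHTTP_UUID_Default.
OTS_VALUE_HEX = "F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB"

GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
DETECTION_RE = re.compile(r"^(?P<key>HK[A-Z_]+\\.*?) \((?P<family>[^)]+)\) -> (?P<action>.*)$")


def parse_mbam_detections(log_text):
    """Return one dict per detection line: registry key, family, action and the
    CLSID embedded in the key (upper-cased so case differences do not split it)."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        g = GUID_RE.search(m.group("key"))
        found.append({
            "key": m.group("key"),
            "family": m.group("family"),
            "action": m.group("action"),
            "clsid": g.group(1).upper() if g else None,
        })
    return found


def bho_clsids(detections):
    """CLSIDs registered both as a COM class (HKCR\\CLSID) and as a BHO: the
    pairing that turns a DLL into code loaded into every Internet Explorer."""
    in_clsid = {d["clsid"] for d in detections if d["clsid"] and "\\CLSID\\" in d["key"]}
    in_bho = {d["clsid"] for d in detections if d["clsid"] and "Browser Helper Objects" in d["key"]}
    return sorted(in_clsid & in_bho)


def decode_registry_guid(hex_dump):
    """Turn a REG_BINARY dump of a GUID into its {XXXXXXXX-XXXX-...} text form.
    Data1, Data2 and Data3 are stored little-endian, so the bytes must be read
    with bytes_le rather than as a big-endian UUID."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes, got %d" % len(raw))
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def ots_value_matches_bho(hex_dump, log_text):
    """True if the binary value OTS removed is one of the BHO CLSIDs MBAM found."""
    guid = decode_registry_guid(hex_dump).strip("{}")
    return guid in bho_clsids(parse_mbam_detections(log_text))


if __name__ == "__main__":
    detections = parse_mbam_detections(MBAM_LOG)
    for d in detections:
        print(d["family"], d["clsid"], d["key"])
    print("BHO CLSIDs:", bho_clsids(detections))
    print("OTS value decodes to:", decode_registry_guid(OTS_VALUE_HEX))
    print("same GUID as the Tracur BHO:", ots_value_matches_bho(OTS_VALUE_HEX, MBAM_LOG))
```

The decode step is the part worth keeping in the toolbox: a GUID dumped from the registry or from memory never reads as its text form byte-for-byte, and a leftover value that still names a removed BHO's CLSID is exactly the kind of marker a hijacker can use to tell that it has been cleaned and needs to reinstall, which fits the "fine for a few hours, then it starts again" pattern reported above.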

chris_s

  • Guest
Re: Keep getting redirected
« Reply #13 on: July 29, 2011, 08:31:51 PM »
Sorry about that. Forgot to select all users.

Mediafire link to OTS report http://www.mediafire.com/?fsybp106q25cn4u

Will run fix now and then MBAM and report back.

chris_s

  • Guest
Re: Keep getting redirected
« Reply #14 on: July 29, 2011, 08:44:16 PM »
OTS fix report

All Processes Killed
[Registry - Safe List]
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9}\defaults\preferences folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9}\defaults folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9}\chrome folder moved successfully.
Folder move failed. C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9} scheduled to be moved on reboot.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome\skin folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome\content\locale folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome\content folder moved successfully.
Folder move failed. C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome scheduled to be moved on reboot.
Folder move failed. C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0} scheduled to be moved on reboot.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Windows\SysWow64\573779942 moved successfully.
[Custom Items]
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default deleted successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: Chris
->Temp folder emptied: 2491781 bytes
->Temporary Internet Files folder emptied: 15332070 bytes
->Java cache emptied: 91269788 bytes
->FireFox cache emptied: 993852820 bytes
->Google Chrome cache emptied: 8980035 bytes
->Flash cache emptied: 3734413 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 839933 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 136282 bytes
RecycleBin emptied: 110130376 bytes
 
Total Files Cleaned = 1,170.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Chris
->Flash cache emptied: 0 bytes
 
User: Default
 
User: Default User
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07292011_143309

Files\Folders moved on Reboot...
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{4b3df4d4-cc55-4071-9d1e-a0a325eb1ec9} folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}\chrome folder moved successfully.
C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0} folder moved successfully.
C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...