Topic: Keep getting redirected

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Keep getting redirected
« Reply #15 on: July 29, 2011, 09:08:06 PM »
Now for the other users - could you check for alerts/redirects on completion please

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > ->
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > ->
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > ->
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: Main\\"XMLHTTP_UUID_Default" -> F1 81 9E 0F 60 8C 6E 4D B5 26 C6 5F BF D9 CB AB  [binary data]
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: URLSearchHooks\\"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}" [HKLM] -> C:\Program Files (x86)\uTorrentBar\tbuTo1.dll [uTorrentBar Toolbar]
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: "ProxyEnable" -> 0
< FireFox Settings [Prefs.js] > -> C:\Users\Chris\AppData\Roaming\Mozilla\FireFox\Profiles\nr8zccsm.default\prefs.js
YN -> browser.search.defaultengine -> "Ask.com"
< FireFox Extensions [User Folders] > ->
YY -> ShopToWin13   -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  573779942 -> C:\Windows\SysWow64\573779942
[Custom Items]
:reg
[ HKEY_USERS\S-1-5-19-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
[ HKEY_USERS\S-1-5-20-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
[ HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

chris_s

  • Guest
Re: Keep getting redirected
« Reply #16 on: July 29, 2011, 09:22:55 PM »
MBAM report

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7313

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/29/2011 3:21:25 PM
mbam-log-2011-07-29 (15-21-25).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 365634
Time elapsed: 36 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Will rerun OTS now

essexboy
Re: Keep getting redirected
« Reply #17 on: July 29, 2011, 09:30:04 PM »
Once done let me know if that cleared it

chris_s

  • Guest
Re: Keep getting redirected
« Reply #18 on: July 30, 2011, 12:03:17 AM »
OTS report

All Processes Killed
[Registry - Safe List]
Registry key HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
Registry value HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable deleted successfully.
Prefs.js: "Ask.com" removed from browser.search.defaultengine
File C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0} not found.
Registry value HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
[Files/Folders - Modified Within 30 Days]
File C:\Windows\SysWow64\573779942 not found!
[Custom Items]
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\S-1-5-19-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry key HKEY_LOCAL_MACHINE\S-1-5-20-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry key HKEY_LOCAL_MACHINE\S-1-5-21-3498192001-3238401358-4033018105-1001\SOFTWARE\Microsoft\Internet Explorer\Main not found.
[Empty Temp Folders]
 
 
User: All Users
 
User: Chris
->Temp folder emptied: 149228 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 88302490 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1536 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 84.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Chris
->Flash cache emptied: 0 bytes
 
User: Default
 
User: Default User
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07292011_175326

Files\Folders moved on Reboot...
C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
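
Added example, not part of the original thread and not OTS code: a small Python triage of a fix log like the one posted above, separating entries the tool actually changed from those it reported as "not found" or deferred to reboot. The outcome phrases come from the log lines in the post; the category names, function names and the choice of sample lines are assumptions made here.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the fix log in the post above.
SAMPLE_LOG = r"""
Registry key HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry value HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable deleted successfully.
Prefs.js: "Ask.com" removed from browser.search.defaultengine
File C:\Windows\SysWow64\573779942 not found!
C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
->Temp folder emptied: 149228 bytes
"""

# Checked in order: a failed move that is rescheduled counts as pending, not changed.
OUTCOMES = [
    ("pending_reboot", re.compile(r"scheduled to be moved on reboot")),
    ("not_found", re.compile(r"\bnot found[.!]?\s*$")),
    ("changed", re.compile(r"deleted successfully|moved successfully|\bremoved from\b")),
]
# Pulls the item type and path out of "Registry key|Registry value|File <path> <outcome>".
TARGET = re.compile(
    r"^(Registry key|Registry value|File)\s+(.+?)\s+(?:not found|deleted successfully)"
)

def classify(line):
    """Return the outcome category for one log line, or None for other lines."""
    for name, pattern in OUTCOMES:
        if pattern.search(line):
            return name
    return None  # section headers, cache-size lines, blanks

def summarize(log_text):
    """Count outcomes and list the targets the tool could not find."""
    counts, missing = Counter(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        outcome = classify(line)
        if outcome is None:
            continue
        counts[outcome] += 1
        match = TARGET.match(line)
        if outcome == "not_found" and match:
            missing.append((match.group(1), match.group(2)))
    return counts, missing

if __name__ == "__main__":
    counts, missing = summarize(SAMPLE_LOG)
    print(dict(counts))
    for kind, path in missing:
        print("nothing changed at:", kind, path)
```

A "not found" line means the tool changed nothing at that path, so those entries are the ones to compare against the original scan output before treating the fix as complete.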

chris_s

  • Guest
Re: Keep getting redirected
« Reply #19 on: July 30, 2011, 12:05:42 AM »
Thanks again, and after I test a little I'll let you know what happens.

For now is there anything I should do to help stop this? Avast is up to date as well as MBAM. Is there something else I should be running?

essexboy
Re: Keep getting redirected
« Reply #20 on: July 30, 2011, 12:18:01 AM »
Let's see if it has gone first  ;D

chris_s

  • Guest
Re: Keep getting redirected
« Reply #21 on: July 31, 2011, 07:42:12 PM »
No problems so far so I guess I'm clear.

essexboy
Re: Keep getting redirected
« Reply #22 on: July 31, 2011, 10:31:18 PM »
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


Run OTS and hit the cleanup button.  It will remove all the programmes we have used plus itself. 

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones

  • Go to Start > All Programs > Accessories > System Tools
  • Right-click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
Malwarebytes.  Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly. It will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe  :wave: