Very stealthy redirect

[DavidR]

OK, I was hoping it might have completed but not shut down. So we will have to see if essexboy has any suggestions to resolve this.

I assume that you disabled all anti-virus and anti-spyware applications before running Combofix ?

[FrankW]

I assume that you disabled all anti-virus and anti-spyware applications before running Combofix ?

Yes, I even tried booting into safe mode and disabling any services/startups related to the AV currently installed (Avira & MABM). Tried running Defogger. Made sure Combofix.exe program was run off the desktop.

Current state of play:
1) Links in google are not currently arriving at the wrong web page. I'll try to test this more extensively.

2) Google search is acting weird. When I type my search words and press enter or click the search button sometimes it does nothing. It especially doesn't seem to like the enter key. Yahoo search works fine.

3) If I click a link in google search results, then go back to the search results, when I hover the visited link in search results page I see weird indirect links through doubleclick.net. I can't recall seeing this behaviour before e.g.
 http://googleads.g.doubleclick.net/pagead/nclk?sa=L&ai=1&u=http://www.virtuallythere.com/
On the other computer which I'm using to type this note I get similar but different behaviour. The prefix on the link starts "http://www.google.com.au" i.e not via doubleclick
Further weirdness: On the infected computer I get the same result searching google.com and google.com.au
On this computer I'm typing on which I'm starting to be less confident about, the link swapping behaviour seemingly only happens if I use google.com.au.

[FrankW]

URL rewriting is not happening with IE(which now takes a very long time to start) so I checked the extensions in Firefox and found something called "XULRunner 1.9.1" which I certainly didn't install after I reinstalled Firefox a few days ago. Removing Disabling it has seemingly fixed the URL rewriting in Firefox on the infected PC for now. Still need to figure out how to remove it.
Support.mozilla.com indicates that this may be Trojan.FakeAlert i.e. one of the viruses removed about 5 days ago.

[DavidR]

Yes this rogue extension "XULRunner" has cropped up before as a cause of redirection, etc. But essexboy has normally found that in the OTS log, but I don't see any reference to XUL in his OTS fix.

Then again I don't see any reference to UXL in your first attached OTS .txt file and I don't know if combifix would detect it. What I did notice in the log was it appears you have a positively ancient version of avast and thunderbird. Are these versions reported in the registry correct, see below ?

HKLM\software\mozilla\Mozilla Firefox 3.0.11\
HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.18\

If the above are correct you aren't doing yourself any favours as these old out of date version have vulnerabilities are exploited. So my recommendation is at the very earliest opportunity after you are clear to update to the latest versions.

So it looks like this may have occurred after the first OTS scan. I would suggest you download OTS again (to ensure you have the latest version and run it again and post the log.

[FrankW]

Found there is one registry entry under:
HKLM\SOFTWARE\Mozilla\Firefox\extensions
This entry points to a folder with a long apparently random name beginning "{CB0FF5E6-0E" located in:
C:\Documents and Settings\Administrator\Local Settings\Application Data\
Restarted Firefox after removing the folder then found XULRunner no longer listed on the extensions page.
The offending folder contains 2 sub-folder and 4 files including a javascript program which presumably does the URL mangling.

Now need to find what put it there.

Thanks for your comments about old versions. I don't know where it's finding Firefox 3.0.11 I have been using FF4 and have now upgraded to FF5. Yes I do need to upgrade Thunderbird2 to TB5.

[DavidR]

It is possible they could be old registry entries, but then again I didn't see any entries for FF4 in the log either.

It will still be a couple of hours before essexboy is back from work and on-line, so in that period I would say run OTS again and attach the log so he has something to analyses when he does arrive.

I don't know if you followed his instructions from a previous post in regard to what to look for and custom scans, so I will reproduce the download link and those instructions here just in case.

Unfortunately no two attacks are the same so first I will need to see what you have.

Download OTS to your Desktop and double-click on it to run it

• Make sure you close all other programs and don't use the PC while the scan runs.
  
• Select All Users
  
• Under additional scans select the following

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

• Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  
• When the scan is complete Notepad will open with the report file loaded in it.
• Please attach the log in your next post.

[FrankW]

Oops I just realised. When I upgraded from Firefox3 to FF4 and FF5 I changed to using the portable version rather than the normal version. That means it won't show up as an installed program.

[DavidR]

That would probably be it so the old registry entries and extensions, etc could well be present.

You could try ccleaner and see if its registry function would find any of these orphan entries. I only suggest ccleaner as its registry cleaning function isn't too severe.

Personally I don't see the benefit from using the portable version.

[FrankW]

"Unfortunately no two attacks are the same so first I will need to see what you have."
You want to read the javascript? It's not very human friendly. Can post it if you like. It's very similar to what this chap reports.
http://devnu11.tumblr.com/post/4420292270/deconstructing-a-browser-redirect-virus

The OTS log is now 306kb that's >192kb which is maximum upload. I noticed an extra line at the beginning of the script you posted. Would that make a difference? Last log was 146kb.

[DavidR]

Then upload it to mediafire - http://www.mediafire.com/ and post the sharing link.

In all honesty, reading additional information on the attack and how to 'deconstruct' it isn't going to help it will be beyond me too. So just upload the OTS log to mediafire.

[essexboy]

XUL runner is bad - although I saw no sign of that on the OTS log - otherwise I would have removed it as a matter of course

Could you run a fresh OTS log please and ensure all users is selected

[DavidR]

It wasn't in the first OTS log (Reply #33) and I have been pushing for several hours to run a fresh one and post the mediafire link.

[essexboy]

I had a double check as well in case I missed it - but I hadn't 

[DavidR]

If you read a later reply to my questioning the FF version (also in Reply #33) it also turns out FrankW is using portable firefox 4. So I don't know how that plays out in relation to XUL runner ?

I guess we will have to wait FrankW uploading his OTS log to mediafire, unfortunately I fear that will be after you have gone off-line.

[essexboy]

In that case as the FF is portable the malware may be on the USB drive, which is why it did not show on the first OTS