Author Topic: Redirect Virus and More!  (Read 5834 times)


Godfree

  • Guest
Redirect Virus and More!
« on: September 09, 2011, 12:16:51 PM »
Hey guys. Well, I've been trying to fix up my cousin's computer for a while now and haven't been able to get past a few hurdles. It started out with some fake antivirus, which I cleared, and it also has the redirect virus (when clicking on search result links it redirects to someplace other than where you intended to go!), and I haven't been able to kick it.

aswMBR BSOD'd on me so I don't have a log for that, but I attached the dump log. Also, Avast keeps throwing up a blocked attempt by c:\windows\assembly\tmp\u\800000cb.@, which comes up as Win32:Malware-gen from csrss.exe. It always gets moved to the vault; however, it never fixes it. I also can't install the next Windows update without getting stuck in a reboot loop; I can get more info on that if you like.

I've yet to run a full Avast scan (will do so tomorrow when I get up), but here are the current logs if you can pick anything out of them.

(This is a previous MBAM scan that cleared something before my most recent clean scan.)

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7035

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.19019

9/6/2011 5:01:34 PM
mbam-log-2011-09-06 (17-01-34).txt

Scan type: Quick scan
Objects scanned: 163030
Time elapsed: 2 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Trojan.FakeAlert) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Users\jessica kufs\AppData\Roaming\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com (Adware.GamesVance) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\jessica kufs\AppData\Roaming\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
« Last Edit: September 09, 2011, 12:18:37 PM by Godfree »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Redirect Virus and More!
« Reply #1 on: September 09, 2011, 12:28:09 PM »
essexboy has been notified; he is usually in here around 08:00 pm - 11:59 pm UK time.

Godfree

Re: Redirect Virus and More!
« Reply #2 on: September 09, 2011, 12:47:40 PM »
Excellent! Thank you for the amazingly fast reply; that works well because that's roughly when I get up. I'll hold off on an Avast scan until I hear back from him.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Redirect Virus and More!
« Reply #3 on: September 09, 2011, 06:32:50 PM »
Some system files are not reporting the right MD5, so I will need to use a stronger tool on those.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 3E E0 8E 13 B0 37 4A 47 A0 46 BA A6 FC 3B 8D 01 [binary data]
    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 3E E0 8E 13 B0 37 4A 47 A0 46 BA A6 FC 3B 8D 01 [binary data]
    IE - HKU\S-1-5-21-1644362912-3407632406-2420646519-1000\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 3E E0 8E 13 B0 37 4A 47 A0 46 BA A6 FC 3B 8D 01 [binary data]
    FF - prefs.js..extensions.enabledItems: {a4da2051-4054-44a6-9dd5-a26a05014755}:1.0
    [2011/09/08 08:49:15 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Users\jessica kufs\AppData\Roaming\Mozilla\Firefox\Profiles\x65kr2xw.default\extensions\{a4da2051-4054-44a6-9dd5-a26a05014755}
    O2 - BHO: (no name) - {138EE03E-37B0-474A-A046-BAA6FC3B8D01} - C:\Windows\SysWOW64\wscui32.dll (Creative Technology Ltd)
    O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
    O3 - HKU\S-1-5-21-1644362912-3407632406-2420646519-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

    :Reg
    [HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-21-1644362912-3407632406-2420646519-1000\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-

    :Files
    ipconfig /flushdns /c
    C:\Windows\assembly\tmp

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered and reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop *

IMPORTANT: Disable your antivirus and antispyware applications, usually via a right-click on the system tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
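The OTL fix above touches four persistence points: the IE Browser Helper Objects on the O2 lines, the Run values under the three HKU hives, the hosts file ([resethosts]) and the DNS cache, plus the C:\Windows\assembly\tmp folder Avast keeps blocking. The script below is an added example, not code from this thread and not part of OTL or ComboFix: a read-only audit of those same locations using only built-in cmdlets, so you can see what a fix like this would be acting on before and after it runs. It assumes Windows PowerShell 2.0 or later on an elevated prompt (Get-WmiObject is not available in PowerShell 7), and the function names are my own. It changes nothing.

```powershell
# Added example, not code from the thread or from OTL/ComboFix.
# Read-only audit of the persistence points the OTL fix above touches.
# Assumes Windows PowerShell 2.0+ run from an elevated prompt.

function Get-BhoAudit {
    # Every registered BHO CLSID (the O2 lines), resolved to its DLL and the
    # DLL's Authenticode status. Both the native and the Wow6432Node views.
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsid in (Get-ChildItem $key | ForEach-Object { $_.PSChildName })) {
            $dll = $null
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $srv = "$root\$clsid\InprocServer32"
                if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
            }
            if (-not $dll) {
                # What OTL reports as "No CLSID value found": a dangling registration.
                New-Object PSObject -Property @{ Clsid = $clsid; Dll = $null; Signature = 'NoClsid' }
                continue
            }
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $status = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status.ToString() } else { 'FileMissing' }
            New-Object PSObject -Property @{ Clsid = $clsid; Dll = $dll; Signature = $status }
        }
    }
}

function Get-RunKeyAudit {
    # Run values for every loaded user hive, which includes the service SIDs
    # S-1-5-19 and S-1-5-20 that the :Reg section of the fix addresses.
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    foreach ($hive in (Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' })) {
        $sid = $hive.PSChildName
        $run = "HKU:\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $run)) { continue }
        # Get-ItemProperty adds PS* bookkeeping properties; everything else is a Run value.
        $props = (Get-ItemProperty $run).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($p in $props) {
            New-Object PSObject -Property @{ Sid = $sid; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-HostsAudit {
    # Active hosts entries other than the stock localhost lines; a clean file
    # returns nothing here, which is what [resethosts] restores.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object {
        $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    }
}

function Get-DnsAudit {
    # DNS servers on every IP-enabled adapter. Flushing the cache (ipconfig
    # /flushdns in the fix) does not help if the resolver itself was changed.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DNSServerSearchOrder
}

function Get-AssemblyTmpAudit {
    # Contents of the folder Avast keeps blocking; the :Files section deletes it.
    $tmp = Join-Path $env:SystemRoot 'assembly\tmp'
    if (Test-Path $tmp) {
        Get-ChildItem $tmp -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

'=== Browser Helper Objects ==='
Get-BhoAudit | Format-Table Clsid, Signature, Dll -AutoSize
'=== Run values per user hive ==='
Get-RunKeyAudit | Format-Table Sid, Name, Command -AutoSize
'=== hosts entries beyond localhost ==='
Get-HostsAudit
'=== DNS servers per adapter ==='
Get-DnsAudit | Format-Table -AutoSize
'=== %SystemRoot%\assembly\tmp ==='
Get-AssemblyTmpAudit | Format-Table -AutoSize
```

Read the BHO table with the fix in mind: the first O2 line names a DLL under SysWOW64 with a non-Microsoft vendor string, and the Signature column tells you whether that file carries a valid Authenticode signature at all (a Valid status is not proof of anything on its own, but NotSigned or FileMissing on a DLL in a system directory is worth a second look). The Run table should contain nothing under S-1-5-19 or S-1-5-20 on a typical machine. Run the script once before the fix and once after the reboot and diff the two outputs to confirm the fix did what it was written to do.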

Godfree

Re: Redirect Virus and More!
« Reply #4 on: September 09, 2011, 11:41:03 PM »
Hello Essexboy :)

It seems that OTL is hanging on "processing registry data xmlhttp_uuid_default=-..." with a blank cmd.exe window open. I re-ran it after a reboot and it is still hanging on this step.

Please advise.

Offline essexboy

Re: Redirect Virus and More!
« Reply #5 on: September 09, 2011, 11:44:32 PM »
OK, stop OTL for now and proceed directly to ComboFix, please; we will revisit that reg key later.

Godfree

Re: Redirect Virus and More!
« Reply #6 on: September 10, 2011, 12:18:36 AM »
Alright, ComboFix completed; the log wasn't created in C:\ but rather at C:\ComboFix\ComboFix.txt, but there isn't much to the log. Is this the correct one? Also, a catchme.txt was created on the desktop, which I included. SearchFilterHost.exe attempted to run from c:\windows\system32 when I booted, and it never had before, so I blocked it with Online Armor just in case. It seems that Google is no longer redirecting me at the moment, however :)

Update: I did a full Avast scan and it came up with a few results; I didn't clean them, however, because I didn't want to mess anything else up that we were working on. It's included in my attachments. I'm going to leave the computer on in case you want me to clean these.

A side note: would you suggest any firewall aside from Online Armor? It seems to be kind of buggy; I allow a program, yet it still closes on startup (FATrayMon.exe). Then again, I don't even know what Fast Access is :P
« Last Edit: September 10, 2011, 03:08:52 AM by Godfree »

Offline essexboy

Re: Redirect Virus and More!
« Reply #7 on: September 10, 2011, 12:43:39 PM »
ComboFix failed to run completely, but it did quarantine some files.

Could you run another OTL for me please, selecting all users, and also let me know what the current problems are?

Godfree

Re: Redirect Virus and More!
« Reply #8 on: September 10, 2011, 02:04:33 PM »
I sure can; here you go. I removed Online Armor for Comodo because OA was causing too many issues with programs. Currently the redirect virus seems to be gone, or at least inoperable at the moment. The items Avast picked up are still there, however. Let me know how this log is looking.

Offline essexboy

Re: Redirect Virus and More!
« Reply #9 on: September 10, 2011, 02:28:44 PM »
FastAccess is a facial recognition programme and part of your Dell setup.

Still a few Comodo bits lying around, so I will kill those; also, ComboFix is set to run on restart, so let's see if it can complete.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    SRV:64bit: - [2011/06/30 09:37:30 | 002,528,096 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
    O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
    [2011/09/10 07:49:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\COMODO
    [2011/09/10 07:49:14 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
    [2011/09/10 07:48:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo
    [2011/09/10 07:47:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo Downloader
    [2011/09/10 07:49:49 | 000,001,753 | ---- | M] () -- C:\Users\Public\Desktop\COMODO Firewall.lnk

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered and reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Godfree

Re: Redirect Virus and More!
« Reply #10 on: September 10, 2011, 02:49:14 PM »
Comodo is currently the firewall that I'm using; the one that I removed was Online Armor. Sorry for any confusion I caused there :-[ I'll hold off on running that as I don't want to cripple my Comodo, haha.

A few ComboFix windows have popped up the last two times I restarted, but I don't believe they are doing anything, just opening and closing from the looks of things.
« Last Edit: September 10, 2011, 02:50:54 PM by Godfree »

Offline essexboy

Re: Redirect Virus and More!
« Reply #11 on: September 10, 2011, 02:51:02 PM »
In that case, do not run the fix ;D

What is the current state of play?

Offline essexboy

Re: Redirect Virus and More!
« Reply #12 on: September 10, 2011, 02:52:57 PM »
OK, let's uninstall ComboFix and then get a fresh copy.

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (notice the space between the "x" and "/"), then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled
THEN download and run a fresh copy from here:

Link 1
Link 2

Godfree

Re: Redirect Virus and More!
« Reply #13 on: September 10, 2011, 10:09:29 PM »
Alright, I have re-downloaded ComboFix; however, there is still a folder at C:\ComboFix with a bunch of files in it after the uninstall. Is this okay? Would you like me to run ComboFix? Sorry for the delay, I work third shift and decided to pass out ::)

Offline essexboy

Re: Redirect Virus and More!
« Reply #14 on: September 10, 2011, 10:31:29 PM »
Time is not a problem.

Yep, run it now please.