Author Topic: Avast blocking malicious url redirects  (Read 17986 times)


ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #15 on: March 29, 2012, 08:53:11 PM »
It doesn't work :(

Same problem as with aswMBR...

jeffce

  • Guest
Re: Avast blocking malicious url redirects
« Reply #16 on: March 29, 2012, 09:30:04 PM »
Hi,

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-click ComboFix.exe, choose Run as Administrator, and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #17 on: March 29, 2012, 11:26:05 PM »
    • Please post the C:\ComboFix.txt for further review.

Hi jeffce, here is ComboFix's log.

Thanks for your time!

jeffce

  • Guest
Re: Avast blocking malicious url redirects
« Reply #18 on: March 30, 2012, 02:25:37 AM »
Hi,

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
ClearJavaCache::

DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

Folder::
C:\found.002
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #19 on: March 30, 2012, 01:49:54 PM »
@jeffce: OK thanks, I will try it when I get home.

Not sure if it is relevant or not, but during the ComboFix scan two programs stopped working: pev.3XE and PEV.exe

ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #20 on: March 30, 2012, 09:36:33 PM »
Hi,

    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

Hi, I have run it and I think it has rebooted my PC (I was away) but I cannot find the log. In C: there is no ComboFix.txt anymore.

Should I re-run it?

EDIT: I think it hasn't fixed the problem. It seems that the redirect occurs while searching for something in Google and then clicking a result.

Thanks
« Last Edit: March 30, 2012, 09:38:44 PM by ajeje »

jeffce

  • Guest
Re: Avast blocking malicious url redirects
« Reply #21 on: March 31, 2012, 12:11:16 AM »
Hi,

Is there not a log at C:\ComboFix.txt? If it is not there, look in C:\Qoobox\ComboFix.txt. It may have been placed there accidentally. :)

ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #22 on: March 31, 2012, 04:32:12 PM »
No, I have a ComboFix2.txt but it was the one from the first scan (without your script).
I'm trying to re-do the second scan with your script but I got 2 BSODs and now the computer is blocked at ComboFix's first screen...

Should I try to go back to a restore point?

ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #23 on: April 01, 2012, 02:16:32 PM »
Hi, just an update...
I went back to a restore point dated 17th March (if I'm not wrong), then I ran a scan with SUPERAntiSpyware which found a trojan, while MBAM and Spybot found nothing. I have run OTL (log attached) and GMER (log attached), and I'm trying ComboFix but it stays blocked on the screen "Administrator: Autoscan" where it says that it should take around 10 mins.
« Last Edit: April 01, 2012, 02:18:21 PM by ajeje »

jeffce

  • Guest
Re: Avast blocking malicious url redirects
« Reply #24 on: April 01, 2012, 06:13:32 PM »
Hi,

Let's get some of this taken out with OTL...

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.**
----------

Run OTL.exe
• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 30 C9 47 C9 65 B4 CA 01  [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {BD6E5B1C-84B3-4A02-887F-BF02498AB597}
IE - HKCU\..\SearchScopes\{036D37F4-2E1E-41F1-B7D0-A0F2B3963C78}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{23EDB896-A4A3-4CEC-932F-6F658922B0B1}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&mkt=it-it&FORM=IEFM&src={referrer:source?}
IE - HKCU\..\SearchScopes\{39990E08-4741-473F-8D86-B4F4DB4A37B4}: "URL" = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{BD6E5B1C-84B3-4A02-887F-BF02498AB597}: "URL" = http://www.google.it/search?hl=it&q={searchTerms}&meta=
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost; 127.0.0.1; <local>
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..network.proxy.network.proxy.socks_remote_dns: 1
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
[2010/02/27 13.18.54 | 000,001,827 | ---- | M] () -- C:\Users\Istvan\AppData\Roaming\Mozilla\Firefox\Profiles\wdmjx60v.default\searchplugins\bing.xml
[2012/02/18 12.40.01 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
O4 - HKLM..\Run: [Acer Tour]  File not found
O4 - HKLM..\Run: [eRecoveryService]  File not found
O4 - HKLM..\Run: [GSISETUP] F:\setup.exe File not found
O4 - HKCU..\Run: []  File not found
O4 - HKCU..\Run: [Acer Tour Reminder]  File not found
O4 - HKCU..\Run: [DriverMax]  File not found
O4 - HKCU..\Run: [DriverMax_RESTART]  File not found
O33 - MountPoints2\{0240bdd6-87f4-11de-ac4c-001d9228b691}\Shell - "" = AutoRun
O33 - MountPoints2\{0240bdd6-87f4-11de-ac4c-001d9228b691}\Shell\AutoRun\command - "" = L:\AutoRun.exe
O33 - MountPoints2\{0240bdf3-87f4-11de-ac4c-001d9228b691}\Shell - "" = AutoRun
O33 - MountPoints2\{0240bdf3-87f4-11de-ac4c-001d9228b691}\Shell\AutoRun\command - "" = L:\AutoRun.exe
O33 - MountPoints2\{0240bdfa-87f4-11de-ac4c-001d9228b691}\Shell - "" = AutoRun
O33 - MountPoints2\{0240bdfa-87f4-11de-ac4c-001d9228b691}\Shell\AutoRun\command - "" = L:\AutoRun.exe
O33 - MountPoints2\{0240be0b-87f4-11de-ac4c-001d9228b691}\Shell - "" = AutoRun
O33 - MountPoints2\{0240be0b-87f4-11de-ac4c-001d9228b691}\Shell\AutoRun\command - "" = L:\AutoRun.exe
O33 - MountPoints2\{85ed08ea-955c-11dd-9826-001d9228b691}\Shell - "" = AutoRun
O33 - MountPoints2\{85ed08ea-955c-11dd-9826-001d9228b691}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
O33 - MountPoints2\M\Shell - "" = AutoRun
O33 - MountPoints2\M\Shell\AutoRun\command - "" = M:\LaunchU3.exe -a
[2012/03/18 11.05.12 | 000,000,000 | ---D | C] -- C:\found.002
[2012/03/19 00.43.55 | 000,249,856 | ---- | M] () -- C:\Users\Istvan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
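As an added triage aid (example code written for this page, not a tool from the thread or from OTL's author): a small Python parser for the OTL log line formats quoted in the fix above. It pulls out the entries a helper reviews first when chasing search redirects (O33 MountPoints2 AutoRun handlers, IE SearchScopes URLs, and loose files listed by the scan) and flags any search scope whose host is not a well-known engine. The sample log and its `.invalid` hijack host are constructed, and the allowlist of search hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entry shapes copied from the OTL fix above, plus one
# made-up search scope (".invalid" host) so the allowlist check has a hit.
SAMPLE_OTL_LOG = r"""
IE - HKCU\..\SearchScopes\{BD6E5B1C-84B3-4A02-887F-BF02498AB597}: "URL" = http://www.google.it/search?hl=it&q={searchTerms}&meta=
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{00000000-0000-0000-0000-000000000000}: "URL" = http://search.hijack-sample.invalid/?q={searchTerms}
O33 - MountPoints2\{0240bdd6-87f4-11de-ac4c-001d9228b691}\Shell\AutoRun\command - "" = L:\AutoRun.exe
O33 - MountPoints2\M\Shell\AutoRun\command - "" = M:\LaunchU3.exe -a
[2012/03/19 00.43.55 | 000,249,856 | ---- | M] () -- C:\Users\Istvan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
"""

# One regex per OTL line shape: IE search scope, drive AutoRun handler, file entry.
SEARCH_RE = re.compile(r'^IE - (HK\w+)\\\.\.\\SearchScopes\\(\{[^}]+\}): "URL" = (\S+)$')
AUTORUN_RE = re.compile(r'^O33 - MountPoints2\\([^\\]+)\\Shell\\AutoRun\\command - "" = (.+)$')
FILE_RE = re.compile(r'^\[([\d/]+ [\d.]+) \| ([\d,]+) \| ([-A-Z]{4}) \| ([CM])\] \(\) -- (.+)$')

# Assumed allowlist: search hosts a helper would expect to see on this machine.
KNOWN_SEARCH_HOSTS = {"www.google.it", "www.google.com", "www.bing.com",
                      "search.yahoo.com", "search.live.com"}

def triage_otl(log_text):
    """Return the entries reviewed first when chasing a search-redirect problem."""
    found = {"search_scopes": [], "suspicious_search": [], "autoruns": [], "files": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SEARCH_RE.match(line):
            host = urlparse(m.group(3)).hostname or ""
            found["search_scopes"].append((m.group(2), host))
            if host not in KNOWN_SEARCH_HOSTS:      # unknown engine: possible hijack
                found["suspicious_search"].append((m.group(2), m.group(3)))
        elif m := AUTORUN_RE.match(line):           # what runs when a drive is opened
            found["autoruns"].append((m.group(1), m.group(2)))
        elif m := FILE_RE.match(line):              # (path, size in bytes)
            found["files"].append((m.group(5), int(m.group(2).replace(",", ""))))
    return found

if __name__ == "__main__":
    for kind, entries in triage_otl(SAMPLE_OTL_LOG).items():
        print(kind)
        for entry in entries:
            print("   ", *entry)
```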

ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #25 on: April 01, 2012, 09:47:25 PM »
Hi jeffce, firstly thanks for your help!

Attached is the OTL log after I ran the fix (OTL-120401-2135.txt) and the one after I ran the scan (OTL-120401-2140.txt).
Should the LOP Check or Purity boxes have been checked during the fix?

jeffce

  • Guest
Re: Avast blocking malicious url redirects
« Reply #26 on: April 01, 2012, 11:33:38 PM »
Hi ajeje,

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

• Please go here then click on:
    Quote
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
• Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Now click on:
• The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
• Now click on:
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
----------

In your next reply please post the logs made by Malwarebytes and ESET online scanner. :)

ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #27 on: April 02, 2012, 11:57:34 PM »
    Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
Here is the attached MBAM log.

    When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
I haven't found an option to export the full log. The scan results were these:
Code:
E:\Programmi\SmitfraudFix.exe multiple threats
E:\Programmi\SmitfraudFix\Process.exe Win32/PrcView application
E:\Programmi\SmitfraudFix\restart.exe Win32/Shutdown.NAA application
E:\Webmaster\files.rar multiple threats

    Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
This file contains only
Code:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

jeffce

  • Guest
Re: Avast blocking malicious url redirects
« Reply #28 on: April 03, 2012, 12:05:55 AM »
Hi,

I don't see the Malwarebytes log attached?
----------

Run OTL.exe
• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:Files
E:\Webmaster\files.rar
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[clearallrestorepoints]
[start explorer]
[Reboot]
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

ajeje

  • Guest
Re: Avast blocking malicious url redirects
« Reply #29 on: April 03, 2012, 03:48:30 PM »
Sorry, I probably forgot to attach the MBAM log, but it hasn't found any threat.

Regarding what ESET found, I don't think that "E:\Webmaster\files.rar" and "E:\Programmi\SmitfraudFix\" are causing the problem mentioned in this thread. The first one is an archive with some files I downloaded from a forum many years ago; the second is a program I downloaded some weeks ago to delete a virus I got. It was the redirect problem posted here, but maybe the two things are connected.

Anyway, later today I will run the OTL fix you posted. I have seen a [clearallrestorepoints]; will it be safe to delete every restore point? It seems my computer is getting slower these days and often during scans it stalls...

Thanks